ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > DNSpionage

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: DNSpionage

NamesDNSpionage (Talos)
CountryIran Iran
MotivationInformation theft and espionage
First seen2019
Description(Talos) Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it’s clear that this adversary spent time understanding the victims’ network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.

Based on this actor’s infrastructure and TTPs, we haven’t been able to connect them with any other campaign or actor that’s been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling “DNSpionage,” supports HTTP and DNS communication with the attackers.

Talos found a possible relationship between DNSpionage and OilRig, APT 34, Helix Kitten, Chrysene.
ObservedSectors: Aviation, Government, Law enforcement, Telecommunications and Internet infrastructure.
Countries: Albania, Cyprus, Egypt, Iraq, Jordan, Kuwait, Lebanon, Libya, Sweden, UAE, USA and North Africa.
Tools usedDNSpionage, Karkoff.
Operations performedApr 2019DNSpionage brings out the Karkoff

Last change to this card: 15 April 2020

Download this actor card in PDF or JSON format

Previous: Desert Falcons
Next: Domestic Kitten

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]