DarkHydrus: Persistent Middle Eastern Espionage Group
- Suspected Origin
- Iran
- Motivation
- Espionage, Information Theft, Regional Political Objectives
- Aliases
- None documented
- Target Sectors
- Government, Education, Energy, Telecommunications
- Associated Malware
- RogueRobin, Mimikatz, Empire, Cobalt Strike, Phishery, Meterpreter, Veil, Invoke-Obfuscation
Overview
DarkHydrus, tracked as G0079 in the MITRE ATT&CK framework, is a sophisticated threat group that has been operational since at least 2016, focusing its efforts primarily on cyber espionage within the Middle East. This group is also known by various aliases such as LazyMeerkat, ATK 77, and Obscure Serpens. While some analysts have suggested overlaps with APT26, open-source information does not definitively confirm if these groups are one and the same.
The group’s likely origin is Iran, and it is widely linked to Middle Eastern state-sponsored actors. Their primary motivation is information theft and espionage, aimed at gathering intelligence to support regional security and political objectives. DarkHydrus predominantly targets government agencies and educational institutions, particularly within the Arabian Peninsula, including countries such as Qatar, Kuwait, and the United Arab Emirates. Beyond these core targets, they have also shown interest in the energy and telecommunications sectors. A defining characteristic of DarkHydrus is its heavy reliance on open-source tools and custom payloads for its attack operations.
Tactics & Techniques
DarkHydrus employs a consistent set of tactics, techniques, and procedures (TTPs) that leverage social engineering and well-known offensive security tools. The initial access vector almost exclusively involves spear-phishing campaigns. These campaigns often utilize malicious Microsoft Office documents, including Excel Web Query files (.iqy) delivered within password-protected RAR archives, or Word documents that exploit the “attachedTemplate” technique to load remote templates. The lures are typically crafted in Arabic and designed to trick recipients into enabling macros or entering their credentials into fake authentication dialogs. DarkHydrus has been observed using the open-source Phishery tool to create these weaponized Word documents and even host command-and-control (C2) infrastructure for credential harvesting. To enhance credibility, they often impersonate regional universities and government bodies, sometimes employing typosquatting domains.
Upon successful compromise, DarkHydrus typically uses PowerShell to download and execute additional scripts, often concealing these activities by utilizing the -WindowStyle Hidden parameter. For persistence, their custom malware, RogueRobin, has been observed creating .bat files and shortcuts in Windows startup folders.
The group also demonstrates various defense evasion techniques. They conduct checks for virtualized environments, sandboxes, and common analysis tools, and will exit if detected. DarkHydrus has also been noted for abusing open-source penetration testing techniques, such as AppLocker bypasses. A significant evolution in their C2 infrastructure involves the abuse of legitimate cloud services, particularly Google Drive, as an alternative communication channel for their RogueRobin Trojan, making detection harder.
Notable Campaigns
DarkHydrus gained public attention with several key campaigns that highlighted their operational methods:
- July 2018 Middle East Government Attack: Unit 42 (Palo Alto Networks) first publicly disclosed DarkHydrus after observing a targeted attack against a Middle Eastern government agency. This campaign utilized malicious .iqy files delivered via spear-phishing emails and introduced their custom PowerShell-based payload, RogueRobin.
- June 2018 Credential Harvesting: Prior to the July disclosure, DarkHydrus conducted a credential harvesting attack against an educational institution in the Middle East. This involved spear-phishing emails containing malicious Word documents, with evidence suggesting similar credential harvesting attempts dating back to late 2017.
- January 2019 RogueRobin Evolution: New campaigns in early 2019 saw DarkHydrus deploying updated lure Excel documents, often written in Arabic. Critically, this campaign introduced a C# variant of the RogueRobin Trojan that leveraged the Google Drive API for C2 communications, indicating an evolution in their tooling and evasion capabilities.
- Operation RogueRobin: This refers to a broader, large-scale campaign targeting government and educational institutions with the goal of intelligence gathering. The group has also been implicated in attacks on energy and telecommunications entities to exfiltrate sensitive information and communications data.
Associated Malware & Tools
DarkHydrus’s toolkit heavily features both custom malware and a range of abused legitimate and open-source penetration testing tools:
- RogueRobin: This is DarkHydrus’s signature custom Trojan. Initially written in PowerShell, it evolved into a C# variant. RogueRobin primarily relies on DNS tunneling for command and control, but later versions incorporated the use of the Google Drive API for alternative C2 channels. The malware includes anti-analysis features such as sandbox and virtual machine detection, and anti-debugging capabilities to hinder forensic efforts.
- Mimikatz: A well-known post-exploitation tool used for credential dumping from memory.
- Empire (PowerShellEmpire): A powerful post-exploitation framework that enables adversaries to gain persistent access, escalate privileges, and move laterally within compromised networks.
- Cobalt Strike: A commercial adversary simulation software often misused by threat actors for advanced persistent threat operations, offering a wide array of capabilities including beaconing, lateral movement, and data exfiltration.
- Phishery: An open-source tool primarily used for credential harvesting by injecting malicious remote template URLs into Microsoft Office documents.
- Meterpreter: A highly advanced, dynamically extensible payload used with Metasploit, providing an interactive shell for remote control.
- Veil: An evasion framework that generates payloads bypassing common antivirus solutions.
- Invoke-Obfuscation: A PowerShell script obfuscator used to conceal malicious PowerShell commands.
- Custom PowerShell Scripts: Beyond RogueRobin, DarkHydrus frequently develops and deploys its own PowerShell scripts to facilitate various stages of an attack.
Current Status
As of mid-2026, DarkHydrus remains an active threat, continuing to evolve its tactics and techniques. While the group maintained a relatively lower public profile after 2019 compared to its earlier disclosed campaigns, its tooling, particularly RogueRobin, is well-documented and incorporated into threat intelligence feeds. The MITRE ATT&CK entry for DarkHydrus (G0079) was last modified on April 25, 2025, indicating ongoing relevance and updates to its documented characteristics. Reports from August 2024 confirm the group’s continued activity, with another from April 2024 noting its resurfacing after a period of dormancy. This suggests that DarkHydrus is still actively engaged in cyber espionage, even if specific new incidents are not always immediately publicized. Organizations in the Middle East, particularly those in government and education, should remain vigilant against the TTPs associated with this persistent threat actor.
Related content
Carbanak Threat Profile: Financial Apex Predators
Adversary ProfileFIN6: From POS Skimming to Ransomware and Enterprise Infiltration
Adversary ProfilePlay Ransomware (G1040) Threat Profile: Evolving Tactics and Global Impact
Adversary ProfileFIN7: From Point-of-Sale Theft to Ransomware Kingpins
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call