
Threat Group Cards: A Threat Actor Encyclopedia

APT group: DarkHydrus, LazyMeerkat

Names: DarkHydrus (Palo Alto), LazyMeerkat (Kaspersky), ATK 77 (Thales)
Country: Iran
Sponsor: State-sponsored
Motivation: Information theft and espionage
First seen: 2016
Description: DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks.

Some analysts track DarkHydrus, APT 19, Deep Panda, C0d0so0 and Turbine Panda, APT 26, Shell Crew, WebMasters, KungFu Kittens as the same group, but it is unclear from open source information if the groups are the same.

Observed sectors: Education, Government.
Observed countries: Iran and Middle East.
Tools used: Cobalt Strike, Mimikatz, Phishery, RogueRobin.
Operations performed:

Jun 2018: Credential harvesting against a Middle East educational institution
On June 24, 2018, Unit 42 observed DarkHydrus carrying out a credential harvesting attack on an educational institution in the Middle East. The attack involved a spear-phishing email with a subject of "Project Offer" and a malicious Word document as an attachment.
<https://unit42.paloaltonetworks.com/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/>

Jul 2018: Attack on Middle East Government
This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).
<https://unit42.paloaltonetworks.com/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/>

Jan 2019: New Attacks in the Middle East
360 Threat Intelligence Center captured several lure Excel documents written in Arabic on January 9, 2019. A backdoor dropped by a macro in the lure documents can communicate with its C2 server through a DNS tunnel, as well as through the Google Drive API.
<https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/>
<https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/>

Information: <https://unit42.paloaltonetworks.com/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0079/>
Playbook: <https://pan-unit42.github.io/playbook_viewer/?pb=darkhydrus>
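The two techniques the Jul 2018 and Jan 2019 entries describe, Excel Web Query (.iqy) attachments and DNS-tunnelled C2, as an added triage example in Python. This is not code from ThaiCERT, Unit 42 or 360 Threat Intelligence Center. The .iqy sample, the DNS log lines and their four-field format, the TRUSTED_HOSTS allowlist, the 198.51.100.7 address and the length/entropy thresholds are all constructed assumptions; the heuristics are generic and are not derived from RogueRobin's actual encoding.

```python
"""Triage helpers for two techniques on this card: Excel Web Query (.iqy)
attachments and DNS-tunnelled C2. Added example, not code from ThaiCERT,
Unit 42 or 360; samples below are constructed and the heuristics are
generic, not derived from RogueRobin internals."""
import math
from collections import defaultdict
from urllib.parse import urlparse

# --- .iqy triage ----------------------------------------------------------
# An Excel Web Query file is plain text: line 1 is the literal "WEB", line 2
# a version number, line 3 the URL Excel fetches when the workbook opens,
# then optional key=value settings. That fetch is the attack surface.

TRUSTED_HOSTS = {"intranet.example.local"}   # assumption: your own allowlist


def parse_iqy(text):
    """Return (url, options); raise ValueError if this is not an .iqy file."""
    lines = [ln.strip() for ln in text.splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel Web Query file")
    options = {}
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep:
            options[key.strip()] = value.strip()
    return lines[2], options


def iqy_verdict(text):
    """Classify an .iqy by where it would make Excel reach out to."""
    url, _ = parse_iqy(text)
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return "suspicious: non-web scheme %r" % parsed.scheme
    if parsed.hostname in TRUSTED_HOSTS:
        return "allowed"
    return "suspicious: external fetch from %s" % parsed.hostname


# --- DNS tunnel heuristics -------------------------------------------------
# A tunnel carries data in the subdomain labels, so queries to the C2 zone
# are long, high-entropy and numerous. Thresholds below are assumptions.

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname):
    """Split 'x.y.example.net.' into ('x.y', 'example.net').
    Simplification: the last two labels are taken as the zone."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(qname, min_sub_len=40, min_entropy=3.5):
    """Return (zone, reasons); an empty reasons list means not suspicious."""
    sub, zone = split_query(qname)
    reasons = []
    if len(sub) >= min_sub_len:
        reasons.append("long subdomain (%d chars)" % len(sub))
    if shannon_entropy(sub.replace(".", "")) >= min_entropy:
        reasons.append("high-entropy subdomain")
    return zone, reasons


def find_tunnel_candidates(log_lines, min_unique=3):
    """Group flagged queries by zone and keep zones that received at least
    min_unique distinct flagged names, the pattern a tunnel produces."""
    flagged = defaultdict(set)
    for line in log_lines:
        parts = line.split()   # constructed format: ts client qtype qname
        if len(parts) != 4:
            continue
        zone, reasons = score_query(parts[3])
        if reasons:
            flagged[zone].add(parts[3])
    return {z: sorted(q) for z, q in flagged.items() if len(q) >= min_unique}


# Constructed samples (not real DarkHydrus artefacts).
SAMPLE_IQY = (
    "WEB\n1\nhttp://198.51.100.7/update.html\n\n"
    "Selection=AllTables\nFormatting=None\n"
)
SAMPLE_DNS_LOG = [
    "2019-01-09T10:00:01 10.0.0.5 A www.example.com",
    "2019-01-09T10:00:02 10.0.0.5 TXT 4d7a1f0e9c3b2a6d8e5f7c1b0a9d3e2f6c8b4a7d1e0f3c5b.cdn.example.net",
    "2019-01-09T10:00:03 10.0.0.5 TXT 9e2c5b8a1d4f7e0c3b6a9d2e5f8c1b4a7d0e3f6c9b2a5d8e.cdn.example.net",
    "2019-01-09T10:00:04 10.0.0.5 TXT 1b4e7a0d3c6f9e2b5a8d1c4f7e0b3a6d9c2f5e8b1a4d7c0e.cdn.example.net",
    "2019-01-09T10:00:05 10.0.0.5 A mail.example.com",
]

if __name__ == "__main__":
    print(iqy_verdict(SAMPLE_IQY))
    for zone, names in find_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(zone, len(names), "flagged queries")
```

An .iqy is only a pointer: whatever the URL returns is the real payload, so the verdict is about where the workbook reaches out to, not about the file contents. The zone-grouping step matters on the DNS side because a single long query is common (CDNs, anti-spam lookups); many distinct long names under one zone from one client is the shape a tunnel produces.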

Last change to this card: 22 April 2020



Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
