Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ DarkHydrus

🌐DarkHydrus

🌐 DarkHydrus is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 7 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0079) ↗
14Use cases
0Articles
7Techniques
0IOCs

About this actor (MITRE)

[DarkHydrus](https://attack.mitre.org/groups/G0079) is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. (Citation: Unit 42 DarkHydrus July 2018) (Citation: Unit 42 Playbook Dec 2017)

Known aliases

DarkHydrus

Top techniques

T1059.001 · PowerShellT1187 · Forced AuthenticationT1204.002 · Malicious File

All other tracked techniques

T1221 · Template InjectionT1564.003 · Hidden WindowT1566.001 · Spearphishing AttachmentT1588.002 · Tool

Detection use cases (14)

DarkHydrus Phishery-style forced authentication: Office app initiating outbound SMB to public IPs AI · profile S DarkHydrus RogueRobin loader: Office/script-host spawning hidden PowerShell from .iqy or macro chains AI · profile SΣ Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Abnormal Security: malicious email opened MITRE match Email attachment opened from external sender MITRE match Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) MITRE match Office app spawning script/LOLBin child process MITRE match Phishing-link click correlated to endpoint execution MITRE match PowerShell encoded / obfuscated command MITRE match