No Way to Hide: Uncovering New Campaigns from Daily Tunneling Det...

Executive Summary

This article reviews four previously undisclosed domain name system (DNS) tunneling campaigns that occurred in recent months. We identified these new campaigns through our recently deployed campaign monitoring system, which can identify new, potentially malicious campaigns from daily tunneling detection.

DNS tunneling is a technique threat actors use to encode non-DNS traffic data within DNS packet traffic. This allows the information to bypass traditional network firewalls and establish covert communication channels for data exfiltration and infiltration.

Our new campaign monitoring system is designed to detect tunneling domains based on the techniques and attributes commonly used in malicious campaigns. These unique intercorrelations among individual tunneling campaigns can reveal new tunneling domains.

For example, can attackers connect a new domain to any existing well-documented tunneling campaign? Do a couple of recently detected tunneling domains originate from an undisclosed campaign?

Hence, instead of investigating the tunneling domains individually, we seek to analyze these domains from the perspective of common attributes and quickly uncover new campaigns.

We have deployed this tunneling campaign monitoring system in our Advanced DNS Security service. This system allows organizations to secure their DNS traffic by identifying and blocking new potential campaigns from tunneling domains. It also provides detailed campaign information for customers who can log in to our Test A Site service.

Palo Alto Networks Next-Generation Firewall customers can access the tunneling campaign information with the Advanced DNS Security subscription and receive protections against malicious indicators (domains and IP addresses) mentioned in this article via Advanced URL Filtering. The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.

The Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the attacks with best practices by identifying the corresponding malware samples and command and control (C2) traffic.

Palo Alto Networks Cortex Analytics customers receive protection against DNS tunneling techniques mentioned in this article via the DNS tunneling analytics detector.

Cortex also helps protect against malware from the Hiloti family and others through features such as prevention for shellcode injection.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics	DNS, C2

DNS Tunneling: An Overview

DNS is a critical component of the internet infrastructure responsible for translating human-readable domain names into IP addresses. Many organizations leave UDP and TCP port 53 open in their firewalls, which is the port DNS uses for communication. They also often leave this port unmonitored, making it an attractive target for attackers to use as a covert communications channel.

DNS tunneling leverages the DNS protocol to encode data within DNS queries and responses. Therefore, cyberattackers tend to use DNS tunneling for data exfiltration, command and control (C2), or bypassing security measures.

Figure 1 illustrates an example of covert communications using DNS tunneling techniques.

Attackers first infect a client system with malware that is able to steal the user's data. Then, the stolen data is encoded and embedded within subdomains and is transmitted over DNS queries. The attackers can receive and decode the data by hosting an authoritative DNS (aDNS) server of the root domain (e.g., helloworld[.]com in Figure 1).

DNS tunneling can achieve stealthiness because the recursive DNS servers enable indirect communications between client systems and attacker-controlled authoritative DNS servers. Attackers are also able to transmit commands by encoding data into DNS responses.

Malicious actors also abuse DNS tunneling in attack campaigns. For example, the Iranian threat group Evasive Serpens (aka OilRig) employed DNS tunneling to communicate between infected hosts and their C2 servers, targeting critical infrastructure in the Middle East. Another Iranian threat group we track as Obscure Serpens (aka DarkHydrus) also used DNS tunneling when it targeted government agencies and educational institutions in the Middle East in 2016.

The detection of DNS tunneling has typically focused on the attributes of individual domains, such as lexical or infrastructure patterns. However, defenders often overlook additional attributes.

For example, correlations between tunneling domains can help us monitor significant clusters for tunneling detection and discover emerging campaigns. In this article, we reveal common attributes shared within individual campaigns that could facilitate automated detection of new DNS tunneling campaigns.

Based on these attributes, we have designed and deployed the first campaign monitoring system in our products. This system aims to automatically determine if a couple of historically detected tunneling domains originate from an undisclosed campaign, or if a new tunneling domain belongs to any existing well-documented campaign.

Attributes for Campaign Monitoring

This section presents methods that can identify new tunneling campaigns from daily tunneling detection results. Our detection relies on the fact that domains used in each individual tunneling campaign typically exhibit similar attributes because the same malicious actors registered the domains, or the campaigns used the same tunneling methods.

We discuss the common attributes we identified within each tunneling campaign. To the best of our knowledge, these distinctive intercorrelations among tunneling campaigns have not been fully studied previously.

The following attributes relate to infrastructure, configurations, lexical patterns and targets that could be shared across the tunneling domains in each campaign:

• Authoritative nameserver: The nameservers used by tunneling campaigns are usually owned and controlled by attackers themselves, as attackers should have unrestricted access to fetch query logs and manipulate the response. To limit the attack cost, attackers tend to use a single self-hosted authoritative DNS server. This centralized server enables them to efficiently manage and process DNS traffic of multiple tunneling domains.
• DNS configurations: In a single tunneling campaign, the DNS configurations used for each domain are usually similar or even identical. This is because the same attacker group sets and stores the configuration in the same aDNS server. The shared infrastructure settings allow attackers to effectively deploy and control the various domains in the campaign, but they also provide a significant indicator for security researchers. For instance, RussianSite and 8NS tunneling campaigns have their own DNS configuration pattern with a single aDNS IP address.
• Payload encoding: To launch a tunneling campaign, attackers usually employ consistent tunneling tools or encoding methods to encapsulate their payload data into subdomains. Therefore, within a single campaign, the patterns of subdomains across various root domains often show significant similarities. This consistency helps attackers manage their C2 or data exfiltration processing. For example, RussianSite and NSfinder use the same encoding method within each campaign.
• Domain registration: Domains used in individual campaigns frequently share the same top-level domain (TLD). Also, the associated root domains use a notably similar naming scheme, indicating a consistent choice made by the attacker group. Moreover, the registration time of these domains tends to align closely from their WHOIS records.
• Attack target: Each tunneling campaign tends to target one or a few specific victim types (e.g., governments, public infrastructures, finance/banking/investments or health/medical care).

Based on the above criteria, we used machine learning techniques to explore the potential new campaigns among the detected tunneling domains.

New Campaigns

By focusing on the correlations between DNS tunneling domains, we detected four previously undiscovered campaigns. Each campaign shares some attributes from infrastructure, payloads, domain registration or targeted victims. We show the detailed case studies on these campaigns in this section.

FinHealthXDS

The first campaign contains 12 domains that use a customized DNS beaconing format for Cobalt Strike C2 communications. While Cobalt Strike has a default configuration for DNS C2 communications through a malleable C2 profile, this campaign leverages a customized format.

In this format, the associated DNS queries use three-letter prefixes (e.g., xds) to indicate the function of the queries used in this tunneling traffic. This campaign targets the finance and healthcare industries, thus we named it FinHealthXDS.

By analyzing the passive DNS records, we discovered this customized Cobalt Strike DNS beaconing format. This campaign uses the xds prefix to indicate command request queries and resolves to 40.112.72[.]205 as the IP address.

After obtaining the returned IP address such as 40.112.72[.]62, malware will calculate the XOR value of the last byte to determine the returned command. For example, 205 XOR 62 = 243, which typically indicates transferring data with TXT records (mode dns-txt command).

Below, we find two examples of DNS A record queries for transferring subsequent data using TXT records.

• xds.5af195b6.gear.<rootdom> A 40.112.72[.]205
• xds.5af195b6.gear.<rootdom> A 40.112.72[.]62

This campaign can use either A records or TXT records for an infected host to receive data. When using A records, the DNS queries follow a format with a customized prefix of pro (compared to the default value of cdn when using malleable C2 profiles for DNS beaconing in Cobalt Strike).

pro.[hex-counter][8-digit-hex-random-number].[beacon-id].[subdomain-padding].<rootdom> A [hex-infiltration-data]

When using TXT records for data infiltration, the DNS queries use the prefix snd instead of the default api prefix used in the malleable C2 for DNS beaconing in Cobalt Strike. An example of the format is shown below.

snd.[hex-counter][8-digit-hex-random-number].[beacon-id].[subdomain-padding].<rootdom> TXT [infiltration-data]

To exfiltrate data to a C2 server, the DNS queries leverage two prefixes (i.e., txt for short messages and del for long messages, not the default prefix of post). The format is as follows.

[txt|del].[num-of-message][encoded-message].[counter][random-number].[beacon-id].[subdomain-padding].<rootdom> A 40.112.72[.]205

Table 1 shows six domains in this campaign. It also shows the query samples, nameservers and nameserver IP addresses.

Domain	Query Sample	Nameserver Domains	Nameserver IP Addresses
foxxbank[.]com	txt.1f0522f1e.3074aa20643.62c1b4ba.novel.foxxbank[.]com	ns1.foxxbank[.]com ns2.foxxbank[.]com	191.252.140[.]94 191.252.140[.]80
lifemedicalplus[.]net	del.1214999ab.36f446b3e.4c820ef2.dns0.lifemedicalplus[.]net	salad.liveritehealthcare[.]com	52.90.87[.]208
codeaddon[.]net	txt.1a74140ad.4f2fa129ed.1ab3dfba.dns11.codeaddon[.]net	content.codeaddon[.]net gateway.codeaddon[.]net jobs.codeaddon[.]net	188.114.96[.]3 44.197.246[.]120 3.89.115[.]116
healthproreview[.]com	xds.db6bee2.thing.healthproreview[.]com	pitch.healthproreview[.]com	54.242.65[.]191
familiesandfinance[.]com	del.17b48a6a3831f07076b2d81677d87ad5d93df75b7.142fb5314.250feff6.hunt.familiesandfinance[.]com	chance.familiesandfinance[.]com	18.116.41[.]255
soupandselfcare[].com	pro.b4ed82f96.2c3e46fa.brain.soupandselfcare[.]com	initiative.soupandselfcare[.]com	54.166.97[.]9

Table 1. The domain, query sample, nameservers and nameserver IP addresses in the campaign FinHealthXDS.

RussianSite

The second tunneling campaign contains over 100 domains, all of which share the same nameserver IP address of 185.161.248[.]253from Russia. Most domains in this campaign end with the TLD .site, while only a very few of these domains use .website. Therefore, based on the aDNS IP address and the TLD patterns, we named this campaign RussianSite.

The subdomain contains two parts: a 5-character alphanumeric payload and a 1-letter or 2-letter padding that is specific in each domain. The A records of these campaign domains are distributed worldwide. However, to receive tunneling information from aDNS servers, configuring a valid aDNS IP address is mandatory for attackers, while A records are discretionary and could be invalid.

In Table 2 we listed examples of the domains, along with a query sample, nameservers and nameserver IP address. We have obfuscated the listed FQDN queries so no customer data is revealed.

We observed this campaign targeting 10 organizations from higher education. Of these 10 targets, five are governments and public infrastructure, four are medical/health institutions and one is a public accounting firm.

Domain	Query Sample	Nameserver Domains	Nameserver IP Address
pretorya[.]site	h3t5b.g.pretorya[.]site	ns1.g.pretorya[.]site ns2.g.pretorya[.]site	185.161.248[.]253
zzczloh[.]site	ptqo1.p.zzczloh[.]site	ns1.p.zzczloh[.]site ns2.p.zzczloh[.]site	185.161.248[.]253
mouvobo[.]site	jpdqo.n.mouvobo[.]site	ns1.n.mouvobo[.]site ns2.n.mouvobo[.]site	185.161.248[.]253
mponiem[.]site	6nesl.v.mponiem[.]site	ns1.v.mponiem[.]site ns2.v.mponiem[.]site	185.161.248[.]253
linkwide[.]site	g49wo.y.linkwide[.]site	ns1.y.linkwide[.]site ns2.y.linkwide[.]site	185.161.248[.]253
dtodcart[.]site	lv1bi.f.dtodcart[.]site	ns1.f.dtodcart[.]site ns2.f.dtodcart[.]site	185.161.248[.]253

Table 2. The domain, query sample, nameservers, nameserver IP address in the campaign RussianSite.

8NS

The third tunneling campaign contains six domains that share the same DNS configurations and aDNS server IP address of 35.205.61[.]67. A special pattern of this campaign is that each domain has 8 NS records. Therefore, we named this campaign 8NS.

However, instead of keeping redundancy of nameservers, all the NS records (i.e., ns[1-8].<rootdom>) have the same A record of 35.205.61[.]67.

Meanwhile, the A record of the root domain is the same as the aDNS server IP address. That indicates the nameserver may be self-built, which is usually a premise for DNS tunneling. Below, Figure 2 shows a visual mapping of the 8NS campaign.

This campaign is driven by multiple Trojans. For example, malware from the Hiloti family 0b99db286f3708fedf7e2bb8f24df1af13811fe46b017b6c3e7e002852479430, can contact the domain 011807dd0303[.]lantzel[.]com.

This Hiloti sample secretly downloads malicious files from a remote server and then injects the unpacked malware into explore[.]exe. The malware creates three registry entries under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Bfetipior HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Bfetipi, which a C2 domain generation algorithm uses to send client online messages to the C2 server through DNS queries, as depicted in Figure 3.

The generated domains are based on the information of infected systems, with a format such as the following:

0018786966.96428380.04.5E43287B03114C04A64F68C0C23E44F4.n.156.887.empty.6_1._t_i.3000.explorer_exe.156.rc2.a4h9uploading[.]com.

Let's break down the encoding of each component from the above example:

• 0018786966: Elapsed time
• 96428380: Infected machine volume serial number XOR 0x3C2C3DB7
• 04: Number of processor cores on the infected machine
• 5E43287B03114C04A64F68C0C23E44F4: Generated from the registry key "Jqoqegemidar" and XOR algorithm
• n: Indicator of a new process (n) or existing process (e), determined by mutex
• 156: Value of registry key "Nwasolonizo"
• 887: Hard-coded value
• empty: Hard-coded value
• 6_1: OS information: OS major version (6) and minor version (1)
• _t_i: Hard-coded
• 3000: Current process security identifier (SID)
• explorer_exe: Malware executing process name
• 156: Hard-coded
• rc2[.]a4h9uploading[.]com: Hard-coded domain

After sending a client online message, the malware starts C2 communication with the domain lantzel[.]com, which Figure 4 shows being decrypted during execution.

We illustrate these six domains in the campaign 8NS, along with the query sample, nameservers and nameserver IP address in Table 3.

Domain	Query Sample	Nameserver Domains	Nameserver IP Address
lantzel[.]com	080317e70613.lantzel[.]com	ns1.lantzel[.]com ns2.lantzel[.]com ns3.lantzel[.]com ns4.lantzel[.]com ns5.lantzel[.]com ns6.lantzel[.]com ns7.lantzel[.]com ns8.lantzel[.]com	35.205.61[.]67
unbeatableprice[.]us	029cd612cc2d9b9858aossoapcngb.unbeatableprice[.]us	ns1.unbeatableprice[.]us ns2.unbeatableprice[.]us ns3.unbeatableprice[.]us ns4.unbeatableprice[.]us ns5.unbeatableprice[.]us ns6.unbeatableprice[.]us ns7.unbeatableprice[.]us ns8.unbeatableprice[.]us	35.205.61[.]67
sosua[.]cz	0545326b975e.1400world.sosua[.]cz	ns1.sosua[.]cz ns2.sosua[.]cz ns3.sosua[.]cz ns4.sosua[.]cz ns5.sosua[.]cz ns6.sosua[.]cz ns7.sosua[.]cz ns8.sosua[.]cz	35.205.61[.]67
ns2000wip[.]com	fkdmw402.ns2000wip[.]com	ns1.ns2000wip[.]com ns2.ns2000wip[.]com ns3.ns2000wip[.]com ns4.ns2000wip[.]com ns5.ns2000wip[.]com ns6.ns2000wip[.]com ns7.ns2000wip[.]com ns8.ns2000wip[.]com	35.205.61[.]67
dreyzek[.]com	srv881.dreyzek[.]com	ns1.dreyzek[.]com ns2.dreyzek[.]com ns3.dreyzek[.]com ns4.dreyzek[.]com ns5.dreyzek[.]com ns6.dreyzek[.]com ns7.dreyzek[.]com ns8.dreyzek[.]com	35.205.61[.]67
avtomaty-bcg[.]online	001-zr6yarm4qwk4weuw.0zyywvutsrqp.avtomaty-bcg[.]online	ns1.avtomaty-bcg[.]online ns2.avtomaty-bcg[.]online ns3.avtomaty-bcg[.]online ns4.avtomaty-bcg[.]online ns5.avtomaty-bcg[.]online ns6.avtomaty-bcg[.]online ns7.avtomaty-bcg[.]online ns8.avtomaty-bcg[.]online	35.205.61[.]67

Table 3. The domain, query sample, nameservers and nameserver IP address in the campaign 8NS.

NSfinder

The fourth campaign contains over 50 domains. All domains are named by combining three words with the last word of finder (e.g., unlimitedpartnersfinder[.]com). The subdomains are composed of multiple similar segments, each of which contains a prefix ns500and a number. Based on the root domain and subdomain patterns, we named this campaign NSfinder.

NSfinder is related to multiple malicious IP addresses, mainly from Europe. Each domain typically uses three IP addresses each time for both aDNS IP addresses and resolved IP addresses.

The IP addresses used by different domains have high overlapping. Also, we observe that attackers periodically change the IP address set for each domain, and the time to live (TTL) is only 60 seconds.

NSfinder performs attacks by setting up adult websites, and it lures victims to enter their credit card information. This campaign also correlates with multiple Trojans, such as IcedID.

For example, attackers frequently used the nameserver IP address 206.188.197[.]111in the campaign to communicate with a malware sample with the SHA256 hash dfb3e5f557a17c8cdebdb5b371cf38c5a7ab491b2aeaad6b4e76459a05b44f28, identified as IcedID by different sources in VirusTotal. The nameserver IP address 185.81.114[.]183communicated with the malware c22d25107e48962b162c935a712240c0a4486b38891855f0e53d5eb972406782, identified as RedLine stealer.

We observed this campaign having massive traffic within one month in 2023. The ns500 tokens have over a hundred variants, where the top tokens follow the distribution of English letters. We observed thousands of victims related to this campaign, mainly coming from high tech, education and manufacturing fields.

In Table 4, we list six domain examples with their query sample, nameservers and nameserver IP addresses.

Domain	Query Sample	Nameserver Domains	Nameserver IP Addresses
yummyflingsfinder[.]com	ns500505.ns500528.ns500505.ns500458.ns500528.ns500528.ns500528.ns500488.ns500488.ns500505.ns500476.ns500476.ns500440.ns500227.ns500209.yummyflingsfinder[.]com	ns500583.yummyflingsfinder[.]com ns500599.yummyflingsfinder[.]com ns500631.yummyflingsfinder[.]com	185.81.114[.]183 185.176.220[.]212 88.119.169[.]205
piquantchicksfinder[.]com	ns500458.ns500458.ns500505.ns500528.ns500528.ns500528.ns500458.ns500488.ns500505.ns500458.ns500476.ns500476.ns500488.ns500488.ns500440.ns500227.ns500209.piquantchicksfinder[.]com	ns500583.piquantchicksfinder[.]com ns500599.piquantchicksfinder[.]com ns500631.piquantchicksfinder[.]com	185.81.114[.]183 185.176.220[.]212 88.119.169[.]205
yummyloversfinder[.]com	ns500528.ns500458.ns500528.ns500505.ns500505.ns500505.ns500488.ns500505.ns500476.ns500458.ns500458.ns500458.ns500440.ns500288.ns500209.yummyloversfinder[.]com	ns500505.yummyloversfinder[.]com ns500488.yummyloversfinder[.]com ns500458.yummyloversfinder[.]com	206.188.197[.]111 23.95.170[.]183 185.176.220[.]80
unlimitedpartnersfinder[.]com	ns500505.ns500528.ns500505.ns500458.ns500505.ns500505.ns500505.ns500528.ns500528.ns500505.ns500476.ns500488.ns500488.ns500488.ns500488.ns500227.ns500209.unlimitedpartnersfinder[.]com	ns500575.unlimitedpartnersfinder[.]com ns500618.unlimitedpartnersfinder[.]com ns500635.unlimitedpartnersfinder[.]com	5.149.255[.]21 141.94.37[.]182 193.142.59[.]198
lustypartnersfinder[.]com	ns500414.ns500414.ns500414.ns500502.ns500414.ns500502.ns500485.ns500485.ns500511.ns500485.ns500502.ns500479.ns500414.ns500414.ns500478.ns500268.ns500168.lustypartnersfinder[.]com	ns500313.lustypartnersfinder[.]com ns500540.lustypartnersfinder[.]com ns500634.lustypartnersfinder[.]com	188.119.148[.]82 109.205.214[.]13 51.89.16[.]177
juicyplaymatesfinder[.]com	ns500501.ns500501.ns500291.ns500501.ns500525.ns500525.ns500525.ns500501.ns500292.ns500213.ns500213.ns500213.ns500291.ns500225.ns500197.juicyplaymatesfinder[.]com	ns500291.juicyplaymatesfinder[.]com ns500585.juicyplaymatesfinder[.]com ns500643.juicyplaymatesfinder[.]com	185.176.220[.]151 79.141.165[.]176 51.83.172[.]83

Table 4. The domain, query sample, nameservers and nameserver IP addresses in the campaign NSfinder.

Conclusion

The domains within each tunneling campaign share some common attributes, such as the following:

• Infrastructure
• DNS configurations
• Payload encoding
• Domain registration patterns
• Attack targets

These attributes enable us to identify significant clusters among the tunneling detection results so that we can discover the emerging tunneling campaigns.

This method of detection has revealed four new campaigns that we have described in this article and have named:

• FinHealthXDS
• RussianSite
• 8NS
• NSfinder

We have implemented these techniques as a new campaign monitoring system into our Advanced DNS Security service, providing campaign information and descriptions to our customers. With this system, we have detected four new campaigns from daily tunneling detection results.

The Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the attacks with best practices via the following Threat Prevention signature: 13033.

Customers can also receive protections against malicious indicators (domains, IP addresses) mentioned in this article via Advanced URL Filtering.

The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.

Palo Alto Networks Cortex Analytics customers receive protection against DNS tunneling techniques mentioned in this article via the DNS tunneling analytics detector.

Cortex also helps protect against malware from the Hiloti family and others through features such as prevention for shellcode injection.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

• North America Toll-Free: 866.486.4842 (866.4.UNIT42)
• EMEA: +31.20.299.3130
• APAC: +65.6983.8730
• Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

Domains

• avtomaty-bcg[.]online
• codeaddon[.]net
• dreyzek[.]com
• dtodcart[.]site
• foxxbank[.]com
• healthproreview[.]com
• juicyplaymatesfinder[.]com
• lifemedicalplus[.]net
• linkwide[.]site
• lustypartnersfinder[.]com
• mouvobo[.]site
• mponiem[.]site
• ns2000wip[.]com
• piquantchicksfinder[.]com
• pretorya[.]site
• sosua[.]cz
• soupandselfcare[].com
• unlimitedpartnersfinder[.]com
• yummyflingsfinder[.]com
• yummyloversfinder[.]com
• zzczloh[.]site

IP Addresses

• 88.119.169[.]205
• 185.161.248[.]253
• 185.176.220[.]80
• 185.176.220[.]212

Samples

• 0b99db286f3708fedf7e2bb8f24df1af13811fe46b017b6c3e7e002852479430
• c22d25107e48962b162c935a712240c0a4486b38891855f0e53d5eb972406782
• c3a29c2457f33e54298a1c72a967aa161a96b0ae62ffbefe9e5e1c2057d7f3f4
• dfb3e5f557a17c8cdebdb5b371cf38c5a7ab491b2aeaad6b4e76459a05b44f28

Additional Resources

• DNS Archives - Unit 42, Palo Alto Networks
• Understanding DNS Tunneling Traffic in the Wild - Unit 42, Palo Alto Networks
• DNS Tunneling: how DNS can be (ab)used by malicious actors - Unit 42, Palo Alto Networks
• SolarStorm Timeline: Details of the Software Supply-Chain Attack - Unit 42, Palo Alto Networks
• Evasive Serpens - Unit 42, Palo Alto Networks
• DarkHydrus delivers new Trojan that can use Google Drive for C2 communications - Unit 42, Palo Alto Networks
• DNS Tunneling in the Wild: Overview of OilRig's DNS Tunneling - Unit 42, Palo Alto Networks
• OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory - Unit 42, Palo Alto Networks
• xHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunneling for Command and Control - Unit 42, Palo Alto Networks
• xHunt Campaign: New PowerShell Backdoor Blocked Through DNS Tunnel Detection - Unit 42, Palo Alto Networks
• Leveraging DNS Tunneling for Tracking and Scanning - Unit 42, Palo Alto Networks

Public link

Please use the above public link if you want to share this noodl on another website.