G0079: DarkHydrus
DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. [1] [2]
Analyst context for executives and security teams
DarkHydrus matters because MITRE describes it as a group targeting Middle East government and educational institutions and using a mix of open-source tools and custom payloads. For defenders, the practical concern is not the name alone but the pattern: spearphishing attachments, malicious documents, PowerShell execution, credential theft/forced authentication, and post-compromise tooling such as Mimikatz, Cobalt Strike, and RogueRobin.
Executive priority
Treat this as a readiness check for targeted intrusion resilience, especially where public-sector, education, or Middle East exposure is relevant. Leaders should ask whether email security, endpoint visibility, Windows credential protections, and incident response playbooks can prove coverage for document-led initial access and credential-access activity. This object is also useful for audit and risk discussions because it maps named threat reporting to concrete ATT&CK behaviors that can be tested without assuming current exposure.
Technical view
MITRE provides no group-level detection text and no platforms for the group itself, so validation should be driven by the related ATT&CK relationships. Prioritize coverage for spearphishing attachments and malicious files, Office template injection, PowerShell execution, hidden windows, forced authentication over Windows authentication mechanisms, and credential dumping/tool activity associated with Mimikatz, Cobalt Strike, and RogueRobin. The relationship context is Windows-heavy, though some related techniques/tools also list Linux and macOS; do not infer enterprise-wide platform coverage without local telemetry confirmation.
Likely telemetry
- Email security logs for targeted messages, attachments, file types, sender reputation, and user delivery/open events
- Endpoint process telemetry for Office child processes, PowerShell execution, unusual command lines, and hidden-window style execution
- PowerShell logging where enabled, including script block/module/command history evidence
- Windows authentication telemetry, especially SMB/NTLM-related activity relevant to forced authentication
- Endpoint security alerts or forensic artifacts associated with credential dumping tools such as Mimikatz
Detection direction
- Validate that phishing-attachment detections are tied to post-delivery endpoint behavior, not only gateway blocking, because user execution is part of the related technique set.
- Tune detections for Office spawning PowerShell or other interpreters while accounting for legitimate administrative or macro-enabled business workflows.
- Confirm PowerShell visibility is sufficient to distinguish normal administration from suspicious execution patterns; absence of script logging is a material blind spot.
- Hunt for forced-authentication patterns such as unexpected SMB/NTLM authentication attempts initiated by document handling or user workstations.
- Use tool detections for Mimikatz and Cobalt Strike as part of a behavior chain, not as standalone assurance, because DarkHydrus is described as using both open-source tools and custom payloads.
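The detection items above, expressed as code so they can be tried against real process and network telemetry. This is an added example written for this page, not MITRE or Glexia code: the events are constructed here in a Sysmon-like shape (process create and network connect) with field names chosen for the example, the paths and IP addresses are placeholders, and the base64 blob is filler rather than a real payload.

```python
"""Detection logic for the items above, run over constructed endpoint events.
Added example, not MITRE or Glexia code. Events are dicts in a Sysmon-like shape
(process create and network connect); the field names are this example's own
choice, and IPs, paths and the encoded blob are placeholders."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# -WindowStyle Hidden and its abbreviations (-w hidden, -win h, ...)
HIDDEN_RE = re.compile(r"-w(?:in(?:dowstyle)?)?\s+h(?:idden)?\b", re.IGNORECASE)
# -EncodedCommand / -enc / -e followed by a base64 blob
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
SMB_PORTS = {445, 139}


def image_name(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_private(ip):
    """RFC 1918 plus loopback; anything else counts as external for SMB purposes."""
    return ip.startswith(("10.", "192.168.", "127.")) or \
        re.match(r"172\.(1[6-9]|2\d|3[01])\.", ip) is not None


def analyze(events):
    """Return (rule, event_id) pairs. Several rules firing on the same event id is
    the behavior chain the text asks for, rather than one standalone signature."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            parent = image_name(ev["parent_image"])
            image = image_name(ev["image"])
            cmd = ev["command_line"]
            if parent in OFFICE_PARENTS and image in INTERPRETERS:
                findings.append(("office_spawns_interpreter", ev["id"]))
            if image in POWERSHELL:
                if HIDDEN_RE.search(cmd):
                    findings.append(("powershell_hidden_window", ev["id"]))
                if ENCODED_RE.search(cmd):
                    findings.append(("powershell_encoded_command", ev["id"]))
        elif ev["type"] == "network":
            # Office reaching SMB on a non-private host: the forced-authentication
            # path a remote template or UNC link would take.
            if image_name(ev["image"]) in OFFICE_PARENTS and ev["dst_port"] in SMB_PORTS \
                    and not is_private(ev["dst_ip"]):
                findings.append(("office_smb_to_external", ev["id"]))
    return findings


# Constructed sample events (placeholder paths, addresses and blob).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -nop -ep bypass -e QQBCAEMARABFAEYARwBIAEkASgBLAEwATQBOAE8AUAA="},
    {"id": 2, "type": "process",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\admin\patch-report.ps1"},
    {"id": 3, "type": "network",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dst_ip": "203.0.113.45", "dst_port": 445},
    {"id": 4, "type": "network",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dst_ip": "10.20.30.40", "dst_port": 445},
]

if __name__ == "__main__":
    for rule, event_id in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 2 (an administrator running a signed script from Explorer) produces nothing, which is the tuning point in the second item above; event 4 (Word talking SMB to an internal file server) is also silent, so the forced-authentication rule only fires when the destination is outside private address space.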
Mitigation priorities
- Start with email and document hardening: attachment filtering, sandboxing where available, user-reporting workflows, and restrictions on risky document behaviors such as external template loading.
- Reduce PowerShell abuse opportunities through least privilege, execution policy governance, enhanced logging, and administrative-use baselining.
- Harden Windows credential exposure by limiting NTLM/SMB risk where feasible, protecting privileged accounts, and monitoring for forced-authentication paths.
- Prepare IR playbooks for phishing-to-credential-access scenarios, including containment steps for suspected credential dumping and post-exploitation tools.
- Use the ATT&CK relationships to scope tabletop exercises and detection validation, rather than relying on the group name as a control objective.
Analyst notes and limits
The supplied ATT&CK object identifies DarkHydrus, aliases, sector/geographic targeting from cited reporting, and relationships to several software and techniques. The strongest defensive value comes from converting those relationships into control validation: phishing/document handling, PowerShell, Windows authentication, credential dumping, and post-compromise tooling.
MITRE does not provide official detection guidance, group-level tactics, or group-level platforms for this object. The related techniques and software provide useful defensive context, but local relevance depends on the organization’s geography, sector, technology stack, telemetry retention, and exposure to the cited behaviors.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.002 | User Execution: Malicious File | DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded. [1][2] |
| Enterprise | T1187 | Forced Authentication | DarkHydrus used Template Injection to launch an authentication window for users to enter their credentials. (Unit 42 Phishery Aug 2018) |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | DarkHydrus has used |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | DarkHydrus leveraged PowerShell to download and execute additional scripts for execution. [1][2] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the "attachedTemplate" technique to load a template from a remote server. [1][2] (Unit 42 Phishery Aug 2018) |
| Enterprise | T1221 | Template Injection | DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication. (Unit 42 Phishery Aug 2018) |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | DarkHydrus has obtained and used tools such as Mimikatz, Empire, and Cobalt Strike. [1] |
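The two document lures in the table (a Word file carrying an external attachedTemplate relationship, which is how T1221 sets up T1187, and an Excel Web Query .iqy file) can be checked statically before any user reaches the enable button, which is also what the mitigation item on restricting external template loading relies on. The following is an added example, not code from the page, Unit 42 or MITRE: it constructs a minimal .docx and a sample .iqy in memory (the hostnames are invented placeholders, not indicators from the reports) and shows the inspection a mail gateway or sandbox pre-filter could apply.

```python
"""Static checks for the two document lures in the table above: a Word file with an
external attachedTemplate relationship (T1221, used for T1187 forced authentication)
and an Excel Web Query (.iqy) file. Added example; the sample files are constructed
here and the URLs are placeholders, not indicators from the reports."""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def build_sample_docx(template_target, external=True):
    """Construct a minimal .docx whose settings.xml points at a template.
    external=True mirrors what Phishery-style injection produces: a relationship
    with TargetMode="External" and a remote URL as the Target."""
    rel = f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}"'
    rel += ' TargetMode="External"/>' if external else "/>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        z.writestr("word/settings.xml",
                   f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{PKG_RELS_NS}">{rel}</Relationships>')
    return buf.getvalue()


def find_remote_templates(docx_bytes):
    """Return (rels_part, target) for every attachedTemplate relationship whose
    target is external. A local template (no TargetMode) is normal Word behavior;
    a remote http(s) or UNC target is the template-injection indicator, and Word
    will authenticate to it when the document opens."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_RELS_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target")))
    return hits


def parse_iqy(text):
    """Parse an Excel Web Query file. The format is plain text: the query type
    ('WEB'), a version line, then the URL Excel fetches once the user enables
    the query. Returns None when the input is not a WEB query."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    return {"type": lines[0], "version": lines[1], "url": lines[2]}


# Constructed samples (placeholder hosts, not real indicators).
REMOTE_DOCX = build_sample_docx("http://template-host.example.net/Normal.dotm")
LOCAL_DOCX = build_sample_docx("../Templates/Normal.dotm", external=False)
IQY_SAMPLE = "WEB\r\n1\r\nhttp://files.example.net/report.txt\r\n"

if __name__ == "__main__":
    print("remote templates:", find_remote_templates(REMOTE_DOCX))
    print("local template  :", find_remote_templates(LOCAL_DOCX))
    print("iqy             :", parse_iqy(IQY_SAMPLE))
```

The check walks every .rels part rather than only word/_rels/settings.xml.rels because the relationship is what Word acts on; a document whose settings.xml looks clean but whose rels part still carries an external attachedTemplate target is the case worth catching. For .iqy files the URL on the third line is the whole story: Excel performs the request only after the user clicks enable, which is why the T1204.002 row and the T1566.001 row describe the same lure.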
Groups, software, and campaigns
S0002: Mimikatz
S0270: RogueRobin
RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#. [1][2]
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (object hashes and MITRE modification timestamps) so the versions can be compared. For MITRE's own release notes and roadmap, see the ATT&CK Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 79d82eaf46ba… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Unit 42 DarkHydrus July 2018. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
[2] Unit 42 Playbook Dec 2017. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
[3] DarkHydrus (alias entry; citation: Unit 42 DarkHydrus July 2018).
[4] mitre-attack G0079 (ATT&CK group entry).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.