S0270: RogueRobin
RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#. [1][2]
Analyst context for executives and security teams
RogueRobin matters because it represents a Windows payload with PowerShell and C# components and a broad set of post-compromise behaviors: execution through scripting and command shell activity, discovery of users, processes, system details, and security tools, persistence through startup mechanisms, command-and-control over web services, file transfer, screen capture, and obfuscation/encoding. For leaders, the decision value is not the malware name alone; it is whether Windows endpoint, PowerShell, registry, process, and network telemetry are good enough to reconstruct this behavior during an incident.
Executive priority
Prioritize RogueRobin as a validation case for Windows endpoint visibility, PowerShell governance, persistence monitoring, and command-and-control detection. The ATT&CK relationship to DarkHydrus provides threat-intelligence context, but local risk decisions should focus on whether controls can detect and investigate the mapped behaviors. Executives should ask whether SOC and IR teams can prove collection of PowerShell logs, command-line process data, registry/startup changes, WMI activity, web-service communications, file ingress, and screen-capture indicators, and whether those records are retained long enough to support incident response and compliance evidence.
Technical view
ATT&CK does not provide a dedicated detection section for RogueRobin, so defenders should validate coverage through its mapped techniques. On Windows, focus on PowerShell and Windows Command Shell execution, WMI activity, regsvr32 proxy execution, Run Key and Startup Folder persistence, shortcut modification, discovery commands or APIs for users/processes/system/network/security tools, deobfuscation or decoding activity, encoded or obfuscated command content, ingress tool transfer, bidirectional web-service C2 patterns, and screen capture behavior. Treat the DarkHydrus relationship as context for intelligence enrichment rather than proof of activity in the environment.
Likely telemetry
- Windows endpoint process creation events with command-line arguments
- PowerShell script block, module, and operational logs where enabled
- WMI execution and management activity logs
- Registry change telemetry for Run Keys and startup-related locations
- File system telemetry for Startup Folder and shortcut creation or modification
Detection direction
- Build detections around behavior clusters rather than the malware name: scripting execution plus discovery, persistence, obfuscation, and outbound web-service communication is more durable than a single indicator.
- Tune PowerShell analytics for encoded, obfuscated, or unusual script execution while accounting for administrative automation to reduce false positives.
- Monitor WMI, cmd.exe, powershell.exe, and regsvr32.exe usage with parent-child process context; legitimate administration can be noisy, so baselines by host role and user group are important.
- Validate registry and Startup Folder monitoring for both new persistence entries and suspicious shortcut changes.
- Review outbound web-service traffic for unusual bidirectional communication patterns, especially where endpoint context shows recent scripting, discovery, or tool transfer activity.
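As an added illustration of the behavior-cluster approach described above (example code written for this page, not ATT&CK, Unit 42 or DarkHydrus tooling), the Python below classifies constructed endpoint events into the clusters named in the guidance and flags a host only when several distinct clusters fall inside one time window. The event shape, the regex patterns, the 30-minute window and the three-cluster threshold are all assumptions; a real deployment would map them onto Sysmon, PowerShell operational and proxy fields and tune them per host role.

```python
"""Behavior-cluster correlation over constructed endpoint telemetry.

Added example for this page; not ATT&CK, Unit 42 or DarkHydrus code. The event
shape, patterns, window and threshold are assumptions for illustration.
"""
import re
from datetime import datetime, timedelta

# (cluster, event type, pattern). The clusters are the behavior groups named in
# the detection guidance; the regexes are assumptions written to match the
# ATT&CK procedure text for RogueRobin, not vendor signatures.
CLUSTER_RULES = [
    ("scripting",   "process",  re.compile(r"\b(?:powershell|cmd|regsvr32)\.exe\b", re.I)),
    ("obfuscation", "process",  re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s|FromBase64String|DeflateStream", re.I)),
    ("discovery",   "wmi",      re.compile(r"\bWin32_(?:BIOS|ComputerSystem|Process|OperatingSystem)\b", re.I)),
    ("discovery",   "process",  re.compile(r"\b(?:whoami|tasklist|ipconfig|Get-Process)\b", re.I)),
    ("persistence", "file",     re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)),
    ("persistence", "registry", re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)),
    ("c2",          "network",  re.compile(r"(?:^|\.)(?:drive\.google\.com|www\.googleapis\.com)$", re.I)),
]


def classify(event):
    """Return the set of clusters one event contributes to (empty for benign noise)."""
    return {cluster for cluster, etype, pattern in CLUSTER_RULES
            if event["type"] == etype and pattern.search(event["detail"])}


def correlate(events, window_seconds=1800, min_clusters=3):
    """Flag hosts where at least `min_clusters` distinct clusters fall inside a
    `window_seconds` span. Returns {host: sorted clusters of the widest span}."""
    window = timedelta(seconds=window_seconds)
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], []).append(
            (datetime.fromisoformat(ev["ts"]), classify(ev)))
    flagged = {}
    for host, items in per_host.items():
        items.sort(key=lambda item: item[0])
        best = set()
        for i, (start, _) in enumerate(items):      # slide the window start over each event
            seen = set()
            for ts, clusters in items[i:]:
                if ts - start > window:
                    break
                seen |= clusters
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_clusters:
            flagged[host] = sorted(best)
    return flagged


# Constructed telemetry for two hosts (not real incident data). The base64 text
# and file names are placeholders.
SAMPLE_EVENTS = [
    # WS01: hidden encoded PowerShell spawned via cmd.exe from Excel, WMI queries of
    # the kind the procedure table describes, a Startup-folder .lnk, then Google Drive
    {"ts": "2024-05-01T10:00:05", "host": "WS01", "type": "process",
     "detail": "cmd.exe /c powershell.exe -w hidden -e SQBFAFgAIAAuAC4ALgA= (parent: EXCEL.EXE)"},
    {"ts": "2024-05-01T10:00:09", "host": "WS01", "type": "wmi", "detail": "SELECT * FROM Win32_BIOS"},
    {"ts": "2024-05-01T10:00:10", "host": "WS01", "type": "wmi", "detail": "SELECT * FROM Win32_Process"},
    {"ts": "2024-05-01T10:00:12", "host": "WS01", "type": "file",
     "detail": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"ts": "2024-05-01T10:00:20", "host": "WS01", "type": "network", "detail": "drive.google.com"},
    # WS02: an administrator's scheduled script plus a Run key; scripting and
    # persistence only, so it stays below the three-cluster threshold
    {"ts": "2024-05-01T10:02:00", "host": "WS02", "type": "process",
     "detail": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ts": "2024-05-01T10:02:30", "host": "WS02", "type": "registry",
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Backup"},
]

if __name__ == "__main__":
    for host, clusters in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(clusters)}")
```

Run as a script it prints only WS01 with all five clusters; WS02 stays quiet because an administrator's script plus a Run key is two clusters, which is the false-positive case the guidance warns about. Shrinking the window to a few seconds also drops WS01, which is the reason the window must be chosen from observed dwell times rather than guessed.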
Mitigation priorities
- Harden and monitor PowerShell and Windows command execution using policy, logging, and least-privilege administration appropriate to the environment.
- Restrict unnecessary use of WMI, regsvr32, and other administrative execution paths where business operations allow, and monitor exceptions closely.
- Protect persistence locations such as Run Keys, Startup Folders, and shortcuts with change monitoring and least-privilege controls.
- Limit unmanaged outbound web access and improve inspection of web-service communications consistent with business and privacy requirements.
- Maintain endpoint visibility capable of detecting discovery, file transfer, decoding/deobfuscation, and screen capture behaviors.
Analyst notes and limits
RogueRobin is described by ATT&CK as a payload used by DarkHydrus and developed in PowerShell and C#. Its relationship set maps it to execution, discovery, defense evasion, persistence, command-and-control, collection, and ingress tool transfer behaviors. The supplied object lists Windows as the only platform; some of the mapped techniques also apply to other platforms, but this analysis treats RogueRobin coverage as a Windows-focused validation exercise.
Official ATT&CK detection text is not provided for this malware object, and the supplied fields do not include indicators, hashes, infrastructure, active exploitation claims, or environment-specific prevalence. Any statement about exposure, detection success, or current activity requires local telemetry, threat intelligence validation, and incident evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.009 | Shortcut Modification | RogueRobin establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in. [1][2] |
| Enterprise | T1047 | Windows Management Instrumentation | RogueRobin uses various WMI queries to check if the sample is running in a sandbox. [1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | RogueRobin can save a new file to the system from the C2 server. [1][2] |
| Enterprise | T1016 | System Network Configuration Discovery | RogueRobin gathers the IP address and domain from the victim's machine. [1] |
| Enterprise | T1218.010 | Regsvr32 | RogueRobin uses regsvr32.exe to run a .sct file for execution. [2] |
| Enterprise | T1033 | System Owner/User Discovery | RogueRobin collects the victim's username and whether that user is an admin. [1] |
| Enterprise | T1027.010 | Command Obfuscation | The PowerShell script with the RogueRobin payload was obfuscated using the COMPRESS technique in `Invoke-Obfuscation`. [1] (Invoke-Obfuscation, GitHub) |
| Enterprise | T1132.001 | Standard Encoding | RogueRobin base64 encodes strings that are sent to the C2 over its DNS tunnel. [1] |
| Enterprise | T1102.002 | Bidirectional Communication | RogueRobin has used Google Drive as a Command and Control channel. [2] |
| Enterprise | T1059.003 | Windows Command Shell | RogueRobin uses Windows Script Components. [1][2] |
| Enterprise | T1497.001 | System Checks | RogueRobin uses WMI to check the BIOS version for VBOX, bochs, qemu, virtualbox, and vm as evidence that the script might be executing within an analysis environment. [1][2] |
| Enterprise | T1518.001 | Security Software Discovery | RogueRobin enumerates running processes to search for Wireshark and the Windows Sysinternals suite. [1][2] |
| Enterprise | T1057 | Process Discovery | RogueRobin checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals. [1] |
| Enterprise | T1082 | System Information Discovery | RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name. [1] |
| Enterprise | T1059.001 | PowerShell | RogueRobin uses a command prompt to run a PowerShell script from Excel. [1] To assist in establishing persistence, RogueRobin creates |
| Enterprise | T1113 | Screen Capture | RogueRobin has a command named |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | RogueRobin decodes an embedded executable using base64 and decompresses it. [2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | RogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence. [1] |
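Several rows above describe layers an analyst has to peel before the procedure text becomes visible in script block logs: a COMPRESS-style wrapper from Invoke-Obfuscation (T1027.010), base64 decoding followed by decompression (T1140), and the analysis-environment checks the recovered script performs (T1497.001, T1518.001). The Python below is an added example written for this page, not RogueRobin, DarkHydrus or Invoke-Obfuscation code: it builds a COMPRESS-style one-liner around a constructed stand-in script, recovers the plaintext, and lists which of the marker strings named in the table appear in it. The wrapper layout (base64, then raw Deflate, then IEX) and the inner script are assumptions; only the marker list comes from the table.

```python
"""Peel a COMPRESS-style obfuscation layer and triage the recovered script.

Added example for this page; not RogueRobin, DarkHydrus or Invoke-Obfuscation
code. The wrapper layout (base64, then raw Deflate, then IEX) and the inner
script are assumptions used to illustrate T1027.010, T1140 and T1497.001.
"""
import base64
import re
import zlib

# Strings the procedure table says RogueRobin looks for when deciding whether it
# is under analysis (BIOS version substrings and process names).
ANALYSIS_MARKERS = ["VBOX", "bochs", "qemu", "virtualbox", "vm", "Wireshark", "Sysinternals"]

B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def compress_layer(script: str) -> str:
    """Wrap `script` the way a COMPRESS-style obfuscator does (raw Deflate, base64,
    DeflateStream reader, IEX). Used here only to produce a realistic input."""
    deflater = zlib.compressobj(level=9, wbits=-15)          # wbits=-15: raw Deflate, no zlib header
    raw = deflater.compress(script.encode("utf-8")) + deflater.flush()
    blob = base64.b64encode(raw).decode("ascii")
    return ("IEX (New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream("
            f"[IO.MemoryStream][Convert]::FromBase64String('{blob}'),"
            "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::UTF8)).ReadToEnd()")


def peel_compress(one_liner: str) -> str:
    """Recover the plaintext script from a COMPRESS-style wrapper.

    Raises ValueError if no base64 literal is present. Tries raw Deflate first
    (what .NET DeflateStream emits), then zlib/gzip framing in case a variant
    used GZipStream instead.
    """
    match = B64_LITERAL.search(one_liner)
    if not match:
        raise ValueError("no FromBase64String(...) literal found")
    blob = base64.b64decode(match.group(1))
    try:
        return zlib.decompress(blob, wbits=-15).decode("utf-8")
    except zlib.error:
        return zlib.decompress(blob, wbits=zlib.MAX_WBITS | 32).decode("utf-8")


def analysis_indicators(script: str) -> list:
    """Return the analysis-environment markers present in a recovered script, in
    table order, so a triage note can state what the sample was checking for."""
    lowered = script.lower()
    return [m for m in ANALYSIS_MARKERS if m.lower() in lowered]


# Constructed stand-in for an inner script (not the DarkHydrus payload): a BIOS
# version check and a process check shaped like the table's procedure text.
# procexp/procmon stand in for Sysinternals process names.
INNER_SCRIPT = (
    "$bios = (Get-WmiObject Win32_BIOS).SMBIOSBIOSVersion\n"
    "if ($bios -match 'VBOX|bochs|qemu|virtualbox|vm') { exit }\n"
    "if (Get-Process | Where-Object { $_.Name -match 'Wireshark|procexp|procmon' }) { exit }\n"
)

if __name__ == "__main__":
    wrapped = compress_layer(INNER_SCRIPT)
    print(wrapped[:80] + "...")
    recovered = peel_compress(wrapped)
    print(recovered)
    print("checks for:", ", ".join(analysis_indicators(recovered)))
```

The decoder deliberately does not execute anything: it extracts the base64 literal with a regex and inflates it in Python, which is the safe way to read a wrapper pulled from a 4104 script block event. Nested layers (COMPRESS applied on top of another encoding) need the same call repeated until the output no longer contains a `FromBase64String` literal.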
Groups, software, and campaigns
G0079: DarkHydrus
DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. [1] [2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | 1ae914f8cfcb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Unit 42 DarkHydrus July 2018: Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
[2] Unit42 DarkHydrus Jan 2019: Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
[3] MITRE ATT&CK: S0270 RogueRobin (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.