Hellhounds: Operation Lahat. Part 2

PT ESC’s report on Hellhounds’ Operation Lahat reveals a long-running campaign against Russian infrastructure, expanding from Linux-based Decoy Dog loaders to Windows backdoors and loaders, with at least 48 confirmed victims by mid-2024. The group uses supply-chain-style entry, masquerades as legitimate software, and employs multiple C2 channels (net-sensors.net, dynamic-dns.net) along with obfuscation and encryption to maintain a covert foothold. #Hellhounds #OperationLahat #DecoyDog #PupyRAT #Sliver #NetSensors #DynamicDNS #PositiveTechnologies

Keypoints

  • Hellhounds (Operation Lahat) targeted Russian organizations, expanding from Linux backdoors to Windows infrastructure with 48 confirmed victims by mid-2024.
  • First-stage Decoy Dog Loader for Windows installs Windows services (Microsoft Account Service / Microsoft Viewer Service) and decrypts domain lists to obtain keys for payloads.
  • Second-stage Decoy Dog for Windows is based on the Pupy RAT and uses C2 servers net-sensors.net and dynamic-dns.net, with no dynamic configuration in the samples observed.
  • Initial access often occurred via a contractor and compromised SSH credentials, with reported use of ISO images impersonating legitimate services like iMind.
  • On Linux, the 3snake tooling was used to harvest credentials and support movement through the network; it intercepts multiple system calls and protects the collected data with RC4.
  • Malware authors employed extensive obfuscation and masquerading (as Positive Technologies and other legitimate processes) to evade detection and maintain persistence.

MITRE Techniques

  • [T1195] Supply Chain Compromise – The attackers presumably penetrated infrastructures by using supply chain attacks. “The malicious actor presumably penetrated the infrastructures by using supply chain attacks.”
  • [T1078] Valid Accounts – The attackers gained access via compromised SSH login credentials. “By compromising SSH login credentials, the malicious actor got in and installed the Decoy Dog backdoor.”
  • [T1036] Masquerading – The actors disguised tools as legitimate software processes including Positive Technologies products. “The malicious actor imitated MaxPatrol SIEM and Microsoft services.”
  • [T1543.003] Create or Modify System Process: Windows Service – They installed services named “Microsoft Account Service” and “Microsoft Viewer Service” to run backdoors. “installed a service named ‘Microsoft Account Service’ or ‘Microsoft Viewer Service’, which ran the PE executable …”
  • [T1071.004] Application Layer Protocol: DNS – The backdoor communicated using DNS-based C2: “C2: net-sensors.net and DGA domains: dynamic-dns.net.”
  • [T1027] Obfuscated Files and Information – The configuration and payloads were encrypted and decrypted at run time (CLEFIA in CBC mode), and domains and paths were decrypted prior to execution. “The block … is encrypted with the CLEFIA algorithm in CBC mode.”

Indicators of Compromise

  • [Domains] net-sensors.net, dynamic-dns.net – Domains used in C2/configuration and key material generation
  • [SHA-256] 9a977571296ae1548c32df94be75eec2a414798bee7064b0bf44859e886a0cfa, 4d30fd05c3bdac792e0a011892e2cad02818436484e81b6de6a02928149bc92d – Hashes for Decoy Dog Windows loaders
  • [File name] AccSrvX64__STABLE__2016-11-10.exe, R_TARIF.VIEWS_X86.EXE – File names of the Windows backdoor payload components
  • [IP address] 31.184.204.42 – C2 address observed in Sliver samples
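The service-installation and masquerading behaviour above (T1543.003, T1036) together with the IoC list lend themselves to a simple log check. The following is an added example, not code from the PT ESC report: it scans constructed Windows Event ID 7045 (service installed) records, flattened to key="value" text with assumed field names and an assumed SHA256 enrichment field, for the listed service names, file names and hashes, and adds one heuristic of my own (a Microsoft-named service whose binary sits outside the Windows directory) that the report does not state.

```python
import re

# Indicators taken from the report summary on this page.
MASQUERADE_SERVICE_NAMES = {"microsoft account service", "microsoft viewer service"}
IOC_FILE_NAMES = {"accsrvx64__stable__2016-11-10.exe", "r_tarif.views_x86.exe"}
IOC_SHA256 = {
    "9a977571296ae1548c32df94be75eec2a414798bee7064b0bf44859e886a0cfa",
    "4d30fd05c3bdac792e0a011892e2cad02818436484e81b6de6a02928149bc92d",
}

# Constructed 7045 (service installed) records flattened to key="value" pairs; field names are assumed.
SAMPLE_EVENTS = [
    'EventID="7045" ServiceName="Microsoft Account Service" ImagePath="C:\\ProgramData\\AccSrvX64__STABLE__2016-11-10.exe" SHA256="9a977571296ae1548c32df94be75eec2a414798bee7064b0bf44859e886a0cfa"',
    'EventID="7045" ServiceName="Windows Update Helper" ImagePath="C:\\Users\\Public\\R_TARIF.VIEWS_X86.EXE" SHA256="0000000000000000000000000000000000000000000000000000000000000000"',
    'EventID="7045" ServiceName="Microsoft Edge Update Service" ImagePath="C:\\Windows\\System32\\svchost.exe -k netsvcs" SHA256="1111111111111111111111111111111111111111111111111111111111111111"',
    'EventID="7045" ServiceName="Microsoft Sync Service" ImagePath="C:\\Users\\Public\\sync.exe" SHA256="2222222222222222222222222222222222222222222222222222222222222222"',
    'EventID="7036" ServiceName="Microsoft Account Service" ImagePath="" SHA256=""',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
EXE_RE = re.compile(r'"?([^"]+?\.exe)', re.IGNORECASE)

def parse_event(line):
    """Turn one flattened record into a dict of field values."""
    return dict(FIELD_RE.findall(line))

def image_basename(image_path):
    """Return the lowercase executable name from an ImagePath, ignoring arguments."""
    m = EXE_RE.match(image_path)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else ""

def classify(event):
    """Return the reasons a service-install event matches; an empty list means no hit."""
    if event.get("EventID") != "7045":
        return []
    name, path = event.get("ServiceName", "").lower(), event.get("ImagePath", "")
    exe, reasons = image_basename(path), []
    if name in MASQUERADE_SERVICE_NAMES:
        reasons.append("service name matches Decoy Dog masquerade name")
    if exe in IOC_FILE_NAMES:
        reasons.append("binary name matches Decoy Dog IoC")
    if event.get("SHA256", "").lower() in IOC_SHA256:
        reasons.append("SHA-256 matches Decoy Dog loader")
    # Heuristic (my assumption, not from the report): a "Microsoft ..." service whose binary lives outside the Windows directory.
    if name.startswith("microsoft") and exe and not path.lstrip('"').lower().startswith("c:\\windows\\"):
        reasons.append("Microsoft-named service installed outside the Windows directory")
    return reasons

def scan(lines):  # index -> reasons, for every record that matched
    return {i: r for i, l in enumerate(lines) if (r := classify(parse_event(l)))}
```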

Read more: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat-part-2/