Dog Hunt: Finding Decoy Dog Toolkit via Anomalous DNS Traffic

Infoblox identified a rare DNS-based toolkit, named Decoy Dog, built around the open-source Pupy RAT and observed in enterprise networks through low-volume DNS beacons followed by encrypted DNS traffic. The report notes a possible link to Earth Berberoka activity and outlines three infrastructure models (FreeDNS, NameCheap-registered domains with Russian name servers, and ChangeIP dynamic DNS), with mitigation guidance for defenders. #DecoyDog #PupyRAT #EarthBerberoka #Russia

Keypoints

  • Decoy Dog is a cohesive DNS-based toolkit built around Pupy RAT, seen exclusively on enterprise networks and observed across multiple domains.
  • The toolkit features a unique DNS signature, with beacon-like activity that is low in volume and highly anomalous compared to standard DNS traffic.

MITRE Techniques

  • [T1071.004] Application Layer Protocol: DNS – “Before Decoy Dog communicates with the C2 via encrypted DNS packets, it typically sends a DNS request to one of the C2 ping subdomains…”
  • [T1572] Protocol Tunneling – “The DNS queries had unusual characteristics at both the second-level domain (SLD) and FQDN level” and “followed by a continuous series of DNS queries to subdomains with encrypted and high entropy labels.”
  • [T1583.001] Acquire Infrastructure: Domains – “three distinct infrastructure choices” and mentions of FreeDNS, NameCheap, and ChangeIP (dynamic DNS) supporting C2 domains.
  • [T1027] Obfuscated Files and Information – “FQDNs containing at least two labels… encoded using Base32… padding observed as ‘9’ for DNS-compatible strings” and the translation/dictionary that converts Base32 to DNS hostname formats.
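The DNS traits listed above (a plain precursor query to the C2 domain, then a stream of FQDNs whose subdomain carries two or more high-entropy Base32 labels with ‘9’ in place of ‘=’ padding) can be turned into a first-pass hunt over resolver logs. The Python below is an added example, not code from the Infoblox report or from Pupy: the log layout, the domain names, the “ping” label, the length and entropy thresholds, and the last-two-labels notion of a registrable domain are all assumptions.

```python
"""Heuristic hunt for Decoy Dog-style DNS traffic (added example, not Infoblox or Pupy code).

Scores DNS query logs per registrable domain on the traits the report describes:
a plain precursor query followed by FQDNs whose subdomain labels are Base32-shaped
(lowercase a-z2-7 with '9' standing in for '=' padding) and have high entropy.
"""
import base64
import hashlib
import math
import re
from collections import defaultdict

# RFC 4648 Base32 alphabet, lowercased, with '9' in place of '=' padding as the
# report observed ('9' is outside the alphabet, so the substitution cannot collide).
B32_LABEL = re.compile(r"^[a-z2-7]+9{0,6}$")
MIN_ENCODED_LEN = 16     # assumption: shorter labels are too often ordinary hostnames
ENTROPY_THRESHOLD = 3.5  # bits/char; Base32 of a 32-byte encrypted chunk sits near 4.5


def encode_label(data: bytes) -> str:
    """Base32-encode one DNS label in the hostname-safe form the report describes."""
    return base64.b32encode(data).decode("ascii").lower().replace("=", "9")


def decode_label(label: str) -> bytes:
    """Reverse encode_label so the raw bytes of a captured label can be recovered."""
    return base64.b32decode(label.upper().replace("9", "="))


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_encoded_label(label: str) -> bool:
    """True for a label that looks like '9'-padded Base32 of non-trivial data."""
    return (len(label) >= MIN_ENCODED_LEN
            and B32_LABEL.match(label) is not None
            and shannon_entropy(label) >= ENTROPY_THRESHOLD)


def split_name(qname: str):
    """(subdomain labels, registrable domain). Assumption: the registrable domain is the
    last two labels; a public-suffix list would handle co.uk-style suffixes and
    dynamic-DNS parents such as ignorelist.com (cbox4.ignorelist.com above) correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def profile_dns_log(lines):
    """Per registrable domain: query volume, distinct FQDNs, encoded-query count,
    label entropies, and whether the first query seen was a plain (ping-style) one."""
    profiles = defaultdict(lambda: {"queries": 0, "fqdns": set(), "encoded": 0,
                                    "entropies": [], "first_plain": None})
    for line in lines:
        if not line.strip():
            continue
        _ts, _client, qname, _qtype = line.split()   # assumed log layout
        sub, sld = split_name(qname)
        enc = [lbl for lbl in sub if is_encoded_label(lbl)]
        encoded = len(enc) >= 2   # report: encoded FQDNs carry at least two labels
        p = profiles[sld]
        if p["first_plain"] is None:
            p["first_plain"] = not encoded
        p["queries"] += 1
        p["fqdns"].add(qname)
        if encoded:
            p["encoded"] += 1
            p["entropies"].extend(shannon_entropy(lbl) for lbl in enc)
    return profiles


def suspicious_slds(profiles, min_encoded=3, min_ratio=0.5):
    """Domains where most queries are encoded; low absolute volume is reported, not required."""
    return sorted(sld for sld, p in profiles.items()
                  if p["encoded"] >= min_encoded and p["encoded"] / p["queries"] >= min_ratio)


def _fake_payload(i: int) -> bytes:
    """Deterministic stand-in for one encrypted Pupy message (constructed, not real traffic)."""
    return (hashlib.sha256(b"decoy-dog-sample-%d" % i).digest()
            + hashlib.sha256(b"decoy-dog-sample-%d-b" % i).digest())


def build_sample_log():
    """Constructed log lines '<time> <client> <qname> <qtype>'; every domain is invented."""
    lines = ["2023-04-01T10:00:00Z 10.1.2.3 www.example.test A",
             "2023-04-01T10:00:01Z 10.1.2.3 cdn-assets.example.test A",
             "2023-04-01T10:00:02Z 10.1.2.4 autodiscover.corp.test A",
             "2023-04-01T10:00:03Z 10.1.2.3 mail.example.test MX",
             # plain precursor query; the report does not publish the real ping subdomains
             "2023-04-01T10:00:05Z 10.1.2.9 ping.c2-example.test A"]
    for i in range(6):
        p = _fake_payload(i)   # two 32-byte chunks -> two 56-char labels, within the 63 limit
        fqdn = f"{encode_label(p[:32])}.{encode_label(p[32:])}.c2-example.test"
        lines.append(f"2023-04-01T10:00:{10 + i * 7:02d}Z 10.1.2.9 {fqdn} A")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    prof = profile_dns_log(SAMPLE_LOG)
    for sld in suspicious_slds(prof):
        p = prof[sld]
        print(f"{sld}: {p['queries']} queries, {len(p['fqdns'])} FQDNs, {p['encoded']} encoded, "
              f"mean label entropy {sum(p['entropies']) / len(p['entropies']):.2f}, "
              f"plain query first={p['first_plain']}")
```

This is a triage filter, not a signature: legitimate DNS-heavy software (the report itself cites Freegate VPN traffic as an unrelated look-alike) can produce high-entropy labels, so hits should be corroborated against the published domains, name-server IP and Pupy certificate fingerprints before being treated as Decoy Dog. Raising `min_encoded` or feeding the `first_plain` flag into the score trades recall for precision.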

Indicators of Compromise

  • [Domain] claudfront.net – Pupy C2
  • [Domain] allowlisted.net – Pupy C2
  • [Domain] atlas-upd.com – Pupy C2
  • [Domain] ads-tm-glb.click – Pupy C2
  • [Domain] cbox4.ignorelist.com – Pupy C2
  • [Domain] hsdps.cc – Pupy C2
  • [Temporary Domain] claudfront.ml – Temporary name server domain for claudfront.net
  • [SHA-256] e47db5ef2a23a156856b5ea3b156a32fc8b26fb1a5c496f62e74c8ca8bf4b924 – Pupy SSL certificate fingerprint on 213.183.48.75
  • [SHA-256] 84a2ed4270aaee360019f8136e464fbddb83d20ade79b43b712c711a632dfa14 – Pupy SSL certificate fingerprint on 83.166.240.52
  • [SHA-256] fa075deeb0af84792a08f6be728ea15f1cf6183443cc5ee8a0632c7b4209675f – Pupy SSL certificate fingerprint on 5.252.176.22
  • [SHA-256] 4996180b2fa1045aab5d36f46983e91dadeebfd4f765d69fa50eba4edf310acf – SHA-256 hash of a malware sample that communicates with the domains above
  • [IPv4] 5.252.176.63 – IPv4 address of the ns1/ns2 name servers for the Decoy Dog domains
  • [IPv4] 213.183.48.75 – IPv4 address associated with Pupy/Decoy Dog infrastructure
  • [Domain] wmssh.com – not a Decoy Dog indicator: an unrelated domain cited in the report as an OSINT example, associated with Freegate VPN activity

Read more: https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/dog-hunt-finding-decoy-dog-toolkit-via-anomalous-dns-traffic/