Positive Technologies CSIRT analyzed a new, stealthier variant of the Decoy Dog backdoor (a Pupy-derived RAT) used by the Hellhounds APT to target Russian organizations, employing a modified UPX loader, host-specific encryption, DGA/DDNS-based C2 and encrypted telemetry. The campaign used impersonation (maxpatrol[.]net), encrypted dynamic configs (AES-CTR + elliptic-curve), and multiple evasive transports and injection techniques. #DecoyDog #Hellhounds

Keypoints

  • Positive Technologies found a modified Decoy Dog variant that targets specific Linux hosts and is actively used by the Hellhounds APT against Russian organizations.
  • The first-stage loader is a ~9 KB ELF protected by a modified UPX stub that, using only Linux syscalls, unpacks assembly shellcode; in the file the stub is followed by an encrypted configuration and the compressed shellcode.
  • The loader performs an anti-debug check (TracerPid in /proc/self/status), reads local host identifiers (e.g., /etc/machine-id), MD5-hashes the first one found and uses that hash as the key to decrypt the configuration and the CLEFIA-encrypted (128-bit) payload, so the sample only runs on the intended host.
  • Persistence is achieved by installing systemd service units (examples: /usr/bin/dcrond, /usr/bin/atd) and disguising binaries as legitimate services/libraries.
  • Main payload is a modified Pupy RAT (Decoy Dog) rewritten for Python 3.8 with Java injection, new transports (BOSH, lc4, lws4, ws4, dfws4), local socket channel (/var/run/ctl.socket) and support for encrypted dynamic configs and backup C2s/DGA.
  • Telemetry is encrypted and sent to a Mastodon-compatible instance (mindly.social) to the @lahat account; dynamic configuration is AES-CTR encrypted and the AES key is protected via elliptic-curve (brainpoolP384r1).
  • IOCs include specific file paths (e.g., /usr/share/misc/pcie.cache), multiple domains (e.g., maxpatrol.net, f-share.duckdns.org) and IP addresses (e.g., 194.87.68.65); the malware uses DNS tunneling and DGA for C2 resilience.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Adversaries compromise public-facing services (‘Adversaries compromise publicly available web services’).
  • [T1199] Trusted Relationship – Access obtained through a party the victim already trusts; the page ties the mapping to prior access to the host (‘adversaries had previously accessed that host to get the identifier and add it to the configuration’), i.e. the operators held a foothold before the host-locked build was deployed.
  • [T1078] Valid Accounts – Use of legitimate accounts for access (‘Adversaries use legitimate accounts to log in via SSH’).
  • [T1021.004] Remote Services: SSH – Remote access over SSH to compromised hosts (‘Adversaries connect to a compromised host over SSH’).
  • [T1543.002] Create or Modify System Process: Systemd Service – Persistence via systemd units (dcrond/atd) (‘Decoy Dog gained a foothold on the system using dcrond.service or atd.service’).
  • [T1480.001] Execution Guardrails: Environmental Keying – Payload/config encrypted per-host using machine identifiers (‘uses the obtained MD5 hash as a key to decrypt the configuration’).
  • [T1140] Deobfuscate/Decode Files or Information – The loader decrypts its configuration and payload at runtime (‘encrypted using the 128-bit CLEFIA algorithm’).
  • [T1027.002] Obfuscated Files or Information: Software Packing – Modified UPX packing to protect the loader (‘modified version of the UPX packer’).
  • [T1082] System Information Discovery – Loader reads host identifier files to derive keys (‘read each of the following files containing the compromised host’s identifiers’).
  • [T1568.002] Dynamic Resolution: Domain Generation Algorithms – DGA used to generate fallback C2 domains (‘Decoy Dog supports a domain generation algorithm (DGA)’).
  • [T1568.001] Dynamic Resolution: Fast Flux DNS – DDNS providers used to re-point C2 names (‘used DDNS services’); plain DDNS is not fast flux in the strict sense (rapid rotation of many IPs behind one name), so treat this as the closest available sub-technique rather than evidence of a flux network.
  • [T1071.004] Application Layer Protocol: DNS – DNS tunneling used as main C2 communication channel (‘DNS tunneling is the main method for communication between Decoy Dog RAT and the C2 server’).
  • [T1485] Data Destruction – Impact observed where adversaries destroyed infrastructure in a telecom incident (‘destroyed the Linux and Windows infrastructure in the incident at the telecom company’).

Indicators of Compromise

  • [File paths] Deployment and persistence locations – /usr/bin/dcrond, /usr/share/misc/pcie.cache, /var/lib/misc/mpci.bin, /var/run/ctl.socket
  • [File names] Loader and payload files – dcrond, atd, container, pcie.cache (main backdoor), and other masqueraded names like _lib7.so and irqballanced
  • [Domains] C2 and infrastructure – maxpatrol.net (impersonation), z-uid.lez2yae2.dynamic-dns.net, f-share.duckdns.org, m-srv.daily-share.ns3.name (and other DGA-generated domains)
  • [IP addresses] Observed hosts – 194.87.68.65, 185.126.239.60 (additional IPs reported in IOCs)
  • [File hashes] Representative hashes for loader/backdoor – pcie.cache: 8147c66144990691e2d9d870fb921475, dcrond: b83dffed692e165ad0274b63a6c7f1cb (and many more hashes listed)

The technical chain starts with a small ELF loader (~9 KB) masquerading as a legitimate service binary (dcrond/atd/container) and packed with a modified UPX variant that, instead of unpacking a full binary, extracts assembly shellcode using only Linux syscalls. The loader first performs an anti-debugging check by reading TracerPid from /proc/self/status, then probes host identifier files (/etc/machine-id, /proc/self/cgroup, /sys/class/dmi/*, etc.), computes an MD5 hash of the first available identifier, and uses that hash to decrypt an embedded configuration and the CLEFIA-encrypted main payload, effectively tying execution to a specific host (environmental keying, T1480.001).

Once decrypted, the payload is a Pupy-derived backdoor (Decoy Dog) rewritten for Python 3.8. It implements process injection (including Java JVM injection), multiple resilient transports (BOSH, lc4, lws4, ws4/dfws4 with ECPV+RC4 replacing original RSA/AES), DNS tunneling for C2, a local socket channel (/var/run/ctl.socket), and encrypted dynamic configuration files (AES-CTR; AES key protected via elliptic-curve brainpoolP384r1). Telemetry is packaged and sent encrypted to a Mastodon-compatible instance (mindly.social) tied to the @lahat account, and the code includes a DGA that produces daily emergency domains and multiple prefixed variants per configured seed domains and zones (duckdns.org, dynamic-dns.net, etc.).
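DNS tunneling under DDNS zones is the channel the paragraph above describes, so one concrete way to hunt for it in resolver logs follows, as an added example written for this summary, not code from the Positive Technologies report or from Decoy Dog. The dnsmasq-style log format, the length and entropy thresholds and the sample lines are assumptions; the zones and C2 names are the ones listed in the IOCs above. The Decoy Dog DGA itself is not reproduced, since the summary gives no algorithm details, so the heuristic targets the long, high-entropy first label that encoded tunnel traffic produces rather than specific generated names.

```python
"""Flag DNS tunneling / DDNS fallback indicators in resolver query logs.

Added example for this summary; not code from the PT report or from Decoy Dog.
Log format, thresholds and sample lines are assumptions; zones and C2 names
are the ones the report lists.
"""
import math
import re
from collections import Counter, defaultdict

# DDNS/DGA zones the report names as Decoy Dog fallback infrastructure.
WATCHED_ZONES = ("duckdns.org", "dynamic-dns.net", "ns3.name")
# C2 names from the report's IOCs (maxpatrol.net impersonates a PT product).
KNOWN_C2 = ("maxpatrol.net", "z-uid.lez2yae2.dynamic-dns.net",
            "f-share.duckdns.org", "m-srv.daily-share.ns3.name")

# Heuristic thresholds: analyst assumptions, not values from the report.
MAX_LABEL_LEN = 30      # a first label longer than this is rarely a hostname
MIN_ENTROPY = 3.5       # bits/char; natural-language labels sit well below this
MIN_HITS_PER_ZONE = 3   # repeated encoded labels to one zone from one source

# Assumed dnsmasq-style line: "<ts> <src> query[<type>] <qname>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\[(?P<qtype>[A-Z]+)\]\s+(?P<qname>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _suffix_match(qname, names):
    """Return the entry of `names` that qname equals or is a subdomain of."""
    for n in names:
        if qname == n or qname.endswith("." + n):
            return n
    return None


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def score_query(qname: str) -> dict:
    """Structural features of one query name."""
    q = qname.rstrip(".").lower()
    first = q.split(".")[0]
    ent = shannon_entropy(first)
    return {
        "qname": q,
        "zone": _suffix_match(q, WATCHED_ZONES),
        "ioc": _suffix_match(q, KNOWN_C2),
        "first_label_len": len(first),
        "entropy": round(ent, 2),
        # Long or high-entropy first label: encoded data rather than a hostname.
        "looks_encoded": len(first) > MAX_LABEL_LEN or ent >= MIN_ENTROPY,
    }


def analyze(log_text: str) -> list:
    """Return alerts: exact IOC matches per source, plus a tunneling alert per
    (source, zone) once enough encoded labels hit one watched zone."""
    ioc_hits = Counter()
    tunnel_hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        feat = score_query(rec["qname"])
        if feat["ioc"]:
            ioc_hits[(rec["src"], feat["ioc"])] += 1
        if feat["zone"] and feat["looks_encoded"]:
            tunnel_hits[(rec["src"], feat["zone"])].append(rec["qtype"])
    alerts = [{"type": "ioc_match", "src": s, "indicator": i, "count": n}
              for (s, i), n in sorted(ioc_hits.items())]
    for (src, zone), qtypes in sorted(tunnel_hits.items()):
        if len(qtypes) >= MIN_HITS_PER_ZONE:
            alerts.append({"type": "dns_tunnel_heuristic", "src": src, "zone": zone,
                           "queries": len(qtypes), "qtypes": sorted(set(qtypes))})
    return alerts


# Constructed sample log (no real telemetry): one host beaconing encoded TXT
# queries under a listed DDNS name, one benign DDNS user, one IOC lookup.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 query[A] www.example.com
2024-05-01T10:00:02Z 10.0.0.5 query[TXT] 7a4b9c2d8e1f0a3b5c6d7e8f9a0b1c2d3e4f5a6b.f-share.duckdns.org
2024-05-01T10:00:03Z 10.0.0.5 query[TXT] c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4.f-share.duckdns.org
2024-05-01T10:00:04Z 10.0.0.5 query[TXT] 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c.f-share.duckdns.org
2024-05-01T10:00:06Z 10.0.0.7 query[A] myhome.duckdns.org
2024-05-01T10:00:07Z 10.0.0.9 query[A] maxpatrol.net
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample, 10.0.0.5 raises both an IOC match (three queries under f-share.duckdns.org) and a tunneling alert for the duckdns.org zone, 10.0.0.9 raises an IOC match for maxpatrol.net, and the benign myhome.duckdns.org lookup from 10.0.0.7 stays quiet because its label is short and low-entropy. Tune the thresholds against your own resolver baseline before alerting on the heuristic alone; the IOC matches are the high-confidence signal.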

Operational resilience is achieved via bootstrap domains, DDNS fallback, and DGA-generated backup names; the report also provides YARA rules together with the file paths and hashes listed above for detection. Detection and response should focus on anomalous systemd units, suspicious small ELF binaries with modified UPX headers, host-locked encrypted payloads (CLEFIA), the presence of pcie.cache/pcie.* files, network connections to the listed DDNS/DGA domains and DNS tunneling indicators, and the encrypted telemetry endpoint (mindly.social/@lahat).
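For the host side of the detection guidance above, and the loader chain described two paragraphs earlier, an added triage script written for this summary (not code from the report or from Decoy Dog): it checks a live root or a mounted image for the listed paths and hashes, for systemd units whose ExecStart points at the masqueraded names, and for small ELF binaries that carry a UPX marker or have their section table stripped, which is what a UPX-style stub leaves behind even when the marker is patched out. The 16 KB size cut-off, the stripped-section heuristic and the constructed sample tree are assumptions; `atd` is deliberately matched only at /usr/bin/atd because the genuine at daemon lives in /usr/sbin.

```python
"""Hunt a Linux filesystem for the Decoy Dog loader/persistence artifacts.

Added example for this summary; not code from the report or from Decoy Dog.
Paths, hashes and masquerade names come from the report; the size cut-off,
the packed-ELF heuristic and the sample tree are assumptions.
"""
import hashlib
import os
import re
import struct
import tempfile

IOC_PATHS = ("/usr/bin/dcrond", "/usr/bin/atd", "/usr/share/misc/pcie.cache",
             "/var/lib/misc/mpci.bin", "/var/run/ctl.socket")
KNOWN_MD5 = {"8147c66144990691e2d9d870fb921475": "pcie.cache (Decoy Dog backdoor)",
             "b83dffed692e165ad0274b63a6c7f1cb": "dcrond (loader)"}
# Masquerade names no stock cron/at/irqbalance package ships. 'atd' is a real
# daemon (normally /usr/sbin/atd), so it is matched only via IOC_PATHS.
SUSPICIOUS_EXEC_NAMES = {"dcrond", "container", "irqballanced"}
UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")
BIN_DIRS = ("usr/bin", "usr/sbin", "usr/local/bin")
SMALL_ELF_MAX = 16 * 1024   # loader is ~9 KB; the cut-off is an assumption
EXEC_RE = re.compile(r"^\s*ExecStart\s*=\s*[-@+!:]*(\S+)", re.M)


def elf_info(data: bytes):
    """Section-header count and UPX marker presence, or None if not an ELF."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return None
    fmt = "<" if data[5] == 1 else ">"            # EI_DATA: little/big endian
    shnum_off = 0x30 if data[4] == 1 else 0x3C    # e_shnum for ELF32 / ELF64
    shnum = struct.unpack_from(fmt + "H", data, shnum_off)[0]
    return {"sections": shnum, "upx_marker": b"UPX!" in data}


def looks_packed(data: bytes) -> bool:
    """Small ELF with a UPX marker or, since a modified UPX may drop the marker,
    with its section table stripped the way UPX output is."""
    info = elf_info(data)
    return (info is not None and len(data) <= SMALL_ELF_MAX
            and (info["upx_marker"] or info["sections"] == 0))


def known_hash(data: bytes):
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


def scan_root(root: str) -> list:
    """Scan a tree (live '/' or a mounted image) and return findings."""
    findings = []

    def rel(full):  # path as it would appear inside the scanned image
        return "/" + os.path.relpath(full, root).replace(os.sep, "/")

    for p in IOC_PATHS:                                  # 1. literal IOC paths
        if os.path.lexists(os.path.join(root, p.lstrip("/"))):
            findings.append({"check": "ioc_path", "path": p})
    for d in UNIT_DIRS:                                  # 2. systemd persistence
        dirp = os.path.join(root, d)
        for name in (os.listdir(dirp) if os.path.isdir(dirp) else []):
            full = os.path.join(dirp, name)
            if not (name.endswith(".service") and os.path.isfile(full)):
                continue
            with open(full, errors="replace") as fh:
                text = fh.read()
            for exe in EXEC_RE.findall(text):
                if exe in IOC_PATHS or os.path.basename(exe) in SUSPICIOUS_EXEC_NAMES:
                    findings.append({"check": "systemd_unit", "path": rel(full), "exec": exe})
    for d in BIN_DIRS:                                   # 3. packed loaders, known hashes
        dirp = os.path.join(root, d)
        for name in (os.listdir(dirp) if os.path.isdir(dirp) else []):
            full = os.path.join(dirp, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            label = known_hash(data)
            if label:
                findings.append({"check": "known_hash", "path": rel(full), "label": label})
            if looks_packed(data):
                findings.append({"check": "small_packed_elf", "path": rel(full), "size": len(data)})
    return findings


def _fake_elf64(shnum: int, size: int, marker: bytes = b"") -> bytes:
    """Constructed ELF64 header padded to `size` bytes; not a runnable binary."""
    hdr = bytearray(64)
    hdr[:4] = b"\x7fELF"
    hdr[4], hdr[5] = 2, 1                                 # ELFCLASS64, little-endian
    struct.pack_into("<H", hdr, 0x3C, shnum)
    body = bytes(hdr) + marker
    return body + b"\0" * (size - len(body))


def build_sample_root() -> str:
    """Constructed tree mirroring the layout the report describes. The files are
    header-only stand-ins, not the real samples, so no known hash will match."""
    root = tempfile.mkdtemp(prefix="decoydog-hunt-")

    def put(path, data):
        full = os.path.join(root, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb" if isinstance(data, bytes) else "w") as fh:
            fh.write(data)

    put("usr/bin/dcrond", _fake_elf64(0, 9 * 1024, b"UPX!"))   # small, marker, no sections
    put("usr/bin/legitd", _fake_elf64(30, 40 * 1024))          # ordinary-looking binary
    put("usr/share/misc/pcie.cache", b"\0" * 128)
    put("etc/systemd/system/dcrond.service",
        "[Service]\nExecStart=/usr/bin/dcrond\n[Install]\nWantedBy=multi-user.target\n")
    put("etc/systemd/system/atd.service", "[Service]\nExecStart=/usr/sbin/atd -f\n")
    return root


if __name__ == "__main__":
    import sys
    for f in scan_root(sys.argv[1] if len(sys.argv) > 1 else build_sample_root()):
        print(f)
```

Run it as `python hunt.py /` on a live host or `python hunt.py /mnt/image` on a mounted disk; with no argument it builds the constructed tree and reports the dcrond path, the dcrond.service unit, the packed-looking dcrond binary and the pcie.cache file, while the genuine-path atd.service and the ordinary 40 KB binary stay clear. The known-hash check is exact MD5, so it only fires on the actual samples; the packed-ELF heuristic is the broader net and should be followed by a manual look at anything it returns.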

Read more: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat