In DarkHydrus's case, the preferred payloads retrieved in their previous attacks were exclusively open-source legitimate tools, which they abuse for malicious purposes, such as Meterpreter and Cobalt Strike. However, in this instance, it appears that this group used a custom PowerShell-based payload that we call RogueRobin.
ref:https://researchcenter.paloaltonetworks ... overnment/
IOCs:
.iqy file: cc1966eff7bed11c1faada0bb0ed0c8715404abd936cfa816cef61863a0c1dd6
bf925f340920111b385078f3785f486fff1096fd0847b993892ff1ee3580fa9d
Thanks,
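To make the two hashes above usable on an endpoint, here is a small sweep script, added as an example and not part of the original post or the referenced report. It walks a directory, computes SHA-256 for each file, and reports anything whose digest matches the listed IOCs as well as any file with the .iqy extension, since that is the lure file type named in the post (the hash set is from the post; the directory layout and the `scan_tree` function name are my own).

```python
import hashlib
import sys
from pathlib import Path

# SHA-256 IOCs exactly as listed in the post above (the .iqy lure and the second file).
DARKHYDRUS_IOCS = {
    "cc1966eff7bed11c1faada0bb0ed0c8715404abd936cfa816cef61863a0c1dd6",
    "bf925f340920111b385078f3785f486fff1096fd0847b993892ff1ee3580fa9d",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=DARKHYDRUS_IOCS):
    """Walk `root` and return one record per file that is either a hash
    match against `iocs` or carries the .iqy extension (the lure type)."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        hash_match = digest in iocs
        is_iqy = p.suffix.lower() == ".iqy"
        if hash_match or is_iqy:
            hits.append({
                "path": str(p),
                "sha256": digest,
                "hash_match": hash_match,
                "iqy": is_iqy,
            })
    return hits


if __name__ == "__main__":
    # Usage: python sweep.py <directory>
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Flagging the .iqy extension alongside the hashes is deliberate: a hash IOC only catches the exact sample, whereas a web-query file arriving by e-mail is unusual enough in most environments to be worth a look on its own.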