DarkHydrus

Updated May 23, 2026

DarkHydrus is a Middle East–focused cyber-espionage threat group identified by Unit 42 in 2018, known for spear-phishing government targets using the RogueRobin trojan.

DarkHydrus is the name given by Palo Alto Networks' Unit 42 to a threat group first publicly disclosed in July 2018 after a credential-harvesting campaign targeting a government entity in the Middle East. The group has primarily focused on government, educational, and government-related organizations in the region, with a particular emphasis on the Arabian Peninsula.

The group is best known for two technical signatures:

  • RogueRobin, a custom PowerShell- and later C#-based trojan delivered via weaponized Microsoft Office documents that abuse the DDE (Dynamic Data Exchange) protocol or template injection.
  • DNS tunneling for command-and-control, including the use of Google Drive APIs as an alternative C2 channel in later variants observed in early 2019.

DarkHydrus has been associated with spear-phishing lures impersonating regional universities and government bodies, often using look-alike domains and free certificate authorities to host payloads. Researchers at 360 Threat Intelligence Center in China have linked DarkHydrus activity to a cluster they call LazyMeerkat, and some analysts have suggested overlaps with broader Iran-nexus activity, though attribution to a specific state sponsor has not been conclusively established in public reporting.

For policy and IR researchers, DarkHydrus is a useful case study in several respects. It illustrates how mid-tier regional threat actors leverage living-off-the-land techniques (PowerShell, legitimate cloud services) rather than expensive zero-days, complicating both attribution and defense. It also highlights the Gulf as a contested cyber theater where state and state-aligned groups conduct espionage in parallel with diplomatic tensions. Delegates working on ITU, UN GGE, or Open-Ended Working Group (OEWG) cyber-norms files frequently cite groups like DarkHydrus when arguing for stronger norms on state behavior in cyberspace, even where direct state attribution is absent.

The group has maintained a relatively low public profile since 2019, but its tooling has been incorporated into open-source threat intelligence feeds and MITRE ATT&CK as group G0079.

Example

In July 2018, Palo Alto Networks' Unit 42 disclosed a DarkHydrus spear-phishing campaign that used weaponized Office documents to deliver the RogueRobin payload against a Middle Eastern government agency.

Frequently asked questions

Which organizations does DarkHydrus target?

Government, educational, and government-affiliated organizations in the Middle East, particularly on the Arabian Peninsula.