Privacy Ninja

Iranian Hackers Target Energy Sector with New DNS Backdoor

Iranian Hackers Target Energy Sector with New DNS Backdoor

The Iranian Lycaeum APT hacking group uses a new .NET-based DNS backdoor to conduct attacks on companies in the energy and telecommunication sectors.

Lyceum is a state-supported APT, also known as Hexane or Spilrin, that has previously targeted communication service providers in the Middle East using DNS-tunneling backdoors.

A recent analysis by Zscaler presents a new DNS backdoor based on the open-source tool to carry out “DNS hijacking” attacks, execute commands, drop more payloads, and exfiltrate data.

DNS hijacking is a redirection attack that relies on DNS query manipulation to take a user who attempts to visit a legitimate site to a malicious clone hosted on a server under the threat actor’s control. 

Any information entered on the malicious website, such as account credentials, will be shared directly with the threat actor.

Also Read: What is a data protection officer? Through the lens of a Master DPO

Starts with a Word doc

The attack begins with a Word Document containing a malicious macro downloaded from a website pretending to be a news site. The file is masked as a news report with an Iran Military affairs topic.

One of the fake news reports used by Lyceum
One of the fake news reports used by Lyceum (Zscaler)

If the target enables macros on their Microsoft Office to view the content, the DNS backdoor will be dropped directly onto the Startup folder for establishing persistence between reboots.

Dropping the payload on the Startup folder
Dropping the payload on the Startup folder (Zscaler)

New DNS backdoor

The backdoor uses the filename “DnsSystem.exe,” and it’s a customized version of, which the adversaries adjusted according to their needs.

“The threat actors have customized and appended code that allows them to perform DNS queries for various records onto the custom DNS Server, parse the response of the query to execute system commands remotely, and upload/download files from the Command & Control server by leveraging the DNS protocol.” – Zscaler

The malware sets up the DNS hijacking server by acquiring the IP address of the “cyberclub[.]one” domain and generates an MD5 based on the victim’s username to serve as a unique victim ID.

Also Read: Social engineering attacks: 4 Ways businesses and individuals can protect themselves

Generating a unique victim ID on each machine
Generating a unique victim ID on each machine (Zscaler)

Apart from performing DNS hijacking attacks, the backdoor can also receive commands from the C2 to execute on the compromised machine. The responses have the form of TXT records.

These commands are run through the cmd.exe tool (Windows command prompt), and the output is sent back to the C2 as a DNS A Record.

Malware's command execution routine
Malware’s command execution routine (Zscaler)

Additionally, the backdoor can exfiltrate local files to the C2 or download files from a remote resource and drop additional payloads.

Lyceum evolution

Lyceum is a group of hackers focusing on cyber espionage, and this new stealthy and potent backdoor is the mark of their evolution in the field.

The Iranian hackers are expected to continue participating in these information-collection campaigns that often involve multiple threat groups from the country.

As powerful as its new DNS manipulation tricks are, however, the initial infection still requires enabling macros on the Office suite, a request that should always be treated with ultimate suspicion.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us