Hard-to-detect malware toolkit ‘Decoy Dog’, is targeting enterprise networks worldwide


Infoblox’s Threat Intelligence Group has found a critical security threat communicating with ‘Decoy Dog’, a malware toolkit that has command-and-control (C2) propagated to a Russian IP that is selectively targeting organisations worldwide – and going undetected.

This activity was discovered at the DNS level, is extremely hard to detect and the activity is consistent with a nation state advanced persistent threat (APT) actor.

While Infoblox is the first to discover Decoy Dog, the company is collaborating with peer companies in the security industry, as well as customers, to identify and disrupt this activity. 

Threat Summary:

  • Infoblox discovered and validated a previously unknown remote access trojan (RAT) active in multiple enterprise networks in early April 2023. This RAT is not a generic  consumer device threat.
  • Infoblox is now able to confirm with high confidence that all deployments of this activity arise from a single toolkit. Infoblox refers to this toolkit as “Decoy Dog.”
  • This C2 communication was very hard to find, due to a small amount of data queries in a large pool of DNS data.
  • This RAT uses DNS as a C2 channel through which the malicious actor has control of the internal devices. This RAT has been active since April 2022 – it was undiscovered for an entire year. 
  • It creates a footprint in DNS that is extremely hard to detect in isolation but, when analysed in a global cloud-based protective DNS system like BloxOne Threat Defense, demonstrates strong outlier behaviour. 
  • Decoy Dog C2 communications are made over DNS and are based on an open source RAT called Pupy. While this is an open source project, it has been consistently associated with nation state actors. 
  • Infoblox is the first to discover Decoy Dog, and is collaborating with other security vendors and customers to disrupt this activity, identify the attack vector, and secure global networks. 
  • The Infoblox Threat Intelligence group is working around the clock to understand motivations as well as the identity of the actor and nature of the compromise.
  • Infoblox has observed active C2 communications in the US, Europe, South America, and Asia in the technology, healthcare, energy, financial and other sectors. 
  • Organisations with protective DNS are able to block these domains immediately, mitigating their risk while they continue to investigate further. 

C2 Domains to Block:

  • claudfront[.]net
  • allowlisted[.]net
  • atlas-upd[.]com
  • ads-tm-glb[.]click
  • cbox4[.]ignorelist[.]com
  • hsdps[.]cc

The Impact:

The Infoblox Threat Intelligence Group believes that this set of beacons exists on limited networks and they appear to exist on common network devices such as firewalls; not user devices such as laptops or mobile devices. The presence of an undetected Remote Access Trojan (RAT) in a network gives the attacker control of the device.

Infoblox’s BloxOne Threat Defense customers are protected from these suspicious domains. 

Add a Comment

No messages on this article yet

Editorial: +44 (0)1892 536363
Publisher: +44 (0)208 440 0372
Subscribe FREE to the weekly E-newsletter