DNSpionage
DNSpionage is malware/tooling associated with DNS hijacking and man-in-the-middle credential theft. The provided content describes it as code used for man-in-the-middle operations to extract authentication details and as code for managing DNS hijacking. It is referenced in leaked APT34 (OilRig) tooling published via the “Read My Lips” / “Lab Dookhtegan” Telegram channel, where a tool labeled “DNSpionage” was included alongside other alleged OilRig tools. Chronicle assessed that this leaked DNS-hijacking tool had similar functionality to the previously reported DNSpionage campaign and shared some victim overlap, but did not believe it was the same malware used in that earlier campaign. The earlier DNSpionage activity is described as targeting dozens of Middle East organizations by altering DNS registries to redirect traffic for interception and credential theft. The content also associates DNSpionage with Haywire Kitten, stating that the group delivers DNSpionage malware via spear-phishing with malicious documents, exploits Microsoft Exchange vulnerabilities, and uses PowerShell scripts. Targeting mentioned in the content includes Middle Eastern organizations, with broader references to telecom and energy sectors in the Haywire Kitten context. No specific file hashes or other direct IOCs for DNSpionage are provided in the content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"Another tool included in the leak is described as 'DNSpionage' malware and described as 'code used for [man-in-the-middle] to extract authentication details' and 'code for managing the DNS hijacking.'"
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Initial Access
Charming Kitten, Haywire Kitten, and Remix Kitten are described as “exploiting Microsoft Exchange vulnerabilities,” including “ProxyShell.”
Multiple Iran-nexus APT groups are described as using spear-phishing: e.g., Charming Kitten uses “spear-phishing with fake personas and compromised emails… phishing via benign PDFs for credential harvesting”; several others use “spear-phishing with malicious documents/attachments/links.”
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware used in spear-phishing operations; associated with PowerShell scripting and Exchange exploitation as described.
Malware used by Haywire Kitten (Emennet Pasargad) for espionage, delivered via spear-phishing and exploiting Exchange vulnerabilities.
Named malware/campaign referenced with alias COBALT EDGEWATER.
DNS-hijacking/MITM tooling intended to redirect victim traffic via altered DNS records to intercept and steal authentication details (usernames/passwords).
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.