Hellhounds: Operation Lahat

May 28, 2024, 12:01 p.m.

Description

A group called Hellhounds has continued attacking Russian organizations into 2024 using various techniques to compromise infrastructure. Research shows malware toolkit development began in 2019. The group maintains presence inside critical organizations for years. Although based on open-source projects, malware is modified to bypass defenses. The earliest Windows and Linux samples are from 2019 and 2021. Encryption and obfuscation are used. Foothold gained via system services. Main C2 method is DNS tunneling. At least 48 confirmed victims, focused on public sector and IT contractors. Victims likely compromised via supply chain attacks and trusted relationships.

External References

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat-part-2/
https://otx.alienvault.com/pulse/6655bfed1aa29eeef5f3379b
Tags
apt
russia
2024-05-28
operation lahat

Date

  • Created: May 28, 2024, 11:28 a.m.
  • Published: May 28, 2024, 11:28 a.m.
  • Modified: May 28, 2024, 12:01 p.m.

Indicators

  • ae76fcf9b0c7740ff2e7be88acd0d4354ac08ea0
  • 6758df1ae1f88ce553e3eb76f95625c075978734
  • fd7298c3be42560f7a7e78903cc7ad5db3a14185eafc76a5bdac9bd2f2bf6bfc
  • f466ecd2edc5481853f1e4613cf49dd5bd075e246436ad28b3558c2fd4069aca
  • f1aa7cb84e515e6d4818531ecb6cf9241338c68ebcb93e181ab9dfebb6be9123
  • f11afd0d02e936e56aad7e5e86f3bc6781a1c67c4abb98fe7b3d831e8d67e312
  • ee8dd2626a4465f49f6d4aaf3b6d3735ca938e5e289304ba0664e4c9fb957672
  • e67c5731bed1e4d8c7947a6f474a161237ca9d795f8e86927b2faf1a17c94a79
  • e42e43e01e2ca96562fa67e58a4d539fcaf50054e631dd259351f95c69672288
  • e38dcc222f770a4d11be0bd31b6d22f69a9f5bce8306c1c96390a0701647c1f3
  • e27d1bab901c1bb414d0849c5c132faa8c7c6a61357d9627a7d2785270034793
  • e19dc185e99cfdc0c25f18fb34ffabff2a4877d6d5843e4c67c05ce182f9780e
  • dd83e7b5788588d3a6b806ce0e5ad4acc0343c99548a342bfca9d54ea64625e3
  • d9a8151aff9d1c061826a9812ed9a6600805c74a519df333513fd4a79d2d4e61
  • d89671386dd794996e7fbf57645a6ab8d40dc5d0d634ca9deec235ae31f5c500
  • d53fe08be9391ed668cdbcccecc4736e9d0e5dbc7cecbd32a7df21487d593232
  • d59fcb3e138b9eea0d70a1127f7b9d927f381a133720cae0c4fd5fc803e4b9dd
  • c67f28a2b85b0b242c2337f8717f9ddda13d471648ea56eccaaf92750b0da4dc
  • cb1993e26580d51a6676890b87e4b3c9a2f8562815a291d9829988f00d616683
  • c620742a863ab20ad0f211bf0e7a1be0725f2682af96db15c1a0d610875dd613
  • bca6da159bbf6af3ba6adfdb4f1da0e855c6ed2ac9076c98bcc702169dbeab40
  • b3538ce6d66a8a104f15a3431914da7214b54d1de2594f4ee536a6e7372ed664
  • b21e9a3581497eafbd92a45b670b9e6f18aa09f8375ed8ebb03a199d531b2d39
  • ae6c7656a973c797ad8c3a344da99fbca8452c471d26900a2300364ddeb959b9
  • a03e2ca143e867a99e2bc73bd4e5c2dd078a9f671aa0a4ce9611a8bc39a769e2
  • 9d9097e76b04b8e4e53e366a215a6debd8ada6efd0102694bf518da373d25e82
  • 9a977571296ae1548c32df94be75eec2a414798bee7064b0bf44859e886a0cfa
  • 9a96c7b0595f628027c4f4caeece475ef742c420adf2fde8df934c6ce6481fb5
  • 9517212c7f840355ec02f71eb5e4ec87ae869d4b0a8bdd52331677433cca66bf
  • 83a29477939ba8e70f8f401da1fefbaad17b155c194c35a2b328530038b3539b
  • 834d7a3ccd82dd51ead09f18d9e466f6b5cb79d3054d12e3c3771e0477e0bc75
  • 82746a68612661c699ff2998502c9a252d52f76284a6c623d5c7f45d97dcefba
  • 8184a41a1275751c018a7433f1a48a8eb2f271d8f8fef98a90b70926f2755754
  • 7f55c71e064c000906afad1ff649d5c2d3fb6d61d7e84338c9ecf95b4958c7a4
  • 75bf7d3aae0ed409c2c7e4f9b15e49d2f8dac6f9ecc27219d837e806894fe2a0
  • 6da74c7e2bf3d77ac2f2cfddd114d27d08d01c2131d05d36e9c54de1c2565b2b
  • 6cb2979aa1fddd42df2ba596f705ce9bbdb2ec246649218d598d779769857c21
  • 66b7ce1c90ade1556469c4b9ef868bc6da2faea63987fbbfa4fa320723760a4e
  • 64af32f631c4ace6604ee84e2875c3393a54a0e8ad838a85833c086757d343fe
  • 5ab7025a477fba68821be7cd3b425b74a5adcccbddbfe90dbce9bbb028cca4c4
  • 5264dcb00fd0e7261f95173e44df2023d9842c61befd3a3e5a1677d187331576
  • 510da6d88ae4dd51d62796023a18b39db08a016ee4ee7178b1afdc91c58f9e1e
  • 4d30fd05c3bdac792e0a011892e2cad02818436484e81b6de6a02928149bc92d
  • 49cda974e0f9fdf1a99c76ab1f02c501cd720700efcc303e05dfb7d1e71f0d16
  • 494c857b3abe11ab66024c605648dfeb23804d554e32b0411215d83b1bde4434
  • 33e9020a2d6e6604ac0abafaa9427738937a282d3e418723e4857519c9bf99bc
  • 31b21de71f2162e8da1be8483f3a5d019b0c817832bc11a9f307b6b36821ca54
  • 30fd37421f35748b2adb1a45e71e77c38c4b4ebb6854112520bc27726a5d4424
  • 30617ff59db71da76e05828bf8eaf4c92553044bcf81870743cb35e1b482b1d8
  • 2c726b0bee65f2290c233f84139baf9dfee736d46978f42fcf8033215c1ccd19
  • 299a7888e960b7be5b7dc75e3a4bfd0c38f0f0e7313b630dcca62b6093794535
  • 25ff8d416a4158c7401f6c23e040c592ff29855da83ea67340342a3dfacd99a5
  • 1b8b4be020d3350d025c7a245eb0d7166ff2c329dc92af175ef0499cba583071
  • 1b7d26b2547ceb7f44dc9cabeb54d9c0c90b1ffb354dd1da711e269710f5d75c
  • 18d4a3a92b24b2ad75115a44fe2727081316eca346499a4aa00aa13713cf00cb
  • 121ab168fd3d59f83d127eb6a049e67ffdea9a3d4cdc6044f92116f4b1beb26d
  • 106436a4fafe00112b19b1374456c1746b988950b71d700680088d74494e4936
  • 0eb2c98d14fce41db0ac9352484438fc40489d6f40c915b659ecc84342aa83a6
  • 0d6d89023c7e4d72d8c68d5d7308eb2a58286a0ecc2ddcbe325d78f6b2149680
  • 07fe71b256c1c913b0f3e3fa67e53d21a3d1f499beb4e550597f5743797a77c4
  • 07dfb5b3e666400469fa451cdca5f29a346a5c9036e00c6587ef2b3b43631f10
  • 04241c476f7ff0b86987dbc74f7f236d1bd1fcc05896ad704bd8c152920e2ee9
  • 025d91fa1609138b30d9f95da41800aa5633913a8598ae54e95f0bc92cab2820
  • 00625fe8a6573f1774bfd9d58ba4a73d2c6307126271aa9accda89cd4b7270a9
  • 31.184.204.42
  • c.glb-ru.info
  • nsdps.cc
  • net-sensors.net
  • dw-filter.com
  • rcsmf100.net
  • maxpatrol.net
  • wmssh.com
  • claudfront.net
Download all indicators here!

Attack Patterns

  • DecoyDog
  • Sliver
  • Hellhounds

Additional Informations

  • Russian Federation