Hellhounds: Operation Lahat

May 28, 2024, 12:01 p.m.

Description

A group called Hellhounds has continued attacking Russian organizations into 2024, using a variety of techniques to compromise infrastructure. Research shows that development of the group's malware toolkit began in 2019, and that the group maintains a presence inside critical organizations for years. Although the malware is based on open-source projects, it has been modified to bypass defenses. The earliest Windows and Linux samples date from 2019 and 2021 respectively. Encryption and obfuscation are used throughout. A foothold is gained via system services, and the main C2 channel is DNS tunneling. There are at least 48 confirmed victims, concentrated in the public sector and among IT contractors. Victims were most likely compromised through supply chain attacks and trusted relationships.

Date

Published: May 28, 2024, 11:28 a.m.
Created: May 28, 2024, 11:28 a.m.
Modified: May 28, 2024, 12:01 p.m.

Indicators


Attack Patterns

DecoyDog

Sliver

Hellhounds

T1568

T1587

T1480

T1199

T1021

T1082

T1071

T1543

T1036

T1140

T1027

T1485

T1056

T1190

T1078

Additional Information

Russian Federation