Decoy Dog Malware Targets Windows Systems in Russia
A recent investigation by the security firm Positive Technologies has revealed that a cybercriminal group known as Hellhounds has expanded its operations from targeting the infrastructure of Russian companies via Linux hosts to now also compromising Windows-based systems. The group has been deploying the Decoy Dog backdoor, a sophisticated piece of malware, against a variety of sectors in Russia, including IT, medical, telecommunications, security, retail, transport and logistics, mining, and the space industry. The total number of victims has reached 48.
The Decoy Dog malware, a custom variant of the open-source Pupy RAT, has been under development since November 2019, and the group has been actively targeting Russian entities since at least 2021. The malware exhibits advanced capabilities such as DNS tunneling for communication with its command-and-control (C2) server and mechanisms for maintaining persistence on infected hosts, giving the operators remote control of compromised devices.
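DNS tunneling is the most actionable detail in the description above for a defender: the C2 channel has to leave its data in the query names, so resolver logs can be profiled for it. The following heuristic detector is an added example written for this page, not code from Positive Technologies or from the report. The log format, the client addresses, the zone names (`c2-placeholder.test` and the `example.*` names) and the thresholds are all constructed assumptions, not indicators from the investigation.

```python
import math
from collections import defaultdict

# Tunable thresholds (assumed values, chosen for the constructed sample below).
MIN_QUERIES = 5          # need enough traffic before judging a zone
UNIQUE_RATIO = 0.8       # share of queries whose subdomain was never seen before
AVG_SUB_LEN = 20         # average subdomain length in characters
AVG_ENTROPY = 3.5        # average Shannon entropy (bits/char) of the subdomain
DATA_QTYPE_RATIO = 0.5   # share of queries using record types that carry payload
DATA_QTYPES = {"TXT", "NULL", "CNAME"}

# Constructed sample resolver log (not from the report): "<epoch> <client_ip> <qname> <qtype>".
# example.org shows that repeated volume alone is not enough; the long, high-entropy TXT
# labels under one zone are the pattern a DNS-tunneling channel leaves behind.
SAMPLE_DNS_LOG = """\
1709200001 10.0.0.15 www.example.com A
1709200002 10.0.0.15 mail.example.com A
1709200003 10.0.0.22 2f8a1c9e0b7d4e6f.dbq7k1m.c2-placeholder.test TXT
1709200004 10.0.0.22 9d3b4f7a1e2c8b5d.dbq7k1m.c2-placeholder.test TXT
1709200005 10.0.0.22 7c1e2a9f4b6d3e8a.dbq7k1m.c2-placeholder.test TXT
1709200006 10.0.0.22 0a5d8e2b7f1c4a9e.dbq7k1m.c2-placeholder.test TXT
1709200007 10.0.0.22 4e6b1d9a3c7f2e8b.dbq7k1m.c2-placeholder.test TXT
1709200008 10.0.0.22 b2d7e1f9a4c6e3d8.dbq7k1m.c2-placeholder.test TXT
1709200009 10.0.0.15 cdn.example.com A
1709200010 10.0.0.30 update.example.org A
1709200011 10.0.0.30 update.example.org A
1709200012 10.0.0.30 update.example.org A
1709200013 10.0.0.30 update.example.org A
1709200014 10.0.0.30 update.example.org A
"""


def shannon_entropy(text):
    """Bits per character; encoded payload scores higher than dictionary words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Parse one log line of the constructed format; None for malformed input."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, qtype = parts
    return {"client": client, "qname": qname.lower().rstrip("."), "qtype": qtype.upper()}


def split_name(qname):
    """Approximate the registered domain as the last two labels; the rest is the subdomain."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(log_text):
    """Aggregate per-zone features that a tunnel cannot easily hide."""
    stats = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        domain, sub = split_name(rec["qname"])
        s = stats.setdefault(domain, {"queries": 0, "subdomains": set(),
                                      "sub_len": 0, "entropy": 0.0, "data_qtypes": 0})
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        if rec["qtype"] in DATA_QTYPES:
            s["data_qtypes"] += 1
    return stats


def score_domain(s):
    """Return the indicators a zone trips; empty for ordinary traffic."""
    n = s["queries"]
    indicators = []
    if len(s["subdomains"]) / n >= UNIQUE_RATIO:
        indicators.append("mostly unique subdomains")
    if s["sub_len"] / n >= AVG_SUB_LEN:
        indicators.append("long subdomain labels")
    if s["entropy"] / n >= AVG_ENTROPY:
        indicators.append("high-entropy labels")
    if s["data_qtypes"] / n >= DATA_QTYPE_RATIO:
        indicators.append("data-carrying record types")
    return indicators


def detect_dns_tunneling(log_text, min_queries=MIN_QUERIES, min_indicators=3):
    """Return sorted [(domain, indicators)] for zones that look like tunnel endpoints."""
    flagged = []
    for domain, s in profile_domains(log_text).items():
        if s["queries"] < min_queries:
            continue
        indicators = score_domain(s)
        if len(indicators) >= min_indicators:
            flagged.append((domain, indicators))
    return sorted(flagged)


if __name__ == "__main__":
    for domain, why in detect_dns_tunneling(SAMPLE_DNS_LOG):
        print(f"{domain}: {', '.join(why)}")
```

Requiring several indicators at once keeps CDN and anti-spam lookups, which legitimately use long or unique labels, from tripping the rule on their own; in production the two-label approximation of the registered domain should be replaced with a public-suffix list, and the thresholds tuned against the organisation's own baseline.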
The report details how the attackers gained access to their targets’ infrastructures through supply chain attacks, stealing SSH login credentials through contractors. In some instances, the Decoy Dog backdoor was disguised as ISO images for the iMind online meeting, video conferencing, and webinar service, illustrating the group’s disguise techniques. They have also been known to mimic legitimate software processes and services, including those of Positive Technologies and Microsoft, to remain undetected on the networks they infiltrate.
Further analysis revealed that the attackers used the Sliver framework, and that the decrypted payload observed was identical to the Linux version of Decoy Dog. The C2 server associated with these activities was identified and linked back to infrastructure already known to be used by the group.
This development marks a significant shift in the cybercriminal group’s operations, indicating not only an expansion in the types of systems they target but also an evolution in their tactics and malware capabilities. The findings underscore the importance of heightened security measures and vigilance among companies in the targeted sectors, especially in Russia, to protect against such sophisticated threat actors.