Researchers uncover a malware network possibly linked to nation-state cyberattacks

An unknown nation-state appears to be laying the foundation for its next hacking campaign, but little is known yet about what its motivations may be and who's at risk, security researchers tell Axios.

What's happening: Researchers at Infoblox released new details Tuesday about a malware campaign they're calling Decoy Dog that has all the characteristics of a potential espionage campaign.

• Many of the suspicious domain names linked to the campaign are tied to Russian IP addresses, according to the report, but researchers can't say with certainty that Russia is behind the attack.
• But Infoblox, which scans domain name systems (DNS) for malicious activity, has only discovered the underlying foundation of the campaign so far.

Why it matters: Infoblox estimates that more than 100 devices are infected with the Decoy Dog malware already — and the company's researchers believe as many as four groups could be deploying the malware.

• Those groups might not all be tied to the same nation-state either, Infoblox CEO Scott Harrell tells Axios.

What they're saying: "We've just seen more points of data that tell us this is something for the industry to watch and for the industry to do research on because clearly there's something going on, and the threat actor is continuing to evolve," Harrell says.

The big picture: Infoblox detected the malicious activity through old-school DNS monitoring rather than through more popular reverse engineering, where researchers study a suspicious email attachment for signs of malware.

• DNS monitoring can give a bird's-eye view of what's happening across the entire internet, compared to malware detection tools that focus on a specific organization's network.
• During its scans, Infoblox spotted a handful of domain names operating in "a very specific way" that raised suspicions. The company first detected signs of Decoy Dog back in March 2022.
• Infoblox declined to disclose which organizations are affected and what kinds of devices have been infected, but a spokesperson says the company has discussed its findings with several security vendors and multiple government agencies.

Details: Decoy Dog appears to manipulate elements of open-source remote access tool Pupy, which helps the malware more easily disguise its activities.

• Pupy, which is also used as a penetration tool, allows people to control a device remotely from wherever they are, and the tool can bypass detection from most antivirus applications.
• Decoy Dog builds on that tool to adjust what operating systems the tool is compatible with and adds new communication tools to help the malware maintain long-term access to whatever device it's on.

Zoom out: Harrell tells Axios that Infoblox made a few changes to how it scans DNS following the 2020 SolarWinds cyber-espionage campaign that went undetected for more than a year.

• Those changes helped Infoblox find the Decoy Dog campaign, he says.

Yes, but: It's still unclear how exactly the hackers are getting a foothold on these devices and who is behind the campaign.

The intrigue: The last time Infoblox reported on Decoy Dog, the hackers quickly disconnected a few domains and changed up their tactics to try to shake off the researchers.

• Now, Infoblox is hoping more organizations will use today's report to scan for signs of Decoy Dog on their systems and piece together who's behind it and how they're breaking in.
• "To take the research further, we did want to see more people get involved and we wanted to get more awareness in the community," Harrell says.

Be smart: Infoblox included a list of identified domain names tied to the campaign that network administrators can block now.

Sign up for Axios’ cybersecurity newsletter Codebook here