Enterprise Networks

A deeper analysis of a recently discovered malware called Decoy Dog has revealed that it's a significant upgrade over the Pupy RAT, an open-source remote access trojan it's modeled on.

"Decoy Dog has a full suite of powerful, previously unknown capabilities – including the ability to move victims to another controller, allowing them to maintain communication with compromised machines and remain hidden for long periods of time," Infoblox said in a Tuesday report. "Some victims have actively communicated with a Decoy Dog server for over a year."

Other new features allow the malware to execute arbitrary Java code on the client and connect to emergency controllers using a mechanism that's similar to a traditional DNS domain generation algorithm (DGA), with the Decoy Dog domains engineered to respond to replayed DNS queries from breached clients.


"Decoy Dog has added functionality not available in Pupy," Dr. Renée Burton, head of threat intelligence at Infoblox, told The Hacker News. "In particular, it has a command that tells the compromised device to stop talking to the current controller and start talking to another controller. We could determine this using statistical analysis on the DNS queries."

The sophisticated toolkit was first discovered by the cybersecurity firm in early April 2023 after detecting anomalous DNS beaconing activity, revealing its highly targeted attacks against enterprise networks.

The origins of Decoy Dog remain unclear as yet, but it's suspected to be operated by a handful of nation-state hackers, who employ distinct tactics but respond to inbound requests that match the structure of client communication.

Decoy Dog

Decoy Dog makes use of the domain name system (DNS) to perform command-and-control (C2). An endpoint that's compromised by the malware communicates with, and receives instructions from, a controller (i.e., a server) via DNS queries and IP address responses.

The threat actors behind the operation are said to have made swift adjustments to their attack infrastructure in response to the earlier disclosures, taking down some of the DNS nameservers as well as registering new replacement domains to establish remote persistence.


"Rather than shutting down their operation, the actor transferred existing compromised clients to the new controllers," Infoblox noted. "This is an extraordinary response demonstrating the actor felt it necessary to maintain access to their existing victims."

The first known deployment of Decoy Dog dates back to late-March or early-April 2022, following which three other clusters were detected as under the control of different controllers. A total of 21 Decoy Dog domains have been detected to date.

What's more, one set of controllers registered since April 2023 has adapted by incorporating a geofencing technique to limit responses to client IP addresses to certain locations, with observed activity limited to Russia and Eastern Europe.

"The lack of insight into underlying victim systems and vulnerabilities being exploited makes Decoy Dog an ongoing and serious threat," Burton said. "The best defense against this malware is DNS."

"We expect the actors to independently change based on the new reporting. The actors can change certain aspects of their C2, e.g., encodings, fairly easily, but other elements are difficult to change and are inherent in their choice of DNS as a C2 mechanism."

"The real question is why did they choose to modify Pupy for their C2? What is it about that RAT that they either need or desire for these operations? There are plenty of other choices, but they made this one when there is no other known malicious deployment of Pupy in the past. How they react to our update will depend on why they chose to make or use Decoy Dog in the first place."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.