Lyceum, an Iranian state-sponsored malicious attacker has targeted Middle Eastern organizations in its recent campaigns by deploying a newly developed .NET-based DNS hijacking malware.

The tactic allows threat actors to execute system commands remotely and upload/download data on the infected machine.

Key features of the malware

The DNS malware is a modified version of the open-source utility
  • The malware uses the DNS protocol for C2 communication, which improves stealth and keeps its communication inquiry hidden from detection.
  • It includes features such as file upload/download, as well as system command execution on the infected machine via DNS records.

DNS hijacking is an attack type wherein legitimate domain DNS requests are intercepted and used to redirect an unsuspecting user to fake pages controlled by a threat actor. Unlike cache poisoning, this attack targets the website's DNS record on the nameserver rather than the resolver's cache.

Delivery mechanism

  • The macro-enabled Word document is downloaded from the domain and disguised as a news report about Iranian military affairs.
  • The AutoOpen() function is called when the user enables the macro content.
  • The threat actor then uses the AutoClose() function to infect the system with DNS malware.
  • When the document is closed, the AutoClose() function is called, which reads a PE file from the text box.
  • This PE file is then written into the Startup folder to ensure persistence via the macro code. As a result, the DNS hijacking malware is executed whenever the system is restarted.


The Lyceum Group has developed DNS hijacking malware, which has been widely used in recent campaigns. APT threat actors are constantly improving their strategies and malware to successfully carry out cyberattacks. The DNS malware used by the attackers employs new techniques to avoid detection by security solutions, and malware re-packaging makes detection even more difficult.
Cyware Publisher