Newly discovered cyber espionage group DarkHydrus carrying out credential harvest attack on government entities and educational institutions in the Middle East. DarkHydrus used the open-source Phishery tool to carry out the targeted attacks.
Palo Alto observed the ongoing spear-phishing email campaign with the subject “Project Offer” that contains malicious word documents as an attachment.
When the user opens the malicious word document present in the phishing email it attempts to load a template from a remote server and pops-up an authentication dialog box and ask the user to input the login credentials.
The authentication prompt connected with the domain [“<redacted>. 0utl00k[.]net“] which is the C&C server for the cyber espionage group DarkHydrus. Attackers use 0utl00k[.]net which resembles the Microsoft’s legitimate “outlook.com” to make the user less suspicious.
Once user enter’s the credentials in the dialog box it will be sent to attackers C&C server and the dialog box will go away and open’s an empty document.
Palo Alto researchers also found another two malicious word documents using the domain 0utl00k[.]net that is associated with September and November 2017 campaigns. Both of the campaigns appear particularly targeting an organization.
Out of the three malicious Word documents, two of the documents created using Phishery tool which provides the ability to install inject the URL into a .docx Word document and hosting a C&C server.
DarkHydrus carrying out all the credential harvesting attacks that use weaponized Word documents created through Phishery tool and continues to target the government and educational institutions.
d393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318 9eac37a5c675cd1750cd50b01fc05085ce0092a19ba97026292a60b11b45bf49 0b1d5e17443f0896c959d22fa15dadcae5ab083a35b3ff6cb48c7f967649ec82
0utl00k[.]net 107.175.150[.]113 195.154.41[.]150
1. Have a unique Email address.
2. Do not open any attachments without proper validation.
3. Don’t open emails voluntary emails.
4. Use Spam filters & Antispam gateways.
5. Never respond to any spam emails.
Real-Time Intelligence Feed to Catch Malicious Phishing Domains SSL Certificate
Phishing and Keylogging Major Threats to Google Accounts Security
Hackers can Bypass Two-Factor Authentication with Phishing Attack
In a disturbing trend, cybercriminals, predominantly from Chinese underground networks, are exploiting Near Field Communication…
In a concerning trend for cybersecurity, multiple threat actors, including ransomware groups and state-sponsored entities,…
Unit 42’s 2025 Global Incident Response Report, ransomware actors are intensifying their cyberattacks, with 86%…
Group-IB’s High-Tech Crime Trends Report 2025 reveals a sharp 22% surge in phishing websites, with…
Cybersecurity firm Volexity has tracked a series of highly targeted attacks by suspected Russian threat…
Threat actors are increasingly leveraging Google Forms, the tech giant’s widely-used form and quiz-building tool,…
![](data:image/svg+xml;charset=utf-8,<svg height="454px" width="768px" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
.webp?w=1600&resize=1600,900&ssl=1)