Karkoff DNS Malware

Karkoff is a newly observed .NET-based malware believed to have been created by the group behind DNSpionage, for use as a remote execution tool in that group's more recent campaigns.

In the newer DNSpionage campaigns, the group performs extensive reconnaissance on the target system before installing Karkoff, including collecting user and system information. The group also checks for the presence of several anti-virus products on the system and does not install Karkoff if any are found.

Once installed, Karkoff initiates a new command and control (C2) connection to the same infrastructure used in previous DNSpionage campaigns, then awaits further commands.

The domain used for the C2 is also bizarre. Earlier versions of DNSpionage used legitimate-looking domains in an attempt to remain undetected, whereas this newer version uses the domain "coldfart[.]com", which is far easier to spot than the domains most APT campaigns choose in order to blend in with traffic normal for enterprise environments. The domain was also hosted in the U.S., which is unusual for an espionage-style attack.


Affected Platforms

DNS Servers

Indicators of Compromise (IOCs)

The following IOCs are associated with this campaign:

DNSpionage XLS document

2fa19292f353b4078a9bf398f8837d991e383c99e147727eaa6a03ce0259b3c5 (SHA256)

DNSpionage sample

e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8 (SHA256)

Karkoff samples


C2 server


Duncan Newell

Duncan is a technology professional with over 20 years of experience working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
