Threat Intelligence Tarot
Vol. II · 123
Iran-suspected
G0079
risk 3/5
The Many-Headed Whisper
DarkHydrus
LazyMeerkat-adjacent
Middle East government · Educational institutions · Energy sector
Active since ~2016 · Espionage, Regional surveillance
The Many-Headed Whisper does not hiss in private — it whispers through public DNS, the most-watched and least-suspected channel. Severing one head only reveals two more.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1566.001 · Spearphishing Attachment · Initial Access
  • T1059.001 · PowerShell · Execution
  • T1071.001 · Web Protocols · Command and Control
  • T1027 · Obfuscated Files or Information · Defense Evasion
  • T1041 · Exfiltration Over C2 Channel · Exfiltration
  • T1083 · File and Directory Discovery · Discovery
Notable Operations
  • RogueRobin DNS-based PowerShell trojan
  • Phishery toolkit-based credential harvesting
  • Middle East government targeting via document lures
  • Educational institution spear-phishing campaigns (Palo Alto Unit 42 disclosure)
Defenses
Reversed: Their Weakness
DNS-layer detection and corporate DNS filtering remove this operator's preferred carrier. A whisper without a channel is just silence.

Data sourced from MITRE ATT&CK. For educational purposes.