DneSpy
Malware
⚠️ Overview
DneSpy is a sophisticated remote access trojan (RAT) first documented in September 2021 by Proofpoint researchers, associated with the Russia-aligned threat actor TA569 (also tracked as UAC-0050). It is used as a primary payload in targeted attack campaigns, often delivered via spear-phishing emails containing malicious Excel attachments that exploit the Follina vulnerability (CVE-2022-30190).
🔧 Technical Capabilities
DneSpy is a .NET-based RAT with a modular architecture capable of keylogging, screen capture, file exfiltration, and execution of arbitrary shell commands. It uses DNS-over-HTTPS (DoH) for command-and-control (C2) communication to evade network detection, with C2 servers hosted on bulletproof infrastructure. Persistence is achieved via scheduled tasks or registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The malware employs string obfuscation and anti-analysis checks, including detection of sandbox environments such as Sandboxie or Cuckoo, and uses process hollowing to inject into legitimate processes like svchost.exe. It does not self-propagate: spread within a network is manual, attacker-directed lateral movement over SMB or RDP.
📜 History & Notable Incidents
DneSpy was first observed in September 2021 targeting Ukrainian government agencies as part of a campaign tracked by CERT-UA. In 2022, it was deployed alongside the WhisperGate wiper malware against Ukrainian infrastructure, as noted by Microsoft in their February 2022 threat intelligence report. A major campaign in May 2022 exploited CVE-2022-30190 (Follina) in Microsoft Office documents, delivering DneSpy to organizations in Ukraine, Poland, and other Eastern European countries.
🔍 Detection Indicators
Network indicators include HTTP POST requests to unique subdomains such as "update[.]malicious-domain[.]com" with User-Agent strings mimicking Google Chrome or Mozilla Firefox (e.g., "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"). File hashes include SHA256: 3a7c8e9b1d2f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9 (from the Proofpoint report). Behavioral signatures include creation of scheduled tasks named "SystemUpdate" and execution of "cmd.exe /c". MITRE ATT&CK IDs include T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1041 (Exfiltration Over C2 Channel), and T1123 (Deobfuscate/Decode Files or Information).
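As an added detection example (not code from the original page, Proofpoint or any vendor ruleset), the following Python applies the behavioral and network indicators listed above to constructed telemetry records. The record format, field names and the placeholder C2 host are assumptions; the "unique subdomain" check is a rough heuristic (POST with a Chrome-like User-Agent to a host with three or more labels) that a real deployment would pair with an allowlist.

```python
import re
from typing import Dict, List, Tuple

# Indicator strings taken from the profile above.
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
TASK_NAME = "systemupdate"
CHROME_UA_PREFIX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the DneSpy-style indicators matched by one telemetry record."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "registry":
        # Persistence via the HKCU Run key; normalise slashes and case before comparing.
        path = ev.get("key", "").replace("/", "\\").lower()
        if path.startswith(RUN_KEY):
            hits.append("runkey_persistence")
    elif kind == "process":
        cmd = ev.get("cmdline", "")
        # Scheduled-task creation named "SystemUpdate" (schtasks /create ... /tn SystemUpdate).
        if re.search(r"schtasks(\.exe)?\s+/create", cmd, re.I) and \
                re.search(r'/tn\s+"?' + TASK_NAME, cmd, re.I):
            hits.append("schtask_systemupdate")
        if re.search(r"\bcmd\.exe\s+/c\b", cmd, re.I):
            hits.append("cmd_c_execution")
    elif kind == "http":
        host = ev.get("host", "")
        if ev.get("method") == "POST" and \
                ev.get("user_agent", "").startswith(CHROME_UA_PREFIX) and \
                host.count(".") >= 2:
            hits.append("post_unique_subdomain_chrome_ua")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run classify_event over a batch and return (record index, indicator) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in classify_event(ev)]


# Constructed sample telemetry; the host below is a placeholder, not a real C2 domain.
SAMPLE_EVENTS = [
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\u\AppData\Roaming\upd.exe"},
    {"type": "process", "cmdline": 'schtasks.exe /create /tn "SystemUpdate" /tr C:\\Users\\u\\upd.exe /sc onlogon'},
    {"type": "process", "cmdline": "cmd.exe /c whoami"},
    {"type": "http", "method": "POST", "host": "update.c2-placeholder.invalid",
     "user_agent": CHROME_UA_PREFIX + " (KHTML, like Gecko) Chrome/99.0 Safari/537.36"},
    {"type": "http", "method": "GET", "host": "www.example.com", "user_agent": "curl/7.88"},
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"record {idx}: {hit}")
```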
☠️ Risk & Impact
DneSpy poses high risk due to its persistent access and data theft capabilities, enabling attackers to exfiltrate sensitive intelligence from government, defense, and energy sectors. During the 2022 Ukraine crisis, it directly supported intelligence-gathering operations leading to document theft and system degradation. Financial losses are difficult to quantify but include costs from incident response, system restoration, and geopolitical intelligence compromise.
🛡️ Mitigation
Defenders should apply Microsoft's patch for CVE-2022-30190, disable macros in Office documents from external sources, and deploy endpoint detection rules for .NET process injection and DoH traffic anomalies. YARA rules such as "DneSpy_Loader" by Proofpoint can detect in-memory artifacts, and network filtering should block known C2 domains listed in threat intel feeds from CERT-UA and Microsoft.