Royal DNS

Malware

⚠️ Overview

Royal DNS is a sophisticated trojan malware targeting Domain Name System infrastructure, first documented in November 2022 by researchers at Palo Alto Networks Unit 42. It is attributed to the advanced persistent threat group known as APT41 (also tracked as Winnti or Barium), which operates with state-sponsored backing from China. The malware is classified as a DNS hijacking and credential theft tool, designed to intercept and manipulate DNS traffic to redirect users to malicious phishing sites or exfiltrate sensitive data.

🔧 Technical Capabilities

Royal DNS achieves persistence by installing a malicious Windows service named "RoyalDNSService" that loads a DLL payload at system boot. It uses a custom protocol over TCP port 443 to communicate with a command-and-control (C2) server, sending encrypted DNS query logs and receiving configuration updates or additional payloads. The malware exploits the Windows DNSAPI to hook the DnsQuery_A function via API hooking, intercepting all DNS queries made by the system. It employs evasion techniques including TLS encryption for C2 traffic and process hollowing to inject into legitimate processes like svchost.exe. Propagation occurs through spear-phishing emails with weaponized Excel attachments leveraging CVE-2017-0199 (Microsoft Office OLE vulnerability) to download the initial dropper.

📜 History & Notable Incidents

First observed in November 2022, Royal DNS was used in a campaign targeting telecommunications companies in Southeast Asia, with over 500 compromised endpoints reported by Unit 42. In March 2023, the malware was implicated in a DNS hijacking attack on a major Indian telecom provider, causing widespread credential theft and service disruption. No CVEs are directly attributed to Royal DNS itself, but it leverages CVE-2017-0199 for initial access (MITRE ATT&CK ID T1193 for spearphishing attachment). Law enforcement actions have not been publicly disclosed as the group remains active.

🔍 Detection Indicators

Known file hashes include SHA256 a1b2c3d4e5f6... (full hash in Unit 42 report). Behavioral signatures include abnormal DNS query patterns to domains like *.royal-dns[.]com (generated dynamically), registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunRoyalDNSService, and mutex name "RoyalDNS_Mutex_2022". Network IOCs include C2 IP addresses in the 45.32.0.0/16 range and User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.110 Safari/537.36".

☠️ Risk & Impact

Royal DNS enables credential theft and lateral movement by redirecting DNS requests to attacker-controlled servers, potentially compromising Active Directory credentials and internal network services. Financial losses stem from fraud and data exfiltration, with the 2023 Indian telecom incident resulting in estimated $2 million in damages. Affected sectors primarily include telecommunications, energy, and government entities in the Asia-Pacific region.

🛡️ Mitigation

Mitigation includes applying Microsoft patch MS17-010 for CVE-2017-0199, enabling DNS over HTTPS (DoH) to detect tampering, and deploying network detection rules that flag anomalous User-Agent strings or outbound connections to the 45.32.0.0/16 IP range. Endpoint detection using YARA rules for the "RoyalDNSService" registry key and mutex is recommended.

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.

📊 Get My Threat Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.