Magic Hound, as dubbed by researchers at Palo Alto Networks, is a targeted espionage campaign against Saudi Arabian government, energy and technology industries. The campaign utilized a common phishing tactic, embedding macros into Word and Excel documents. If the victim enabled macros on the document, Powershell scripts downloaded additional malware onto their computer, such as the open-source Python RAT, Pupy.
Similarities between the likely Iranian-based threat actor “Rocket Kitten” and Magic Hound group were noticed, with clues including the use of a shared Command and Control IP to distribute their malware. Researchers also noted an overlap in infrastructure with the domains used in the recent Shamoon 2 campaign, which also targeted Saudi Arabian companies.
ThreatSTOP customers are protected from Magic Hound if they have the TSCritical target enabled in their policy.