cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Iranian-backed hacking group distributing malware through GitHub

A new custom malware being used by an Iranian-backed hacking group has been discovered by researchers of Secureworks Counter Threat Unit.

user icon Daniel Croft
Mon, 12 Dec 2022
Iranian-backed hacking group distributing malware through GitHub
expand image

The malware, known as Drokbk, is used by Cluster B, a subgroup of Iranian Cobalt Mirage which is sponsored by the Islamic Revolutionary Guard Corps (IRGC).

Cobalt Mirage was first thought to be a single group, however, Secureworks analysis has unveiled two subgroups — Cluster A and Cluster B. The two groups do share some methods, passwords and infrastructure, but vary in terms of other TTPs. Cluster B seems more focused on information collection, while Cluster A is more set on financial gain.

Cluster B has been using GitHub to distribute Drokbk, which makes use of a dropper and a payload. Once the business has already been breached, the group uploads command and control server location instructions to a GitHub repository. Drokbk then instructs the malware on which server to communicate with.


Drokbk on its own has rather limited functionality, but by executing malware on the command and control server, it becomes rather effective while also maintaining a low profile.

“The use of GitHub as a virtual dead drop helps the malware blend in,” says Secureworks principal researcher and the lead on Iran-related research, Rafe Pilling.

“All the traffic to GitHub is encrypted, meaning defensive technologies can’t see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions.”

Having had an eye on Cobalt Mirage for some time, Drokbk was first discovered by Secureworks in February, where it was used following a breach of a US local government network.

“To date, Drokbk has kept a low profile and hasn’t been documented in Open Source, so, this is the first really in-depth look at how it works under the hood,” adds Pilling.

“Drokbk provides the threat actors with arbitrary remote access and an additional foothold alongside tunnelling tools like Fast Reverse Proxy (FRP) and Ngrok.

“Our advice to organisations is to use available controls to review and restrict access to the IP addresses, domains and URLs associated with Drokbk which we have listed in our blog.”

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.