MalwareUsed by 1 actor

iodine

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Funnull

"...it automatically falls back to DNS tunneling using the open-source iodine tool..."

via cyber security newscybersecuritynews.com

MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Command and Control

2 techniques

T1071.004DNSEvidence2

В MITRE ATT&CK скрытые каналы покрывают сразу несколько тактик: Command and Control - DNS (T1071.004 ...). ... DNS tunneling (T1071.004, Command and Control ...) эксплуатирует штатный механизм рекурсивного разрешения имён.

T1572Protocol TunnelingEvidence1

В MITRE ATT&CK скрытые каналы покрывают сразу несколько тактик: ... Protocol Tunneling (T1572 ...). ... HTTP covert channels (T1001.003 ..., T1572 ...) работают на другом уровне...

Exfiltration

1 technique

T1048Exfiltration Over Alternative ProtocolEvidence1

Malicious actors have utilized Command & Control (C2) communication channels over the Domain Name Service (DNS) and, in some cases, have even used the protocol to exfiltrate data.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

codebyNews

Jun 6, 2026

Скрытые C2 каналы: DNS tunneling и HTTP от атаки до детекта

Open-source tool that tunnels IPv4 traffic over DNS and creates a virtual dns0 interface; supports multiple DNS record types and is noted for fixed-frequency polling artifacts.

cyber security newsNews

Mar 5, 2026

Threat Actors Use New RingH23 Arsenal to Compromise MacCMS and CDN Infrastructure at Scale

Open-source DNS tunneling utility leveraged as a fallback C2 channel when primary WebSocket communications are blocked.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.