Downeks
Downeks is a downloader malware family observed by Palo Alto Networks Unit 42 in campaigns linked to DustySky and the Gaza Cybergang/Molerats. In the reported intrusion chain, the initial infection vector was not confirmed, but execution resulted in installation of the Downeks downloader, which then installed the Quasar RAT. Unit 42 also reported newer .NET-based Downeks variants, internally named SharpDownloader, in addition to earlier native variants; the .NET samples were observed only against Hebrew-speaking targets.
Documented Downeks behavior includes communicating with command-and-control over HTTP POST, downloading and executing additional payloads, taking screen captures, establishing persistence, enumerating antivirus products, and determining the victim’s external IP address via third-party websites, likely for GeoIP-based targeting. The malware also dropped decoy Arabic and Hebrew documents related to Middle Eastern politics to camouflage the intrusion.
Downeks was observed in the DustySky campaign, which other researchers attributed to the Gaza Cybergang, a threat actor described as targeting government interests in the Middle East. Unit 42 identified multiple Downeks samples and assessed the Downeks downloader infrastructure and Quasar C2 infrastructure as largely independent, though with at least one shared IP address. They also noted timing patterns consistent with the Middle Eastern work week.
High-confidence indicators directly mentioned in the content include an initial dropper named "Joint Ministerial Council between the GCC and the EU Council.exe" (SHA256: 0d235478ae9cc87b7b907181ccd151b618d74955716ba2dbc40a74dc1cdfc4aa), which extracted an embedded Downeks sample "ati.exe" (SHA256: f19bc664558177b7269f52edcec74ecdb38ed2ab9e706b68d9cbb3a53c243dec). Downeks was observed making an HTTP POST request to dw.downloadtesting[.]com that resulted in installation of Quasar RAT. Additional Downeks samples connecting to dw.downloadtesting[.]com included SHA256 15abd32342e87455b73f1e2ecf9ab10331600eb4eae54e1dfc25ba2f9d8c2e8a and 9a8d73cb7069832b9523c55224ae4153ea529ecc50392fef59da5b5d1db1c740.
Groups observed using it
1 distinct threat actor attributed by public researchers.
The initial infection vector in this attack is not clear, but it results in installing the “Downeks” downloader, which in turn infects the victim computer with the “Quasar” RAT.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
“The initial dropper (which varies across attacks) is delivered to the victim via email or web: File Name: Joint Ministerial Council between the GCC and the EU Council.exe”

Execution (2 techniques)
“Upload / download / execute files… Downeks can also be instructed to execute binaries that already exist on the victim machine.”
“The initial dropper, upon execution, extracts an embedded Downeks instance”

Persistence (1 technique)

Privilege Escalation (1 technique)

Stealth (2 techniques)
“using an obfuscator and packer… packed by ‘Netz’… obfuscated using .NET reactor… Downeks.NET is obfuscated using ‘Yano’”
“uses masquerades with icons, filenames and metadata imitating popular legitimate applications… and fake common program metadata”

Discovery (3 techniques)
“pseudo-unique ID… based on install date taken from the registry…”
“Downeks assesses the victim’s external IP using an HTTP request to http://www.myexternalip.com/raw.”
“Downeks enumerates any antivirus products… using the WMI query: ‘SELECT displayName FROM AntivirusProduct’”

Collection (1 technique)
“Downeks can be instructed with the ‘img’ command to capture the victim screen and transmit it back to the C2.”

Command and Control (2 techniques)
“Downeks makes a POST request to dw.downloadtesting[.]com… Downeks… communicates with the C2 server using HTTP POST requests.”
“Downeks makes a POST request to dw.downloadtesting[.]com, resulting in the installation of the Quasar RAT on the victim machine.”
IOCs tracked for this family
127 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Malware family associated with Molerats (DustySky campaign) and discussed in comparison to Spark (shared development/installation traits and use of cURL/JSON libraries).
Downloader/backdoor used as a first-stage implant to beacon over HTTP POST, profile the host (including installed AV and external IP), maintain persistence (Run key or Startup folder), and receive commands such as download-and-execute, self-update, screen capture, process kill/delete, and host/user/IP allowlist checks with message display.
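The behaviours listed above (HTTP POST beacon to the documented C2 domain, the external-IP lookup, AV enumeration through WMI, Run-key persistence) are the kind of thing a defender can hunt for in proxy, WMI-activity and registry telemetry. The script below is an added example, not code from Unit 42's report or from Mallory: it runs the page's indicators over a few constructed log lines and scores each host. The log format, host names, file paths and every log line are constructed; the rule weights, the verdict thresholds and the use of the HKCU Run key as the persistence location are assumptions made for illustration.

```python
"""Hunt constructed log lines for the Downeks behaviours documented on the page.

Added example (not Unit 42's or Mallory's code). Indicator strings come from
the page; the log format and all sample lines below are constructed.
"""
import re
from collections import defaultdict

# Indicators quoted on the page, kept defanged and refanged only for matching.
C2_DOMAIN = "dw.downloadtesting[.]com"
EXTERNAL_IP_URL = "http://www.myexternalip.com/raw"
AV_WMI_QUERY = "SELECT displayName FROM AntivirusProduct"
# Assumption: the "Run key" persistence the page mentions is the standard
# per-user autostart key; the Startup-folder variant is not covered here.
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# (rule name, weight, predicate over a lowercased log message). Weights are
# illustrative: the C2 beacon is the strongest single signal.
RULES = [
    ("c2_post_to_known_domain", 5,
     lambda m: "method=post" in m and refang(C2_DOMAIN) in m),
    ("external_ip_lookup", 2,
     lambda m: refang(EXTERNAL_IP_URL).lower() in m),
    ("av_enumeration_wmi", 3,
     lambda m: AV_WMI_QUERY.lower() in m),
    ("run_key_persistence", 2,
     lambda m: "registry set" in m and RUN_KEY.lower() in m),
]

# Constructed line format: <timestamp> <host> <source> <message...>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\S+) (?P<msg>.*)$")


def hunt(lines):
    """Return one finding dict per (line, rule) match, in log order."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole hunt
        msg = m.group("msg").lower()
        for name, weight, predicate in RULES:
            if predicate(msg):
                findings.append({"host": m.group("host"), "rule": name,
                                 "weight": weight, "line": line})
    return findings


def score_hosts(findings):
    """Aggregate findings per host into a verdict.

    'high'   : C2 beacon plus at least one other documented behaviour
    'medium' : no beacon, but weights sum to 3 or more
    'low'    : a single weak signal (e.g. only the external-IP lookup)
    """
    totals, rules = defaultdict(int), defaultdict(set)
    for f in findings:
        totals[f["host"]] += f["weight"]
        rules[f["host"]].add(f["rule"])
    verdicts = {}
    for host, total in totals.items():
        if "c2_post_to_known_domain" in rules[host] and len(rules[host]) > 1:
            verdicts[host] = "high"
        elif total >= 3:
            verdicts[host] = "medium"
        else:
            verdicts[host] = "low"
    return verdicts


# Constructed sample telemetry: WS-17 shows the full documented chain,
# WS-03 only performs an external-IP lookup, and one line is malformed.
SAMPLE_LOGS = [
    r"2017-01-12T09:14:02Z WS-17 proxy method=POST url=http://dw.downloadtesting.com/ status=200 bytes=812",
    r"2017-01-12T09:14:05Z WS-17 proxy method=GET url=http://www.myexternalip.com/raw status=200 bytes=14",
    r'2017-01-12T09:14:07Z WS-17 wmi-activity query="SELECT displayName FROM AntivirusProduct" namespace=root\SecurityCenter2',
    r"2017-01-12T09:14:09Z WS-17 sysmon registry set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ati value=%APPDATA%\ati.exe",
    r"2017-01-12T09:20:00Z WS-03 proxy method=GET url=http://www.myexternalip.com/raw status=200 bytes=14",
    r"2017-01-12T09:21:00Z WS-03 proxy method=GET url=https://example.com/ status=200 bytes=4096",
    "garbage",
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for f in found:
        print(f"{f['host']:6} {f['rule']:25} {f['line']}")
    print(score_hosts(found))
```

The lone external-IP lookup on WS-03 scores "low" on purpose: that site is also used by legitimate tooling, so it is only meaningful in combination with the beacon or the AV enumeration, which is why the verdict logic keys on the C2 POST rather than on raw weight alone.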