Egyptian DarkHydrus Targets Crypto Activists

in activism •  5 years ago 

It appears that the Egyptian government may be resurrecting DarkHydrus in an attempt to track down dissidents abroad, after issuing a statement in Canada that it plans to carry out targeted assassinations, or captures followed by execution under a court judgement, against any and all people the Egyptian government deems dissidents to the current brutal regime.

The worst possibility is that this type of tactic could be recklessly used to send assassins. That assumes the IP address obtained is correct and would reveal the true geolocation of a user targeted by DarkHydrus. More likely than not, however, the IP address would send such hypothetical assassins to the wrong physical address or geolocation, especially if the user masks, spoofs, proxies, VPNs, or Tors their IP address, or does all of the above. Not to mention that an ISP's own routing through central servers, which is not the user's actual IP address, may be mistaken for the targeted IP address, depending on the ISP and the end user's LAN security and privacy features. Granted, governments of any nation have hardly earned a trophy for accuracy when carrying out attacks against targets, so assassins could very well show up at the wrong location and even target the wrong individual(s).

At best, the use of DarkHydrus might only lock up or corrupt files on a target's device, or on their entire network if it is infected. So, instead of tracking down an individual targeted by the Egyptian government to physically murder them, DarkHydrus could simply be a means to ruin all locally stored data and/or all of the cloud storage data on a specific infected account. Losing one's data is a far less horrible outcome than having a life at risk, assuming this is as far as the use of DarkHydrus goes in the hands of a tyrannical government like the current Egyptian regime. Historically, DarkHydrus has been used to ruin the data of outspoken journalists, which is a fairly common attack within that industry aside from the usual spoofed account cloning attacks used for espionage or blackmail. Yet there have also been instances of DarkHydrus being used to physically track down journalists, though not as often as corrupting a target's data, such as remotely installing ransomware or outright ruining or deleting all of a targeted user's data.

In the event that the Egyptian government's DarkHydrus attempts somehow fail, it appears likely that the Egyptian government, or its contracted hackers, may have struck a deal with the shady, scammy cryptocurrency exchange IDAX (not to be confused with the legitimate ETH-based IDEX, with an "E" instead of an "A"). IDAX would reveal the IP addresses of users and even obtain their full banking credentials if the target did indeed sign up to use its exchange services, even though IDAX does not provide fiat pairings, which ironically makes asking for bank account information moot when an exchange has no fiat on/off ramps for its users. Asking for such information is therefore likely a last-resort attack vector: if there is no way to scam or attack a targeted user by the primary scheme they wished to unleash, they will simply resort to economic warfare by issuing fraudulent charges against the bank account the user provided to the IDAX exchange.

This nefarious scheme surfaced on July 31st 2019 at approximately 10:11am Eastern Time in the United States, when a known activist's Google Drive was spammed that morning. The target's Gmail address was most likely obtained through Facebook data, which is easily and readily available, since all users provide such information when choosing a log-in email for their Facebook account. The suspicious connection to this entire drama was drawn from the targeted activist's previous contact with former Arab Spring activists in Egypt. It has been rumored that those activists' accounts were compromised, probably upon their capture by Egyptian authorities as early as 2011, when all communications abruptly ceased. Thus the Egyptian government got to review all of the past private Facebook messages that the currently targeted U.S. activist exchanged with the Egyptian activists between 2009 and 2011. Fast forward to just a few months ago: one of the compromised accounts of a former Arab Spring Egyptian activist attempted to reconnect and communicate with the currently targeted U.S. activist, posing as one of the original Egypt-based Arab Spring activists who had previously communicated with them. Luckily, the targeted U.S. activist noticed something was awry and eventually blocked that compromised account from further Facebook communications.

It remains unconfirmed whether this was a clever spear-phishing attempt against the currently targeted activist or a general phishing attack that will be attempted on all targets from here on out in this scam spam campaign using free cryptocurrency as a lure. The reason is that the attack attempted to play on the fact that the targeted U.S.-based activist is also a known, if reluctant, cryptocurrency advocate and an active trader with a HODL position. The attack attempted to entice the targeted activist with an offer of "free" cryptocurrency coins from a scam-coin named Aidos Kuneen (ADK). If this was not an attack specific to the known interests of the target and will be issued to more potential victims, then people are advised not to be tempted into trying to receive free coins from a scam-coin like ADK. Just say no! In addition, if this Google Document pops up as a notification and/or appears in your Google Drive, DO NOT open it! Such a document may or may not contain maliciously scripted macros. Instead, Google provides a way to report a document shared into your Google Drive without opening the file, so do that. To be extra sure, once all precautions are taken and the spammy scam file has been reported to Google, proceed to secure your Google account properly.

Again, it remains unconfirmed whether the document itself contained malicious scripts or a man-in-the-cloud payload to run, as the targeted activist took appropriate actions to protect themselves, but if it is a sophisticated attack it may very well do just that. Given the delivery through Google Drive, this attack is more than likely just a not-yet-detected remix of the phishing attack that became popularized in 2017. So, if this is a regurgitation of that phishing attack to force a remote install of the DarkHydrus trojan, then it is a very clever execution that leverages the lustful greed for too-good-to-be-true crypto gains. After all, such a phishing attack requires less in-depth programming knowledge than a man-in-the-cloud attack would need.

Since the exact technical details of the attempted attack remain unknown at this time, it is critical not to click or open the file if you ever receive this Google Drive document.

Source notes & citations:

  • Four screenshots taken on 2019-07-31 (images not reproduced here).

  • (DO NOT GO TO THIS SITE UNLESS YOU HAVE A SECURED NETWORK CONNECTION, BROWSER, & SYSTEM TO TEST) Aidos Kuneen scam-coin “official” website:
    www aidoskuneen com