Malware · Used by 1 actor

RoyalDNS

RoyalDNS is a custom DNS-based backdoor used by the China-linked espionage group APT15, also tracked as Ke3chang, Mirage, Vixen Panda, GREF, Playful Dragon, Nickel, and Flea. NCC Group identified it while investigating a May 2017 compromise of a company providing services to the UK Government, in which APT15 stole sensitive documents assessed to relate to UK government departments and military technology. RoyalDNS was deployed only after the actor regained access through the corporate VPN, using a VPN certificate stolen from a host compromised earlier in the intrusion.

RoyalDNS establishes persistence on Windows systems by creating a service named "Nwsapagent." Its command-and-control channel runs over DNS, with commands and responses carried in TXT records; the reported C2 domain is andspurs[.]com. It is one of several APT15 backdoors alongside RoyalCli, BS2005, Okrum, Ketrum, and later Graphican. In the cited intrusion, RoyalDNS marked APT15's shift to DNS-based C2 after earlier tooling in the same campaign had communicated over HTTP through Internet Explorer COM objects. The change matters for defenders: outbound DNS is rarely proxied or blocked, so a TXT-record channel survives the web-proxy controls that can catch HTTP-based tooling, and it has to be hunted in resolver logs rather than proxy logs.

In broader reporting, APT15 commonly targets government, diplomatic, and military-related entities and relies on credential theft, keylogging, lateral movement, and living-off-the-land techniques. For RoyalDNS itself, the directly documented behaviours are persistence through the "Nwsapagent" Windows service and C2 over DNS TXT records, and the one network IOC directly tied to it is andspurs[.]com. A hunt therefore starts from two signals: installation of a service with that name (Windows Event ID 7045 in the System log, 4697 in the Security log) and TXT queries to that domain, or to any zone receiving unusually frequent, high-entropy TXT lookups from a single host.
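A hunting script for the two DNS-side signals above, added here as an example; it is not code from Mallory, NCC Group, or MITRE. It reads resolver-style query logs (a constructed sample is embedded), reports any lookup at or beneath the page's IOC domain andspurs[.]com, and separately flags hosts that send repeated TXT queries with high-entropy leftmost labels to one zone, the pattern a TXT-record backdoor produces even when its domain is not yet on an IOC list. The log format, the volume and entropy thresholds, and the two-label zone approximation are assumptions.

```python
import math
from collections import Counter, defaultdict

# Domain from NCC Group's RoyalDNS indicators (defanging brackets removed).
KNOWN_C2_DOMAINS = {"andspurs.com"}

# Heuristic thresholds for spotting TXT-based beaconing to zones that are not
# yet on an IOC list. Both numbers are assumptions for this example, not
# figures from the report; tune them against your own resolver baseline.
TXT_QUERY_THRESHOLD = 5    # high-entropy TXT queries from one host to one zone
ENTROPY_THRESHOLD = 3.0    # Shannon entropy (bits/char) of the leftmost label

# Constructed sample log, not real telemetry. One query per line:
# <timestamp> <client ip> <query type> <query name>
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 A www.example.com
2017-05-12T10:00:02 10.0.0.5 TXT _dmarc.example.com
2017-05-12T10:00:03 10.0.0.7 TXT 7c1a9e2f.andspurs.com
2017-05-12T10:00:33 10.0.0.7 TXT b04d5e1a.andspurs.com
2017-05-12T10:01:03 10.0.0.7 TXT 9f2e7b63.andspurs.com
2017-05-12T10:00:05 10.0.0.9 TXT x9k2q7zp1.unknown-zone.net
2017-05-12T10:00:35 10.0.0.9 TXT m3r8vq0tj.unknown-zone.net
2017-05-12T10:01:05 10.0.0.9 TXT p5wz1k8cd.unknown-zone.net
2017-05-12T10:01:35 10.0.0.9 TXT lk2ya4ohf.unknown-zone.net
2017-05-12T10:02:05 10.0.0.9 TXT gu1xe9bnq.unknown-zone.net
2017-05-12T10:02:35 10.0.0.9 TXT z3mq8hd2t.unknown-zone.net
2017-05-12T10:03:00 10.0.0.11 A mail.example.com
"""


def shannon_entropy(label):
    """Bits per character of a DNS label; encoded C2 payloads score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())


def parse_line(line):
    """Return (timestamp, client, qtype, qname) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return ts, client, qtype.upper(), qname.rstrip(".").lower()


def matches_known_c2(qname):
    """True for the IOC domain itself or any name beneath it."""
    return any(qname == d or qname.endswith("." + d) for d in KNOWN_C2_DOMAINS)


def zone_of(qname):
    """Approximate the registrable zone as the last two labels (assumption:
    good enough here; use a public-suffix list for co.uk-style domains)."""
    return ".".join(qname.split(".")[-2:])


def analyze(log_text):
    """Return IOC matches and (client, zone) pairs showing TXT-tunnelling behaviour."""
    ioc_hits = []
    txt_counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qtype, qname = rec
        if matches_known_c2(qname):
            ioc_hits.append((client, qtype, qname))
        if qtype == "TXT":
            leftmost = qname.split(".")[0]
            if shannon_entropy(leftmost) > ENTROPY_THRESHOLD:
                txt_counts[(client, zone_of(qname))] += 1
    tunnel_suspects = {
        key: n for key, n in txt_counts.items() if n >= TXT_QUERY_THRESHOLD
    }
    return {"ioc_hits": ioc_hits, "tunnel_suspects": tunnel_suspects}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for client, qtype, qname in result["ioc_hits"]:
        print(f"IOC hit: {client} queried {qtype} {qname}")
    for (client, zone), n in result["tunnel_suspects"].items():
        print(f"Possible TXT tunnel: {client} -> {zone} ({n} high-entropy TXT queries)")
```

Legitimate TXT traffic (SPF, DMARC, DKIM, ACME challenges) is why the heuristic gates on both entropy and count; run it over a day's window and triage the tunnel_suspects set rather than alerting on it blindly. Exact IOC matches, by contrast, are worth an immediate page.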


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Ke3chang

Ke3chang backdoor RoyalDNS established persistence through adding a service called Nwsapagent.

Source: MITRE ATT&CK (attack.mitre.org)
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1587.001 Develop Capabilities: Malware (evidence: 1)

APT15 developed its own malware, allowing it to persist within victim networks (T1587.001).

Initial Access

1 technique
T1566 Phishing (evidence: 1)

"The particular threat group uses phishing emails as an initial infection vector"

Persistence

1 technique
T1543.003 Create or Modify System Process: Windows Service (evidence: 2)

MITRE ATT&CK procedure example: "Ke3chang backdoor RoyalDNS established persistence through adding a service called Nwsapagent." NCC Group's write-up of the 2017 intrusion likewise describes RoyalDNS installing itself as a Windows service of that name so that it is restarted at boot.

Privilege Escalation

1 technique
T1543.003 Create or Modify System Process: Windows Service (evidence: 2)

Same technique and evidence as under Persistence: "Ke3chang backdoor RoyalDNS established persistence through adding a service called Nwsapagent." ATT&CK lists T1543.003 under both tactics because a service installed this way normally runs as LocalSystem, so the same action that keeps the backdoor resident also elevates it.
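A companion hunt for the persistence side, added as an example and not code from Mallory, NCC Group, or MITRE. It scans service-installation events (System 7045 and Security 4697, assumed already normalized to JSON lines with ServiceName and ImagePath fields; a constructed sample is embedded) for the Nwsapagent service name documented for RoyalDNS and, more generally, for any new service whose binary lives outside the directories services are normally installed from. The trusted-directory list and every image path in the sample are assumptions; the page does not give RoyalDNS's binary path.

```python
import json

# Service name RoyalDNS registers, per the NCC Group report and MITRE ATT&CK.
KNOWN_BAD_SERVICE_NAMES = {"nwsapagent"}

# Where a newly installed service binary is normally expected to live. This
# list is an assumption for the example; extend it from your software inventory.
TRUSTED_IMAGE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample events, not real telemetry: System 7045 and Security 4697
# (service installed) exported as JSON lines with the fields already
# normalized. The RoyalDNS image path below is invented for the example; the
# report does not give the real one. The 7036 line is noise the hunt ignores.
SAMPLE_EVENTS = r'''
{"EventID": 7045, "Computer": "WS01", "ServiceName": "Nwsapagent", "ImagePath": "C:\\Windows\\Temp\\nwsapagent.exe", "StartType": "auto start"}
{"EventID": 7045, "Computer": "WS02", "ServiceName": "VendorUpdater", "ImagePath": "\"C:\\Program Files\\Vendor\\updater.exe\" /svc", "StartType": "auto start"}
{"EventID": 7045, "Computer": "WS02", "ServiceName": "Winmgmt", "ImagePath": "%SystemRoot%\\system32\\svchost.exe -k netsvcs", "StartType": "auto start"}
{"EventID": 4697, "Computer": "WS03", "ServiceName": "WinDefendUpd", "ImagePath": "C:\\Users\\Public\\wd.exe", "StartType": "auto start"}
{"EventID": 7036, "Computer": "WS04", "ServiceName": "Spooler", "ImagePath": "", "StartType": ""}
'''


def normalize_image_path(image_path):
    """Extract the lower-cased executable path from a service ImagePath value."""
    p = image_path.strip().lower().replace("%systemroot%", "c:\\windows")
    if p.startswith('"'):            # quoted path; arguments follow the closing quote
        return p[1:].split('"', 1)[0]
    if ".exe" in p:                  # unquoted path; cut after the executable name
        return p[: p.index(".exe") + 4]
    return p.split(" ", 1)[0]


def assess(event):
    """Return the reasons a service-installation event deserves a look."""
    reasons = []
    if event.get("ServiceName", "").lower() in KNOWN_BAD_SERVICE_NAMES:
        reasons.append("known RoyalDNS service name")
    path = normalize_image_path(event.get("ImagePath", ""))
    if path and not path.startswith(TRUSTED_IMAGE_DIRS):
        reasons.append("image path outside trusted directories")
    return reasons


def hunt(jsonl_text):
    """Map computer name to its suspicious service installations."""
    findings = {}
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") not in (7045, 4697):
            continue
        reasons = assess(event)
        if reasons:
            findings.setdefault(event["Computer"], []).append(
                {"service": event["ServiceName"],
                 "image_path": event.get("ImagePath", ""),
                 "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for computer, items in hunt(SAMPLE_EVENTS).items():
        for item in items:
            print(f"{computer}: service {item['service']} ({item['image_path']}): "
                  + "; ".join(item["reasons"]))
```

The name match is the high-confidence signal; the path check is there because an actor who renames the service still has to put the binary somewhere, and a new auto-start service launched from Temp or a user-writable directory is rare enough in most fleets to review by hand. Feed it the same events from a live SIEM export and compare against a baseline of known installers before turning it into an alert.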

Command and Control

1 technique
T1071.004 Application Layer Protocol: DNS (evidence: 1)

“APT15 opted for a DNS based backdoor: RoyalDNS… C2 of this backdoor was performed using the TXT record of the DNS protocol.”

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network: 1 tracked (IPs, domains, and DNS infrastructure linked to this family).
Hashes: 1 tracked (file hashes, MD5, SHA-1, SHA-256, from samples and reports).

Type          Value                                        Latest sighting
domain        andspurs[.]com (the C2 domain named above)   8 years ago
hash.sha256   value not shown on this page                 8 years ago