Malware · Used by 1 actor

Downeks

Downeks is a downloader malware family associated in reporting with the DustySky campaign and linked by other researchers to Gaza Cybergang/Molerats activity targeting government interests in the Middle East. Unit 42 reported that an observed intrusion chain installed the Downeks downloader, which then installed a modified, obfuscated, and packed version of the open-source .NET Quasar RAT. The initial infection vector in the 2016-2017 reporting was not confirmed. Downeks used third-party websites to determine the victim’s external IP address, likely for GeoIP-based targeting, and dropped Arabic and Hebrew political decoy documents to camouflage the attack. Reported Downeks/.NET SharpDownloader capabilities included an HTTP POST command-and-control loop, download-and-execute functionality, screen capture, persistence, antivirus enumeration, and external IP discovery. Unit 42 identified both earlier native Downeks samples and newer .NET variants internally named SharpDownloader, with the .NET samples observed only against Hebrew-speaking targets. Infrastructure noted in the reporting included dw.downloadtesting[.]com as a Downeks C2/download point; an initial dropper named "Joint Ministerial Council between the GCC and the EU Council.exe" (SHA256: 0d235478ae9cc87b7b907181ccd151b618d74955716ba2dbc40a74dc1cdfc4aa) extracted an embedded Downeks instance "ati.exe" (SHA256: f19bc664558177b7269f52edcec74ecdb38ed2ab9e706b68d9cbb3a53c243dec), and additional Downeks samples included SHA256 15abd32342e87455b73f1e2ecf9ab10331600eb4eae54e1dfc25ba2f9d8c2e8a and 9a8d73cb7069832b9523c55224ae4153ea529ecc50392fef59da5b5d1db1c740. Separate reporting also notes development and installation similarities between Downeks and the Molerats-linked Spark backdoor family.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Molerats

01/2017: Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments – Unit 42 (via SentinelOne Labs, sentinelone.com)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (1 evidence item)

“The initial dropper (which varies across attacks) is delivered to the victim via email or web: File Name: Joint Ministerial Council between the GCC and the EU Council.exe”

Execution

2 techniques
T1059.003 Windows Command Shell (1 evidence item)

“Upload / download / execute files… Downeks can also be instructed to execute binaries that already exist on the victim machine.”

T1204 User Execution (1 evidence item)

“The initial dropper, upon execution, extracts an embedded Downeks instance”

Persistence

1 technique
T1547.001 Registry Run Keys / Startup Folder (1 evidence item)

“Persistence… through either the registry ‘run’ key or with a shortcut in the start-up folder.”

Privilege Escalation

1 technique
T1547.001 Registry Run Keys / Startup Folder (1 evidence item)

“Persistence… through either the registry ‘run’ key or with a shortcut in the start-up folder.”

Stealth

2 techniques
T1027 Obfuscated Files or Information (1 evidence item)

“using an obfuscator and packer… packed by ‘Netz’… obfuscated using .NET reactor… Downeks.NET is obfuscated using ‘Yano’”

T1036 Masquerading (1 evidence item)

“uses masquerades with icons, filenames and metadata imitating popular legitimate applications… and fake common program metadata”

Discovery

3 techniques
T1012 Query Registry (1 evidence item)

“pseudo-unique ID… based on install date taken from the registry…”

T1016.001 Internet Connection Discovery (1 evidence item)

“Downeks assesses the victim’s external IP using an HTTP request to http://www.myexternalip.com/raw.”

T1518 Software Discovery (1 evidence item)

“Downeks enumerates any antivirus products… using the WMI query: ‘SELECT displayName FROM AntivirusProduct’”

Collection

1 technique
T1113 Screen Capture (1 evidence item)

“Downeks can be instructed with the ‘img’ command to capture the victim screen and transmit it back to the C2.”

Command and Control

2 techniques
T1071.001 Web Protocols (1 evidence item)

“Downeks makes a POST request to dw.downloadtesting[.]com… Downeks… communicates with the C2 server using HTTP POST requests.”

T1105 Ingress Tool Transfer (1 evidence item)

“Downeks makes a POST request to dw.downloadtesting[.]com, resulting in the installation of the Quasar RAT on the victim machine.”
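The behaviours quoted above (an external-IP lookup against myexternalip.com followed by HTTP POST traffic to the dw.downloadtesting[.]com C2) can be turned into a simple proxy-log hunt. The following Python is an added example, not Mallory's or Unit 42's code; it refangs the C2 domain from the reporting and flags hosts that perform the IP check and then POST to the C2. The log format, timestamps and source IPs are constructed for illustration.

```python
"""Hunt for Downeks-style behaviour in proxy logs (added example, not Mallory's or Unit 42's code)."""
import re
from collections import defaultdict

def refang(indicator: str) -> str:
    """Turn the defanged form used in reporting ('dw.downloadtesting[.]com', 'hxxp://') into a matchable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

# Indicators quoted on this page (Unit 42 reporting on Downeks).
DOWNEKS_C2_DOMAINS = {refang("dw.downloadtesting[.]com")}
EXTERNAL_IP_SERVICES = {"www.myexternalip.com"}

# Constructed (assumed) proxy-log format: "<timestamp> <source-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def parse_line(line: str):
    """Parse one log line; returns a dict with a normalised 'host' field, or None if unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["host"] = re.sub(r"^https?://", "", ev["url"]).split("/")[0].lower()
    return ev

def hunt(lines):
    """Per source IP: external-IP lookups, C2 contacts, and the lookup-then-POST sequence Downeks exhibits."""
    findings = defaultdict(list)
    did_ip_lookup = set()
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        src, host = ev["src"], ev["host"]
        if host in EXTERNAL_IP_SERVICES:
            did_ip_lookup.add(src)
            findings[src].append(("external_ip_lookup", host))
        if host in DOWNEKS_C2_DOMAINS:
            findings[src].append(("downeks_c2", host))
            if ev["method"] == "POST" and src in did_ip_lookup:
                findings[src].append(("ipcheck_then_c2_post", host))
    return dict(findings)

# Constructed sample log: two hosts touch the IP-check service, only one goes on to POST to the C2.
SAMPLE_LOG = """\
2017-01-10T09:00:01Z 10.0.0.5 GET http://www.myexternalip.com/raw 200
2017-01-10T09:00:04Z 10.0.0.5 POST http://dw.downloadtesting.com/ 200
2017-01-10T09:01:00Z 10.0.0.7 GET http://www.example.com/index.html 200
2017-01-10T09:02:00Z 10.0.0.9 GET http://www.myexternalip.com/raw 200
"""
```

Run `hunt(SAMPLE_LOG.splitlines())` to get per-host findings; the lone IP-check on 10.0.0.9 is reported as a weak signal, while 10.0.0.5 triggers the stronger lookup-then-POST finding.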

INDICATORS OF COMPROMISE

IOCs tracked for this family

127 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
31 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
96 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.
