5 August 2020

Iranian APT Oilrig becomes the first group to weaponize DNS-over-HTTPS

Iranian cybercriminal group Oilrig (also known as APT34) became the first APT to use the DNS-over-HTTPS (DoH) protocol in its attacks to exfiltrate data from compromised networks.

Vicente Diaz, a malware analyst at antivirus maker Kaspersky, said in a webinar that the change happened in May this year, when Oilrig added a new tool to its hacking arsenal. Diaz said Oilrig members have begun using the DNSExfiltrator utility in their cyberattacks.

DNSExfiltrator is an open-source project available on GitHub that creates covert communication channels by encoding data and tunnelling it inside protocols that were not designed to carry it. The tool can transfer data between two points using classic DNS requests, but it can also use the newer DoH protocol.

Oilrig uses DNSExfiltrator to move data laterally across internal networks and then exfiltrate it to an outside point. The group allegedly uses DoH as the leakage channel to avoid detection or monitoring while the stolen data is moved, since DoH wraps the DNS queries in encrypted HTTPS traffic.
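The two detection angles a defender has against a tool like this, as an added example that is not from the article or from the DNSExfiltrator project: classic DNS tunnelling leaves repeated, long, encoded-looking labels under one parent domain in resolver logs, while the DoH variant never reaches those logs and only shows up as HTTPS connections to a DoH resolver. The log lines, the client addresses, the `.test` domain and the thresholds are all constructed assumptions; the resolver hostnames are well-known public DoH endpoints, not values from the article.

```python
import math
from collections import defaultdict

# Constructed sample DNS log: (client_ip, queried_name). Names are invented;
# the long base32-looking labels imitate encoded data chunks.
SAMPLE_DNS = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.7", "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.c2.example.test"),
    ("10.0.0.7", "nbswy3dpfqqhg2ltmfqs4ylpmjzxizlon5xgs4zqnbuxizlo.c2.example.test"),
    ("10.0.0.7", "pfxgk3tufyqhi2dfebrwk3dmebtgk3tdmuqgk5dsn5xgs4tz.c2.example.test"),
]

# Constructed sample TLS connection log: (client_ip, server_name_from_sni).
SAMPLE_TLS = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.7", "dns.google"),
    ("10.0.0.7", "dns.google"),
]

# A few well-known public DoH resolver hostnames (not from the article);
# extend with the resolvers actually observed in your own environment.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def is_suspicious_label(label, max_len=32, min_entropy=3.5):
    """Very long labels, or moderately long ones that look like encoded data."""
    if len(label) >= max_len:
        return True
    return len(label) >= 16 and shannon_entropy(label) >= min_entropy


def dns_exfil_candidates(dns_log, min_hits=3):
    """Map (client, parent_domain) -> number of suspicious queries, keeping only
    clients that repeatedly send encoded-looking labels under one parent domain."""
    hits = defaultdict(int)
    for client, qname in dns_log:
        labels = qname.lower().split(".")
        if len(labels) > 2 and any(is_suspicious_label(l) for l in labels[:-2]):
            hits[(client, ".".join(labels[-2:]))] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}


def doh_clients(tls_log, resolvers=DOH_RESOLVERS):
    """Clients talking to known DoH resolvers: their queries bypass the DNS log
    above, so the TLS/SNI log is the only place a DoH channel is visible."""
    return {client for client, sni in tls_log if sni.lower() in resolvers}
```

Clients that appear in `doh_clients` but not in the resolver log are the ones whose DNS traffic monitoring cannot inspect, which is exactly why the DoH mode is attractive to the attacker.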
