# Palo Alto Networks Offers Threat Mitigation for Havex, DragonFly and Variants

By [John Harrison](https://www.paloaltonetworks.com/blog/author/john-harrison/?ts=markdown "Posts by John Harrison"), Jul 10, 2014

Categories: [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown), [SCADA & ICS](https://www.paloaltonetworks.com/blog/category/scada-ics/?ts=markdown), [Threat Advisories - Advisories](https://www.paloaltonetworks.com/blog/category/threat-advisories-advisories/?ts=markdown), [Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown). Tags: [DragonFly](https://www.paloaltonetworks.com/blog/tag/dragonfly/?ts=markdown), [Havex](https://www.paloaltonetworks.com/blog/tag/havex/?ts=markdown), [ICS](https://www.paloaltonetworks.com/blog/tag/ics/?ts=markdown), [SCADA](https://www.paloaltonetworks.com/blog/tag/scada/?ts=markdown), [WildFire](https://www.paloaltonetworks.com/blog/tag/wildfire/?ts=markdown)

Over the past 10 days we've seen a lot of attention on Havex malware and its variants, which target industrial control system (ICS) and SCADA users. [F-Secure](http://www.f-secure.com/weblog/archives/00002718.html), [CrowdStrike](http://www.crowdstrike.com/sites/all/themes/crowdstrike2/css/imgs/platform/CrowdStrike_Global_Threat_Report_2013.pdf) and [Symantec](http://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat) were among those reporting on the Havex RAT (Remote Access Trojan), which Symantec tracks as Backdoor.Oldrea, and on the group behind it, called DragonFly by Symantec and Energetic Bear by CrowdStrike, which also deploys Trojan.Karagany.

Palo Alto Networks has been tracking Havex for quite a while. We have regularly found samples via WildFire, providing coverage through antivirus signatures and additional indicators through URL Filtering. As with any other malware family, Palo Alto Networks customers should use the entire platform for threat prevention and mitigation. We recommend the following:

1. **Use App-ID to reduce the attack surface.** Look for unknown-tcp and unknown-udp traffic, which can indicate Trojans and RATs communicating outbound.

2. **Use SSL Decryption for webmail.** Prevent targeted attacks and watering-hole attacks delivered through personal email accounts. A single malicious RTF, PDF or Office document is all it takes to compromise an organization and bypass every other protection when you have no visibility into SSL traffic.

3. **Use file blocking.** Block, or at least warn via a continue page on, all PE (portable executable) files, including .EXE, so employees cannot install them. Consider also blocking the additional high-risk content types favoured in targeted attacks: RTF, .SCR, .HLP and .LNK files.

4. **Use IPS signatures to prevent client-side vulnerabilities from being exploited by exploit kits and watering-hole attacks.** Consider inline blocking with a strict IPS policy, so that a drive-by download cannot exploit the client-side vulnerability and drop malware on the system.

5. **Use Antivirus.** We continue to add AV coverage for hundreds of samples of Havex, Backdoor.Oldrea and the Energetic Bear RAT, and on top of existing coverage we have added protection for newer samples of TrojanDownloader/Win32.karagany (Trojan.Karagany). Because malware naming across the industry is chaotic, our protection for Havex, Oldrea and the Energetic Bear RAT appears under a variety of names, including:
   * Backdoor/Win32.havex.[Random]
   * TrojanDownloader/Win32.karagany.[Random]
   * Virus/Multi.karagany.[Random]
   * Virus/Win32.WGeneric.[Random]
   * Trojan/Win32.spnr.[Random]

6. **Use Spyware/CnC prevention to find infected systems that may pull down additional variants.** Ensure DNS detection is enabled and in blocking mode. Palo Alto Networks has a number of Spyware/CnC signatures that detect previously compromised systems, including:
   * Karagany.Gen Command and Control Traffic, ID 13154
   * Havex.Gen Command And Control Traffic, ID 13488

7. **Use URL Filtering with PAN-DB to prevent downloads from known malicious domains.** Malicious IPs and domains have been added to PAN-DB based on the threat intelligence we have received. We urge users to block the malware category, as well as proxy-avoidance and peer-to-peer. We also recommend a continue page on the unknown category, so that neither users nor malware can navigate automatically to newly registered malicious domains.

8. **Focus on prevention of unknown and 0-day malware using WildFire.**
   * Forward all incoming PE files to WildFire to determine whether any malicious executables are being downloaded.
   * Forward all high-risk document types used in targeted attacks (incoming Office documents, PDFs and Java files) to WildFire for analysis.
   * Block RTF files, or at a minimum forward them to WildFire.
   * WildFire observes the malicious behaviour automatically and pushes out AV, DNS and CnC signatures to prevent additional employees from being infected.

9. **Leverage the Botnet Report to find infected systems.** Check the Botnet Report in PAN-OS to ensure you have not missed systems that are already infected.

10. **Create a DNS sinkhole to find infected systems.** Use the PAN-OS 6.0 DNS sinkhole feature so that already-infected systems are easy to find: a sinkholed host goes on to connect to the sinkhole address and appears in the traffic log under its own IP, instead of being hidden behind the internal DNS resolver that forwarded its query.

11. **Pay attention to software updates.** Tell employees not to install Adobe Reader, Flash or Java updates when these pop up in the browser; instead, push all updates centrally or have users visit the vendor sites directly. Malware authors rely on social engineering to get employees to install fake Reader, Flash and Java updates, and these can be part of the infection vector. Consider removing widely exploited software such as Java or Flash where users do not need it.

For more on Palo Alto Networks solutions for this market, [visit our ICS and SCADA resource page](https://www.paloaltonetworks.com/industry/scada-and-industrial-control).
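Items 3 and 8 both depend on knowing what type a file really is. The Python below is an added example, not code from the original post or from PAN-OS: it identifies the content types the advisory names by their on-disk headers rather than by file extension, and maps each to the action the advisory recommends (block PE, RTF, HLP and LNK; forward documents and Java archives to WildFire). The sample files, the action table and the extension map are constructed for the example; the renamed executable "invoice.pdf" shows why an extension-only rule is not enough.

```python
import struct

# On-disk headers of the content types the advisory singles out. The byte
# values are the documented magics of each format; the grouping is ours.
RTF_MAGIC = b"{\\rtf"
PDF_MAGIC = b"%PDF-"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx) and Java .jar are ZIPs
HLP_MAGIC = b"\x3f\x5f\x03\x00"                   # WinHelp .hlp
# Shell link: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")


def is_pe(data: bytes) -> bool:
    """PE check: 'MZ' stub, e_lfanew at 0x3C, 'PE\\0\\0' at that offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"  # out-of-range slice is b""


def identify(data: bytes) -> str:
    """Content-based type, ignoring whatever name the file arrived with."""
    if is_pe(data):
        return "pe"  # covers .exe, .dll and .scr alike; .scr is just a renamed PE
    for magic, kind in ((RTF_MAGIC, "rtf"), (LNK_HEADER, "lnk"), (HLP_MAGIC, "hlp"),
                        (PDF_MAGIC, "pdf"), (OLE2_MAGIC, "ole2"), (ZIP_MAGIC, "zip")):
        if data.startswith(magic):
            return kind
    return "unknown"


# Constructed policy following the advisory: block executables and the
# high-risk RTF/HLP/LNK types, forward documents and archives to WildFire.
POLICY = {"pe": "block", "rtf": "block", "hlp": "block", "lnk": "block",
          "pdf": "forward", "ole2": "forward", "zip": "forward", "unknown": "allow"}

# What the extension claims the file is (constructed map for the example).
EXT_TO_TYPE = {"exe": "pe", "dll": "pe", "scr": "pe", "rtf": "rtf", "hlp": "hlp",
               "lnk": "lnk", "pdf": "pdf", "doc": "ole2", "xls": "ole2",
               "docx": "zip", "jar": "zip"}


def decide(filename: str, data: bytes) -> dict:
    """Action is driven by the real type; a mismatch is flagged for alerting."""
    actual = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    return {"claimed": claimed, "actual": actual,
            "mismatch": claimed != actual, "action": POLICY[actual]}


def build_min_pe() -> bytes:
    """Smallest byte string is_pe() accepts: MZ stub pointing at a PE signature."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


SAMPLES = {  # constructed inputs; "invoice.pdf" is an executable wearing a document name
    "update.exe": build_min_pe(),
    "invoice.pdf": build_min_pe(),
    "report.rtf": RTF_MAGIC + b"1\\ansi{\\*\\generator x;}}",
    "shortcut.lnk": LNK_HEADER + b"\x00" * 16,
    "manual.hlp": HLP_MAGIC + b"\x00" * 16,
    "quote.pdf": PDF_MAGIC + b"1.7\n%\xe2\xe3\xcf\xd3\n",
    "spec.doc": OLE2_MAGIC + b"\x00" * 16,
    "tool.jar": ZIP_MAGIC + b"\x00" * 26,
    "notes.txt": b"plain text, nothing to block",
}


def run(samples=SAMPLES) -> dict:
    return {name: decide(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in run().items():
        flag = " (extension mismatch)" if verdict["mismatch"] else ""
        print(f"{name:14} {verdict['actual']:8} -> {verdict['action']}{flag}")
```

The ZIP case is deliberately coarse: OOXML documents, JAR files and ordinary archives share the same container header, so a real filter has to look inside the archive before it can tell a .docx from a .jar, which is one more reason to forward that whole class to sandbox analysis rather than trust the extension.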
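Items 6 and 10 are about finding hosts that are already infected, and the sinkhole matters because of where the firewall sees the DNS query come from. The Python below is an added example, not code from the original post or from PAN-OS. It processes constructed log lines in a simplified comma-separated layout (not the real PAN-OS log format); the sinkhole address 203.0.113.1, the resolver 10.0.0.53 and the client addresses are assumptions. Attribution from the DNS threat log alone points only at the internal resolver; correlating connections to the sinkhole address with the sinkholed queries that preceded them names the actual endpoints.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SINKHOLE_IP = "203.0.113.1"   # assumed sinkhole address (RFC 5737 documentation range)
INTERNAL_DNS = "10.0.0.53"    # assumed internal recursive resolver

# Constructed log lines, simplified; not the real PAN-OS log format.
# Fields: time,log_type,src,dst,dport,detail
LOGS = """\
2014-07-09T10:00:01,threat,10.0.0.53,198.51.100.7,53,Suspicious DNS Query (domain=c2-a.example) sinkhole
2014-07-09T10:00:02,traffic,10.1.4.22,203.0.113.1,443,allow
2014-07-09T10:00:05,threat,10.0.0.53,198.51.100.7,53,Suspicious DNS Query (domain=c2-b.example) sinkhole
2014-07-09T10:00:06,traffic,10.1.7.90,203.0.113.1,80,allow
2014-07-09T10:03:10,traffic,10.1.4.22,93.184.216.34,443,allow
2014-07-09T10:05:00,threat,10.0.0.53,198.51.100.7,53,Suspicious DNS Query (domain=c2-a.example) sinkhole
2014-07-09T10:05:01,traffic,10.1.4.22,203.0.113.1,443,allow
"""

DOMAIN_RE = re.compile(r"domain=([^)\s]+)")


def parse_logs(text: str) -> list:
    entries = []
    for line in text.strip().splitlines():
        ts, log_type, src, dst, dport, detail = line.split(",", 5)
        entries.append({"time": datetime.fromisoformat(ts), "type": log_type,
                        "src": src, "dst": dst, "dport": int(dport), "detail": detail})
    return entries


def sinkholed_queries(entries: list) -> list:
    """(time, domain) for every DNS query the firewall answered with the sinkhole."""
    return [(e["time"], DOMAIN_RE.search(e["detail"]).group(1))
            for e in entries if e["type"] == "threat" and "sinkhole" in e["detail"]]


def naive_dns_sources(entries: list) -> set:
    """Hosts blamed using only the DNS threat log: the resolver, never the client."""
    return {e["src"] for e in entries if e["type"] == "threat" and "sinkhole" in e["detail"]}


def sinkhole_hits(entries: list) -> dict:
    """Real infected hosts: anything that opened a connection to the sinkhole address."""
    hits = defaultdict(int)
    for e in entries:
        if e["type"] == "traffic" and e["dst"] == SINKHOLE_IP:
            hits[e["src"]] += 1
    return dict(hits)


def correlate(entries: list, window_s: int = 30) -> dict:
    """Best-effort pairing of each sinkhole connection with the latest sinkholed
    query in the preceding window. The host is certain (from the traffic log);
    the domain is inferred, since the query itself came from the resolver."""
    queries = sinkholed_queries(entries)
    infected = defaultdict(set)
    for e in entries:
        if e["type"] != "traffic" or e["dst"] != SINKHOLE_IP:
            continue
        recent = [d for t, d in queries
                  if timedelta(0) <= e["time"] - t <= timedelta(seconds=window_s)]
        infected[e["src"]].add(recent[-1] if recent else "unknown-domain")
    return {host: sorted(domains) for host, domains in infected.items()}


if __name__ == "__main__":
    entries = parse_logs(LOGS)
    print("DNS log alone blames:", naive_dns_sources(entries), "(the resolver", INTERNAL_DNS + ")")
    print("Sinkhole connections per host:", sinkhole_hits(entries))
    for host, domains in correlate(entries).items():
        print(f"  {host} -> {', '.join(domains)}")
```

The correlation window is a tuning knob: a host that resolves a C2 domain and connects seconds later is easy to pair, but a sinkholed query with no follow-up connection, or a connection long after the query, should still be investigated on the strength of the sinkhole hit alone.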