Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Dunihi by Houdini—Middle East Coffee & Spice Company Targeted

Does malware take a coffee break? Perhaps not.

Dunihi malware was found this time embedded in an execute file intended for a leading Middle Eastern purveyor of coffee and spices named Badri & Hania ( This malware is compiled in Microsoft intermediate language (MSIL) and has an icon that looks just like the logo for Badri & Hania:

When the icon is clicked, the user sees a box where they are asked to enter their name and mobile number.

(Snapshot of the Application)

CYREN first received this sample which is named “b&d.exe” on 17 November and at that time were the only company detecting it with our generic signature “W32/MSIL_Agent.Y.gen!Eldorado” as shown in the MetaScan-Online by OPSWAT. In static analysis of the application, we found this obfuscated VBScript code embedded into it.

(Embedded Obfuscated VBScript)

It reveals the code of Dunihi malware upon deobfuscation of the VBScript. We’ve not seen any significant changes to this new variant from the last Dunihi aside from its initial configuration. We detect this as VBS/Dunihi.T. The New Dunihi server is “” a subdomain of “” and uses port 4152. as seen in the code snippet below.

(Initial Configuration of Dunihi)

The IP addresses ( belongs to “Hadara Technologies Private Shareholding Company”.

We recommend blocking the IP address ( and keeping your antivirus definitions up to date to protect you from malware such as this.

You might also like

Phishing with QR codes

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...