Blog | G5 Cyber Security

xHunt Campaign: New PowerShell Backdoor Blocked Through DNS Tunnel Detection

“In June 2019, we observed one of these overlapping domains, specifically, windows64x[.]com, being used as the C2 server for a new backdoor that we've named CASHY200. This backdoor used DNS tunneling to communicate with its C2 server, specifically by issuing DNS A queries to the actor controlled name server at the aforementioned domain. By analyzing the lineage of this tool, we found that actors may have used CASHY200 when targeting Kuwait government organizations starting in the spring of 2018 and continuing throughout 2019.”

Source: https://unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/
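The excerpt describes C2 traffic carried in DNS A queries to an actor-controlled name server, and the article title credits DNS tunnel detection with blocking it. As an added illustration (not code from Unit 42 or from this blog), the script below shows the kind of per-domain heuristic a detection engineer would run over resolver logs: for each registered domain, count how many A queries used a never-before-seen subdomain and how random those subdomain labels look. The log format, the thresholds, and the subdomain labels are all assumptions; the sample lines are constructed for the example and do not reproduce CASHY200's actual encoding scheme, only the domain named in the excerpt.

```python
import math
import re
from collections import defaultdict

# Constructed sample of resolver log lines (not real telemetry). Assumed format:
# "<timestamp> <client_ip> <qtype> <qname>". The windows64x.com queries use
# made-up hex labels; they are NOT CASHY200's real subdomain encoding.
SAMPLE_LOG = """\
2019-06-03T10:01:02Z 10.0.0.15 A www.microsoft.com
2019-06-03T10:01:05Z 10.0.0.15 A 3a6f9c1e.windows64x.com
2019-06-03T10:01:06Z 10.0.0.15 A 5b2d8e04c71a.windows64x.com
2019-06-03T10:01:07Z 10.0.0.15 A 9f0e1d2c3b4a5968.windows64x.com
2019-06-03T10:01:08Z 10.0.0.15 A 77ab19cd.windows64x.com
2019-06-03T10:01:09Z 10.0.0.15 A e1f2a3b4c5d6.windows64x.com
2019-06-03T10:01:10Z 10.0.0.15 A 0c1d2e3f4a5b6c7d.windows64x.com
2019-06-03T10:01:12Z 10.0.0.22 A mail.google.com
2019-06-03T10:01:13Z 10.0.0.22 A www.google.com
2019-06-03T10:01:14Z 10.0.0.15 A login.live.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, dictionary labels low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Assumption: a two-label apex (example.com). Real deployments should use
    the public suffix list so co.uk-style apexes are not mis-split."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def profile_queries(log_text: str) -> dict:
    """Aggregate A-query statistics per registered domain."""
    stats = defaultdict(lambda: {"queries": 0, "unique_subdomains": set(), "entropies": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, _client, qtype, qname = m.groups()
        if qtype != "A":
            continue  # the excerpt describes A-record tunnelling; other types are out of scope here
        apex = registered_domain(qname)
        sub = qname.lower().rstrip(".")[: -len(apex)].rstrip(".")
        s = stats[apex]
        s["queries"] += 1
        if sub:
            s["unique_subdomains"].add(sub)
            s["entropies"].append(shannon_entropy(sub))
    return stats


def flag_tunnel_candidates(log_text: str, min_queries: int = 5,
                           min_unique_ratio: float = 0.9, min_entropy: float = 3.0) -> dict:
    """Flag apex domains where nearly every query carries a fresh, high-entropy
    subdomain. Thresholds are illustrative assumptions, not tuned values."""
    out = {}
    for apex, s in profile_queries(log_text).items():
        if s["queries"] < min_queries:
            continue
        unique_ratio = len(s["unique_subdomains"]) / s["queries"]
        avg_entropy = sum(s["entropies"]) / len(s["entropies"]) if s["entropies"] else 0.0
        if unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy:
            out[apex] = {
                "queries": s["queries"],
                "unique_ratio": round(unique_ratio, 2),
                "avg_entropy": round(avg_entropy, 2),
            }
    return out


if __name__ == "__main__":
    for apex, info in flag_tunnel_candidates(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: {apex} {info}")
```

On the constructed sample only windows64x.com is flagged: six A queries, every one to a distinct subdomain, average label entropy above 3 bits per character. In production the same two signals (unique-subdomain ratio and label entropy) need an allowlist, because CDNs, anti-malware lookups and some telemetry services legitimately generate large numbers of unique, random-looking subdomains; the volume-over-time and query-type mix per client are the usual next signals to add.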
