360 Threat Intelligence Center captured several lure Excel documents written in Arabic in January 9, 2019. A backdoor dropped by macro in the lure documents can communicate with C2 server through DNS tunnel, as well as Google Drive API.

https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/