Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study
ID: 72590a08-4f14-56c9-9782-f7f88934478f
STIX ID: report--72590a08-4f14-56c9-9782-f7f88934478f
Feed Name: Fox-IT blog
This report analyzes the Saitama DNS-tunnelling implant (linked to an APT campaign). It describes how the client encodes data using a shuffled alphabet seeded by a counter and a Mersenne Twister PRNG, how its long randomized sleep intervals and multi-domain distribution evade detection, and how a server-side proof-of-concept was developed to reproduce the traffic. The authors present detection guidance, including a Suricata signature and behavioral detection that combines randomness classification with hourly thresholds, and provide GitHub resources with the server implementation and PCAP/Zeek captures to enable testing and tuning of defensive controls.
