Home > List all groups > List all tools > List all groups using tool MiniDuke

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: MiniDuke

TypeDownloader, Backdoor
Description(F-Secure) The MiniDuke toolset consists of multiple downloader and backdoor components, which are commonly referred to as the MiniDuke “stage 1”, “stage 2”, and “stage 3” components as per Kaspersky’s original MiniDuke whitepaper. Additionally, a specific loader is often associated with the MiniDuke toolset and is referred to as the “MiniDuke loader”.

While the loader has often been used together with other MiniDuke components, it has also commonly been used in conjunction with CosmicDuke and PinchDuke. In fact, the oldest samples of the loader that we have found were used with PinchDuke. To avoid confusion however, we have decided to continue referring to the loader as the “MiniDuke loader”.

Two details about MiniDuke components are worth noting. Firstly, some of the MiniDuke components were written in Assembly language. While many malware were written in Assembly during the ‘old days‘ of curiosity-driven virus writing, it has since become a rarity. Secondly, some of the MiniDuke components do not contain a hardcoded C&C server address, but instead obtain the address of a current C&C server via Twitter. The use of Twitter either to initially obtain the address of a C&C server (or as a backup if no hardcoded primary C&C server responds) is a feature also found in OnionDuke, CozyDuke, and HammerDuke.
AlienVault OTX<>

Last change to this tool card: 22 April 2020

Download this tool card in JSON format

All groups using tool MiniDuke


APT groups

 APT 29, Cozy Bear, The DukesRussia2008-Jul 2021 HOTX

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key