| SYMBOL | COMMON_NAME | aka. SYNONYMS |
A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '
| 2025-04-15
⋅
Checkpoint
⋅
Renewed APT29 Phishing Campaign Against European Diplomats GRAPELOADER WINELOADER |
| 2024-08-29
⋅
Google
⋅
State-backed attackers and commercial surveillance vendors repeatedly use the same exploits ANDROSNATCH Unidentified APK 009 (Chrome Recon) COOKIESNATCH VALIDVICTOR |
| 2024-07-29
⋅
Mandiant
⋅
UNC4393 Goes Gently into the SILENTNIGHT Black Basta QakBot sRDI SystemBC Zloader UNC3973 UNC4393 |
| 2024-06-19
⋅
ANSSI
⋅
Malicious activities linked to the Nobelium intrusion set WINELOADER |
| 2024-06-03
⋅
Binary Defense
⋅
Wineloader – Analysis of the Infection Chain WINELOADER |
| 2024-03-22
⋅
Mandiant
⋅
APT29 Uses WINELOADER to Target German Political Parties WINELOADER |
| 2024-03-02
⋅
Twitter (@SinghSoodeep)
⋅
Tweet on WINELOADER targeting with German embassy themed lure WINELOADER |
| 2024-02-27
⋅
Twitter (@greglesnewich)
⋅
Tweet with context on TA421 / APT29 / Midnight Blizzard / BlueBravo / Cozy Bear WINELOADER |
| 2024-02-27
⋅
Zscaler
⋅
European diplomats targeted by SPIKEDWINE with WINELOADER WINELOADER SPIKEDWINE |
| 2023-12-13
⋅
CISA
⋅
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally GraphDrop |
| 2023-12-13
⋅
Fortinet
⋅
TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793 GraphDrop |
| 2023-09-29
⋅
ESET Research
⋅
Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company CLOUDBURST LightlessCan miniBlindingCan sRDI |
| 2023-09-28
⋅
CIP
⋅
Russia's Cyber Tactics H1' 2023 APT29 Sandworm Turla XakNet Zarya |
| 2023-09-22
⋅
Mandiant
⋅
Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations Brute Ratel C4 Cobalt Strike EnvyScout GraphDrop QUARTERRIG sRDI Unidentified 107 (APT29) |
| 2023-07-27
⋅
Recorded Future
⋅
BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware GraphDrop GraphicalNeutrino QUARTERRIG |
| 2023-07-26
⋅
⋅
Weixin
⋅
APT29 recently faked the German embassy and issued a malicious PDF file BEATDROP Unidentified 107 (APT29) |
| 2023-07-25
⋅
Avertium
⋅
EVOLUTION OF RUSSIAN APT29 – NEW ATTACKS AND TECHNIQUES UNCOVERED GraphDrop |
| 2023-07-12
⋅
Palo Alto Networks Unit 42
⋅
Diplomats Beware: Cloaked Ursa Phishing With a Twist GraphDrop |
| 2023-06-02
⋅
MSSP Lab
⋅
Malware analysis report: SNOWYAMBER (+APT29 related malwares) GraphicalNeutrino |
| 2023-04-13
⋅
GOV.PL
⋅
QUARTERRIG - Malware Analysis Report QUARTERRIG |
| 2023-04-13
⋅
⋅
CERT.PL
⋅
CERT Polska and SKW warn against the activities of Russian spies BOOMBOX EnvyScout SUNBURST |
| 2023-04-13
⋅
GOV.PL
⋅
HALFRIG - Malware Analysis Report HALFRIG |
| 2023-04-13
⋅
GOV.PL
⋅
SNOWYAMBER - Malware Analysis Report GraphicalNeutrino |
| 2023-03-27
⋅
Google
⋅
Threat Horizons: April 2023 Threat Horizons Report Gdrive APT41 |
| 2023-03-14
⋅
Blackberry
⋅
NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine EnvyScout GraphicalNeutrino |
| 2023-03-10
⋅
Mrtiepolo
⋅
Sophisticated APT29 Campaign Abuses Notion API to Target the European Commission BEATDROP EnvyScout GraphicalNeutrino tDiscoverer VaporRage |
| 2023-01-26
⋅
Recorded Future
⋅
BlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware GraphicalNeutrino APT29 |
| 2022-11-30
⋅
⋅
Qianxin Threat Intelligence Center
⋅
Analysis of APT29's attack activities against Italy Unidentified 098 (APT29 Slack Downloader) |
| 2022-09-21
⋅
Check Point
⋅
Native function and Assembly Code Invocation MiniDuke |
| 2022-09-14
⋅
Mandiant
⋅
It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp BLINDINGCAN miniBlindingCan sRDI |
| 2022-09-06
⋅
⋅
INCIBE-CERT
⋅
Estudio del análisis de Nobelium BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage |
| 2022-08-29
⋅
Cyfirma
⋅
CosmicDuke Malware Analysis Report CosmicDuke |
| 2022-07-20
⋅
Freebuf
⋅
Abused Slack Service: Analysis of APT29's Attack on Italy Unidentified 098 (APT29 Slack Downloader) |
| 2022-07-19
⋅
Palo Alto Networks Unit 42
⋅
Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive Cobalt Strike EnvyScout Gdrive |
| 2022-07-19
⋅
R136a1
⋅
A look into APT29's new early-stage Google Drive downloader BEATDROP BOOMBOX Gdrive Unidentified 098 (APT29 Slack Downloader) |
| 2022-07-18
⋅
Palo Alto Networks Unit 42
⋅
Cloaked Ursa APT29 |
| 2022-07-08
⋅
⋅
Cert-AgID
⋅
Il malware EnvyScout (APT29) è stato veicolato anche in Italia EnvyScout Unidentified 098 (APT29 Slack Downloader) |
| 2022-06-17
⋅
Github (monoxgas)
⋅
sRDI - Shellcode Reflective DLL Injection sRDI |
| 2022-05-16
⋅
Github (Dump-GUY)
⋅
Malware Analysis Report – APT29 C2-Client Dropbox Loader Unidentified 099 (APT29 Dropbox Loader) |
| 2022-04-29
⋅
Mandiant
⋅
Trello From the Other Side: Tracking APT29 Phishing Campaigns BEATDROP VaporRage |
| 2022-04-20
⋅
cocomelonc
⋅
Malware development: persistence - part 1. Registry run keys. C++ example. Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky |
| 2021-09-29
⋅
CYBER GEEKS All Things Infosec
⋅
How to defeat the Russian Dukes: A step-by-step analysis of MiniDuke used by APT29/Cozy Bear MiniDuke |
| 2021-05-28
⋅
Microsoft
⋅
Breaking down NOBELIUM’s latest early-stage toolset BOOMBOX Cobalt Strike |
| 2020-07-14
⋅
Telsy
⋅
Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene NewPass Turla |
| 2020-07-14
⋅
Cyborg Security
⋅
PYTHON MALWARE ON THE RISE Poet RAT PyLocky SEADADDY |
| 2020-05-18
⋅
One Night in Norfolk
⋅
Looking Back at LiteDuke LiteDuke |
| 2020-05-06
⋅
F-Secure Labs
⋅
039| Deconstructing the Dukes: A Researcher’s Retrospective of APT29 OnionDuke |
| 2020-03-26
⋅
VMWare Carbon Black
⋅
The Dukes of Moscow Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke |
| 2020-02-13
⋅
Qianxin
⋅
APT Report 2019 Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
| 2020-01-01
⋅
Secureworks
⋅
IRON HEMLOCK FatDuke MiniDuke OnionDuke PolyglotDuke APT29 |
| 2019-10-17
⋅
ESET Research
⋅
OPERATION GHOST The Dukes aren’t back — they never left FatDuke |
| 2019-10-17
⋅
ESET Research
⋅
Operation Ghost: The Dukes aren’t back – they never left PolyglotDuke |
| 2019-08-12
⋅
Kindred Security
⋅
An Overview of Public Platform C2’s HTML5 Encoding LOWBALL Makadocs MiniDuke RogueRobinNET RokRAT |
| 2019-01-01
⋅
Council on Foreign Relations
⋅
The Dukes APT29 |
| 2018-12-03
⋅
Microsoft
⋅
Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers APT29 |
| 2018-11-18
⋅
Stranded on Pylos Blog
⋅
CozyBear – In from the Cold? Cobalt Strike APT29 |
| 2017-05-31
⋅
MITRE
⋅
APT29 APT29 |
| 2017-04-03
⋅
FireEye
⋅
Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY) POSHSPY APT29 |
| 2017-02-20
⋅
Contagio Dump
⋅
Part I. Russian APT - APT28 collection of samples including OSX XAgent X-Agent Komplex Coreshell Downdelph HideDRV SEADADDY Sedreco Seduploader X-Agent XTunnel |
| 2017-02-10
⋅
Department of Homeland Security
⋅
AR-17-20045 - Enhanced Analysis of GRIZZLY STEPPE Activity APT29 |
| 2016-06-15
⋅
CrowdStrike
⋅
Bears in the Midst: Intrusion into the Democratic National Committee X-Agent ATI-Agent SEADADDY Seduploader X-Agent XTunnel APT28 |
| 2015-09-28
⋅
SecurityIntelligence
⋅
Hammertoss: What, Me Worry? tDiscoverer |
| 2015-09-17
⋅
F-Secure
⋅
The Dukes: 7 Years Of Russian Cyber-Espionage APT29 |
| 2015-09-01
⋅
F-Secure
⋅
The Dukes - 7 Years of Russian Cyberespionage PinchDuke |
| 2015-08-17
⋅
F-Secure Labs
⋅
THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE COZYDUKE GeminiDuke |
| 2015-07-29
⋅
Youtube (FireEye Inc.)
⋅
HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group tDiscoverer |
| 2015-07-22
⋅
F-Secure
⋅
Duke APT group's latest tools: cloud services and Linux support CloudDuke |
| 2015-07-13
⋅
Symantec
⋅
“Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory SEADADDY |
| 2015-07-01
⋅
FireEye
⋅
HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group tDiscoverer APT29 |
| 2014-11-15
⋅
Contagio Dump
⋅
OnionDuke samples OnionDuke |
| 2014-11-14
⋅
F-Secure
⋅
OnionDuke: APT Attacks Via the Tor Network OnionDuke |
| 2014-07-15
⋅
Palo Alto Networks Unit 42
⋅
Unit 42 Technical Analysis: Seaduke SEADADDY |
| 2014-07-03
⋅
F-Secure
⋅
COSMICDUKE: Cosmu with a twist of MiniDuke CosmicDuke |
| 2013-05-30
⋅
CIRCL
⋅
Analysis of a stage 3 Miniduke sample MiniDuke |
| 2013-02-28
⋅
FireEye
⋅
It's a Kind of Magic MiniDuke |