
APT29

aka: Group 100, COZY BEAR, The Dukes, Minidionis, SeaDuke, YTTRIUM, IRON HEMLOCK, Grizzly Steppe, G0016, ATK7, Cloaked Ursa, TA421, Blue Kitsune, ITG11, BlueBravo

A 2015 report by F-Secure describes APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss).'


Associated Families
win.boombox win.cloud_duke win.cosmicduke win.cozyduke win.fatduke win.gdrive win.halfrig win.liteduke win.miniduke win.newpass win.onionduke win.pinchduke win.polyglotduke win.seadaddy win.tdiscoverer win.unidentified_098 win.unidentified_099 win.vapor_rage win.graphical_neutrino win.quarterrig win.beatdrop

References
2023-07-27 | Recorded Future | Insikt Group | BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware
@techreport{group:20230727:bluebravo:b456f7d, author = {Insikt Group}, title = {{BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware}}, date = {2023-07-27}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf}, language = {English}, urldate = {2023-07-28} }
Tags: GraphDrop GraphicalNeutrino QUARTERRIG

2023-07-26 | Weixin | Anheng Threat Intelligence Center | APT29 recently faked the German embassy and issued a malicious PDF file
@online{center:20230726:apt29:dec5309, author = {Anheng Threat Intelligence Center}, title = {{APT29 recently faked the German embassy and issued a malicious PDF file}}, date = {2023-07-26}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA%3D%3D&mid=2247494783&idx=1&sn=612cf3cea1ef62e04bfb6bd0ce3b6b65&chksm=f9ed80c0ce9a09d6f5edc1424df5260cb9a9cf55fe92bd922407eef960650e91ec8cc46933ab&scene=178&cur_album_id=1375769135073951745}, language = {Chinese}, urldate = {2023-07-28} }
Tags: BEATDROP Unidentified 107 (APT29)

2023-06-02 | MSSP Lab | cocomelonc | Malware analysis report: SNOWYAMBER (+APT29 related malwares)
@online{cocomelonc:20230602:malware:6b0c57b, author = {cocomelonc}, title = {{Malware analysis report: SNOWYAMBER (+APT29 related malwares)}}, date = {2023-06-02}, organization = {MSSP Lab}, url = {https://mssplab.github.io/threat-hunting/2023/06/02/malware-analysis-apt29.html}, language = {English}, urldate = {2023-06-05} }
Tags: GraphicalNeutrino

2023-04-13 | GOV.PL | Military Counterintelligence Service, CERT.PL | SNOWYAMBER - Malware Analysis Report
@online{service:20230413:snowyamber:f5404f6, author = {Military Counterintelligence Service and CERT.PL}, title = {{SNOWYAMBER - Malware Analysis Report}}, date = {2023-04-13}, organization = {GOV.PL}, url = {https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d}, language = {English}, urldate = {2023-06-01} }
Tags: GraphicalNeutrino

2023-04-13 | GOV.PL | Military Counterintelligence Service, CERT.PL | HALFRIG - Malware Analysis Report
@online{service:20230413:halfrig:787dcfb, author = {Military Counterintelligence Service and CERT.PL}, title = {{HALFRIG - Malware Analysis Report}}, date = {2023-04-13}, organization = {GOV.PL}, url = {https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb}, language = {English}, urldate = {2023-06-01} }
Tags: HALFRIG

2023-04-13 | CERT.PL | CERT.PL | CERT Polska and SKW warn against the activities of Russian spies
@online{certpl:20230413:cert:fbd2671, author = {CERT.PL}, title = {{CERT Polska and SKW warn against the activities of Russian spies}}, date = {2023-04-13}, organization = {CERT.PL}, url = {https://cert.pl/posts/2023/04/kampania-szpiegowska-apt29/}, language = {Polish}, urldate = {2023-05-25} }
Tags: BOOMBOX EnvyScout SUNBURST

2023-04-13 | GOV.PL | Military Counterintelligence Service, CERT.PL | QUARTERRIG - Malware Analysis Report
@online{service:20230413:quarterrig:0435e72, author = {Military Counterintelligence Service and CERT.PL}, title = {{QUARTERRIG - Malware Analysis Report}}, date = {2023-04-13}, organization = {GOV.PL}, url = {https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77}, language = {English}, urldate = {2023-06-01} }
Tags: QUARTERRIG

2023-03-27 | Google | Google Cybersecurity Action Team | Threat Horizons: April 2023 Threat Horizons Report
@techreport{team:20230327:threat:4aae33b, author = {Google Cybersecurity Action Team}, title = {{Threat Horizons: April 2023 Threat Horizons Report}}, date = {2023-03-27}, institution = {Google}, url = {https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf}, language = {English}, urldate = {2023-04-22} }
Tags: Gdrive APT41

2023-03-14 | Blackberry | BlackBerry Research & Intelligence Team | NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine
@online{team:20230314:nobelium:f35029b, author = {BlackBerry Research & Intelligence Team}, title = {{NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine}}, date = {2023-03-14}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine}, language = {English}, urldate = {2023-03-14} }
Tags: EnvyScout GraphicalNeutrino

2023-03-10 | Mrtiepolo | Gianluca Tiepolo | Sophisticated APT29 Campaign Abuses Notion API to Target the European Commission
@online{tiepolo:20230310:sophisticated:2892d3e, author = {Gianluca Tiepolo}, title = {{Sophisticated APT29 Campaign Abuses Notion API to Target the European Commission}}, date = {2023-03-10}, organization = {Mrtiepolo}, url = {https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58}, language = {English}, urldate = {2023-03-14} }
Tags: BEATDROP EnvyScout GraphicalNeutrino tDiscoverer VaporRage

2023-01-26 | Recorded Future | Insikt Group | BlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware
@techreport{group:20230126:bluebravo:9d6aa62, author = {Insikt Group}, title = {{BlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware}}, date = {2023-01-26}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf}, language = {English}, urldate = {2023-02-02} }
Tags: GraphicalNeutrino APT29

2022-11-30 | Qianxin Threat Intelligence Center | Red Raindrop Team | Analysis of APT29's attack activities against Italy
@online{team:20221130:analysis:aa1ce2e, author = {Red Raindrop Team}, title = {{Analysis of APT29's attack activities against Italy}}, date = {2022-11-30}, organization = {Qianxin Threat Intelligence Center}, url = {https://ti.qianxin.com/blog/articles/analysis-of-apt29%27s-attack-activities-against-italy/}, language = {Chinese}, urldate = {2022-12-20} }
Tags: Unidentified 098 (APT29 Slack Downloader)

2022-09-21 | Check Point | Jiří Vinopal | Native function and Assembly Code Invocation
@online{vinopal:20220921:native:e68056c, author = {Jiří Vinopal}, title = {{Native function and Assembly Code Invocation}}, date = {2022-09-21}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation/}, language = {English}, urldate = {2022-09-26} }
Tags: MiniDuke

2022-09-06 | INCIBE-CERT | INCIBE | Nobelium analysis study (original title in Spanish: Estudio del análisis de Nobelium)
@techreport{incibe:20220906:estudio:20f14b0, author = {INCIBE}, title = {{Estudio del análisis de Nobelium}}, date = {2022-09-06}, institution = {INCIBE-CERT}, url = {https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf}, language = {Spanish}, urldate = {2022-11-22} }
Tags: BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage

2022-08-29 | Cyfirma | cyfirma | CosmicDuke Malware Analysis Report
@online{cyfirma:20220829:cosmicduke:9cecbd7, author = {cyfirma}, title = {{CosmicDuke Malware Analysis Report}}, date = {2022-08-29}, organization = {Cyfirma}, url = {https://www.cyfirma.com/outofband/cosmicduke-malware-analysis/}, language = {English}, urldate = {2022-09-20} }
Tags: CosmicDuke

2022-07-20 | Freebuf | Qi Anxin Threat Intelligence Center | Abused Slack Service: Analysis of APT29's Attack on Italy
@online{center:20220720:abused:27d014d, author = {Qi Anxin Threat Intelligence Center}, title = {{Abused Slack Service: Analysis of APT29's Attack on Italy}}, date = {2022-07-20}, organization = {Freebuf}, url = {https://www.freebuf.com/articles/paper/339618.html}, language = {English}, urldate = {2022-10-19} }
Tags: Unidentified 098 (APT29 Slack Downloader)

2022-07-19 | R136a1 | Dominik Reichel | A look into APT29's new early-stage Google Drive downloader
@online{reichel:20220719:look:84e1e01, author = {Dominik Reichel}, title = {{A look into APT29's new early-stage Google Drive downloader}}, date = {2022-07-19}, organization = {R136a1}, url = {https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/}, language = {English}, urldate = {2022-10-19} }
Tags: BEATDROP BOOMBOX Gdrive Unidentified 098 (APT29 Slack Downloader)

2022-07-19 | Palo Alto Networks Unit 42 | Mike Harbison, Peter Renals | Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive
@online{harbison:20220719:russian:acbf388, author = {Mike Harbison and Peter Renals}, title = {{Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive}}, date = {2022-07-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/}, language = {English}, urldate = {2022-07-19} }
Tags: Cobalt Strike EnvyScout Gdrive

2022-07-18 | Palo Alto Networks Unit 42 | Unit 42 | Cloaked Ursa
@online{42:20220718:cloaked:ae3f3ab, author = {Unit 42}, title = {{Cloaked Ursa}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/}, language = {English}, urldate = {2022-07-29} }
Tags: APT29

2022-07-08 | Cert-AgID | Cert-AgID | The EnvyScout malware (APT29) has also been delivered in Italy (original title in Italian: Il malware EnvyScout (APT29) è stato veicolato anche in Italia)
@online{certagid:20220708:il:c02e771, author = {Cert-AgID}, title = {{Il malware EnvyScout (APT29) è stato veicolato anche in Italia}}, date = {2022-07-08}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/}, language = {Italian}, urldate = {2022-10-19} }
Tags: EnvyScout Unidentified 098 (APT29 Slack Downloader)

2022-05-16 | Github (Dump-GUY) | Jiří Vinopal | Malware Analysis Report – APT29 C2-Client Dropbox Loader
@online{vinopal:20220516:malware:f716c6a, author = {Jiří Vinopal}, title = {{Malware Analysis Report – APT29 C2-Client Dropbox Loader}}, date = {2022-05-16}, organization = {Github (Dump-GUY)}, url = {https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md}, language = {English}, urldate = {2022-05-25} }
Tags: Unidentified 099 (APT29 Dropbox Loader)

2022-04-29 | Mandiant | John Wolfram, Sarah Hawley, Tyler McLellan, Nick Simonian, Anders Vejlby | Trello From the Other Side: Tracking APT29 Phishing Campaigns
@online{wolfram:20220429:trello:c078513, author = {John Wolfram and Sarah Hawley and Tyler McLellan and Nick Simonian and Anders Vejlby}, title = {{Trello From the Other Side: Tracking APT29 Phishing Campaigns}}, date = {2022-04-29}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns}, language = {English}, urldate = {2022-10-19} }
Tags: BEATDROP VaporRage

2022-04-20 | cocomelonc | cocomelonc | Malware development: persistence - part 1. Registry run keys. C++ example.
@online{cocomelonc:20220420:malware:b20963e, author = {cocomelonc}, title = {{Malware development: persistence - part 1. Registry run keys. C++ example.}}, date = {2022-04-20}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html}, language = {English}, urldate = {2022-12-01} }
Tags: Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky

2021-09-29 | CYBER GEEKS All Things Infosec | CyberMasterV | How to defeat the Russian Dukes: A step-by-step analysis of MiniDuke used by APT29/Cozy Bear
@online{cybermasterv:20210929:how:b7fbf82, author = {CyberMasterV}, title = {{How to defeat the Russian Dukes: A step-by-step analysis of MiniDuke used by APT29/Cozy Bear}}, date = {2021-09-29}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/}, language = {English}, urldate = {2021-10-14} }
Tags: MiniDuke

2021-05-28 | Microsoft | Microsoft Threat Intelligence Center (MSTIC) | Breaking down NOBELIUM’s latest early-stage toolset
@online{mstic:20210528:breaking:f55e372, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{Breaking down NOBELIUM’s latest early-stage toolset}}, date = {2021-05-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/}, language = {English}, urldate = {2022-05-17} }
Tags: BOOMBOX Cobalt Strike

2020-07-14 | Telsy | Telsy | Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene
@online{telsy:20200714:turla:ef6592e, author = {Telsy}, title = {{Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene}}, date = {2020-07-14}, organization = {Telsy}, url = {https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/}, language = {English}, urldate = {2020-07-16} }
Tags: NewPass Turla

2020-07-14 | Cyborg Security | Austin Jackson | PYTHON MALWARE ON THE RISE
@online{jackson:20200714:python:6b03611, author = {Austin Jackson}, title = {{PYTHON MALWARE ON THE RISE}}, date = {2020-07-14}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/}, language = {English}, urldate = {2020-12-23} }
Tags: Poet RAT PyLocky SEADADDY

2020-05-18 | One Night in Norfolk | Kevin Perlow | Looking Back at LiteDuke
@online{perlow:20200518:looking:eaa7bde, author = {Kevin Perlow}, title = {{Looking Back at LiteDuke}}, date = {2020-05-18}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/looking-back-at-liteduke/}, language = {English}, urldate = {2020-05-18} }
Tags: LiteDuke

2020-05-06 | F-Secure Labs | Melissa Michael, Artturi Lehtiö | 039| Deconstructing the Dukes: A Researcher’s Retrospective of APT29
@online{michael:20200506:039:49d4744, author = {Melissa Michael and Artturi Lehtiö}, title = {{039| Deconstructing the Dukes: A Researcher’s Retrospective of APT29}}, date = {2020-05-06}, organization = {F-Secure Labs}, url = {https://blog.f-secure.com/podcast-dukes-apt29/}, language = {English}, urldate = {2020-07-06} }
Tags: OnionDuke

2020-03-26 | VMWare Carbon Black | Scott Knight | The Dukes of Moscow
@online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} }
Tags: Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center | APT Report 2019
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Tags: Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020 | Secureworks | SecureWorks | IRON HEMLOCK
@online{secureworks:2020:iron:59396c7, author = {SecureWorks}, title = {{IRON HEMLOCK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hemlock}, language = {English}, urldate = {2020-05-23} }
Tags: FatDuke MiniDuke OnionDuke PolyglotDuke APT29

2019-10-17 | ESET Research | ESET Research | Operation Ghost: The Dukes aren’t back – they never left
@online{research:20191017:operation:812f836, author = {ESET Research}, title = {{Operation Ghost: The Dukes aren’t back – they never left}}, date = {2019-10-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/}, language = {English}, urldate = {2020-01-09} }
Tags: PolyglotDuke

2019-10-17 | ESET Research | Matthieu Faou, Mathieu Tartare, Thomas Dupuy | OPERATION GHOST The Dukes aren’t back — they never left
@techreport{faou:20191017:operation:b695c9b, author = {Matthieu Faou and Mathieu Tartare and Thomas Dupuy}, title = {{OPERATION GHOST The Dukes aren’t back — they never left}}, date = {2019-10-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf}, language = {English}, urldate = {2020-05-18} }
Tags: FatDuke

2019-08-12 | Kindred Security | Kindred Security | An Overview of Public Platform C2’s
@online{security:20190812:overview:0726c0a, author = {Kindred Security}, title = {{An Overview of Public Platform C2’s}}, date = {2019-08-12}, organization = {Kindred Security}, url = {https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/}, language = {English}, urldate = {2021-07-20} }
Tags: HTML5 Encoding LOWBALL Makadocs MiniDuke RogueRobinNET RokRAT

2019 | Council on Foreign Relations | Cyber Operations Tracker | The Dukes
@online{tracker:2019:dukes:3e4d497, author = {Cyber Operations Tracker}, title = {{The Dukes}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/dukes}, language = {English}, urldate = {2019-12-20} }
Tags: APT29

2018-12-03 | Microsoft | Microsoft Defender ATP Research Team | Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers
@online{team:20181203:analysis:828df29, author = {Microsoft Defender ATP Research Team}, title = {{Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers}}, date = {2018-12-03}, organization = {Microsoft}, url = {https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/}, language = {English}, urldate = {2020-01-09} }
Tags: APT29

2018-11-18 | Stranded on Pylos Blog | Joe | CozyBear – In from the Cold?
@online{joe:20181118:cozybear:4801301, author = {Joe}, title = {{CozyBear – In from the Cold?}}, date = {2018-11-18}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/}, language = {English}, urldate = {2020-01-09} }
Tags: Cobalt Strike APT29

2017-05-31 | MITRE | MITRE ATT&CK | APT29
@online{attck:20170531:apt29:27ed60c, author = {MITRE ATT&CK}, title = {{APT29}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0016}, language = {English}, urldate = {2022-07-13} }
Tags: APT29

2017-04-03 | FireEye | Matthew Dunwoody | Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)
@online{dunwoody:20170403:dissecting:65071e7, author = {Matthew Dunwoody}, title = {{Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)}}, date = {2017-04-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html}, language = {English}, urldate = {2019-12-20} }
Tags: POSHSPY APT29

2017-02-20 | Contagio Dump | Mila Parkour | Part I. Russian APT - APT28 collection of samples including OSX XAgent
@online{parkour:20170220:part:c54b5de, author = {Mila Parkour}, title = {{Part I. Russian APT - APT28 collection of samples including OSX XAgent}}, date = {2017-02-20}, organization = {Contagio Dump}, url = {https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html}, language = {English}, urldate = {2019-11-26} }
Tags: X-Agent Komplex Coreshell Downdelph HideDRV SEADADDY Sedreco Seduploader X-Agent XTunnel

2017-02-10 | Department of Homeland Security | National Cybersecurity and Communications Integration Center | AR-17-20045 - Enhanced Analysis of GRIZZLY STEPPE Activity
@techreport{cybersecurity:20170210:ar1720045:43c91fd, author = {National Cybersecurity and Communications Integration Center}, title = {{AR-17-20045 - Enhanced Analysis of GRIZZLY STEPPE Activity}}, date = {2017-02-10}, institution = {Department of Homeland Security}, url = {https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf}, language = {English}, urldate = {2019-11-05} }
Tags: APT29

2016-06-15 | CrowdStrike | Dmitri Alperovitch | Bears in the Midst: Intrusion into the Democratic National Committee
@online{alperovitch:20160615:bears:604c1d9, author = {Dmitri Alperovitch}, title = {{Bears in the Midst: Intrusion into the Democratic National Committee}}, date = {2016-06-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/}, language = {English}, urldate = {2022-03-14} }
Tags: X-Agent ATI-Agent SEADADDY Seduploader X-Agent XTunnel APT28

2015-09-28 | SecurityIntelligence | David Strom | Hammertoss: What, Me Worry?
@online{strom:20150928:hammertoss:b643bfe, author = {David Strom}, title = {{Hammertoss: What, Me Worry?}}, date = {2015-09-28}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/hammertoss-what-me-worry/}, language = {English}, urldate = {2021-02-10} }
Tags: tDiscoverer

2015-09-17 | F-Secure | F-Secure Labs | The Dukes: 7 Years Of Russian Cyber-Espionage
@online{labs:20150917:dukes:767fbef, author = {F-Secure Labs}, title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}}, date = {2015-09-17}, organization = {F-Secure}, url = {https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/}, language = {English}, urldate = {2020-01-13} }
Tags: APT29

2015-09 | F-Secure | F-Secure Labs | The Dukes - 7 Years of Russian Cyberespionage
@techreport{labs:201509:dukes:035f864, author = {F-Secure Labs}, title = {{The Dukes - 7 Years of Russian Cyberespionage}}, date = {2015-09}, institution = {F-Secure}, url = {https://blog.f-secure.com/wp-content/uploads/2020/03/F-Secure_Dukes_Whitepaper.pdf}, language = {English}, urldate = {2022-10-20} }
Tags: PinchDuke

2015-08-17 | F-Secure Labs | Noora Hyvärinen, F-Secure Threat Intelligence Team | THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE
@techreport{hyvrinen:20150817:dukes:4a0e858, author = {Noora Hyvärinen and F-Secure Threat Intelligence Team}, title = {{THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE}}, date = {2015-08-17}, institution = {F-Secure Labs}, url = {https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf}, language = {English}, urldate = {2022-11-15} }
Tags: COZYDUKE GeminiDuke

2015-07-29 | Youtube (FireEye Inc.) | FireEye | HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group
@online{fireeye:20150729:hammertoss:96456d6, author = {FireEye}, title = {{HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group}}, date = {2015-07-29}, organization = {Youtube (FireEye Inc.)}, url = {https://www.youtube.com/watch?v=UE9suwyuic8}, language = {English}, urldate = {2021-02-10} }
Tags: tDiscoverer

2015-07-22 | F-Secure | Artturi Lehtiö | Duke APT group's latest tools: cloud services and Linux support
@online{lehti:20150722:duke:8f54e8b, author = {Artturi Lehtiö}, title = {{Duke APT group's latest tools: cloud services and Linux support}}, date = {2015-07-22}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002822.html}, language = {English}, urldate = {2019-10-15} }
Tags: CloudDuke

2015-07-13 | Symantec | A L Johnson | “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory
@online{johnson:20150713:forkmeiamfamous:64957d9, author = {A L Johnson}, title = {{“Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory}}, date = {2015-07-13}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-08-19} }
Tags: SEADADDY

2015-07 | FireEye | FireEye Threat Intelligence | HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group
@techreport{intelligence:201507:hammertoss:9275999, author = {FireEye Threat Intelligence}, title = {{HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group}}, date = {2015-07}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf}, language = {English}, urldate = {2019-10-23} }
Tags: tDiscoverer APT29

2014-11-15 | Contagio Dump | Mila Parkour | OnionDuke samples
@online{parkour:20141115:onionduke:6c548c4, author = {Mila Parkour}, title = {{OnionDuke samples}}, date = {2014-11-15}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2014/11/onionduke-samples.html}, language = {English}, urldate = {2019-12-20} }
Tags: OnionDuke

2014-11-14 | F-Secure | F-Secure Labs | OnionDuke: APT Attacks Via the Tor Network
@online{labs:20141114:onionduke:dc56d5c, author = {F-Secure Labs}, title = {{OnionDuke: APT Attacks Via the Tor Network}}, date = {2014-11-14}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002764.html}, language = {English}, urldate = {2020-01-09} }
Tags: OnionDuke

2014-07-15 | Palo Alto Networks Unit 42 | Josh Grunzweig | Unit 42 Technical Analysis: Seaduke
@online{grunzweig:20140715:unit:0cf98cb, author = {Josh Grunzweig}, title = {{Unit 42 Technical Analysis: Seaduke}}, date = {2014-07-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/}, language = {English}, urldate = {2020-08-19} }
Tags: SEADADDY

2014-07-03 | F-Secure | F-Secure Labs | COSMICDUKE: Cosmu with a twist of MiniDuke
@techreport{labs:20140703:cosmicduke:dbbee08, author = {F-Secure Labs}, title = {{COSMICDUKE: Cosmu with a twist of MiniDuke}}, date = {2014-07-03}, institution = {F-Secure}, url = {https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf}, language = {English}, urldate = {2022-09-20} }
Tags: CosmicDuke

2013-05-30 | CIRCL | CIRCL | Analysis of a stage 3 Miniduke sample
@techreport{circl:20130530:analysis:e828e08, author = {CIRCL}, title = {{Analysis of a stage 3 Miniduke sample}}, date = {2013-05-30}, institution = {CIRCL}, url = {https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf}, language = {English}, urldate = {2020-01-08} }
Tags: MiniDuke

2013-02-28 | FireEye | James T. Bennett | It's a Kind of Magic
@online{bennett:20130228:its:1534b7e, author = {James T. Bennett}, title = {{It's a Kind of Magic}}, date = {2013-02-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html}, language = {English}, urldate = {2020-04-24} }
Tags: MiniDuke

Credits: MISP Project