win.cozyduke

COZYDUKE

aka: CozyCar, Cozer, CozyBear, EuroAPT

Actor(s): APT29


CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around
a core backdoor component. This component can be instructed by the C&C server to download
and execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array
of functionality. Known CozyDuke modules include:
• Command execution module for executing arbitrary Windows Command Prompt commands
• Password stealer module
• NT LAN Manager (NTLM) hash stealer module
• System information gathering module
• Screenshot module

References
cocomelonc (2022-04-20). "Malware development: persistence - part 1. Registry run keys. C++ example." cocomelonc. https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html (accessed 2022-12-01)

Noora Hyvärinen and F-Secure Threat Intelligence Team (2015-08-17). "The Dukes: 7 Years of Russian Cyberespionage." F-Secure Labs. https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf (accessed 2022-11-15)

There is no YARA signature yet.