win.onionduke

OnionDuke

Actor(s): APT29


OnionDuke is a sophisticated piece of malware that threat actors distributed through a malicious exit node on the Tor anonymity network; researchers at F-Secure, who discovered it, assess that it appears to be related to the notorious MiniDuke. According to the same researchers, since at least February 2014 the threat actors have also distributed the malware through trojanized versions of pirated software hosted on torrent websites.

References
2020-05-06 — F-Secure Labs — Artturi Lehtiö, Melissa Michael
039| Deconstructing the Dukes: A Researcher’s Retrospective of APT29
OnionDuke
2020-03-26 — VMware Carbon Black — Scott Knight
The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
2020-01-01 — Secureworks — SecureWorks
IRON HEMLOCK
FatDuke MiniDuke OnionDuke PolyglotDuke APT29
2014-11-15 — Contagio Dump — Mila Parkour
OnionDuke samples
OnionDuke
2014-11-14 — F-Secure — F-Secure Labs
OnionDuke: APT Attacks Via the Tor Network
OnionDuke
Yara Rules
[TLP:WHITE] win_onionduke_auto (20260504 | Detects win.onionduke.)
rule win_onionduke_auto {
    /*
     * Auto-generated code-sequence rule for OnionDuke (Malpedia family
     * win.onionduke). Each $sequence_N string is a short run of x86 opcode
     * bytes taken from the disassembly of unpacked/dumped code (see the
     * DISCLAIMER below); the rule fires when most of those runs are found.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.onionduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /*
     * NOTE(review): the strings below were extracted from memory dumps and
     * unpacked files (per the disclaimer), so a packed or otherwise
     * transformed on-disk sample may not match; scan process memory or
     * unpacked payloads for best results. All ten sequences report the same
     * score (200) — consistent with the single-sample caveat above; confirm
     * against the signator output before assigning a confidence level.
     */

    strings:
        $sequence_0 = { 42 3bd7 72b9 5e c6047800 5f 5d }
            // n = 7, score = 200
            //   42                   | inc                 edx
            //   3bd7                 | cmp                 edx, edi
            //   72b9                 | jb                  0xffffffbb
            //   5e                   | pop                 esi
            //   c6047800             | mov                 byte ptr [eax + edi*2], 0
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp

        $sequence_1 = { 5f 895e24 5b b801000000 5e }
            // n = 5, score = 200
            //   5f                   | pop                 edi
            //   895e24               | mov                 dword ptr [esi + 0x24], ebx
            //   5b                   | pop                 ebx
            //   b801000000           | mov                 eax, 1
            //   5e                   | pop                 esi

        // Looks like a byte-wise XOR loop widening each decoded byte into a
        // word — presumably a string/config decoder; verify in the sample.
        $sequence_2 = { 8a441103 3245ff 41 0fb6d0 6689544ffe 3bce }
            // n = 6, score = 200
            //   8a441103             | mov                 al, byte ptr [ecx + edx + 3]
            //   3245ff               | xor                 al, byte ptr [ebp - 1]
            //   41                   | inc                 ecx
            //   0fb6d0               | movzx               edx, al
            //   6689544ffe           | mov                 word ptr [edi + ecx*2 - 2], dx
            //   3bce                 | cmp                 ecx, esi

        // The e8 (call) target is wildcarded: relative call displacements
        // differ between builds/load addresses, so only the opcode is matched.
        $sequence_3 = { 7202 8b00 8b4d08 51 50 e8???????? }
            // n = 6, score = 200
            //   7202                 | jb                  4
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_4 = { 8b03 7922 8b5008 56 }
            // n = 4, score = 200
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   7922                 | jns                 0x24
            //   8b5008               | mov                 edx, dword ptr [eax + 8]
            //   56                   | push                esi

        $sequence_5 = { 84c9 7421 8b55fc 8a12 }
            // n = 4, score = 200
            //   84c9                 | test                cl, cl
            //   7421                 | je                  0x23
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8a12                 | mov                 dl, byte ptr [edx]

        $sequence_6 = { 8b4604 8b4e08 2bc8 c1f903 3bcf 770a }
            // n = 6, score = 200
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   2bc8                 | sub                 ecx, eax
            //   c1f903               | sar                 ecx, 3
            //   3bcf                 | cmp                 ecx, edi
            //   770a                 | ja                  0xc

        $sequence_7 = { 83c40c 33c9 eb08 8b56d0 }
            // n = 4, score = 200
            //   83c40c               | add                 esp, 0xc
            //   33c9                 | xor                 ecx, ecx
            //   eb08                 | jmp                 0xa
            //   8b56d0               | mov                 edx, dword ptr [esi - 0x30]

        $sequence_8 = { 83c404 8903 85c0 7443 }
            // n = 4, score = 200
            //   83c404               | add                 esp, 4
            //   8903                 | mov                 dword ptr [ebx], eax
            //   85c0                 | test                eax, eax
            //   7443                 | je                  0x45

        $sequence_9 = { 33c9 c7070f000000 894ffc 880b 833e10 }
            // n = 5, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   c7070f000000         | mov                 dword ptr [edi], 0xf
            //   894ffc               | mov                 dword ptr [edi - 4], ecx
            //   880b                 | mov                 byte ptr [ebx], cl
            //   833e10               | cmp                 dword ptr [esi], 0x10

    condition:
        // At least 7 of the 10 opcode sequences must be present, and the
        // scanned object must be smaller than 671744 bytes (656 KiB). The size
        // cap limits false positives on large binaries but also means a
        // sample embedded in a larger carrier file will not match — scan the
        // extracted payload or the process image instead.
        7 of them and filesize < 671744
}