
S0051 MiniDuke

MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke.[1]

| Item | Value |
|---|---|
| ID | S0051 |
| Associated Names | |
| Version | 1.3 |
| Created | 31 May 2017 |
| Last Modified | 14 October 2021 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | MiniDuke uses HTTP and HTTPS for command and control.[1][2] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | MiniDuke can use DGA to generate new Twitter URLs for C2.[2] |
| enterprise | T1008 | Fallback Channels | MiniDuke uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working.[3] |
| enterprise | T1083 | File and Directory Discovery | MiniDuke can enumerate local drives.[2] |
| enterprise | T1105 | Ingress Tool Transfer | MiniDuke can download additional encrypted backdoors onto the victim via GIF files.[3][2] |
| enterprise | T1027 | Obfuscated Files or Information | MiniDuke can use control flow flattening to obscure code.[2] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.001 | Internal Proxy | MiniDuke can use a named pipe to forward communications from one compromised machine with internet access to other compromised machines.[2] |
| enterprise | T1082 | System Information Discovery | MiniDuke can gather the hostname on a compromised machine.[2] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.001 | Dead Drop Resolver | Some MiniDuke components use Twitter to initially obtain the address of a C2 server or as a backup if no hard-coded C2 server responds.[1][3][2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0016 | APT29 | [1][2][4] |

