Skip to content

S0052 OnionDuke

OnionDuke is malware that was used by APT29 from 2013 to 2015. 1

Item Value
ID S0052
Associated Names
Type MALWARE
Version 1.2
Created 31 May 2017
Last Modified 23 September 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols OnionDuke uses HTTP and HTTPS for C2.1
enterprise T1140 Deobfuscate/Decode Files or Information OnionDuke can use a custom decryption algorithm to decrypt strings.2
enterprise T1499 Endpoint Denial of Service OnionDuke has the capability to use a Denial of Service module.2
enterprise T1003 OS Credential Dumping OnionDuke steals credentials from its victims.1
enterprise T1102 Web Service -
enterprise T1102.003 One-Way Communication OnionDuke uses Twitter as a backup C2.1

Groups That Use This Software

ID Name References
G0016 APT29 123

References

  1. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. 

  2. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  3. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.