Skip to content

S0052 OnionDuke

OnionDuke is malware that was used by APT29 from 2013 to 2015. 1

Item Value
ID S0052
Associated Names
Version 1.2
Created 31 May 2017
Last Modified 23 September 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols OnionDuke uses HTTP and HTTPS for C2.1
enterprise T1140 Deobfuscate/Decode Files or Information OnionDuke can use a custom decryption algorithm to decrypt strings.2
enterprise T1499 Endpoint Denial of Service OnionDuke has the capability to use a Denial of Service module.2
enterprise T1003 OS Credential Dumping OnionDuke steals credentials from its victims.1
enterprise T1102 Web Service -
enterprise T1102.003 One-Way Communication OnionDuke uses Twitter as a backup C2.1

Groups That Use This Software

ID Name References
G0016 APT29 123


Back to top