Skip to content

S0518 PolyglotDuke

PolyglotDuke is a downloader that has been used by APT29 since at least 2013. PolyglotDuke has been used to drop MiniDuke.1

Item Value
ID S0518
Associated Names
Type MALWARE
Version 1.1
Created 23 September 2020
Last Modified 26 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols PolyglotDuke has has used HTTP GET requests in C2 communications.1
enterprise T1140 Deobfuscate/Decode Files or Information PolyglotDuke can use a custom algorithm to decrypt strings used by the malware.1
enterprise T1105 Ingress Tool Transfer PolyglotDuke can retrieve payloads from the C2 server.1
enterprise T1112 Modify Registry PolyglotDuke can write encrypted JSON configuration files to the Registry.1
enterprise T1106 Native API PolyglotDuke can use LoadLibraryW and CreateProcess to load and execute code.1
enterprise T1027 Obfuscated Files or Information PolyglotDuke can custom encrypt strings.1
enterprise T1027.003 Steganography PolyglotDuke can use steganography to hide C2 information in images.1
enterprise T1027.011 Fileless Storage PolyglotDuke can store encrypted JSON configuration files in the Registry.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 PolyglotDuke can be executed using rundll32.exe.1
enterprise T1102 Web Service -
enterprise T1102.001 Dead Drop Resolver PolyglotDuke can use Twitter, Reddit, Imgur and other websites to get a C2 URL.1

Groups That Use This Software

ID Name References
G0016 APT29 12

References