CosmicDuke is malware that was used by APT29 from 2010 to 2015. [1]

ID: S0050
Associated Software: TinyBaron, BotgenStudios, NemesisGemina
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1020 Automated Exfiltration

CosmicDuke exfiltrates collected files automatically over FTP to remote servers.[2]

Enterprise T1115 Clipboard Data

CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.[2]

Enterprise T1003 Credential Dumping

CosmicDuke collects user credentials, including passwords, for various programs and browsers, including popular instant messaging applications, Web browsers, and email clients. Windows account hashes, domain accounts, and LSA secrets are also collected, as are WLAN keys.[1]

Enterprise T1024 Custom Cryptographic Protocol

CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error.[2]

Enterprise T1005 Data from Local System

CosmicDuke steals user files from local hard drives with file extensions that match a predefined list.[2]

Enterprise T1039 Data from Network Shared Drive

CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list.[2]

Enterprise T1025 Data from Removable Media

CosmicDuke steals user files from removable media with file extensions and keywords that match a predefined list.[2]

Enterprise T1114 Email Collection

CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.[2]

Enterprise T1048 Exfiltration Over Alternative Protocol

CosmicDuke exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configured from C2 servers.[2]

Enterprise T1068 Exploitation for Privilege Escalation

CosmicDuke attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398.[1]

Enterprise T1083 File and Directory Discovery

CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.[2]

Enterprise T1056 Input Capture

CosmicDuke uses a keylogger and steals clipboard contents from victims.[1]

Enterprise T1050 New Service

CosmicDuke uses Windows services typically named "javamtsup" for persistence.[2]

Enterprise T1053 Scheduled Task

CosmicDuke uses scheduled tasks typically named "Watchmon Service" for persistence.[2]

Enterprise T1113 Screen Capture

CosmicDuke takes periodic screenshots and exfiltrates them.[2]

Enterprise T1071 Standard Application Layer Protocol

CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.[1][2]

Groups That Use This Software

ID Name References
G0016 APT29 [1]