The sub-techniques beta is now live! Read the release blog post for more info.


MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke. [1]

ID: S0051
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1008 Fallback Channels

MiniDuke uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working.[2]

Enterprise T1105 Remote File Copy

MiniDuke can download additional encrypted backdoors onto the victim via GIF files.[2]

Enterprise T1071 Standard Application Layer Protocol

MiniDuke uses HTTP and HTTPS for command and control.[1]

Enterprise T1102 Web Service

Some MiniDuke components use Twitter to initially obtain the address of a C2 server or as a backup if no hard-coded C2 server responds.[1][2]

Groups That Use This Software

ID Name References
G0016 APT29 [1]