OnionDuke is malware that was used by APT29 from 2013 to 2015. [1]

ID: S0052
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 23 September 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

OnionDuke uses HTTP and HTTPS for C2.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

OnionDuke can use a custom decryption algorithm to decrypt strings.[2]

Enterprise T1499 Endpoint Denial of Service

OnionDuke has the capability to use a Denial of Service module.[2]

Enterprise T1003 OS Credential Dumping

OnionDuke steals credentials from its victims.[1]

Enterprise T1102 .003 Web Service: One-Way Communication

OnionDuke uses Twitter as a backup C2.[1]

Groups That Use This Software

ID Name References
G0016 APT29