The sub-techniques beta is now live! Read the release blog post for more info.


OnionDuke is malware that was used by APT29 from 2013 to 2015. [1]

ID: S0052
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1003 Credential Dumping

OnionDuke steals credentials from its victims.[1]

Enterprise T1071 Standard Application Layer Protocol

OnionDuke uses HTTP and HTTPS for C2.[1]

Enterprise T1102 Web Service

OnionDuke uses Twitter as a backup C2 method. It also has a module designed to post messages to the Russian VKontakte social media site.[1]

Groups That Use This Software

ID Name References
G0016 APT29 [1]