VOOZH about

URL: https://attack.mitre.org/software/S0052/

⇱ OnionDuke, Software S0052 | MITRE ATT&CK®

ATT&CKcon 7.0 is coming October 27-28, 2026. Learn more about ATT&CKcon 7.0 and submit your proposal.
  1. Home
  2. Software
  3. OnionDuke

OnionDuke

OnionDuke is malware that was used by APT29 from 2013 to 2015. [1]

ID: S0052
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 25 April 2025
Enterprise Layer
download view 👁 Image

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

OnionDuke uses HTTP and HTTPS for C2.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

OnionDuke can use a custom decryption algorithm to decrypt strings.[2]
Enterprise T1499 Endpoint Denial of Service

OnionDuke has the capability to use a Denial of Service module.[2]
Enterprise T1003 OS Credential Dumping

OnionDuke steals credentials from its victims.[1]
Enterprise T1102 .003 Web Service: One-Way Communication

OnionDuke uses Twitter as a backup C2.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1][2][3]

References

×