RegDuke

RegDuke is a first stage implant written in .NET and used by APT29 since at least 2017. RegDuke has been used to control a compromised machine when control of other implants on the machine was lost.^[1]

ID: S0511

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 23 September 2020

Last Modified: 16 April 2025

Version Permalink

Live Version

Enterprise Layer

download view 👁 Image

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	RegDuke can extract and execute PowerShell scripts from C2 communications.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code.^[1]
Enterprise	T1546	.003	Event Triggered Execution: Windows Management Instrumentation Event Subscription	RegDuke can persist using a WMI consumer that is launched every time a process named WINWORD.EXE is started.^[1]
Enterprise	T1105		Ingress Tool Transfer	RegDuke can download files from C2.^[1]
Enterprise	T1112		Modify Registry	RegDuke can create seemingly legitimate Registry key to store its encryption key.^[1]
Enterprise	T1027		Obfuscated Files or Information	RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation.^[1]
.003	Steganography	RegDuke can hide data in images, including use of the Least Significant Bit (LSB).^[1]
.011	Fileless Storage	RegDuke can store its encryption key in the Registry.^[1]
Enterprise	T1102	.002	Web Service: Bidirectional Communication	RegDuke can use Dropbox as its C2 server.^[1]

Groups That Use This Software

ID	Name	References
G0016	APT29	^[1]^[2]

Campaigns

ID	Name	Description
C0023	Operation Ghost	For Operation Ghost, APT29 used RegDuke as a first-stage implant.^[1]

References

Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.

URL: https://attack.mitre.org/software/S0511/