CozyDuke
Essential information
- Confidence
- 100/100
- Published
- 16/12/2025 19:39
- Modified
- 04/05/2026 16:33
- Updated at
- 04/05/2026 16:33
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Resource level
- —
- Primary motivation
- —
- Related entities
- 1 report, 123 attack patterns (MITRE), 41 malware, 7 sectors, 15 countries, 100 indicators, 1 vulnerability (CVE), 14 tools
Aliases
IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard, APT29
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- mitre-attack (G0016)
- FireEye SUNBURST Backdoor December 2020 (REF-667)
- FireEye APT29 Nov 2018
- Unit 42 SolarStorm December 2020
- Microsoft Threat Actor Naming July 2023
- PWC WellMess C2 August 2020
- F-Secure The Dukes
- PWC WellMess July 2020
- NSA Joint Advisory SVR SolarWinds April 2021
- MSTIC NOBELIUM May 2021
- NCSC APT29 July 2020
- GRIZZLY STEPPE JAR
- White House Imposing Costs RU Gov April 2021
- MSTIC Nobelium Toolset May 2021
- UK Gov UK Exposes Russia SolarWinds April 2021
- Crowdstrike DNC June 2016
- MSTIC NOBELIUM Mar 2021
- CrowdStrike SUNSPOT Implant January 2021
- SentinelOne NobleBaron June 2021
- MSRC Nobelium June 2021
- Secureworks IRON HEMLOCK Profile
- Mandiant APT29 Eye Spy Email Nov 22
- Volexity SolarWinds
- ESET Dukes October 2019
- CrowdStrike StellarParticle January 2022
- Microsoft Unidentified Dec 2018
- Cybersecurity Advisory SVR TTP May 2021
- UK NSCS Russia SolarWinds April 2021
- UK Gov Malign RIS Activity April 2021
- Secureworks IRON RITUAL Profile
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (1)
- AlienVault · Confidence 100 · 1 CVE · 9 Malwares · 17 IOCs · 17 Observables · 1 APT · Published 13/04/2026 10:41 · Modified 13/04/2026 08:46 · threat-report
Attack patterns (MITRE) (123)
- T1020 Automated Exfiltration uses
- T1078.003 Local Accounts uses
- T1090.002 External Proxy uses
- T1090.004 Domain Fronting uses
- T1007 System Service Discovery uses
- T1608.004 Drive-by Target uses
- T1566 Phishing uses
- T1572 Protocol Tunneling uses
- T1049 System Network Connections Discovery uses
- T1497 Virtualization/Sandbox Evasion uses
- T1055 Process Injection uses
- T1059.006 Python uses
- T1553 Subvert Trust Controls uses
- T1553.005 Mark-of-the-Web Bypass uses
- T1059.001 PowerShell uses
- T1098 Account Manipulation uses
- T1571 Non-Standard Port uses
- T1190 Exploit Public-Facing Application uses
- T1583.006 Web Services uses
- T1078 Valid Accounts uses
- T1204.001 Malicious Link uses
- T1114.002 Remote Email Collection uses
- T1587.001 Malware uses
- T1037 Boot or Logon Initialization Scripts uses
- T1140 Deobfuscate/Decode Files or Information uses
- Hybrid Identity uses
- T1059.003 Windows Command Shell uses
- T1102 Web Service uses
- T1053.005 Scheduled Task uses
- T1192 uses
- T1134 Access Token Manipulation uses
- T1105 Ingress Tool Transfer uses
- TA0002 uses
- T1070 Indicator Removal uses
- T1033 System Owner/User Discovery uses
- T1219 Remote Access Tools uses
- T1012 Query Registry uses
- T1030 Data Transfer Size Limits uses
- T1102.002 Bidirectional Communication uses
- T1112 Modify Registry uses
- LSA Secrets uses
- T1586 Compromise Accounts uses
- T1595 Active Scanning uses
- T1027 Obfuscated Files or Information uses
- T1003.002 Security Account Manager uses
- T1586.002 Email Accounts uses
- T1087.004 Cloud Account uses
- T1110.003 Password Spraying uses
- TA0043 uses
- T1574.002 uses
- T1574 Hijack Execution Flow uses
- T1110.001 Password Guessing uses
- T1547 Boot or Logon Autostart Execution uses
- T1074 Data Staged uses
- T1106 Native API uses
- T1555 Credentials from Password Stores uses
- T1115 Clipboard Data uses
- Cloud API uses
- T1218 System Binary Proxy Execution uses
- T1070.006 Timestomp uses
- T1021 Remote Services uses
- T1584 Compromise Infrastructure uses
- T1047 Windows Management Instrumentation uses
- T1005 Data from Local System uses
- T1550.003 Pass the Ticket uses
- T1547.001 Registry Run Keys / Startup Folder uses
- T1136 Create Account uses
- T1534 Internal Spearphishing uses
- T1027.002 Software Packing uses
- T1053 Scheduled Task/Job uses
- T1027.001 Binary Padding uses
- T1530 Data from Cloud Storage uses
- T1564 Hide Artifacts uses
- T1528 Steal Application Access Token uses
- T1543 Create or Modify System Process uses
- Device Registration uses
- T1114 Email Collection uses
- TA0042 uses
- T1003 OS Credential Dumping uses
- T1036 Masquerading uses
- T1573 Encrypted Channel uses
- TA0001 uses
- T1505 Server Software Component uses
- TA0006 uses
- T1104 Multi-Stage Channels uses
- T1090.003 Multi-hop Proxy uses
- T1098.002
- TA0011 uses
- T1199 Trusted Relationship uses
- T1068 Exploitation for Privilege Escalation uses
- Cloud Services uses
- T1218.005 Mshta uses
- T1119 Automated Collection uses
- Cloud Accounts uses
- T1203 Exploitation for Client Execution uses
- T1057 Process Discovery uses
- T1127 Trusted Developer Utilities Proxy Execution uses
- T1566.002 Spearphishing Link uses
- T1608 Stage Capabilities uses
- T1059 Command and Scripting Interpreter uses
- T1070.004 File Deletion uses
- T1111 Multi-Factor Authentication Interception uses
- T1566.003 Spearphishing via Service uses
- T1016.001
- T1518 Software Discovery uses
- T1595.002 Vulnerability Scanning uses
- T1132 Data Encoding uses
- T1562 Impair Defenses uses
- T1090 Proxy uses
- Hide Infrastructure uses
- T1546.008
- T1490 Inhibit System Recovery uses
- T1036.005 Match Legitimate Resource Name or Location uses
- T1588 Obtain Capabilities uses
- T1064 Scripting uses
- T1562.008
- T1110 Brute Force uses
- T1583 Acquire Infrastructure uses
- T1059.007 JavaScript uses
- T1082 System Information Discovery uses
Malware (41)
- CozyDuke
- SeaDuke (S0053) uses · AlienVault · Confidence 100 · Published 13/04/2026 10:46 · Modified 29/05/2026 12:20
- JSObfuscated
- WellMail
- reGeorg
- OnionDuke
- LiteDuke
- FatDuke
- PowerDuke
- Raindrop
- ROOTSAW
- HOMESTEEL uses · Family · Published 26/10/2024 07:55 · Modified 26/10/2024 07:55
- QUIETEXIT uses · Family · The MITRE Corporation · Confidence 100 · Published 16/12/2025 19:36 · Modified 27/03/2026 01:03
  [QUIETEXIT](https://attack.mitre.org/software/S1084) is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021. [APT29](https://attack.mitre.org/groups/G0016) has deployed [QUIETEXIT](https://attack.mitre.org/software/S1084) on …
- CozyCar (S0046) uses · Family · Published 13/04/2026 08:41 · Modified 13/04/2026 08:41
- BURNTBATTER
- NativeZone
- Sibot
- FoggyWeb
- APT29
- SUNSPOT
- GoldMax
- GoldFinder
- HustleCon uses · Family · Published 30/10/2024 22:04 · Modified 30/10/2024 22:04
- CloudDuke (S0054) uses · Family · Published 13/04/2026 08:41 · Modified 13/04/2026 08:41
- CosmicDuke
- PolyglotDuke
- SUNBURST
- TrailBlazer
- GeminiDuke
- WellMess
- EnvyScout
- POSHSPY
- MiniDuke
- SeaDesk
- RegDuke
- Detects
- Forkmeimfamous uses · Family · Published 13/04/2026 08:41 · Modified 13/04/2026 08:41
- HAMMERTOSS
- GRAPELOADER uses · Family · Published 15/04/2025 18:49 · Modified 15/04/2025 18:49
- TEARDROP
- CloudLook uses · Family · Published 13/04/2026 08:41 · Modified 13/04/2026 08:41
Sectors (7)
- Defense targets
- Diplomacy targets
- Defense ministries (including the military) targets
- Telecommunications targets
- Ministries of foreign affairs targets
- Technology targets
- Government targets
Countries (15)
- Italy targets
- South Georgia and the South Sandwich Islands targets
- Greece targets
- Peru targets
- France targets
- Denmark targets
- Belgium targets
- Ireland targets
- Russian Federation targets
- Spain targets
- Latvia targets
- Czechia targets
- Georgia targets
- United Kingdom of Great Britain and Northern Ireland targets
- Germany targets
Indicators (100)
Vulnerabilities (CVE) (1)
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …
- Attack vector
- Network
- Published
- 05/12/2025
- Modified
- 29/05/2026
Tool (14)
- Tasklist uses · The MITRE Corporation · Confidence 100 · Published 16/12/2025 19:37 · Modified 27/03/2026 01:07
  The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It …
- ipconfig uses · The MITRE Corporation · Confidence 100 · Published 16/12/2025 19:37 · Modified 27/03/2026 01:07
  [ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)
- Mimikatz uses · The MITRE Corporation · Confidence 100 · Published 16/12/2025 19:37 · Modified 27/03/2026 01:07
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of …
- AADInternals uses · The MITRE Corporation · Confidence 100 · Published 01/02/2022 16:08 · Modified 27/03/2026 01:07
  [AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)
- Tor uses · The MITRE Corporation · Confidence 100 · Published 16/01/2018 17:13 · Modified 27/03/2026 01:07
  [Tor](https://attack.mitre.org/software/S0183) is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the …
- AdFind uses · The MITRE Corporation · Confidence 100 · Published 16/12/2025 19:37 · Modified 27/03/2026 01:07
  [AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: …
- PsExec uses · The MITRE Corporation · Confidence 100 · Published 31/05/2017 23:32 · Modified 27/03/2026 01:07
  [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS …
- SDelete uses · The MITRE Corporation · Confidence 100 · Published 18/04/2018 19:59 · Modified 27/03/2026 01:07
  [SDelete](https://attack.mitre.org/software/S0195) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete …
- meek uses · The MITRE Corporation · Confidence 100 · Published 16/12/2025 19:37 · Modified 27/03/2026 01:07
  [meek](https://attack.mitre.org/software/S0175) is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.
- Systeminfo uses · The MITRE Corporation · Confidence 100 · Published 31/05/2017 23:33 · Modified 27/03/2026 01:07
  [Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)
- BloodHound uses · The MITRE Corporation · Confidence 100 · Published 16/12/2025 19:37 · Modified 27/03/2026 01:07
  [BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT …
- ROADTools uses · The MITRE Corporation · Confidence 100 · Published 18/02/2022 14:29 · Modified 27/03/2026 01:07
  [ROADTools](https://attack.mitre.org/software/S0684) is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.(Citation: ROADtools Github)
- Sliver uses · The MITRE Corporation · Confidence 100 · Published 30/07/2021 17:43 · Modified 27/03/2026 01:07
  [Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control (C2) framework written in Golang. [Sliver](https://attack.mitre.org/software/S0633) includes its own package manager, "armory," for staging and downloading additional …
- Impacket uses · The MITRE Corporation · Confidence 100 · Published 31/01/2019 02:39 · Modified 27/03/2026 01:07
  [Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, …