Tracking MiniDionis: CozyCar's New Ride Is Related to Seaduke
Essential information
- Published
- 13/04/2026 10:41
- Modified
- 13/04/2026 08:46
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- cloudduke cloudlook cozer cozybear cozycar cozyduke euroapt forkmeimfamous government-targeting https-c2 json-configuration minidionis multi-stage-dropper seadaddy seadesk seaduke spear-phishing
- Tags
- 2026-04-13 cloudduke cloudlook cozer cozybear cozycar cozyduke euroapt forkmeimfamous government targeting https-c2 json-configuration minidionis multi-stage-dropper seadaddy seadesk seaduke spear-phishing
- Related entities
- 1 vulnerabilities (cve), 17 indicators, 17 observables, 1 intrusion sets (apt), 9 malware, 12 others
Description
A new campaign attributed to CozyDuke threat actors has been identified, utilizing malware called MiniDionis that appears related to Seaduke. The campaign began on July 7, 2015, targeting government organizations and think-tanks in democratic countries through spear phishing emails containing malicious links or attachments. The attack chain involves multi-stage droppers that deliver decoy media files while executing malicious payloads in the background. MiniDionis uses compromised legitimate websites for command and control, employs JSON-based configuration, and communicates over HTTPS using RC4 and AES encryption. The malware includes comprehensive command capabilities for system reconnaissance, file operations, and remote execution. The attackers demonstrate sophisticated techniques including manual HTTP redirection handling and cleanup mechanisms to evade forensic analysis.