Home
Software
RegDuke

RegDuke

RegDuke is a first stage implant written in .NET and used byAPT29 since at least 2017.RegDuke has been used to control a compromised machine when control of other implants on the machine was lost.^[1]

ID: S0511

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 23 September 2020

Last Modified: 16 April 2025

Version Permalink

Live Version

Enterprise Layer

download view

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.001	Command and Scripting Interpreter:PowerShell	RegDuke can extract and execute PowerShell scripts from C2 communications.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code.^[1]
Enterprise	T1546	.003	Event Triggered Execution:Windows Management Instrumentation Event Subscription	RegDuke can persist using a WMI consumer that is launched every time a process named WINWORD.EXE is started.^[1]
Enterprise	T1105		Ingress Tool Transfer	RegDuke can download files from C2.^[1]
Enterprise	T1112		Modify Registry	RegDuke can create seemingly legitimate Registry key to store its encryption key.^[1]
Enterprise	T1027		Obfuscated Files or Information	RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation.^[1]
		.003	Steganography	RegDuke can hide data in images, including use of the Least Significant Bit (LSB).^[1]
		.011	Fileless Storage	RegDuke can store its encryption key in the Registry.^[1]
Enterprise	T1102	.002	Web Service:Bidirectional Communication	RegDuke can use Dropbox as its C2 server.^[1]

Groups That Use This Software

ID	Name	References
G0016	APT29	^[1]^[2]

Campaigns

ID	Name	Description
C0023	Operation Ghost	ForOperation Ghost,APT29 usedRegDuke as a first-stage implant.^[1]

References

Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.

Movatterモバイル変換