{ "id": "1a66d3b7-d284-4732-a5e5-23ae802b0769", "created_at": "2026-04-06T03:37:43.484506Z", "updated_at": "2026-04-10T13:11:25.093286Z", "deleted_at": null, "sha1_hash": "1710d964f747f5065ff1170cc2698971bbbd4349", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53306, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 03:23:41 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool HammerDuke\r\n Tool: HammerDuke\r\nNames\r\nHammerDuke\r\nHAMMERTOSS\r\nNetDuke\r\ntDiscoverer\r\nCategory Malware\r\nType Backdoor, Loader\r\nDescription\r\n(F-Secure) HammerDuke is a simple backdoor that is apparently designed for similar\r\nuse cases as SeaDuke. Specifically, the only known infection vector for HammerDuke is\r\nto be downloaded and executed by CozyDuke onto a victim that has already been\r\ncompromised by that toolset. This, together with HammerDuke’s simplistic backdoor\r\nfunctionality, suggests that it is primarily used by the Dukes group as a secondary\r\nbackdoor left on CozyDuke victims after CozyDuke performed the initial infection and\r\nstole any readily available information from them.\r\nHammerDuke is however interesting because it is written in .NET, and even more so\r\nbecause of its occasional use of Twitter as a C\u0026C communication channel. Some\r\nHammerDuke variants only contain a hardcoded C\u0026C server address from which they\r\nwill retrieve commands, but other HammerDuke variants will first use a custom\r\nalgorithm to generate a Twitter account name based on the current date. If the account\r\nexists, HammerDuke will then search for tweets from that account with links to image\r\nfiles that contain embedded commands for the toolset to execute.\r\nHammerDuke’s use of Twitter and crafted image files is reminiscent of other Duke\r\ntoolsets. Both OnionDuke and MiniDuke also use date-based algorithms to generate\r\nTwitter account names and then searched for any tweets from those accounts that linked\r\nto image files. In contrast however, for OnionDuke and MiniDuke the linked image files\r\ncontain embedded malware to be downloaded and executed, rather than instructions.\r\nInformation \u003chttps://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf\u003e\r\n\u003chttps://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/apt29-\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1e6b6d4a-107d-4162-a46f-364df9138fc0\r\nPage 1 of 2\n\nhammertoss-stealthy-tactics-define-a.pdf\u003e\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 24 April 2021\nDownload this tool card in JSON format\nAll groups using tool HammerDuke\nChanged Name Country Observed\nAPT groups\n APT 29, Cozy Bear, The Dukes 2008-Feb 2025\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1e6b6d4a-107d-4162-a46f-364df9138fc0\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1e6b6d4a-107d-4162-a46f-364df9138fc0\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1e6b6d4a-107d-4162-a46f-364df9138fc0" ], "report_names": [ "listgroups.cgi?u=1e6b6d4a-107d-4162-a46f-364df9138fc0" ], "threat_actors": [ { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775446663, "ts_updated_at": 1775826685, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1710d964f747f5065ff1170cc2698971bbbd4349.pdf", "text": "https://archive.orkl.eu/1710d964f747f5065ff1170cc2698971bbbd4349.txt", "img": "https://archive.orkl.eu/1710d964f747f5065ff1170cc2698971bbbd4349.jpg" } }