{ "id": "b9b5c5ee-6d51-46fb-a354-e52d9fdd5248", "created_at": "2026-04-06T00:09:23.79203Z", "updated_at": "2026-04-10T13:11:49.818429Z", "deleted_at": null, "sha1_hash": "1a3701992fb75c4331774ba383c9e120ca39bbdc", "title": "The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 64276, "plain_text": "The Mystery of Duqu 2.0: a sophisticated cyberespionage actor\r\nreturns\r\nBy GReAT\r\nPublished: 2015-06-10 · Archived: 2026-04-05 17:09:05 UTC\r\nDuqu 2.0: Frequently Asked Questions\r\nDuqu 2.0 Technical Paper (PDF)\r\nIndicators of Compromise (IOC)\r\nYara rules\r\nPress release\r\nEarlier this year, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several of our\r\ninternal systems.\r\nFollowing this finding, we launched a large scale investigation, which led to the discovery of a new malware\r\nplatform from one of the most skilled, mysterious and powerful groups in the APT world – Duqu. The Duqu threat\r\nactor went dark in 2012 and was believed to have stopped working on this project – until now. Our technical\r\nanalysis indicates the new round of attacks include an updated version of the infamous 2011 Duqu malware,\r\nsometimes referred to as the stepbrother of Stuxnet. We named this new malware and its associated platform\r\n“Duqu 2.0”.\r\nSome of the new 2014-2015 Duqu infections are linked to the P5+1 events and venues related to the negotiations\r\nwith Iran about a nuclear deal. The threat actor behind Duqu appears to have launched attacks at the venues for\r\nsome of these high level talks. In addition to the P5+1 events, the Duqu 2.0 group has launched a similar attack in\r\nrelation to the 70th anniversary event of the liberation of Auschwitz-Birkenau.\r\nIn the case of Kaspersky Lab, the attack took advantage of a zero-day in the Windows Kernel, and possibly up to\r\ntwo other, currently patched vulnerabilities, which were zero-day at that time. The analysis of the attack revealed\r\nthat the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal\r\nprocesses. No interference with processes or systems was detected. More details can be found in our technical\r\npaper.\r\nFrom a threat actor point of view, the decision to target a world-class security company must be quite difficult. On\r\none hand, it almost surely means the attack will be exposed – it’s very unlikely that the attack will go unnoticed.\r\nSo the targeting of security companies indicates that either they are very confident they won’t get caught, or\r\nperhaps they don’t care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers\r\nprobably took a huge bet hoping they’d remain undiscovered; and lost.\r\nAt Kaspersky Lab, we strongly believe in transparency, which is why we are going public with this information.\r\nKaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s\r\nhttps://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns\r\nPage 1 of 3\n\nproducts, technologies and services.\r\nDuqu 2.0 – Indicators of Compromise (IOCs)\r\nMD5s\r\nAction loaders:\r\n089a14f69a31ea5e9a5b375dc0c46e45\r\n16ed790940a701c813e0943b5a27c6c1\r\n26c48a03a5f3218b4a10f2d3d9420b97\r\na6dcae1c11c0d4dd146937368050f655\r\nacbf2d1f8a419528814b2efa9284ea8b\r\nc04724afdb6063b640499b52623f09b5\r\ne8eaec1f021a564b82b824af1dbe6c4d\r\n10e16e36fe459f6f2899a8cea1303f06\r\n48fb0166c5e2248b665f480deac9f5e1\r\n520cd9ee4395ee85ccbe073a00649602\r\n7699d7e0c7d6b2822992ad485caacb3e\r\n84c2e7ff26e6dd500ec007d6d5d2255e\r\n856752482c29bd93a5c2b62ff50df2f0\r\n85f5feeed15b75cacb63f9935331cf4e\r\n8783ac3cc0168ebaef9c448fbe7e937f\r\n966953034b7d7501906d8b4cd3f90f6b\r\na14a6fb62d7efc114b99138a80b6dc7d\r\na6b2ac3ee683be6fbbbab0fa12d88f73\r\ncc68fcc0a4fab798763632f9515b3f92\r\nCores:\r\n3f52ea949f2bd98f1e6ee4ea1320e80d\r\nc7c647a14cb1b8bc141b089775130834\r\nC\u0026C IPs\r\n182.253.220.29\r\n186.226.56.103\r\nTo check your network for Duqu’s 2.0 presence, you can also use the open IOC file available here.\r\nhttps://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns\r\nPage 2 of 3\n\nSource: https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns\r\nhttps://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns" ], "report_names": [ "the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns" ], "threat_actors": [ { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434163, "ts_updated_at": 1775826709, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1a3701992fb75c4331774ba383c9e120ca39bbdc.pdf", "text": "https://archive.orkl.eu/1a3701992fb75c4331774ba383c9e120ca39bbdc.txt", "img": "https://archive.orkl.eu/1a3701992fb75c4331774ba383c9e120ca39bbdc.jpg" } }