FatDuke (Malware Family)
By Fraunhofer FKIE
Archived: 2026-04-06 02:13:01 UTC
According to ESET Research, FatDuke is the current flagship backdoor of APT29 and is only deployed on the
most interesting machines. It is generally dropped by the MiniDuke backdoor, but ESET also have seen the
operators dropping FatDuke using lateral movement tools such as PsExec.The operators regularly repack this
malware in order to evade detections. The most recent sample of FatDuke that ESET have seen was compiled on
May 24, 2019. They have seen them trying to regain control of a machine multiple times in a few days, each time
with a different sample. Their packer, described in a later section, adds a lot of code, leading to large binaries.
While the effective code should not be larger than 1MB, ESET have seen one sample weighing in at 13MB, hence
our name for this backdoor component: FatDuke.
[TLP:WHITE] win_fatduke_auto (20251219 | Detects win.fatduke.)
Source: https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke
https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke
Page 1 of 1