{
	"id": "b3ff5db7-6122-4aed-8c46-7a8ef9f985b5",
	"created_at": "2026-04-06T01:30:12.841738Z",
	"updated_at": "2026-04-10T13:12:06.217471Z",
	"deleted_at": null,
	"sha1_hash": "4d638220f575b7d43e425d547d15e225da553d1d",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1175544,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-06 00:45:00 UTC\r\nSymantec has uncovered an elusive Trojan used by the cyberespionage group behind the “Duke” family of malware. Seaduke (detected by Symantec as Trojan.Seaduke) is a low-profile information-stealing Trojan which appears to be reserved for attacks against a small number of high-value targets.\r\nSeaduke has been used in attacks against a number of major, government-level targets. The malware hides behind numerous layers of encryption and obfuscation and is capable of quietly stealing and exfiltrating sensitive information such as email from the victim’s computer. Seaduke has a highly configurable framework and Symantec has already found hundreds of different configurations on compromised networks. Its creators are likely to have spent a considerable amount of time and resources in preparing these attacks, and the malware has been deployed against a number of high-level government targets.\r\nWhile the Duke group began to distribute Cozyduke in an increasingly aggressive manner, Seaduke installations were reserved only for select targets. Seaduke victims are generally first infected with Cozyduke and, if the computer appears to be a target of interest, the operators will install Seaduke.\r\nBackground\r\nThe group behind Seaduke is a cyberespionage operation that is responsible for a series of attacks against high-profile individuals and organizations in government, international policy and private research in the United States and Europe. It has a range of malware tools at its disposal, known as the Dukes, including Cozyduke (Trojan.Cozer), Miniduke (Backdoor.Miniduke) and Cosmicduke (Backdoor.Tinybaron).\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 7\r\nNews of the Duke group first emerged in March and April of 2015, when reports detailing attacks involving a sophisticated threat actor variously called Office Monkeys, EuroAPT, Cozy Bear, and Cozyduke were published. Symantec believes that this group has a history of compromising governmental and diplomatic organizations since at least 2010.\r\nThe group began its current campaign as early as March 2014, when Trojan.Cozer (aka Cozyduke) was identified on the network of a private research institute in Washington, D.C. In the months that followed, the Duke group began to target victims with “Office Monkeys”- and “eFax”-themed emails, booby-trapped with a Cozyduke payload. These tactics were atypical of a cyberespionage group. It’s quite likely these themes were deliberately chosen to act as a smokescreen, hiding the true intent of the adversary.\r\nFigure 1. Cozyduke campaign used an “Office Monkeys” video as a lure–July 2014\r\nThe Duke group has mounted an extended campaign targeting high-profile networks over extended periods, something which is far beyond the reach of the majority of threat actors. Its capabilities include:\r\nAttack infrastructure leveraging hundreds of compromised websites\r\nRapidly developed malware frameworks in concurrent use\r\nSophisticated operators with fine-tuned computer network exploitation (CNE) skills\r\nAlthough Cozyduke activity was first identified in March 2014, it wasn’t until July that the group managed to successfully compromise high-profile government networks. Cozyduke was used throughout these attacks to harvest and exfiltrate sensitive information to the attackers.\r\nIn parallel, the Duke group was also installing separate malware onto these networks, namely Backdoor.Miniduke and the more elusive Trojan.Seaduke. It could use these payloads to exploit networks on multiple fronts and to provide itself with additional persistence mechanisms.\r\nThe Miniduke payload\r\nIn July of 2014, the group instructed Cozyduke-infected computers to install Backdoor.Miniduke onto a compromised network. Miniduke has been the group’s tool of choice for a number of years in espionage operations predominantly targeting government and diplomatic entities in Eastern Europe and ex-Soviet states.\r\n“Nemesis Gemina”, previously reported by Kaspersky, appears to be the internal name the group uses to identify the framework project.\r\nThe following debug string was present in the sample used in these attacks:\r\nC:\\Projects\\nemesis-gemina\\nemesis\\bin\\carriers\\ezlzma_x86_exe.pdb\r\nThis project name has been seen in Backdoor.Tinybaron (aka Cosmicduke) samples, which Symantec also attributes to the Duke group. This deployment of Miniduke and the technical similarities with Cozyduke provided strong indicators as to who was behind the attacks.\r\nThe Seaduke payload\r\nThese attacks were already well underway when another group began to deploy a previously unknown piece of malware. In October 2014, the Seaduke payload began to appear within target networks. Although Seaduke was developed in Python, the overall framework bears a striking resemblance to Cozyduke in terms of operation. It’s unclear why the attackers waited until October to deploy Seaduke. Was it reserved for a more specific attack? Was part of their cover blown, necessitating the use of an alternative framework?\r\nThe Seaduke framework was designed to be highly configurable. Hundreds of reconfigurations were identified on compromised networks. The communication protocol employed had many layers of encryption and obfuscation, using over 200 compromised web servers for command and control. Seaduke required a significant investment of time and resources in the preparatory and operational phases of the attack.\r\nSeaduke delivery\r\nThe attackers control Cozyduke via compromised websites, issuing instructions to infected machines by uploading “tasks” to a database file. Cozyduke will periodically contact these websites to retrieve task information to be executed on the local machine. One such task (an encoded PowerShell script) instructed Cozyduke to download and execute Seaduke from a compromised website.\r\nFigure 2. How the attacker tasks Cozer to install Seaduke\r\nSeaduke operation\r\nThe attackers can operate Seaduke in a broadly similar fashion to Cozyduke. The Seaduke control infrastructure is essentially distinct, opening up the possibility of sub-teams concurrently exploiting the target network. Unlike Cozyduke, Seaduke operators upload “task” files directly to the command-and-control (C\u0026C) server; there is no database as such present. Seaduke securely communicates with the C\u0026C server over HTTP/HTTPS beneath layers of encoding (Base64) and encryption (RC4, AES). To an untrained eye, the communications look fairly benign, no doubt an effort to stay under the radar on compromised networks.\r\nFigure 3. How Seaduke operates on the target network\r\nSeaduke has many inbuilt commands which are available to the attackers. They have the ability to retrieve detailed bot/system information, update bot configuration, upload files, download files, and self-delete the malware from the system. The self-delete function is interestingly called “seppuku”, a form of Japanese ritual suicide.\r\nSeaduke payloads\r\nThe attackers have also developed a number of additional payloads. Operators can push these payloads onto infected machines for very specific attacks.\r\nImpersonation using Kerberos pass-the-ticket attacks (Mimikatz PowerShell)\r\nEmail extraction from the MS Exchange Server using compromised credentials\r\nArchiving sensitive information\r\nData exfiltration via legitimate cloud services\r\nSecure file deletion\r\nWhat next?\r\nThe Duke group has brought its operational capability to the next level. Its attacks have been so bold and aggressive that a huge amount of attention has been drawn to it, yet it appears to be unperturbed. Its success at compromising such high-profile targets has no doubt added a few feathers to its cap. Even the developers reveled in this fact, naming one of Seaduke’s functions “forkmeiamfamous”.\r\nWhile the group is currently keeping a lower profile, there’s no doubt it will reappear. Some tools may have to be abandoned, some reworked and others built completely from scratch. This attack group is in it for the long haul.\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439012,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d638220f575b7d43e425d547d15e225da553d1d.pdf",
		"text": "https://archive.orkl.eu/4d638220f575b7d43e425d547d15e225da553d1d.txt",
		"img": "https://archive.orkl.eu/4d638220f575b7d43e425d547d15e225da553d1d.jpg"
	}
}