{
	"id": "29afd962-4fcb-4511-872a-12ee8f62d812",
	"created_at": "2026-04-06T00:18:32.903396Z",
	"updated_at": "2026-04-10T03:33:35.698819Z",
	"deleted_at": null,
	"sha1_hash": "70a3d212e1a010bc34fc07d342c6ef195a143020",
	"title": "Miniduke is back: Nemesis Gemina and the Botgen Studio",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 716544,
	"plain_text": "Miniduke is back: Nemesis Gemina and the Botgen Studio\r\nBy GReAT\r\nPublished: 2014-07-03 · Archived: 2026-04-02 10:37:52 UTC\r\nA 2014 update on one of the world’s most unusual APT operations\r\nIn 2013, together with our partner CrySyS Lab, we announced our research on a new APT actor we dubbed\r\n“Miniduke”. It stood out from the “APT bunch” for several reasons, including:\r\nIts use of a customized backdoor written in Assembler (who still writes in Assembler in the age of Java and\r\n.NET?)\r\nA unique command and control mechanism that uses multiple redundancy paths, including Twitter\r\naccounts\r\nStealthy transfer of updates as executables hidden inside GIF files (a form of steganography)\r\nWe have pointed out that this threat actor used malware developed using “old-school” virus writing techniques\r\nand habits.\r\nOur analysis was continued later by researchers from CIRCL/Luxembourg and several other AV companies.\r\nRecently, we became aware of an F-Secure publication on the same topic (under the name “CosmicDuke”).\r\nIn the wake of our publications from 2013, the Miniduke campaigns have stopped or at least decreased in\r\nintensity. However, in the beginning of 2014 they resumed attacks in full force, once again grabbing our attention.\r\nWe believe it’s time to uncover more information on their operations.\r\n“Old” Miniduke in 2014\r\nThe old style Miniduke implants from 2013 are still around and being used during the current campaigns.\r\nIt still relies on Twitter accounts which contain a hardcoded C\u0026C URL pointing to the command and control\r\nserver. 
One such account was the following, observed in February 2014:\r\nhttps://securelist.com/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/64107/\r\nPage 1 of 11\n\nAlthough the format of the C\u0026C URL was changed from previous variants, the encoding algorithm is the same.\r\nThe line above can be decoded into the full C\u0026C URL:\r\nhxxp://algherolido.it/img/common/thumb/thumb.php\r\nThis decoded URL was an active C\u0026C, from which several updates have been collected:\r\nUpdate 1:\r\nMD5 93382e0b2db1a1283dbed5d9866c7bf2\r\nSize 705536 bytes\r\nCompilation timestamp Sat Dec 14 18:44:11 2013\r\nThis Trojan is a large package due to the use of a custom packer. The bundle contains a specific debug string:\r\nC:\\Projects\\nemesis-gemina\\nemesis\\bin\\carriers\\ezlzma_x86_exe.pdb\r\nThe package executes a smaller Trojan module:\r\nMD5 b80232f25dbceb6953994e45fb7ff749\r\nSize 27648 bytes\r\nCompilation timestamp Wed Mar 05 09:44:36 2014\r\nC\u0026C hxxp://rtproductionsusa.com/wp-includes/images/smilies/icon_gif.php\r\nAnother update observed on the C\u0026C server was:\r\nUpdate 2:\r\nMD5 7fcf05f7773dc3714ebad1a9b28ea8b9\r\nSize 28160 bytes\r\nCompilation timestamp Fri Mar 07 10:04:58 2014\r\nC\u0026C hxxp://tangentialreality.com/cache/template/yoo_cache.php\r\nWe have observed another similar Trojan, although not on the C\u0026Cs directly:\r\nMD5 edf7a81dab0bf0520bfb8204a010b730 (top), ba57f95eba99722ebdeae433fc168d72 (dropped)\r\nSize 700K (top), 28160 bytes (dropped)\r\nCompilation timestamps Sat Dec 14 18:44:11 2013 (top), Fri Jan 10 12:59:36 2014 (dropped)\r\nC\u0026C hxxp://store.extremesportsevents.net/index.php?i=62B…[snip]\r\nThe use of the Nemesis Gemina packer in the Miniduke payloads made us look for further samples in our\r\ncollection. 
This led us to several new findings.\r\nThe “New” Miniduke Malware (the “CosmicDuke”)\r\nAfter the 2013 exposure, the actor behind Miniduke appears to have switched to using another custom backdoor,\r\ncapable of stealing various types of information.\r\nThe malware spoofs popular applications designed to run in the background, including file information, icons and\r\neven file size:\r\nThe main “new” Miniduke backdoor (aka TinyBaron or CosmicDuke) is compiled using a customizable\r\nframework called “BotGenStudio”, which can enable or disable individual components when the bot is\r\nconstructed.\r\nThe components can be divided into 3 groups:\r\n1. Persistence\r\n2. Reconnaissance\r\n3. Exfiltration\r\nPersistence\r\nMiniduke/CosmicDuke is capable of starting via Windows Task Scheduler, via a customized service binary that\r\nspawns a new process set in a special registry key, or when the user is away and the screensaver is\r\nactivated.\r\nReconnaissance\r\nThe malware can steal a variety of information, including files selected by extension and by file name keywords:\r\n*.exe;*.ndb;*.mp3;*.avi;*.rar;*.docx;*.url;*.xlsx;*.pptx;*.ppsx;*.pst;*.ost;*psw*;*pass*;\r\n*login*;*admin*;*sifr*;*sifer*;*vpn;*.jpg;*.txt;*.lnk; *.dll;*.tmp;*.obj;*.ocx;*.js\r\nNote: we believe the “*sifr*” and “*sifer*” keywords above refer to the transliteration of the English word\r\n“Cypher” in some languages.\r\nAlso, the backdoor has many other capabilities including:\r\nKeylogger\r\nSkype password stealer\r\nGeneral network information harvester\r\nScreen grabber (grabs images every 5 minutes)\r\nClipboard grabber (grabs clipboard contents every 30 seconds)\r\nMicrosoft Outlook, Windows Address Book stealer\r\nGoogle Chrome password stealer\r\nGoogle Talk password stealer\r\nOpera password stealer\r\nTheBat! 
password stealer\r\nFirefox, Thunderbird password stealer\r\nDrives/location/locale/installed software harvester\r\nWiFi network/adapter information harvester\r\nLSA secrets harvester\r\nProtected Storage secrets harvester\r\nCertificate/private keys exporter\r\nURL History harvester\r\nInteliForms secrets harvester\r\nIE Autocomplete, Outlook Express secrets harvester\r\nand more…\r\nExfiltration\r\nThe malware implements several methods to exfiltrate information, including uploading data via FTP and three\r\nvariants of HTTP-based communication mechanisms. A number of different HTTP connectors act as helpers,\r\ntrying various methods in case one of them is restricted by local security policies or security software. These three\r\nmethods are:\r\nDirect TCP connection and HTTP session via Winsock library\r\nHTTP session via Urlmon.dll\r\nHTTP session via invisible instance of Internet Explorer as OLE object\r\nImplementation Specifics\r\nEach victim is assigned a unique ID, making it possible to push specific updates to an individual victim. As we\r\nnoted, Miniduke/CosmicDuke is protected with a custom obfuscated loader which heavily consumes CPU\r\nresources for 3-5 minutes before passing execution to the payload. This not only complicates analysis of the\r\nmalware but also drains the resources reserved for execution in the emulators integrated in security software.\r\nBesides its own obfuscator, it makes heavy use of encryption and compression based on the RC4 and LZRW\r\nalgorithms respectively. The implementations of these algorithms differ slightly from the standard code, in ways\r\nthat at first look like coding mistakes. Nevertheless, we believe that these changes were introduced on\r\npurpose to mislead researchers.\r\nOne of the more technically advanced parts of Miniduke is the data storage. 
The internal configuration of the\r\nmalware is encrypted, compressed and serialized as a complicated registry-like structure which has various record\r\ntypes including strings, integers and internal references.\r\nIn addition, Miniduke uses an unusual method to store the exfiltrated data. When a file is uploaded to the C\u0026C\r\nserver it is split into small chunks (~3KB), which are compressed, encrypted and placed in a container to be\r\nuploaded to the server. If the source file is large enough it may be placed into several hundred different containers\r\nthat are uploaded independently. These data chunks are probably parsed, decrypted, unpacked, extracted and\r\nreassembled on the attackers’ side. This method is used to upload screenshots made on the victim’s machine.\r\nBuilding such complicated storage adds overhead; however, all those layers of additional processing\r\nguarantee that very few researchers will get to the original data, while also offering increased reliability against\r\nnetwork errors.\r\nVictim geography and profiles\r\nBased on our analysis, the victims of Miniduke and CosmicDuke fall into these categories:\r\ngovernment\r\ndiplomatic\r\nenergy\r\ntelecom operators\r\nmilitary, including military contractors\r\nindividuals involved in the traffic and selling of illegal and controlled substances\r\nFrom one of the old style Miniduke servers we were able to extract a list of victims and their corresponding\r\ncountries. In three of these countries we were able to identify victims belonging to the “government”\r\ncategory. Here’s the list of countries affected:\r\nAustralia\r\nBelgium\r\nFrance\r\nGermany\r\nHungary\r\nNetherlands\r\nSpain\r\nUkraine\r\nUnited States\r\nOne of the CosmicDuke servers we analyzed had a long list of victims dating back to April 2012. 
This server had\r\n265 unique identifiers assigned to victims from 139 unique IPs. Geographical distribution of the victims was as\r\nfollows (top 10):\r\n84 Georgia\r\n61 Russia\r\n34 United States\r\n14 United Kingdom\r\n9 Kazakhstan\r\n8 India\r\n8 Belarus\r\n6 Cyprus\r\n4 Ukraine\r\n4 Lithuania\r\nAccording to our analysis, the attackers were also interested in expanding their operations and scanned IP ranges\r\nand servers in Azerbaijan, Greece and Ukraine.\r\nCommand and control server analysis and hacking tools\r\nDuring the analysis, we were able to obtain a copy of one of the CosmicDuke command and control servers. It\r\nappears it was also used for other operations by the group members, including hacking into other servers on the\r\ninternet.\r\nThe attackers have deployed a number of publicly available hacking tools on this server in order to scan and\r\ncompromise websites of victim organizations as well as collect information for future targeted attacks.\r\nHere is the list of hacking tools found on the server:\r\nHydra: “A very fast network logon cracker which support many different services”\r\nFierce2: “A semi-lightweight enumeration scanner that helps penetration testers locate non-contiguous IP space\r\nand hostnames for a specified domains using things like DNS, Whois and ARIN”\r\nThe Harvester: “The objective of this program is to gather emails, subdomains, hosts, employee names, open\r\nports and banners from different public sources like search engines, PGP key servers and SHODAN computer\r\ndatabase”\r\nRitX: “A Reverse IP Lookup Tool that will allows you to use an IP address or domain name to identify all\r\ncurrently domains hosted on a server using multiple services and various techniques”\r\nJoomscan: “OWASP Joomla! 
Vulnerability Scanner”\r\nNcrack: “High-speed network authentication cracking tool. It allows for rapid, yet reliable large-scale auditing of\r\nmultiple hosts”\r\nSqlmap: “An open source penetration testing tool that automates the process of detecting and exploiting SQL\r\ninjection flaws and taking over of database servers”\r\nWPScan: “A black box WordPress vulnerability scanner”\r\nNote: tool descriptions were copied from their public websites\r\nAttribution and Artifacts, connections with other campaigns\r\nAlthough the attackers use English in several places, indicating knowledge of this language, there are certain\r\nindicators to suggest they are not native English speakers.\r\nThe following strings were discovered in a block of memory appended to the malware component used for\r\npersistence:\r\nwww.mirea.ru\r\ne.mail.ru\r\ngmt4\r\nc:\\documents and settings\\владимир\\local settings\\…\r\nThe C\u0026C hosts appear to have been compromised by the attackers, who uploaded a specific webshell.\r\nThe Miniduke attackers’ webshell on hacked hosts\r\nFor the webshell, it is interesting to point out the use of Codepage 1251, which is commonly used to render Cyrillic\r\ncharacters. The password used to protect the shell is checked against the MD5 hash\r\n“35c7c2d1fe03f0eeaa4630332c242a36”. (BTW: can you crack it? 
It took us some days to solve it!)\r\nIt is perhaps noteworthy that the same webshell has been observed in the operations of another advanced\r\nthreat actor known as Turla, Snake or Uroburos.\r\nAnother interesting aspect is the debug path strings from the malware, which indicate several build environments\r\nor groups of “users” of the “Bot Gen Studio”, “NITRO” and “Nemesis Gemina”:\r\nc:\\botgenstudio\\generations\\fdd88801\\bin\\Bot.pdb\r\nc:\\botgenstudio\\generations\\fed14e50\\bin\\Bot.pdb\r\nD:\\SVA\\NITRO\\BotGenStudio\\Interface\\Generations\\80051A85\\bin\\bot.pdb\r\nd:\\sva\\nitro\\botgenstudio\\interface\\generations\\805f8183\\bin\\Bot.pdb\r\nd:\\production\\nitro\\sva\\generations\\80deae99\\bin\\Bot.pdb\r\nC:\\Projects\\nemesis-gemina\\nemesis\\bin\\carriers\\ezlzma_x86_exe.pdb\r\nC:\\Projects\\NEMESIS\\nemesis-gemina\\nemesis\\bin\\carriers\\ezlzma-boost-kitchen_sink_x86_exe.pdb\r\nD:\\PRODUCTION\\NITRO\\SVA\\Generations\\80911F82\\bin\\bot.pdb\r\nBased on the compilation timestamps, we were able to put together the following chart indicating the activity of\r\nthe Miniduke/CosmicDuke attackers on a ‘Day of the Week’ basis:\r\nIt appears the attackers follow the Mon-Fri work week; however, they do work on the weekends from time to\r\ntime.\r\nIn terms of activity hours, the attackers appear to be working between 6am and 7pm GMT. Most of the work is\r\ndone between 6am and 4pm though.\r\nConclusions\r\nAlthough they stopped or at least decreased in intensity following our announcement last year, the Miniduke\r\nattacks are now back in force. 
The old style Miniduke malware is still being used, deploying previously known\r\nstages packed with a new obfuscator observed with the mysterious “Bot Gen Studio” for the “NITRO” and\r\n“Nemesis Gemina” projects.\r\nWhile the old style Miniduke implants were used to target mostly government victims, the new style CosmicDuke\r\nimplants have a somewhat different typology of victims. The most unusual is the targeting of individuals that\r\nappear to be involved in the traffic and reselling of controlled and illegal substances, such as steroids and\r\nhormones. These victims in the NITRO project have been observed only in Russia. One possibility is that “Bot\r\nGen Studio” is a malware platform also available as a so-called “legal spyware” tool, similar to others, such as\r\nHackingTeam’s RCS, widely used by law enforcement agencies. Another possibility is that it’s simply available in\r\nthe underground and purchased by various competitors in the pharmaceutical business to spy on each other.\r\nAt the same time, the “Nemesis Gemina” project focuses on government, diplomatic, energy, military and telecom\r\noperators.\r\nOne of the big questions here is: Are the Miniduke attackers still “elite”? Though the old malware is still in use,\r\nthe new malware is no longer pure assembler; instead, it’s written in C/C++.\r\nThe new samples of Miniduke/CosmicDuke use a powerful obfuscator. For almost all of the samples we analyzed,\r\nit jumps to the beginning of the dynamic PE loader – always from the same “l33t” address (if the memory layout allowed\r\nit during the bot construction):\r\nHence, you could say that CosmicDuke is still “l33t”!\r\nSource: https://securelist.com/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/64107/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/64107/"
	],
	"report_names": [
		"64107"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434712,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70a3d212e1a010bc34fc07d342c6ef195a143020.pdf",
		"text": "https://archive.orkl.eu/70a3d212e1a010bc34fc07d342c6ef195a143020.txt",
		"img": "https://archive.orkl.eu/70a3d212e1a010bc34fc07d342c6ef195a143020.jpg"
	}
}