{
	"id": "e4277ace-dd2e-4985-9c47-13b4d821aca2",
	"created_at": "2026-04-06T00:18:43.933101Z",
	"updated_at": "2026-04-10T03:33:49.486202Z",
	"deleted_at": null,
	"sha1_hash": "70ff7a7233f564f19c7cd865796c44d8a256780b",
	"title": "Duqu",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 139876,
	"plain_text": "Duqu\r\nBy Contributors to Wikimedia projects\r\nPublished: 2011-10-24 · Archived: 2026-04-05 18:56:43 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nFor the version of malware announced in 2015, see Duqu 2.0.\r\nDuqu is a collection of computer malware discovered on 1 September 2011, thought by Kaspersky Labs to be\r\nrelated to the Stuxnet worm[1] and to have been created by Unit 8200.[2][3] The Laboratory of Cryptography and\r\nSystem Security (CrySyS Lab)[4] of the Budapest University of Technology and Economics in Hungary\r\ndiscovered the threat, analysed the malware, and wrote a 60-page report[5] naming the threat Duqu.[6] Duqu got its\r\nname from the prefix \"~DQ\" it gives to the names of files it creates.[7]\r\nIn April 2011, Iranian authorities announced that computers there had been struck by a second digital attack in the\r\nwake of Stuxnet and gave this new attack the name Stars virus.[8][9] Iran did not release any samples of the\r\nmalware for outside researchers to examine.\r\nDuring analysis of the Duqu malware, researchers came to believe that the Stars virus found by Iranian computer\r\nspecialists was the Duqu virus. The Duqu virus keylogger was embedded in a JPEG file. Since most of the file\r\nwas taken up by the keylogger, only a portion of the image remained. It turned out to be an image taken by the Hubble\r\ntelescope showing a cluster of stars, the aftermath of two galaxies colliding. Symantec, Kaspersky and CrySyS\r\nresearchers came to believe Duqu and Stars were the same virus.[10][11]\r\nThe term Duqu is used in a variety of ways:\r\nDuqu malware is a variety of software components that together provide services to the attackers. This\r\nincludes information-stealing capabilities and, in the background, kernel drivers and injection tools. 
While\r\nmost of the malware is written in C++, part of its DLL payload is written with a customized object-oriented\r\nC framework and compiled in Microsoft Visual Studio 2008.[12][page needed][13][14]\r\nThe Duqu flaw is the flaw in Microsoft Windows that malicious files use to execute the malware\r\ncomponents of Duqu, a TrueType font-related problem in win32k.sys.\r\nOperation Duqu is the campaign in which Duqu is used, for goals that are not yet known. The operation might be related to\r\nOperation Stuxnet.\r\nRelationship to Stuxnet\r\nSymantec, building on the report of the CrySyS team managed by Dr Thibault Gainche, continued the analysis of the\r\nthreat, which it called \"nearly identical to Stuxnet, but with a completely different purpose\", and published a\r\ndetailed technical paper on it with a cut-down version of the original lab report as an appendix.[7][15]\r\nhttps://en.wikipedia.org/wiki/Duqu\r\nPage 1 of 5\n\nSymantec\r\nbelieves that Duqu was created by the same authors as Stuxnet, or that the authors had access to the source code of\r\nStuxnet. The base platform on which Stuxnet and Duqu were built has been dubbed Tilde-d since both Stuxnet and\r\nDuqu used files that began with ~D.[16] The worm, like Stuxnet, has a valid but abused digital signature, and\r\ncollects information to prepare for future attacks.[7][17]\r\nMikko Hyppönen, Chief Research Officer for F-Secure, said that Duqu's kernel driver, JMINET7.SYS, was so\r\nsimilar to Stuxnet's MRXCLS.SYS that F-Secure's back-end system thought it was Stuxnet. Hyppönen further\r\nsaid that the key used to make Duqu's own digital signature (only observed in one case) was stolen from C-Media,\r\nlocated in Taipei, Taiwan. 
The certificates were due to expire on 2 August 2012 but were revoked on 14 October\r\n2011, according to Symantec.[15]\r\nAnother source, Dell SecureWorks, reports that Duqu may not be related to Stuxnet.[18] However, there is\r\nconsiderable and growing evidence that Duqu is closely related to Stuxnet.\r\nExperts compared the similarities and found three points of interest:\r\nThe installer exploits zero-day Windows kernel vulnerabilities.\r\nComponents are signed with stolen digital keys.\r\nDuqu and Stuxnet are both highly targeted and related to the nuclear program of Iran.\r\nMicrosoft Word zero-day exploit\r\nLike Stuxnet, Duqu attacks Microsoft Windows systems using a zero-day vulnerability. The first known installer\r\n(AKA dropper) file recovered and disclosed by CrySyS Lab uses a Microsoft Word document that exploits the\r\nWin32k TrueType font parsing engine and allows code execution.[19] The Duqu dropper relies on font embedding, and\r\nthus relates to the workaround of restricting access to T2EMBED.DLL, a TrueType font parsing engine, if\r\nthe patch released by Microsoft in December 2011 is not yet installed.[20] The Microsoft identifier for the threat is\r\nMS11-087 (first advisory issued on 13 November 2011).[21]\r\nDuqu looks for information that could be useful in attacking industrial control systems. Its purpose is not to be\r\ndestructive; the known components are trying to gather information.[22] However, based on the modular structure\r\nof Duqu, a special payload could be used to attack any type of computer system by any means, and thus cyber-physical attacks based on Duqu might be possible. 
However, on personal computer systems Duqu has been found to\r\ndelete all recent information entered on the system, and in some cases to delete the contents of the computer's hard drive entirely.\r\nInternal communications of Duqu have been analysed by Symantec,[7] but the exact method by which it replicates\r\ninside an attacked network is not yet fully known.\r\nAccording to McAfee, one of Duqu's actions is to steal digital certificates (and corresponding private keys, as used\r\nin public-key cryptography) from attacked computers to help future viruses appear as secure software.[23] Duqu\r\nuses a 54×54 pixel JPEG file and encrypted dummy files as containers to smuggle data to its command and\r\ncontrol center. Security experts are still analyzing the code to determine what information the communications\r\ncontain. Initial research indicates that the original malware sample automatically removes itself after 36 days (the\r\nmalware stores this setting in configuration files), which would limit its detection.[15]\r\nKey points are:\r\nExecutables developed after Stuxnet, using the Stuxnet source code, have been discovered.\r\nThe executables are designed to capture information such as keystrokes and system information.\r\nCurrent analysis shows no code related to industrial control systems, exploits, or self-replication.\r\nThe executables have been found in a limited number of organizations, including those involved in the\r\nmanufacturing of industrial control systems.\r\nThe exfiltrated data may be used to enable a future Stuxnet-like attack, or might already have been used as\r\nthe basis for the Stuxnet attack.\r\nCommand and control servers\r\nSome of the command and control servers of Duqu have been analysed. It seems that the people running the attack\r\nhad a predilection for CentOS 5.x servers, leading some researchers to believe that they had a zero-day exploit\r\nfor it.[24] 
Servers are scattered in many different countries, including Germany, Belgium, the Philippines, India and\r\nChina. Kaspersky has published multiple blog posts on the command and control servers.[25]\r\nSee also\r\nCyber security standards\r\nCyberwarfare in the United States\r\nCyberweapon\r\nFlame (malware)\r\nList of cyber attack threat trends\r\nMahdi (malware)\r\nMoonlight Maze\r\nOperation High Roller\r\nOperation Merlin\r\nProactive Cyber Defence\r\nStars virus\r\nTitan Rain\r\nUnited States Cyber Command\r\nUnit 8200\r\nReferences\r\n1. ^ Perlroth, Nicole; Shane, Scott (10 October 2017). \"How Israel Caught Russian Hackers Scouring the\r\nWorld for U.S. Secrets\". New York Times. Retrieved 18 October 2025.\r\n2. ^ Carr, Jeffrey (Principal consultant at 20KLeague.com; Founder of Suits and Spooks; Author of “Inside Cyber\r\nWarfare” (O’Reilly Media, 2009, 2011)) (25 August 2016). \"NSA, Unit 8200, and Malware Proliferation\". medium.com. Archived 25 October 2017 at the Wayback Machine.\r\n3. ^ Cornish, Paul (4 November 2021). The Oxford Handbook of Cyber Security. Oxford University Press.\r\nISBN 978-0-19-252101-9. “Foreign sources routinely assert that Unit 8200 contributed to Stuxnet, Flame,\r\nDuqu and other sophisticated cyber campaigns.”\r\n4. ^ \"Laboratory of Cryptography and System Security (CrySyS)\". Retrieved 4 November 2011.\r\n5. ^ \"Duqu: A Stuxnet-like malware found in the wild, technical report\" (PDF). Laboratory of Cryptography\r\nof Systems Security (CrySyS). 14 October 2011.\r\n6. ^ \"Statement on Duqu's initial analysis\". Laboratory of Cryptography of Systems Security (CrySyS). 21\r\nOctober 2011. Archived from the original on 4 October 2012. Retrieved 25 October 2011.\r\n7. ^ \"W32.Duqu – The precursor to the next Stuxnet (Version 1.4)\" (PDF). Symantec. 23\r\nNovember 2011. Archived from the original (PDF) on 13 December 2011. Retrieved 30 December 2011.\r\n8. 
^ \"Military Daily News\". Military.com.\r\n9. ^ \"Iran target of new cyber attack\". Archived from the original on 29 April 2011.\r\n10. ^ Zetter, Kim (2014). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon.\r\nCrown Publishing Group. p. 259. ISBN 9780770436186. Retrieved 20 January 2015.\r\n11. ^ \"The Duqu Saga Continues: Enter Mr. B. Jason and TV's Dexter\". securelist.com. 10 November 2011.\r\n12. ^ \"Securelist | Kaspersky's threat research and reports\". 12 September 2023.\r\n13. ^ \"The mystery of Duqu Framework solved\". Securelist. 19 March 2012. Retrieved 13 January 2026.\r\n“[Another possibility is that the] code was written using a custom OO C framework, based on macros or\r\ncustom preprocessor directives. This was suggested by your comments, because it is the most common way\r\nto combine object-oriented programming with C. [... We conclude that,] The Duqu Framework consists of\r\n\"C\" code compiled with MSVC 2008 using the special options \"/O1\" and \"/Ob1\" [;] The code was most\r\nlikely written with a custom extension to C, generally called \"OO C\" [, and that the command and control\r\ncode] could have been reused from an already existing software project and integrated into the Duqu\r\ntrojan [.]”\r\n14. ^ Knight, Shawn (9 March 2012). \"Duqu Trojan contains mystery programming language in Payload\r\nDLL\". TechSpot. Retrieved 13 January 2026. “[Kaspersky identified much] of the code [as] standard C++\r\n[... but a section] of the Payload DLL [to send and receive external] instructions [is written with an]\r\nobject-oriented [language, that's otherwise] unlike anything the team at Kaspersky has seen before. [...]\r\nExperts have dubbed this portion of code the Duqu Framework and based on the sheer complexity of the\r\ninstructions, it's believed that the trojan is funded by a wealthy organization or a national effort.”\r\n15. ^ Zetter, Kim (18 October 2011). 
\"Son of Stuxnet Found in the Wild on Systems in\r\nEurope\". Wired. Retrieved 21 October 2011.\r\n16. ^ Kuznetsov, Igor (19 March 2012). \"The Mystery of Duqu: Part Seven (Back to Stuxnet)\". Securelist by\r\nKaspersky. Archived from the original on 27 April 2025. Retrieved 13 January 2026.\r\n17. ^ \"Virus Duqu alarmiert IT-Sicherheitsexperten\". Die Zeit. 19 October 2011. Retrieved 19 October 2011.\r\n18. ^ \"Spotted in Iran, trojan Duqu may not be 'son of Stuxnet' after all\". 27 October 2011. Retrieved 27\r\nOctober 2011.\r\n19. ^ \"Microsoft issues temporary 'fix-it' for Duqu zero-day\". ZDNet. Archived from the original on 6\r\nNovember 2011. Retrieved 5 November 2011.\r\n20. ^ \"Microsoft Security Advisory (2639658)\". Vulnerability in TrueType Font Parsing Could Allow Elevation\r\nof Privilege. 3 November 2011. Retrieved 5 November 2011.\r\n21. ^ \"Microsoft Security Bulletin MS11-087 - Critical\". Retrieved 13 November 2011.\r\n22. ^ Cherry, Steven, with Larry Constantine (14 December 2011). \"Sons of Stuxnet\". IEEE Spectrum.\r\n23. ^ Venere, Guilherme; Szor, Peter (18 October 2011). \"The Day of the Golden Jackal – The Next Tale in the\r\nStuxnet Files: Duqu\". McAfee. Archived from the original on 31 May 2016. Retrieved 19 October 2011.\r\n24. ^ Garmon, Matthew. \"In Command \u0026 Out of Control\". Matt Garmon. DIG. Archived from the original on\r\n8 August 2018. Retrieved 8 August 2018.\r\n25. ^ Kamluk, Vitaly (30 November 2011). \"The Mystery of Duqu: Part Six (The Command and Control\r\nservers)\". Securelist by Kaspersky. Archived from the original on 7 June 2022. Retrieved 7 June 2022.\r\nSource: https://en.wikipedia.org/wiki/Duqu",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Duqu"
	],
	"report_names": [
		"Duqu"
	],
	"threat_actors": [
		{
			"id": "fea75bf4-c510-4146-bbac-0802351f4eb0",
			"created_at": "2023-01-06T13:46:38.714847Z",
			"updated_at": "2026-04-10T02:00:03.076837Z",
			"deleted_at": null,
			"main_name": "Unit 8200",
			"aliases": [
				"Duqu Group"
			],
			"source_name": "MISPGALAXY:Unit 8200",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b07fec96-80cd-4d92-aa52-a26a0b25b7c2",
			"created_at": "2022-10-25T16:07:23.826594Z",
			"updated_at": "2026-04-10T02:00:04.760416Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [
				"Mahdi"
			],
			"source_name": "ETDA:Madi",
			"tools": [
				"Madi"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434723,
	"ts_updated_at": 1775792029,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70ff7a7233f564f19c7cd865796c44d8a256780b.pdf",
		"text": "https://archive.orkl.eu/70ff7a7233f564f19c7cd865796c44d8a256780b.txt",
		"img": "https://archive.orkl.eu/70ff7a7233f564f19c7cd865796c44d8a256780b.jpg"
	}
}