{
	"id": "bcf25d9f-e57d-4c54-92b8-c90863448d18",
	"created_at": "2026-04-06T00:18:33.321486Z",
	"updated_at": "2026-04-10T13:11:55.955285Z",
	"deleted_at": null,
	"sha1_hash": "ecb09de946c87cc4460ea67bcfc52e9e1f3041d8",
	"title": "The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 159201,
	"plain_text": "The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor\r\nBy GReAT\r\nPublished: 2013-02-27 · Archived: 2026-04-05 18:45:16 UTC\r\n(or, how many cool words can you fit into one title)\r\nOn Feb 12th 2013, FireEye announced the discovery of an Adobe Reader 0-day exploit which is used to drop a previously unknown, advanced piece of malware. We called this new malware \"ItaDuke\" because it reminded us of Duqu and because of the ancient Italian comments in the shellcode, copied from Dante Alighieri's \"Divine Comedy\".\r\nSince the original announcement, we have observed several new attacks using the same exploit (CVE-2013-0640) which drop other malware. Among these, we've observed a couple of incidents which are so unusual in many ways that we've decided to analyse them in depth.\r\nTogether with our partner CrySyS Lab, we've performed a detailed analysis of these unusual incidents, which suggest a new, previously unknown threat actor. For the CrySyS Lab analysis, please read [here]. For our analysis, please read below.\r\nKey findings include:\r\n• The MiniDuke attackers are still active at this time and have created malware as recently as February 20, 2013.\r\n• To compromise the victims, the attackers used extremely effective social engineering techniques which involved sending malicious PDF documents to their targets. The PDFs carried highly relevant and well-crafted content that fabricated human rights seminar information (ASEM) and Ukraine's foreign policy and NATO membership plans.\r\nhttps://securelist.com/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor/31112/\r\nPage 1 of 4\r\nThese malicious PDF files were rigged with exploits attacking Adobe Reader versions 9, 10 and 11, bypassing its sandbox.\r\n• Once the system is exploited, a very small downloader, only 20KB in size, is dropped onto the victim's disk. This downloader is unique per system and contains a customized backdoor written in Assembler. When loaded at system boot, the downloader uses a set of mathematical calculations to determine the computer's unique fingerprint, and in turn uses this data to uniquely encrypt its communications later.\r\n• If the target system meets the pre-defined requirements, the malware will use Twitter (unbeknownst to the user) and start looking for specific tweets from pre-made accounts. These accounts were created by MiniDuke's Command and Control (C2) operators, and the tweets carry specific tags labeling encrypted URLs for the backdoors. These URLs provide access to the C2s, which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files.\r\n• Based on the analysis, it appears that MiniDuke's creators provide a dynamic backup system that can also fly under the radar: if Twitter isn't working or the accounts are down, the malware can use Google Search to find the encrypted strings pointing to the next C2. This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed.\r\n• Once the infected system locates the C2, it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim's machine. Once they are downloaded to the machine, they can fetch a larger backdoor which carries out the cyberespionage activities, through functions such as copy file, move file, remove file, make directory, kill process and, of course, download and execute new malware and lateral movement tools.\r\n• The final stage backdoor connects to two servers, one in Panama and one in Turkey, to receive the instructions from the attackers.\r\n• The attackers left a small clue in the code, in the form of the number 666 (0x29A hex) before one of the decryption subroutines.\r\n• By analysing the logs from the command servers, we have observed 59 unique victims in 23 countries: Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, Ukraine, United Kingdom and United States.\r\nFor the detailed analysis and information on how to protect against the attack, please read:\r\n[The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor.PDF]\r\nSource: https://securelist.com/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor/31112/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor/31112/"
	],
	"report_names": [
		"31112"
	],
	"threat_actors": [
		{
			"id": "9a58d7bb-dd32-41bc-804e-500ef7550cf8",
			"created_at": "2023-01-06T13:46:39.131811Z",
			"updated_at": "2026-04-10T02:00:03.2252Z",
			"deleted_at": null,
			"main_name": "ItaDuke",
			"aliases": [
				"DarkUniverse",
				"SIG27"
			],
			"source_name": "MISPGALAXY:ItaDuke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434713,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ecb09de946c87cc4460ea67bcfc52e9e1f3041d8.pdf",
		"text": "https://archive.orkl.eu/ecb09de946c87cc4460ea67bcfc52e9e1f3041d8.txt",
		"img": "https://archive.orkl.eu/ecb09de946c87cc4460ea67bcfc52e9e1f3041d8.jpg"
	}
}