{
	"id": "4c74beac-2bc8-4e5a-a2f7-5b8804e21824",
	"created_at": "2026-04-06T00:14:47.272198Z",
	"updated_at": "2026-04-10T03:20:25.937517Z",
	"deleted_at": null,
	"sha1_hash": "f45eb0a338753af8cb6d1e15341df1a59603292d",
	"title": "LiteDuke (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 28464,
	"plain_text": "LiteDuke (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 12:51:28 UTC\r\nAccording to CarbonBlack, LiteDuke is a third stage backdoor. It appears to use the same dropper as\r\nPolyglotDuke. Its payload makes use of an AES encrypted SQLite database to store its configuration. LiteDuke\r\nsupports a large number of individual commands including host information retrieval, file upload and download,\r\nand the ability to execute other code. LiteDuke C2 servers appear to be compromised servers, and the malware\r\ncommunicates with them using normal HTTP requests. It attempts to use a realistic User-Agent string to blend in\r\nbetter with normal HTTP traffic.\r\nESET have dubbed it LiteDuke because it uses SQLite to store information such as its configuration.\r\n[TLP:WHITE] win_liteduke_auto (20251219 | Detects win.liteduke.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke"
	],
	"report_names": [
		"win.liteduke"
	],
	"threat_actors": [],
	"ts_created_at": 1775434487,
	"ts_updated_at": 1775791225,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f45eb0a338753af8cb6d1e15341df1a59603292d.pdf",
		"text": "https://archive.orkl.eu/f45eb0a338753af8cb6d1e15341df1a59603292d.txt",
		"img": "https://archive.orkl.eu/f45eb0a338753af8cb6d1e15341df1a59603292d.jpg"
	}
}