{
	"id": "8d6f6b6e-5d75-45e4-b9df-93fb2f73a49a",
	"created_at": "2026-04-06T01:32:03.631686Z",
	"updated_at": "2026-04-10T03:32:56.153837Z",
	"deleted_at": null,
	"sha1_hash": "fc433042568bc703675504edf11256231536a7d9",
	"title": "Unit 42 Technical Analysis: Seaduke",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 995664,
	"plain_text": "Unit 42 Technical Analysis: Seaduke\r\nBy Josh Grunzweig\r\nPublished: 2015-07-14 · Archived: 2026-04-06 01:14:31 UTC\r\nEarlier this week Symantec released a blog post detailing a new Trojan used by the ‘Duke’ family of malware.\r\nWithin this blog post, a payload containing a function named ‘forkmeiamfamous’ was mentioned. While\r\nperforming some research online, Unit 42 was able to identify the following sample, which is being labeled as\r\n‘Trojan.Win32.Seadask’ by a number of anti-virus companies.\r\nMD5 A25EC7749B2DE12C2A86167AFA88A4DD\r\nSHA1 BB71254FBD41855E8E70F05231CE77FEE6F00388\r\nSHA256 3EB86B7B067C296EF53E4857A74E09F12C2B84B666FC130D1F58AEC18BC74B0D\r\nCompile Timestamp 2013-03-23 22:26:55\r\nFile type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed\r\nOur analysis has turned up more technical details and indicators on the malware itself that aren’t mentioned in\r\nSymantec’s post. Here are some of our observations:\r\nFirst Layer of Obfuscation\r\nOnce the UPX packer is removed from the malware sample, it becomes quickly apparent that we’re dealing with a\r\nsample compiled using PyInstaller. This program allows an individual to write a program using the Python\r\nscripting language and convert it into an executable for the Microsoft Windows, Linux, Mac OS X, Solaris, or AIX\r\nplatform. 
The following subset of strings that were found within the UPX-unpacked binary confirms our\r\nsuspicions.\r\nsys.path.append(r\"%s\")\r\ndel sys.path[:]\r\nimport sys\r\nPYTHONHOME\r\nPYTHONPATH\r\nError in command: %s\r\nsys.path.append(r\"%s?%d\")\r\n_MEI%d\r\nINTERNAL ERROR: cannot create temporary directory!\r\nWARNING: file already exists but should not: %s\r\nError creating child process!\r\nhttp://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/\r\nPage 1 of 10\n\nCannot GetProcAddress for PySys_SetObject\r\nPySys_SetObject\r\nBecause the sample was written in Python originally, we’re able to extract the underlying code. A tool such as\r\n‘PyInstaller Extractor’ can be used to extract the underlying pyc files present within the binary.\r\nFigure 1. Extracted Python files from Seaduke\r\nWe can then use a tool such as uncompyle2 to convert the Python byte-code into the original source code. Once\r\nthis process is completed, we quickly realize that the underlying Python code has been obfuscated.\r\nFigure 2. Obfuscated Python code\r\nSecond Layer of Obfuscation\r\nTracing through the obfuscated code, we identify an ‘exec(ZxkBDKLakV)’ statement, which will presumably\r\nexecute some Python code. Tracing further, we discover that this string is generated via appending a number of\r\nstrings to the ‘ZxkBDKLakV’ variable. Finally, we find that after this string is created, it is base64-decoded and\r\nsubsequently decompressed using the ZLIB library.\r\nFigure 3. 
Second layer of obfuscation identified\r\nThe following simple Python (2.x) code can be used to circumvent this layer of obfuscation:\r\nimport sys, re, base64, zlib\r\n\r\nif len(sys.argv) != 2:\r\n    print \"Usage: python %s [file]\" % __file__\r\n    sys.exit(1)\r\n\r\n# Read the decompiled first-layer Python source\r\nf = open(sys.argv[1], 'rb')\r\nfdata = f.read()\r\nf.close()\r\n\r\n# Set this accordingly: the variable that is passed to exec()\r\nvariable = \"ZxkBDKLakV\"\r\n\r\n# Collect, in order, the names of every chunk appended to that variable\r\nregex = \"%s \\+= ([a-zA-Z0-9]+)\\n\" % variable\r\nout = \"\"\r\nfor x in re.findall(regex, fdata):\r\n    # Look up the base64 string literal assigned to each chunk name\r\n    # ('=' is allowed so a padded final chunk is still matched)\r\n    regex2 = \"%s = \\\"([a-zA-Z0-9\\+\\/=]+)\\\"\" % x\r\n    for x1 in re.findall(regex2, fdata):\r\n        out += x1\r\n\r\n# Undo the base64 + ZLIB wrapping to recover the second-layer code\r\no = base64.b64decode(out)\r\nprint zlib.decompress(o)\r\nThe remaining Python code still appears to be obfuscated; however, its overall functionality can be identified.\r\nFinal Payload\r\nAs we can see below, almost all variable names and class names have been obfuscated using long unique strings.\r\nFigure 4. Obfuscation discovered in final payload\r\nUsing a little brainpower and search/replace, we can begin identifying and renaming functionality within the\r\nmalware. A cleaned up copy of this code can be found on GitHub. One of the first things we notice is a large blob\r\nof base64-encoded data, which is additionally decompressed using ZLIB. Once we decode and decompress this\r\ndata, we are rewarded with a JSON object containing configuration data for this malware:\r\nFigure 5. 
Base64-encoded / ZLIB compressed data\r\n{\r\n  \"first_run_delay\": 0,\r\n  \"keys\": {\r\n    \"aes\": \"KIjbzZ/ZxdE5KD2XosXqIbEdrCxy3mqDSSLWJ7BFk3o=\",\r\n    \"aes_iv\": \"cleUKIi+mAVSKL27O4J/UQ==\"\r\n  },\r\n  \"autoload_settings\": {\r\n    \"exe_name\": \"LogonUI.exe\",\r\n    \"app_name\": \"LogonUI.exe\",\r\n    \"delete_after\": false\r\n  },\r\n  \"host_scripts\": [\"http://monitor.syn[.]cn/rss.php\"],\r\n  \"referer\": \"https://www.facebook.com/\",\r\n  \"user_agent\": \"SiteBar/3.3.8 (Bookmark Server; http://sitebar.org/)\",\r\n  \"key_id\": \"P4BNZR0\",\r\n  \"enable_autoload\": false\r\n}\r\nThis configuration object provides a number of clues and indicators about the malware itself. After this data is\r\nidentified, we begin tracing execution of the malware from the beginning. When the malware is initially run, it\r\nwill determine on which operating system it is running. Should it be running on a non-Windows system, we see a\r\ncall to the infamous ‘forkmeiamfamous’ method. This method is responsible for configuring a number of Unix-specific settings, and forking the process.\r\nFigure 6. Main execution of malware\r\nContinuing along, we discover that this malware has the ability to persist using one of the following techniques:\r\n1. Persistence via PowerShell\r\n2. Persistence via the Run registry key\r\n3. Persistence via a .lnk file stored in the Startup directory\r\nThe malware copies itself to a file name referenced in the JSON configuration.\r\nFigure 7. Persistence techniques\r\nAfter the malware installs itself, it begins making network requests. All network communications are performed\r\nover HTTP for this particular sample; however, it appears to support HTTPS as well. 
When the malware makes\r\nthe initial outbound connection, a specific Cookie value is used.\r\nFigure 8. Initial HTTP request made\r\nIn actuality, this Cookie value contains encrypted data. The base64-encoded data is parsed from the Cookie value\r\n(padding is added as necessary).\r\nEBJhZTlKiqN8nYWejKh7UpDycPlcrGMEcTE=\r\nThe resulting decoded data is shown below.\r\n\\x10\\x12ae9J\\x8a\\xa3|\\x9d\\x85\\x9e\\x8c\\xa8{R\\x90\\xf2p\\xf9\\\\\\xacc\\x04q1\r\nThe underlying data has the following characteristics.\r\nFigure 9. Cookie data structure\r\nXORing the first character with the second character yields the length of the random string. Using the\r\nabove example, we get the following.\r\nFirst Character  : '\\x10'\r\nSecond Character : '\\x12'\r\nString Length (16 ^ 18) : 2\r\nRandom String    : 'ae'\r\nEncrypted Data   : '9J\\x8a\\xa3|\\x9d\\x85\\x9e\\x8c\\xa8{R\\x90\\xf2p\\xf9\\\\\\xacc\\x04q1'\r\nFinally, the remaining data is encrypted using the RC4 algorithm. The key is generated by concatenating the\r\npreviously used random string with the new one, and taking the SHA1 hash of this data.\r\nThis same key is used to decrypt any response data provided by the server. The server attempts to mimic an HTML\r\npage and provides base64-encoded data within the response, as shown below.\r\nFigure 10. Server response\r\nData found within tags in the HTML response is joined together and the white space is removed. This data is then\r\nbase64-decoded with additional characters (‘-_’) prior to being decrypted via RC4 using the previously discussed\r\nkey. 
After decryption occurs, the previous random string used in key generation is updated with the random string.\r\nIn doing so, the attackers have ensured that no individual HTTP session can be decrypted without seeing the\r\nprevious session. If the decrypted data does not produce proper JSON data, Seaduke will discard it and enter a\r\nsleep cycle.\r\nOtherwise, this JSON data will be parsed for commands. The following commands have been identified in\r\nSeaduke.\r\nCommand Description\r\ncd Change working directory to one specified\r\npwd Return present working directory\r\ncdt Change working directory to %TEMP%\r\nautoload Install malware in specified location\r\nmigrate Migrate processes\r\nclone_time Clone file timestamp information\r\ndownload Download file\r\nexecw Execute command\r\nget Get information about a file\r\nupload Upload file to specified URL\r\nb64encode Base64-encode file data and return result\r\neval Execute Python code\r\nset_update_interval Update sleep timer between main network requests\r\nself_exit Terminate malware\r\nseppuku Terminate and uninstall malware\r\nIn order for the ‘self_exit’ or ‘seppuku’ commands to properly execute, the attackers must supply a secondary\r\nargument of ‘YESIAMSURE’.\r\nConclusion\r\nOverall, Seaduke is quite sophisticated. While written in Python, the malware employs a number of interesting\r\ntechniques for encrypting data over the network and persisting on the victim machine. WildFire customers are\r\nprotected against this threat. Additionally, Palo Alto Networks properly categorizes the URL used by Seaduke as\r\nmalicious.\r\nSource: http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/"
	],
	"report_names": [
		"unit-42-technical-analysis-seaduke"
	],
	"threat_actors": [
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439123,
	"ts_updated_at": 1775791976,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc433042568bc703675504edf11256231536a7d9.pdf",
		"text": "https://archive.orkl.eu/fc433042568bc703675504edf11256231536a7d9.txt",
		"img": "https://archive.orkl.eu/fc433042568bc703675504edf11256231536a7d9.jpg"
	}
}