
S0048: PinchDuke

PinchDuke is malware that was used by APT29 from 2008 to 2010. [1]

Domain: Enterprise. ID: S0048. Type: Malware. Object version: 1.1.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

PinchDuke matters less as a current malware name and more as a compact example of the risks defenders must be ready to prove they can handle: Windows malware associated with historical APT29 use, credential theft, local data collection, host discovery, file discovery, and web-based command-and-control. For leaders, the practical question is whether the organization can quickly identify a compromised Windows endpoint, determine what credentials and local data may have been exposed, and contain follow-on access.

Executive priority

Treat this as a readiness check for credential exposure and incident scoping. The ATT&CK record ties PinchDuke to APT29 historical activity from 2008 to 2010 and to techniques that can affect identity trust, sensitive data exposure, and response timelines. Priority should be on validating Windows endpoint visibility, credential protection, web egress monitoring, and the ability to produce evidence for incident response and audit questions after suspected malware-driven credential access.

Technical view

ATT&CK lists PinchDuke as Windows malware with no official detection text and no tactics specified on the malware object. The relationship context maps it to OS Credential Dumping, Credentials from Password Stores, Credentials from Web Browsers, Data from Local System, System Information Discovery, File and Directory Discovery, and Web Protocols for command-and-control. SOC and IR teams should therefore validate coverage around Windows credential access behaviors, browser/password-store access, unusual local file enumeration or collection, host discovery commands or API activity, and HTTP/S-like outbound communications that may blend with normal traffic.

Likely telemetry

  • Windows endpoint detection and response events, including process creation and command-line context where available
  • Windows security and authentication logs relevant to credential misuse or suspicious account activity
  • File system telemetry showing access to local sensitive files, directories, browser profile data, or password-store locations
  • Host discovery evidence such as system information queries, inventory changes, or process activity associated with environment enumeration
  • Network, proxy, firewall, and DNS logs for outbound web-protocol communications

Detection direction

  • Do not rely on a PinchDuke signature alone; ATT&CK provides no official detection guidance for this object.
  • Build detections around the related behaviors: credential dumping, password-store and browser credential access, local data collection, system discovery, file and directory discovery, and web-protocol command-and-control.
  • Tune web traffic analytics carefully because HTTP/S-like traffic is common; prioritize rare destinations, unusual user-agent or timing patterns, endpoint context, and correlation with host-side discovery or credential-access activity.
  • Validate that detections preserve enough context for IR scoping: affected user, host, accessed credential stores, accessed files, and outbound destinations.
  • Account for false positives from legitimate administration, backup, inventory, browser management, and security tools that may enumerate systems or access files at scale.
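Added example, not code from the page, from Glexia or from MITRE: a small Python correlation over constructed endpoint events that ties the behaviors listed above (browser/mail credential-store access, document sweeps, and web egress from the same process) into one alert that carries the IR scoping fields. The event layout, hostnames, paths, PIDs and the correlate() function are assumptions made for this illustration.

```python
# Added example, not code from the page, Glexia or MITRE: correlate constructed
# endpoint telemetry so that one process touching a browser or mail credential
# store (T1555.003 / T1555), sweeping document files (T1083 / T1005) and then
# sending HTTP(S) outbound (T1071.001) is raised as one alert with IR context.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, user, pid, kind, target).
# Hostnames, users, PIDs and the profile directory names are illustrative.
EVENTS = [
    ("2024-05-01T09:00:05", "WS01", "jdoe", 4120, "file", r"C:\Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\ab1.default\logins.json"),
    ("2024-05-01T09:00:06", "WS01", "jdoe", 4120, "file", r"C:\Users\jdoe\AppData\Roaming\Thunderbird\Profiles\cd2.default\key4.db"),
    ("2024-05-01T09:00:09", "WS01", "jdoe", 4120, "file", r"C:\Users\jdoe\Documents\budget.xlsx"),
    ("2024-05-01T09:00:10", "WS01", "jdoe", 4120, "file", r"C:\Users\jdoe\Documents\plan.docx"),
    ("2024-05-01T09:00:11", "WS01", "jdoe", 4120, "file", r"C:\Users\jdoe\Documents\notes.pdf"),
    ("2024-05-01T09:00:40", "WS01", "jdoe", 4120, "net", "http://203.0.113.10/upload"),
    ("2024-05-01T09:01:00", "WS01", "jdoe", 2200, "file", r"C:\Users\jdoe\Documents\plan.docx"),
    ("2024-05-01T09:01:05", "WS01", "jdoe", 2200, "net", "https://www.example.com/"),
]
# Browser/mail profile markers and document extensions; tune these to the estate.
CRED_STORE_MARKERS = ("\\mozilla\\firefox\\", "\\thunderbird\\")
DOC_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".pdf")


def correlate(events, doc_threshold=3, window=timedelta(minutes=5)):
    """Group events per (host, pid); alert when credential-store access or bulk
    document access is followed within `window` by outbound web traffic."""
    procs = defaultdict(lambda: {"user": None, "first": None,
                                 "cred": [], "docs": [], "net": []})
    for ts, host, user, pid, kind, target in sorted(events):
        rec = procs[(host, pid)]
        rec["user"] = user
        t = datetime.fromisoformat(ts)
        low = target.lower()
        if kind == "file" and any(m in low for m in CRED_STORE_MARKERS):
            rec["cred"].append(target)
        elif kind == "file" and low.endswith(DOC_EXTENSIONS):
            rec["docs"].append(target)
        elif kind == "net" and rec["first"] and t - rec["first"] <= window:
            rec["net"].append(target)  # web egress after suspicious file access
        if rec["first"] is None and (rec["cred"] or rec["docs"]):
            rec["first"] = t  # remember the first suspicious file access
    alerts = []  # one record per process, with the fields IR needs for scoping
    for (host, pid), rec in procs.items():
        if rec["net"] and (rec["cred"] or len(rec["docs"]) >= doc_threshold):
            alerts.append({"host": host, "pid": pid, "user": rec["user"],
                           "credential_stores": rec["cred"],
                           "files": rec["docs"], "destinations": rec["net"]})
    return alerts
```

The single benign document open by pid 2200 stays below the threshold and produces no alert, which is the false-positive control the bullet list asks for.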

Mitigation priorities

  • Prioritize credential protections on Windows endpoints, including least privilege, reduction of unnecessary local admin rights, and controls that limit exposure of cached or stored credentials.
  • Reduce dependence on saved browser passwords and unmanaged password stores where feasible; align credential storage practices with identity and access management policy.
  • Ensure endpoint protection, logging, and response tooling can capture credential-access, discovery, and collection behaviors, not only known malware names.
  • Apply egress control and monitoring for web-protocol outbound traffic so suspicious command-and-control patterns can be investigated with endpoint context.
  • Prepare IR playbooks for malware cases involving credential exposure, including password resets, token/session review, lateral movement checks, and data-access scoping.

Analyst notes and limits

The most useful defensive framing is behavior-based. PinchDuke is a historical Windows malware entry associated by ATT&CK with APT29 use and several credential, discovery, collection, and web C2 techniques. This makes it valuable for testing whether SOC and IR teams can connect endpoint activity, identity risk, and network egress into a coherent incident assessment.

The official ATT&CK object provides a short description and no official detection text. The malware object itself has no tactics specified, so tactic framing here is derived from supplied relationship context. Local environment validation is required before making claims about exposure, detection coverage, or control effectiveness.

Official MITRE ATT&CK definition

PinchDuke

PinchDuke is malware that was used by APT29 from 2008 to 2010. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1083 | File and Directory Discovery

PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list. [1]

Enterprise | T1003 | OS Credential Dumping

PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as the WinInet Credential Cache and Lightweight Directory Access Protocol (LDAP). [1]

Enterprise | T1071.001 | Web Protocols (sub-technique)

PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server. [1]

Enterprise | T1082 | System Information Discovery

PinchDuke gathers system configuration information. [1]

Enterprise | T1555 | Credentials from Password Stores

PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, and Microsoft Outlook. [1]

Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique)

PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, and Internet Explorer. [1]

Enterprise | T1005 | Data from Local System

PinchDuke collects user files from the compromised host based on predefined file extensions. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0016: APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 51c32430d892b30b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 51c32430d892…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] F-Secure The Dukes. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  2. [2] mitre-attack S0048.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.