S0049: GeminiDuke
GeminiDuke is malware that was used by APT29 from 2009 to 2012. [1]
Analyst context for executives and security teams
GeminiDuke matters less as a current malware headline and more as a coverage test for older Windows-focused espionage tradecraft: host discovery, local account and process enumeration, file discovery, service discovery, network configuration discovery, and web-protocol command-and-control. For leaders, the decision value is whether SOC and IR teams can still recognize these common behaviors when they appear as part of a known malware family historically used by APT29 from 2009 to 2012.
Executive priority
Prioritize this as a defensive validation item, not as evidence of current exposure. It supports resilience and audit conversations around Windows endpoint visibility, discovery-behavior monitoring, and web traffic inspection. Ask whether the organization can produce evidence for host process activity, account enumeration, service discovery, file enumeration, network configuration discovery, and suspicious HTTP or HTTPS command-and-control patterns during an investigation.
Technical view
The ATT&CK object has no official detection text, but relationships show GeminiDuke using discovery techniques T1007, T1016, T1057, T1083, T1087.001 and command-and-control over Web Protocols T1071.001. SOC teams should validate Windows endpoint logging and network telemetry that can correlate multiple discovery behaviors from the same host or process with outbound web-protocol traffic. Detection engineering should avoid relying on malware name alone and instead test behavior-based analytics mapped to the related techniques.
Likely telemetry
- Windows process creation and command-line telemetry
- Endpoint records for service, process, file, directory, local account, and network configuration enumeration
- Windows host inventory and local account/group data for investigation context
- Network proxy, firewall, DNS, and web traffic logs for outbound HTTP and HTTPS communications
- EDR alerts and raw event data that can link discovery activity to a parent process and destination infrastructure
Detection direction
- Validate correlation across the related discovery techniques rather than single noisy commands in isolation.
- Tune for unusual clustering of local account, process, service, file, and network configuration discovery on Windows endpoints.
- Review outbound web-protocol traffic from hosts showing discovery behavior, especially where destination, timing, or process context is unusual for that system.
- Account for false positives from administrators, software inventory tools, vulnerability scanners, and endpoint management agents.
- Confirm whether older malware-family names such as GeminiDuke are retained in threat-intelligence enrichment, while treating behavior telemetry as the primary evidence.
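The correlation the list above describes, as an added example that is not part of this page or of MITRE's published data: a Python analytic run over constructed Sysmon-style process-creation and network-connection events. It maps command lines to the discovery techniques related to GeminiDuke, clusters them by host and parent process inside a time window, skips parents on a local baseline (software inventory and vulnerability scanning agents), and only alerts when the same parent process also opened an outbound connection on a web port. The regexes, the baseline names, the ten-minute window, the three-technique threshold and all sample events are assumptions for illustration.

```python
"""Correlate clustered Windows discovery commands with outbound web-port traffic.

Added example. Event shapes imitate Sysmon process creation (ID 1) and
network connection (ID 3) records; all events below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative command-line patterns for the techniques related to GeminiDuke.
# Not an authoritative mapping; tune to local tooling before use.
DISCOVERY_PATTERNS = {
    "T1087.001": re.compile(r"\bnet1?(\.exe)?\s+user\b(?!.*/domain)", re.I),  # local accounts only
    "T1057": re.compile(r"\b(tasklist|get-process)\b", re.I),
    "T1007": re.compile(r"\b(sc(\.exe)?\s+query|get-service)\b", re.I),
    "T1083": re.compile(r"\b(dir|tree|get-childitem)\b", re.I),
    "T1016": re.compile(r"\b(ipconfig|netsh\s+winhttp\s+show\s+proxy|get-netipconfiguration)\b", re.I),
}

# Assumed local baseline: parents that legitimately run discovery commands.
BASELINE_PARENTS = {"inventoryagent.exe", "vulnscanner.exe"}

WINDOW = timedelta(minutes=10)   # assumed clustering window
MIN_TECHNIQUES = 3               # assumed threshold of distinct techniques
WEB_PORTS = {80, 443}


def classify(cmdline):
    """Return the set of technique IDs whose pattern matches the command line."""
    return {tid for tid, pat in DISCOVERY_PATTERNS.items() if pat.search(cmdline)}


def correlate(events, window=WINDOW, min_techniques=MIN_TECHNIQUES):
    """Return one alert per (host, parent pid) that clustered >= min_techniques
    distinct discovery techniques within `window` and, in the same window,
    connected outbound on a web port from that parent process."""
    discovery = defaultdict(list)   # (host, parent_pid) -> [(ts, techniques, cmdline)]
    netconns = defaultdict(list)    # (host, pid)        -> [(ts, dst_ip, dst_port)]
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process_create":
            if ev["parent_image"].lower() in BASELINE_PARENTS:
                continue  # baselined management tooling
            techs = classify(ev["cmdline"])
            if techs:
                discovery[(ev["host"], ev["parent_pid"])].append((ts, techs, ev["cmdline"]))
        elif ev["type"] == "network_connect" and ev["dst_port"] in WEB_PORTS:
            netconns[(ev["host"], ev["pid"])].append((ts, ev["dst_ip"], ev["dst_port"]))

    alerts = []
    for key, rows in discovery.items():
        rows.sort(key=lambda r: r[0])
        for i, (start, _, _) in enumerate(rows):          # sliding window over the cluster
            cluster = [r for r in rows[i:] if r[0] - start <= window]
            techs = set().union(*(r[1] for r in cluster))
            if len(techs) < min_techniques:
                continue
            conns = [c for c in netconns.get(key, []) if start <= c[0] <= start + window]
            if conns:
                alerts.append({
                    "host": key[0],
                    "pid": key[1],
                    "techniques": sorted(techs),
                    "destinations": sorted({c[1] for c in conns}),
                    "commands": [r[2] for r in cluster],
                })
                break  # one alert per process tree is enough
    return alerts


# Constructed sample events (hostnames, pids, images and the TEST-NET address are made up).
SAMPLE_EVENTS = [
    # WS01: an unknown parent spawns five discovery commands, then beacons over 443.
    {"type": "process_create", "ts": "2012-05-14T09:00:01", "host": "WS01", "parent_pid": 4120,
     "parent_image": "updater.exe", "cmdline": "cmd.exe /c net user"},
    {"type": "process_create", "ts": "2012-05-14T09:00:05", "host": "WS01", "parent_pid": 4120,
     "parent_image": "updater.exe", "cmdline": "tasklist /v"},
    {"type": "process_create", "ts": "2012-05-14T09:00:09", "host": "WS01", "parent_pid": 4120,
     "parent_image": "updater.exe", "cmdline": "sc query state= all"},
    {"type": "process_create", "ts": "2012-05-14T09:00:12", "host": "WS01", "parent_pid": 4120,
     "parent_image": "updater.exe", "cmdline": "ipconfig /all"},
    {"type": "process_create", "ts": "2012-05-14T09:00:20", "host": "WS01", "parent_pid": 4120,
     "parent_image": "updater.exe", "cmdline": "cmd.exe /c dir /s /b C:\\Users"},
    {"type": "network_connect", "ts": "2012-05-14T09:01:00", "host": "WS01", "pid": 4120,
     "dst_ip": "203.0.113.10", "dst_port": 443},
    # WS02: baselined inventory agent runs the same commands; must not alert.
    {"type": "process_create", "ts": "2012-05-14T09:00:00", "host": "WS02", "parent_pid": 900,
     "parent_image": "inventoryagent.exe", "cmdline": "tasklist /v"},
    {"type": "process_create", "ts": "2012-05-14T09:00:02", "host": "WS02", "parent_pid": 900,
     "parent_image": "inventoryagent.exe", "cmdline": "sc query state= all"},
    {"type": "process_create", "ts": "2012-05-14T09:00:04", "host": "WS02", "parent_pid": 900,
     "parent_image": "inventoryagent.exe", "cmdline": "ipconfig /all"},
    {"type": "network_connect", "ts": "2012-05-14T09:00:30", "host": "WS02", "pid": 900,
     "dst_ip": "203.0.113.20", "dst_port": 443},
    # WS03: an admin runs two commands and browses; below threshold, no alert.
    {"type": "process_create", "ts": "2012-05-14T09:10:00", "host": "WS03", "parent_pid": 2000,
     "parent_image": "explorer.exe", "cmdline": "ipconfig /all"},
    {"type": "process_create", "ts": "2012-05-14T09:10:30", "host": "WS03", "parent_pid": 2000,
     "parent_image": "explorer.exe", "cmdline": "tasklist"},
    {"type": "network_connect", "ts": "2012-05-14T09:11:00", "host": "WS03", "pid": 2000,
     "dst_ip": "203.0.113.30", "dst_port": 80},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Keying both sides on the parent process is deliberate: an implant typically spawns the discovery commands as children and performs the web-protocol beaconing itself, so the parent pid is the join point between endpoint and network telemetry. The baseline set and threshold are where local tuning against administrators, inventory tools and scanners happens; without that tuning any of these commands alone is far too noisy.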
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage are sufficient to reconstruct process and discovery activity.
- Maintain network egress visibility for web protocols through proxy, DNS, firewall, or equivalent telemetry.
- Harden local account governance and reduce unnecessary local accounts or privileges where business operations allow.
- Document detection and response playbooks for discovery plus outbound web-protocol communication patterns.
- Use this object as part of ATT&CK-based control validation and compliance evidence for monitoring and incident response readiness.
Analyst notes and limits
MITRE identifies GeminiDuke as Windows malware used by APT29 from 2009 to 2012 and provides relationships to several discovery behaviors and web-protocol command-and-control. The most useful defensive takeaway is behavioral coverage validation across those related techniques, not an assumption that this specific malware is present.
Official detection guidance is not provided, tactics are not specified on the malware object, and the supplied data does not support claims of active exploitation or current targeting. Local environment baselines are required to distinguish legitimate administration and management activity from suspicious discovery behavior.
GeminiDuke
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs. [1] |
| Enterprise | T1087.001 | Account Discovery: Local Account | GeminiDuke collects information on local user accounts from the victim. [1] |
| Enterprise | T1057 | Process Discovery | GeminiDuke collects information on running processes and environment variables from the victim. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | GeminiDuke collects information on network settings and Internet proxy settings from the victim. [1] |
| Enterprise | T1007 | System Service Discovery | GeminiDuke collects information on programs and services on the victim that are configured to automatically run at startup. [1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | GeminiDuke uses HTTP and HTTPS for command and control. [1] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 8151e0421b05… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
[2] MITRE ATT&CK. S0049: GeminiDuke (mitre-attack S0049).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.