S0050: CosmicDuke
CosmicDuke is malware that was used by APT29 from 2010 to 2015. [1]
Analyst context for executives and security teams
CosmicDuke is a Windows malware entry associated in ATT&CK with historical APT29 use from 2010 to 2015. Its decision value is less about the age of the named malware and more about the behavior cluster ATT&CK links to it: credential theft, persistence through scheduled tasks and services, local/email/share/removable-media collection, screen/clipboard capture, and exfiltration over web or other protocols. For leaders, this is a useful coverage test for whether Windows endpoint, identity, and network monitoring can prove control over post-compromise data theft paths.
Executive priority
Treat this as a resilience and evidence question: can the organization demonstrate that privileged credential stores, local email data, network shares, removable media, and outbound data movement are monitored and governed on Windows systems? Because the official ATT&CK object has no detection guidance, priority should be on validating existing control coverage and audit evidence rather than assuming a specific malware signature will be enough.
Technical view
SOC and IR teams should map coverage to the related ATT&CK techniques: SAM and LSA secret access, password store and browser credential access, scheduled task and Windows service persistence, file and directory discovery, collection from local systems, local email, removable media, and network shares, keylogging, screen capture, clipboard collection, web-protocol command and control, symmetric-encrypted C2, and automated or unencrypted-protocol exfiltration. Since the object platform is Windows and official detection is not provided, validation should focus on Windows endpoint and network telemetry that can expose these behaviors independent of the CosmicDuke name.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows registry access or modification involving SAM, SECURITY, LSA secrets, services, and scheduled task locations
- Security event logs and EDR alerts for credential dumping, privilege escalation, service creation, and task creation
- File access telemetry for user documents, local email stores, browser credential stores, password stores, removable media, and network shares
- USB/removable media connection and file read activity
Detection direction
- Do not rely solely on malware family signatures; the supplied ATT&CK object has no official detection text.
- Validate behavior-based detections for scheduled task creation, Windows service creation or modification, and suspicious privilege escalation on Windows endpoints.
- Tune credential-access detections around SAM, LSA secrets, password stores, and browser credential stores, with attention to administrative tools and backup/security software that may create false positives.
- Correlate file discovery and collection from local paths, network shares, removable media, and local email stores with subsequent outbound network activity.
- Review egress monitoring for unusual HTTP/S or other unencrypted protocol transfers, while recognizing that symmetric encryption may limit payload inspection.
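As an added example (not part of the ATT&CK object or the Glexia page), the check below applies the first two detection points to constructed Windows event records: it flags service installs and scheduled task creations whose names match the persistence artifacts listed in this page's procedure table ("javamtsup" for T1543.003, "Watchmon Service" for T1053.005) and, as the behaviour-based fallback, any such persistence binary that lives under a user profile. The event IDs 7045 (System log, service installed) and 4698 (Security log, scheduled task created) and all host names and paths are assumptions for the sample, not values from the page.

```python
import re
from dataclasses import dataclass

# Event IDs assumed for this example: 7045 = "A service was installed in the system",
# 4698 = "A scheduled task was created". Artifact names are taken from the ATT&CK
# procedure text on this page (T1543.003 "javamtsup", T1053.005 "Watchmon Service").
SERVICE_INSTALLED = 7045
TASK_CREATED = 4698
KNOWN_NAMES = {
    SERVICE_INSTALLED: ("T1543.003", re.compile(r"^javamtsup$", re.I)),
    TASK_CREATED: ("T1053.005", re.compile(r"^watchmon service$", re.I)),
}
# Behaviour-based fallback: persistence pointing at a binary under a user profile
USER_PROFILE_PATH = re.compile(r"^c:\\users\\", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    event_id: int
    name: str
    reason: str


def triage(events):
    """Return one Finding per service/task creation record that matches a rule."""
    findings = []
    for ev in events:
        rule = KNOWN_NAMES.get(ev["event_id"])
        if rule is None:  # not a persistence event we care about
            continue
        technique, pattern = rule
        if pattern.match(ev["name"]):
            findings.append(Finding(ev["host"], ev["event_id"], ev["name"],
                                    f"name matches {technique} procedure"))
        elif USER_PROFILE_PATH.match(ev.get("image", "")):
            findings.append(Finding(ev["host"], ev["event_id"], ev["name"],
                                    "persistence binary under user profile"))
    return findings


# Constructed sample records (not real telemetry); hosts and paths are placeholders
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "WS01", "name": "javamtsup", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"event_id": 7045, "host": "WS02", "name": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 4698, "host": "WS03", "name": "Watchmon Service", "image": r"C:\ProgramData\placeholder\w.exe"},
    {"event_id": 4698, "host": "WS04", "name": "Updater", "image": r"C:\Users\bob\AppData\Roaming\u.exe"},
    {"event_id": 4698, "host": "WS05", "name": "GoogleUpdateTaskMachineUA", "image": r"C:\Program Files\Google\Update\GoogleUpdate.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Name matches are high-precision but trivially evaded; the user-profile rule is the one worth tuning against your own baseline of legitimate installers and updaters.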
Mitigation priorities
- Harden Windows credential exposure by limiting local administrator rights, protecting privileged accounts, and reducing access to SAM, LSA secrets, browser credentials, and password stores.
- Restrict and monitor creation or modification of scheduled tasks and Windows services, especially on sensitive workstations and servers.
- Apply vulnerability management discipline for Windows and application privilege-escalation paths referenced by the related Exploitation for Privilege Escalation technique.
- Limit unnecessary access to network shares, local email archives, and removable media; enforce least privilege and data handling controls.
- Strengthen outbound network controls, proxy logging, and data exfiltration monitoring for web and non-C2 protocols.
Analyst notes and limits
ATT&CK describes CosmicDuke as malware used by APT29 from 2010 to 2015 and provides a single external source, F-Secure’s Dukes whitepaper. The relationship set is rich enough to guide defensive validation, but the official object does not provide detection logic, aliases, labels, or tactics directly on the malware object. Use this take as a coverage and readiness lens, not as a claim of current activity.
This assessment is constrained to the supplied ATT&CK fields and relationships. It does not establish active exploitation, current targeting, customer exposure, or guaranteed detectability. Local environment evidence is required to determine whether the relevant Windows telemetry, identity controls, data access monitoring, and egress visibility are actually present and usable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1543.003 | Windows Service (sub-technique) | CosmicDuke uses Windows services typically named "javamtsup" for persistence. [F-Secure Cosmicduke] |
| Enterprise | T1003.004 | LSA Secrets (sub-technique) | CosmicDuke collects LSA secrets. [F-Secure The Dukes] |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol (sub-technique) | CosmicDuke exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be configured separately from C2 servers. [F-Secure Cosmicduke] |
| Enterprise | T1039 | Data from Network Shared Drive | CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list. [F-Secure Cosmicduke] |
| Enterprise | T1555 | Credentials from Password Stores | CosmicDuke collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients, as well as WLAN keys. [F-Secure The Dukes] |
| Enterprise | T1083 | File and Directory Discovery | CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list. [F-Secure Cosmicduke] |
| Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique) | CosmicDuke collects user credentials, including passwords, for various programs including web browsers. [F-Secure The Dukes] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | CosmicDuke attempts to exploit the privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398. [F-Secure The Dukes] |
| Enterprise | T1115 | Clipboard Data | CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds. [F-Secure Cosmicduke] |
| Enterprise | T1056.001 | Keylogging (sub-technique) | CosmicDuke uses a keylogger. [F-Secure The Dukes] |
| Enterprise | T1113 | Screen Capture | CosmicDuke takes periodic screenshots and exfiltrates them. [F-Secure Cosmicduke] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers. [F-Secure The Dukes] [F-Secure Cosmicduke] |
| Enterprise | T1114.001 | Local Email Collection (sub-technique) | CosmicDuke searches for Microsoft Outlook data files with the extensions .pst and .ost for collection and exfiltration. [F-Secure Cosmicduke] |
| Enterprise | T1003.002 | Security Account Manager (sub-technique) | CosmicDuke collects Windows account hashes. [F-Secure The Dukes] |
| Enterprise | T1020 | Automated Exfiltration | CosmicDuke exfiltrates collected files automatically over FTP to remote servers. [F-Secure Cosmicduke] |
| Enterprise | T1005 | Data from Local System | CosmicDuke steals user files from local hard drives with file extensions that match a predefined list. [F-Secure Cosmicduke] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | CosmicDuke uses scheduled tasks typically named "Watchmon Service" for persistence. [F-Secure Cosmicduke] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error. [F-Secure Cosmicduke] |
| Enterprise | T1025 | Data from Removable Media | CosmicDuke steals user files from removable media with file extensions and keywords that match a predefined list. [F-Secure Cosmicduke] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 748bb62a7826… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] F-Secure The Dukes: F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
[2] MITRE ATT&CK source record for S0050 (CosmicDuke).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.