S0052: OnionDuke
Analyst context for executives and security teams
OnionDuke matters as a historical Windows malware family associated in ATT&CK with APT29 activity from 2013 to 2015. Its value for defenders is not a claim of current exposure, but a reminder to validate controls against common espionage-relevant behaviors: credential dumping, web-based command and control, one-way use of external web services, deobfuscation, and endpoint denial-of-service effects.
Executive priority
Treat this as a control-validation and readiness use case. Leaders should ask whether Windows endpoint visibility, credential protection, outbound web monitoring, and incident response playbooks can prove coverage for the behaviors ATT&CK associates with OnionDuke. Because MITRE provides no detection text for this malware object, audit and risk discussions should focus on evidence of behavioral coverage rather than malware-name detection.
Technical view
SOC and IR teams should map OnionDuke-related validation to the supplied ATT&CK relationships: OS Credential Dumping (T1003), Web Protocols for command and control (T1071.001), One-Way Communication through legitimate web services (T1102.003), Deobfuscate/Decode Files or Information (T1140), and Endpoint Denial of Service (T1499). For the Windows platform listed on the malware object, confirm collection of endpoint process, credential-access, file decoding/deobfuscation, and network egress evidence. Since no official detection guidance is supplied, detections should be behavior-led and tested against local baselines.
Likely telemetry
- Windows endpoint process execution and parent-child process context
- Credential-access indicators such as access to OS credential stores, memory, or authentication material
- File creation, modification, and decoding/deobfuscation activity on hosts
- Outbound HTTP/S or other web-protocol network metadata
- Proxy, DNS, firewall, and secure web gateway logs for external web service access
Detection direction
- Validate behavior-based detections for credential dumping rather than relying on malware family names.
- Baseline normal outbound web traffic so command-and-control over common web protocols can be investigated without excessive false positives.
- Review monitoring for legitimate external web services used in one-way communication patterns; these can be difficult to distinguish from normal browsing or application traffic.
- Correlate host deobfuscation or decoding activity with suspicious process ancestry and network activity to reduce false positives from administration or software installation tasks.
- Ensure endpoint availability and crash/resource telemetry are triaged with security context, not only as IT operations events.
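The two correlation points above (baseline outbound web traffic, and only alert on decoding or odd process activity when it lines up with network egress) can be exercised as a small detection routine. The following is an added illustration, not Glexia or MITRE code, and it runs on constructed sample telemetry; the field names (host, ts, pid, image, parent, domain) and the EXPECTED_PARENTS allowlist are assumptions, not a particular EDR or proxy schema.

```python
"""Added example: baseline outbound web destinations per host from proxy
history, then raise an alert only when a process with an unexpected parent
talks to a destination outside that baseline. Constructed data throughout."""
from collections import defaultdict
from datetime import datetime

# Hypothetical allowlist of parents from which these child images are expected.
# Tune this to your own environment; it is an assumption, not an ATT&CK artifact.
EXPECTED_PARENTS = {
    "rundll32.exe": {"svchost.exe", "explorer.exe"},
    "powershell.exe": {"explorer.exe", "cmd.exe"},
}

# Seven days of constructed proxy history (host, day, domain) used to learn
# what normal egress looks like for host ws01.
PROXY_HISTORY = (
    [("ws01", f"2024-04-{d:02d}", "mail.example.com") for d in range(23, 30)]
    + [("ws01", f"2024-04-{d:02d}", "update.example.com") for d in range(23, 30)]
    + [("ws01", "2024-04-29", "cdn.example.net")]  # seen on one day only
)

# Constructed current-day endpoint and proxy events.
PROCESS_EVENTS = [
    {"host": "ws01", "ts": "2024-04-30T09:00:00", "pid": 410, "image": "outlook.exe", "parent": "explorer.exe"},
    {"host": "ws01", "ts": "2024-04-30T09:05:00", "pid": 522, "image": "rundll32.exe", "parent": "winword.exe"},
    {"host": "ws01", "ts": "2024-04-30T09:07:00", "pid": 300, "image": "chrome.exe", "parent": "explorer.exe"},
    {"host": "ws01", "ts": "2024-04-30T09:08:00", "pid": 610, "image": "powershell.exe", "parent": "cmd.exe"},
]
NETWORK_EVENTS = [
    {"host": "ws01", "ts": "2024-04-30T09:01:00", "pid": 410, "domain": "mail.example.com"},
    {"host": "ws01", "ts": "2024-04-30T09:06:00", "pid": 522, "domain": "api.example.org"},
    {"host": "ws01", "ts": "2024-04-30T09:07:30", "pid": 300, "domain": "cdn.example.net"},
    {"host": "ws01", "ts": "2024-04-30T09:09:00", "pid": 610, "domain": "update.example.com"},
]


def build_baseline(history, min_days=5):
    """Return {host: set(domains)} for destinations seen on at least min_days distinct days."""
    days_seen = defaultdict(set)
    for host, day, domain in history:
        days_seen[(host, domain)].add(day)
    baseline = defaultdict(set)
    for (host, domain), days in days_seen.items():
        if len(days) >= min_days:
            baseline[host].add(domain)
    return dict(baseline)


def _owning_process(net, process_events):
    """Latest process start on the same host and pid at or before the connection time."""
    t = datetime.fromisoformat(net["ts"])
    candidates = [
        p for p in process_events
        if p["host"] == net["host"] and p["pid"] == net["pid"]
        and datetime.fromisoformat(p["ts"]) <= t
    ]
    return max(candidates, key=lambda p: p["ts"]) if candidates else None


def correlate(process_events, network_events, baseline):
    """Alert only when a new destination AND an unexpected parent coincide.

    Requiring both conditions is what keeps ordinary browsing to a not-yet-
    baselined CDN, or admin scripting to known update hosts, out of the queue."""
    alerts = []
    for net in network_events:
        proc = _owning_process(net, process_events)
        if proc is None:
            continue
        reasons = []
        if net["domain"] not in baseline.get(net["host"], set()):
            reasons.append("new_destination")
        expected = EXPECTED_PARENTS.get(proc["image"])
        if expected is not None and proc["parent"] not in expected:
            reasons.append("unexpected_parent")
        if len(reasons) == 2:
            alerts.append({
                "host": net["host"], "pid": net["pid"], "image": proc["image"],
                "parent": proc["parent"], "domain": net["domain"], "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, NETWORK_EVENTS, build_baseline(PROXY_HISTORY)):
        print(alert)
```

On the sample data only the rundll32.exe child of winword.exe reaching an unbaselined domain is raised; chrome.exe reaching a once-seen CDN and powershell.exe reaching a baselined update host are both left alone, which is the false-positive reduction the list items describe.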
Mitigation priorities
- Prioritize credential protection and least-privilege controls for Windows systems because related behavior includes OS credential dumping.
- Harden and monitor outbound web access, including proxy controls, DNS visibility, and review of access to external web services where business-appropriate.
- Maintain endpoint logging and EDR-style visibility sufficient to investigate process execution, file decoding, and suspicious credential access.
- Prepare IR playbooks that connect credential compromise, web-based C2 investigation, and containment decisions.
- Use the OnionDuke mapping as a test case for ATT&CK-aligned control evidence in compliance and security program reviews.
Analyst notes and limits
The strongest supported context is that OnionDuke is a Windows malware object used by APT29 from 2013 to 2015 and mapped to several ATT&CK techniques. The practical defensive value is in validating coverage for those mapped behaviors, especially credential access and web-based command-and-control patterns.
MITRE supplies no official detection text, no aliases, no malware-specific tactics, and limited object detail in the provided fields. This take does not assert current exploitation, current customer exposure, or guaranteed detectability. Local telemetry, baselines, and control configurations are required to determine actual coverage.
OnionDuke
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003 | OS Credential Dumping | OnionDuke steals credentials from its victims. (Citation: F-Secure The Dukes) |
| Enterprise | T1499 | Endpoint Denial of Service | OnionDuke has the capability to use a Denial of Service module. (Citation: ESET Dukes October 2019) |
| Enterprise | T1102.003 | Web Service: One-Way Communication | OnionDuke uses Twitter as a backup C2. (Citation: F-Secure The Dukes) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | OnionDuke uses HTTP and HTTPS for C2. (Citation: F-Secure The Dukes) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | OnionDuke can use a custom decryption algorithm to decrypt strings. (Citation: ESET Dukes October 2019) |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | db55f72e99b2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] F-Secure The Dukes: F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- [2] mitre-attack S0052
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.