S0053: SeaDuke
Analyst context for executives and security teams
SeaDuke matters less as a standalone malware name and more as a reminder that a mature intrusion may shift from an initial implant to a secondary backdoor with identity abuse, persistence, command execution, email collection, and concealed command-and-control. For leaders, the practical question is whether Windows endpoint, identity, email, and network monitoring can reconstruct that chain after an initial compromise.
Executive priority
Treat this as a resilience and incident-readiness use case: if an attacker already has a foothold, can the organization detect persistence, credential or ticket abuse, remote email access, tool transfer, and encrypted or encoded web-based C2 before sensitive information is collected? Priority should go to evidence quality across Windows hosts, identity systems, email access logs, and outbound network controls rather than to malware signature coverage alone.
Technical view
ATT&CK lists SeaDuke as Windows malware historically used by APT29 from 2014 to 2015, primarily as a secondary backdoor after CozyCar. No official detection text is provided, so validation should be relationship-driven: PowerShell and Windows command shell execution, packed binaries, file deletion, web-protocol C2 with standard encoding and symmetric cryptography, ingress tool transfer, WMI event subscription, Run key/startup folder and shortcut persistence, valid account use, Kerberos pass-the-ticket behavior, archiving via libraries, and remote email collection.
Likely telemetry
- Windows process creation and command-line telemetry for PowerShell and cmd.exe activity
- PowerShell script block/module logging where enabled
- Endpoint file creation, deletion, archive creation, and suspicious packed executable indicators
- Windows Registry, startup folder, shortcut, and WMI event subscription changes
- Authentication logs for valid account use and Kerberos ticket anomalies
Detection direction
- Validate detections for chained behavior rather than a single malware name: execution plus persistence plus outbound C2 or collection is higher value than isolated alerts.
- Tune PowerShell and cmd.exe analytics for suspicious parent/child processes, encoded content, unusual execution context, and post-compromise administration patterns while accounting for legitimate admin automation.
- Review WMI permanent event subscriptions, Run keys, startup folders, and shortcut changes for unauthorized persistence on Windows systems.
- Correlate valid account activity with endpoint events, Kerberos anomalies, unusual email access, and lateral movement indicators; credential misuse may look like normal login activity without context.
- Inspect outbound web traffic for unusual destinations, encoded payload patterns, uncommon user-agent or beacon-like behavior, and encrypted application traffic metadata, recognizing that encryption may limit content inspection.
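The chained-behavior validation described in the list above, as an added example that is not part of the ATT&CK object or of Glexia's analysis: a small Python correlator that maps constructed Windows events (process creation, Registry Run key writes, Startup-folder .lnk creation, WMI subscription changes, outbound HTTP) to the execution, persistence and C2 categories, decodes `-EncodedCommand` arguments for analyst context, and flags only hosts where two or more categories occur inside one time window. The hostnames, users, paths, destinations, the `TRUSTED_SHELL_PARENTS` and `TRUSTED_WEB_IMAGES` allowlists and the event schema are all assumptions of this example; a real deployment would feed it Sysmon or EDR events and a site-specific allowlist.

```python
"""Chained-behavior correlation over constructed Windows telemetry (example, not page content)."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed payload: "whoami" encoded the way PowerShell's -EncodedCommand expects (UTF-16LE, base64).
ENCODED_WHOAMI = base64.b64encode("whoami".encode("utf-16-le")).decode()

# Constructed sample events. WS01 shows a dropped binary spawning encoded PowerShell, setting a Run key,
# writing a Startup .lnk, registering a WMI binding and POSTing base64 data; WS02 is benign admin activity.
SAMPLE_EVENTS = [
    {"ts": "2015-06-01T09:00:05", "host": "WS01", "kind": "process", "image": "powershell.exe",
     "parent": "update.exe", "cmdline": f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED_WHOAMI}"},
    {"ts": "2015-06-01T09:01:10", "host": "WS01", "kind": "registry",
     "key": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"ts": "2015-06-01T09:01:40", "host": "WS01", "kind": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"ts": "2015-06-01T09:02:00", "host": "WS01", "kind": "wmi",
     "operation": "FilterToConsumerBinding", "name": "SystemStartupCheck"},
    {"ts": "2015-06-01T09:05:30", "host": "WS01", "kind": "http", "image": "update.exe", "method": "POST",
     "dest": "203.0.113.10:443", "body": base64.b64encode(b"beacon:WS01:alice:1").decode()},
    {"ts": "2015-06-01T09:10:00", "host": "WS02", "kind": "process", "image": "powershell.exe",
     "parent": "explorer.exe", "cmdline": "powershell.exe Get-Service"},
    {"ts": "2015-06-01T09:11:00", "host": "WS02", "kind": "http", "image": "chrome.exe", "method": "GET",
     "dest": "intranet.example:443", "body": ""},
]

ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
BASE64_BODY = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
PERSISTENCE_PATHS = (r"\currentversion\run", r"\start menu\programs\startup")
WMI_PERSISTENCE_OPS = {"EventFilter", "EventConsumer", "FilterToConsumerBinding"}
TRUSTED_SHELL_PARENTS = {"explorer.exe", "services.exe", "svchost.exe"}  # assumption: site allowlist
TRUSTED_WEB_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}         # assumption: site allowlist


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand argument, or None if absent or not valid UTF-16LE base64."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Map one event to (category, evidence), or None when it is not suspicious on its own."""
    kind = event["kind"]
    if kind == "process" and event["image"].lower() in {"powershell.exe", "cmd.exe"}:
        decoded = decode_encoded_command(event["cmdline"])
        if decoded is not None:
            return ("execution", f"encoded PowerShell decodes to {decoded!r}")
        if event["parent"].lower() not in TRUSTED_SHELL_PARENTS:
            return ("execution", f"{event['image']} spawned by {event['parent']}")
    elif kind == "registry" and any(p in event["key"].lower() for p in PERSISTENCE_PATHS):
        return ("persistence", f"Run key write {event['key']} -> {event['value']}")
    elif kind == "file" and event["path"].lower().endswith(".lnk") and PERSISTENCE_PATHS[1] in event["path"].lower():
        return ("persistence", f"Startup shortcut {event['path']}")
    elif kind == "wmi" and event["operation"] in WMI_PERSISTENCE_OPS:
        return ("persistence", f"WMI {event['operation']} {event['name']}")
    elif kind == "http":
        body_is_b64 = bool(BASE64_BODY.match(event["body"]))
        if body_is_b64 or event["image"].lower() not in TRUSTED_WEB_IMAGES:
            return ("c2", f"{event['image']} {event['method']} to {event['dest']} (base64 body: {body_is_b64})")
    return None


def correlate(events, window=timedelta(minutes=30)):
    """Return {host: finding} for hosts whose suspicious events span >= 2 categories within one window."""
    by_host = defaultdict(list)
    for event in events:
        hit = classify(event)
        if hit:
            by_host[event["host"]].append((datetime.fromisoformat(event["ts"]), *hit))
    findings = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            cluster = [h for h in hits[i:] if h[0] - t0 <= window]
            categories = {c for _, c, _ in cluster}
            # Keep the widest cluster seen for the host so the finding carries the full chain.
            if len(categories) >= 2 and (host not in findings or len(categories) > len(findings[host]["categories"])):
                findings[host] = {"categories": sorted(categories), "evidence": [e for _, _, e in cluster]}
    return findings


if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding["categories"])
        for line in finding["evidence"]:
            print("  -", line)
```

The single-category events on WS02 produce no finding, which is the point of the list item above: an isolated PowerShell launch or a lone HTTP request is noise until it is joined to persistence or C2 on the same host. The decoded command is kept only as analyst evidence; the decision is made on the chain, not on the command text.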
Mitigation priorities
- Prioritize least privilege, strong authentication, and monitoring for accounts that can access Windows hosts, email, and administrative services.
- Harden and monitor PowerShell, Windows command shell usage, WMI persistence locations, Registry Run keys, startup folders, and shortcut execution paths.
- Ensure endpoint logging and EDR coverage can retain process, file, registry, and WMI evidence long enough for incident response.
- Strengthen email access monitoring and conditional access controls for remote mailbox access where applicable.
- Use network egress controls, proxy logging, and DNS/TLS visibility to reduce and investigate unauthorized web-based C2 and tool transfer.
Analyst notes and limits
The most useful defensive framing is post-compromise validation. SeaDuke is described as a secondary backdoor, so teams should test whether existing detections connect endpoint execution, persistence, identity misuse, email collection, and C2 into one investigation path. The APT29 relationship provides threat context, but defensive decisions should be based on the listed behaviors and local exposure.
The supplied ATT&CK object has no official detection guidance, no aliases or labels, and no malware-level tactic list. Historical use is stated for 2014 to 2015; this summary does not claim current activity or customer exposure. Technique relationships identify behaviors to validate, but exact indicators, infrastructure, and detection logic must come from local telemetry and approved intelligence sources.
SeaDuke
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | SeaDuke is capable of executing commands. [Unit 42 SeaDuke 2015] |
| Enterprise | T1550.003 | Pass the Ticket (sub-technique) | Some SeaDuke samples have a module to use pass the ticket with Kerberos for authentication. [Symantec Seaduke 2015] |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | SeaDuke C2 traffic is base64-encoded. [Unit 42 SeaDuke 2015] |
| Enterprise | T1078 | Valid Accounts | Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials. [Symantec Seaduke 2015] |
| Enterprise | T1560.002 | Archive via Library (sub-technique) | SeaDuke compressed data with zlib prior to sending it over C2. [Mandiant No Easy Breach] |
| Enterprise | T1105 | Ingress Tool Transfer | SeaDuke is capable of uploading and downloading files. [Unit 42 SeaDuke 2015] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | SeaDuke can securely delete files, including deleting itself from the victim. [Symantec Seaduke 2015] |
| Enterprise | T1114.002 | Remote Email Collection (sub-technique) | Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials. [Symantec Seaduke 2015] |
| Enterprise | T1027.002 | Software Packing (sub-technique) | SeaDuke has been packed with the UPX packer. [Unit 42 SeaDuke 2015] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | SeaDuke uses HTTP and HTTPS for C2. [F-Secure The Dukes] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory. [Unit 42 SeaDuke 2015] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | SeaDuke C2 traffic has been encrypted with RC4 and AES. [Mandiant No Easy Breach] [Unit 42 SeaDuke 2015] |
| Enterprise | T1547.009 | Shortcut Modification (sub-technique) | SeaDuke is capable of persisting via a .lnk file stored in the Startup directory. [Unit 42 SeaDuke 2015] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket. [Symantec Seaduke 2015] |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription (sub-technique) | SeaDuke uses an event filter in WMI code to execute a previously dropped executable shortly after system startup. [FireEye WMI 2015] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | cfd056bdba27… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] F-Secure The Dukes: F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. (open source URL)
[2] mitre-attack S0053: MITRE ATT&CK source record for SeaDuke. (open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.