S0054: CloudDuke
Analyst context for executives and security teams
CloudDuke matters because ATT&CK records it as Windows malware used by APT29 in 2015, with related command-and-control behavior over web protocols, legitimate web services, and tool transfer. For leaders, the practical issue is not just this specific malware family; it is whether the organization can see and investigate Windows hosts that use normal-looking web traffic or cloud/web services for covert command channels and file movement.
Executive priority
Prioritize this as a validation case for command-and-control visibility and incident response readiness. Security leaders should ask whether SOC teams can distinguish expected business web/cloud usage from suspicious bidirectional communications and inbound tool transfers on Windows endpoints. It also supports audit and compliance evidence around network monitoring, endpoint logging, proxy/cloud service visibility, and documented response playbooks for suspected malware using legitimate web channels.
Technical view
ATT&CK provides no dedicated detection text for CloudDuke, so defenders should validate coverage through the related behaviors: T1071.001 Web Protocols, T1102.002 Bidirectional Communication, and T1105 Ingress Tool Transfer. Focus on Windows endpoint and network evidence that can correlate process activity, outbound HTTP/S or web-service use, unusual external destinations, file downloads, and post-download execution. Because web protocols and legitimate services are common, detection should be behavior- and context-driven rather than based only on destination category or protocol.
Likely telemetry
- Windows endpoint process creation and parent-child process relationships
- Endpoint file creation, download, and execution events
- Network proxy, secure web gateway, firewall, and DNS logs
- HTTP/S metadata such as destination, user agent, request patterns, volume, and timing where available
- Cloud or web service access logs where legitimate external services are used for bidirectional communication
Detection direction
- Validate that Windows endpoint telemetry can be joined with proxy/DNS/network logs to identify which process initiated suspicious web traffic.
- Tune for uncommon or newly observed external web destinations, repeated beacon-like patterns, unusual user agents, or web-service access inconsistent with the host or user role.
- Look for file transfer followed by execution or staging activity, aligned with the related Ingress Tool Transfer behavior.
- Treat legitimate web and cloud services as a blind spot: allowlisting by service name alone may hide bidirectional C2 patterns.
- Account for false positives from software updaters, collaboration tools, browsers, backup agents, and administrative scripts that legitimately transfer files or communicate frequently over HTTP/S.
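As an added example (not part of the ATT&CK object or the Glexia analysis), the Python below runs the two checks from the detection direction above over constructed Sysmon-style events: near-periodic connections from a single process to a web service, and a file written by a network-active process that is then executed as its child. All event fields, timestamps, process names and paths are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed Sysmon-style endpoint events (not real telemetry). "t" is seconds;
# "net" = outbound connection, "file" = file create, "proc" = process start.
SVC = r"C:\Users\u\AppData\svc.exe"            # constructed suspicious process
BROWSER = r"C:\Program Files\Browser\browser.exe"  # constructed benign process
STAGE2 = r"C:\Users\u\AppData\stage2.exe"      # constructed downloaded payload path
EVENTS = [
    {"t": 0,   "type": "net",  "pid": 4242, "image": SVC, "dst": "onedrive.live.com"},
    {"t": 60,  "type": "net",  "pid": 4242, "image": SVC, "dst": "onedrive.live.com"},
    {"t": 121, "type": "net",  "pid": 4242, "image": SVC, "dst": "onedrive.live.com"},
    {"t": 180, "type": "net",  "pid": 4242, "image": SVC, "dst": "onedrive.live.com"},
    {"t": 241, "type": "net",  "pid": 4242, "image": SVC, "dst": "onedrive.live.com"},
    {"t": 245, "type": "file", "pid": 4242, "image": SVC, "path": STAGE2},
    {"t": 250, "type": "proc", "pid": 5151, "image": STAGE2, "ppid": 4242},
    # Same web service, but user-driven and irregular: should not be flagged.
    {"t": 5,   "type": "net",  "pid": 9001, "image": BROWSER, "dst": "onedrive.live.com"},
    {"t": 17,  "type": "net",  "pid": 9001, "image": BROWSER, "dst": "onedrive.live.com"},
    {"t": 140, "type": "net",  "pid": 9001, "image": BROWSER, "dst": "onedrive.live.com"},
    {"t": 150, "type": "net",  "pid": 9001, "image": BROWSER, "dst": "onedrive.live.com"},
]

def beacon_candidates(events, min_conns=4, max_jitter=0.1):
    """Return (pid, image, dst) triples whose connections recur at near-constant
    intervals. The destination is deliberately not allowlisted: the process is the key."""
    by_key = defaultdict(list)
    for e in events:
        if e["type"] == "net":
            by_key[(e["pid"], e["image"], e["dst"])].append(e["t"])
    hits = []
    for (pid, image, dst), times in by_key.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append({"pid": pid, "image": image, "dst": dst, "period_s": round(mean(gaps))})
    return hits

def download_then_execute(events, window_s=300):
    """Flag a file written by a network-active process and then started as a child
    of that same process within window_s (tool transfer followed by execution)."""
    net_pids = {e["pid"] for e in events if e["type"] == "net"}
    writes = {e["path"].lower(): e for e in events if e["type"] == "file" and e["pid"] in net_pids}
    hits = []
    for e in events:
        w = writes.get(e["image"].lower()) if e["type"] == "proc" else None
        if w and w["pid"] == e.get("ppid") and 0 <= e["t"] - w["t"] <= window_s:
            hits.append({"writer_pid": w["pid"], "path": e["image"], "delay_s": e["t"] - w["t"]})
    return hits
```

Joining real endpoint events to proxy or DNS logs by host, time and process is the prerequisite the detection direction above describes; the jitter and window thresholds here are starting points to tune against local baselines.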
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage are deployed and retained for investigation.
- Centralize proxy, DNS, firewall, and cloud/web service logs so SOC and IR teams can correlate endpoint processes to outbound web activity.
- Review egress controls and web access policy to reduce unnecessary direct outbound communication from endpoints.
- Maintain response playbooks for suspected web-based C2 and tool transfer, including host isolation, evidence preservation, and scoping by destination, file hash, process lineage, and user context.
- Use threat intelligence from the supplied ATT&CK references as enrichment, while avoiding assumptions that indicators from 2015 remain sufficient for detection.
Analyst notes and limits
The supplied ATT&CK object identifies CloudDuke as Windows malware used by APT29 in 2015 and links it to command-and-control related techniques: Web Protocols, Bidirectional Communication, and Ingress Tool Transfer. The most useful defensive takeaway is to test whether normal-looking web traffic and legitimate web-service use can be investigated at the endpoint-process level.
Official ATT&CK detection guidance is not provided for this malware object, and tactics are not specified on the object itself. The related techniques provide defensive direction, but local telemetry, baselines, and business-approved web service usage are required to determine practical detection logic. No claim is made about active exploitation or current exposure.
CloudDuke
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | One variant of CloudDuke uses HTTP and HTTPS for C2. [1] |
| Enterprise | T1102.002 | Bidirectional Communication (sub-technique) | One variant of CloudDuke uses a Microsoft OneDrive account to exchange commands and stolen data with its operators. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account. [1] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 3f6950183f46… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] F-Secure The Dukes: F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
[2] Securelist Minidionis July 2015: Lozhkin, S. (2015, July 16). Minidionis – one more APT with a usage of cloud drives. Retrieved April 5, 2017.
[3] mitre-attack S0054: MITRE ATT&CK software object S0054.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.