S0512: FatDuke
Analyst context for executives and security teams
FatDuke matters because ATT&CK describes it as a Windows backdoor used by APT29 since at least 2016 and links it, through its ATT&CK relationships, to Operation Ghost. For leaders, the practical issue is not a single indicator but a behavior set: persistence through registry startup locations, discovery of systems and files, local data collection, obfuscated or packed code, and resilient web-based command-and-control. This combination can turn a compromised Windows endpoint into a durable access point for intelligence gathering unless endpoint, registry, file, PowerShell, and network telemetry are retained and correlated.
Executive priority
Prioritize FatDuke as a validation case for Windows endpoint resilience, incident response evidence quality, and C2 visibility rather than as a standalone malware signature problem. Ask whether the organization can prove coverage for registry-based persistence, suspicious rundll32 and PowerShell execution, file discovery and deletion, and abnormal outbound web traffic with fallback or encrypted channels. This is especially relevant for government, diplomatic, research, and policy-adjacent environments given the supplied APT29 and Operation Ghost context, but local exposure should be determined from the organization’s own threat model and telemetry.
Technical view
ATT&CK provides no official detection text for FatDuke, so SOC and detection teams should build validation around the mapped techniques. On Windows, focus on registry query and Run Key or Startup Folder changes, PowerShell execution, rundll32 proxy execution, process and system discovery, file and directory enumeration, access to local data, file deletion, and signs of obfuscated, packed, or decoded payloads. Network teams should validate visibility into HTTP/S web protocol use, user-agent or browser-fingerprint-like blending, fallback C2 paths, internal proxy behavior, and encrypted application-layer traffic that does not match expected enterprise patterns. IR teams should preserve host artifacts and network logs early because the mapped behaviors include file deletion, obfuscation, and time-based sandbox or analysis checks.
Likely telemetry
- Windows process creation and command-line telemetry for PowerShell, rundll32.exe, discovery utilities, and unusual parent-child process chains
- Windows Registry auditing or EDR telemetry for registry queries and Run Key or Startup Folder persistence changes
- Endpoint file telemetry for file and directory enumeration, local data access, dropped files, packed or obfuscated binaries, decoding activity, and file deletion
- PowerShell logging where available, including script block, module, and command invocation evidence
- EDR behavioral telemetry for native API use, process discovery, anti-analysis timing checks, and in-memory execution indicators
Detection direction
- Do not rely only on static malware signatures; the mapped techniques include packing, junk code insertion, obfuscation, and deobfuscation behavior.
- Correlate registry persistence with nearby suspicious execution, especially PowerShell, rundll32, newly written files, or unusual user-context startup entries.
- Tune discovery detections to distinguish administrative inventory activity from suspicious clusters of process discovery, system information discovery, network configuration discovery, registry query, and file enumeration on the same host.
- Review web traffic detections for command-and-control patterns that blend into normal HTTP/S, including unusual user-agent values, uncommon destination patterns, encrypted payloads inside otherwise normal web sessions, and fallback destination changes.
- Hunt for internal proxy behavior where one compromised system appears to relay communications for another, especially if outbound access is concentrated through unexpected endpoints.
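The following is an added example, not code from the ATT&CK object, MITRE, or the ESET report. It applies two of the points above to constructed endpoint telemetry: it correlates a Run key or Startup Folder write with PowerShell or rundll32 execution on the same host inside a short window, and it scores discovery clusters by counting distinct FatDuke-mapped discovery techniques seen on one host inside a ten-minute span, so that a lone `systeminfo` from an administrator does not fire. The event schema, host names, command lines, time windows and thresholds are all assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Field names are assumptions,
# not any EDR product's schema.
SAMPLE_EVENTS = [
    # WS-A: rundll32 loads a DLL from a user profile path, a Run key pointing at
    # the same command appears seconds later, then a burst of discovery commands.
    {"host": "WS-A", "ts": "2019-10-17T09:00:05", "type": "process",
     "image": "rundll32.exe", "cmdline": r"rundll32.exe C:\Users\u\AppData\Roaming\upd.dll,Start"},
    {"host": "WS-A", "ts": "2019-10-17T09:00:09", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"rundll32.exe C:\Users\u\AppData\Roaming\upd.dll,Start"},
    {"host": "WS-A", "ts": "2019-10-17T09:01:10", "type": "process",
     "image": "tasklist.exe", "cmdline": "tasklist.exe /v"},
    {"host": "WS-A", "ts": "2019-10-17T09:01:12", "type": "process",
     "image": "systeminfo.exe", "cmdline": "systeminfo.exe"},
    {"host": "WS-A", "ts": "2019-10-17T09:01:15", "type": "process",
     "image": "getmac.exe", "cmdline": "getmac.exe /v"},
    {"host": "WS-A", "ts": "2019-10-17T09:01:20", "type": "process",
     "image": "reg.exe", "cmdline": r"reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"},
    {"host": "WS-A", "ts": "2019-10-17T09:01:30", "type": "process",
     "image": "cmd.exe", "cmdline": r"cmd.exe /c dir /s C:\Users\u\Documents"},
    # WS-B: routine admin inventory and an installer writing a Run key. No
    # suspicious execution near the persistence change, only one discovery type.
    {"host": "WS-B", "ts": "2019-10-17T10:00:00", "type": "process",
     "image": "systeminfo.exe", "cmdline": "systeminfo.exe"},
    {"host": "WS-B", "ts": "2019-10-17T10:30:00", "type": "registry",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "data": r"C:\Program Files\Vendor\agent.exe"},
    {"host": "WS-B", "ts": "2019-10-17T10:30:02", "type": "process",
     "image": "msiexec.exe", "cmdline": "msiexec.exe /i agent.msi /qn"},
]

# Registry paths covered by T1547.001 (lower-cased substrings).
PERSISTENCE_MARKERS = (r"\currentversion\run", r"\start menu\programs\startup")
# Execution proxies mapped to FatDuke (T1059.001, T1218.011).
SUSPICIOUS_IMAGES = {"powershell.exe", "rundll32.exe"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def classify_discovery(ev):
    """Map a process event to the FatDuke-mapped discovery technique it resembles."""
    if ev["type"] != "process":
        return None
    image, cmd = ev["image"].lower(), ev["cmdline"].lower()
    if image == "tasklist.exe":
        return "T1057"   # Process Discovery
    if image in ("systeminfo.exe", "hostname.exe"):
        return "T1082"   # System Information Discovery
    if image in ("ipconfig.exe", "getmac.exe"):
        return "T1016"   # System Network Configuration Discovery
    if image == "reg.exe" and " query " in cmd:
        return "T1012"   # Query Registry
    if (image == "cmd.exe" and " dir " in cmd) or image == "tree.com":
        return "T1083"   # File and Directory Discovery
    return None


def persistence_alerts(events, window_s=300):
    """Flag Run key / Startup Folder writes that have PowerShell or rundll32
    execution on the same host within +/- window_s seconds."""
    alerts = []
    window = timedelta(seconds=window_s)
    for reg in events:
        if reg["type"] != "registry":
            continue
        if not any(m in reg["key"].lower() for m in PERSISTENCE_MARKERS):
            continue
        t0 = parse_ts(reg["ts"])
        nearby = [
            p for p in events
            if p["type"] == "process" and p["host"] == reg["host"]
            and p["image"].lower() in SUSPICIOUS_IMAGES
            and abs(parse_ts(p["ts"]) - t0) <= window
        ]
        if nearby:
            alerts.append({"host": reg["host"], "key": reg["key"],
                           "nearby": sorted({p["image"].lower() for p in nearby})})
    return alerts


def discovery_clusters(events, window_s=600, min_distinct=3):
    """Return hosts where at least min_distinct discovery techniques occur inside
    any window_s-second span, with the techniques seen in that span."""
    per_host = defaultdict(list)
    for ev in events:
        tech = classify_discovery(ev)
        if tech:
            per_host[ev["host"]].append((parse_ts(ev["ts"]), tech))
    window = timedelta(seconds=window_s)
    clusters = {}
    for host, items in per_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            techs = {t for (ts, t) in items[i:] if ts - start <= window}
            if len(techs) >= min_distinct:
                clusters[host] = sorted(techs)
                break
    return clusters


if __name__ == "__main__":
    for a in persistence_alerts(SAMPLE_EVENTS):
        print("persistence:", a)
    for host, techs in discovery_clusters(SAMPLE_EVENTS).items():
        print("discovery cluster:", host, techs)
```

Run against the constructed events, only WS-A fires on both rules: the Run key write sits four seconds after a rundll32 launch, and five distinct discovery techniques land inside twenty seconds. WS-B produces nothing because the installer is not one of the watched execution proxies and a single `systeminfo` does not reach the cluster threshold. In production the same two rules would be written as scheduled queries over EDR or Sysmon data, with the thresholds tuned against the organization's own inventory and software-deployment baselines.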
Mitigation priorities
- First, ensure Windows endpoint logging and EDR coverage can preserve process, registry, PowerShell, file, and network context long enough for investigation.
- Harden and monitor persistence locations such as Registry Run Keys and Startup Folders, with change review for unusual user-context entries.
- Apply least privilege and administrative control discipline so discovery, local data access, and persistence attempts have reduced reach.
- Control and monitor script and proxy execution paths, including PowerShell and rundll32, without assuming these legitimate tools can simply be blocked everywhere.
- Strengthen egress governance: require outbound web traffic to use approved paths, monitor anomalous destinations, and investigate fallback or internally proxied communications.
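As an added example that is not part of the mirrored page or the ESET report, the Python below turns the egress-governance point above, together with the web C2 and internal-proxy hunts under "Detection direction", into three checks over constructed flow records: internal hosts that reach the internet on web ports without passing through the approved egress path, hosts whose outbound web sessions are evenly spaced and rotate between several external destinations (the shape fallback channels tend to leave), and hosts that have their own egress while also accepting SMB connections (port 445, where named pipes travel) from internal peers that never egress themselves. The address ranges, the approved proxy address, the flows and the thresholds are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed environment: one internal range and one sanctioned web proxy.
INTERNAL = [ip_network("10.0.0.0/8")]
APPROVED_EGRESS = {"10.0.0.5"}
WEB_PORTS = {80, 443}

# Constructed flow records (timestamp, source, destination, destination port).
SAMPLE_FLOWS = [
    # The approved proxy doing its job.
    ("2019-10-17T09:00:00", "10.0.0.5", "203.0.113.10", 443),
    ("2019-10-17T09:05:00", "10.0.0.5", "203.0.113.10", 443),
    # WS-A (10.0.1.20): direct egress every ten minutes, moving to a second
    # destination part way through.
    ("2019-10-17T09:00:00", "10.0.1.20", "198.51.100.7", 443),
    ("2019-10-17T09:10:00", "10.0.1.20", "198.51.100.7", 443),
    ("2019-10-17T09:20:00", "10.0.1.20", "198.51.100.7", 443),
    ("2019-10-17T09:30:00", "10.0.1.20", "198.51.100.9", 443),
    ("2019-10-17T09:40:00", "10.0.1.20", "198.51.100.9", 443),
    # A restricted host (10.0.2.40) with no egress of its own talks to WS-A on 445.
    ("2019-10-17T09:09:30", "10.0.2.40", "10.0.1.20", 445),
    ("2019-10-17T09:19:30", "10.0.2.40", "10.0.1.20", 445),
    # Ordinary file-server SMB: the server (10.0.3.1) never egresses.
    ("2019-10-17T09:15:00", "10.0.3.50", "10.0.3.1", 445),
    # WS-B (10.0.1.30): a single direct connection, not periodic.
    ("2019-10-17T11:00:00", "10.0.1.30", "192.0.2.44", 80),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def outbound_web(flows):
    """Flows from an internal host to an external address on a web port."""
    return [f for f in flows
            if is_internal(f[1]) and not is_internal(f[2]) and f[3] in WEB_PORTS]


def direct_egress(flows):
    """Internal hosts sending web traffic to the internet outside the approved path."""
    return sorted({src for _, src, _, _ in outbound_web(flows)
                   if src not in APPROVED_EGRESS})


def periodic_multi_destination(flows, min_flows=4, max_cv=0.2, min_dsts=2):
    """Hosts whose outbound web flows are evenly spaced (coefficient of variation
    of the gaps at most max_cv) and spread over at least min_dsts destinations."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in outbound_web(flows):
        by_src[src].append((parse_ts(ts), dst))
    findings = {}
    for src, items in by_src.items():
        if src in APPROVED_EGRESS or len(items) < min_flows:
            continue
        items.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        dsts = sorted({d for _, d in items})
        if cv <= max_cv and len(dsts) >= min_dsts:
            findings[src] = {"interval_s": round(avg), "destinations": dsts}
    return findings


def internal_relay_candidates(flows):
    """Hosts with their own web egress that also accept SMB (445) from internal
    peers that never egress themselves: the shape an internal proxy leaves."""
    egress_hosts = {src for _, src, _, _ in outbound_web(flows)}
    candidates = defaultdict(set)
    for _, src, dst, port in flows:
        if (port == 445 and is_internal(src) and is_internal(dst)
                and dst in egress_hosts and src not in egress_hosts):
            candidates[dst].add(src)
    return {relay: sorted(peers) for relay, peers in candidates.items()}


if __name__ == "__main__":
    print("direct egress:", direct_egress(SAMPLE_FLOWS))
    print("periodic, multi-destination:", periodic_multi_destination(SAMPLE_FLOWS))
    print("relay candidates:", internal_relay_candidates(SAMPLE_FLOWS))
```

On the constructed flows, both WS-A and WS-B appear as direct-egress violations, only WS-A shows the periodic two-destination pattern, and WS-A is also the one relay candidate because 10.0.2.40 reaches it on 445 and never leaves the network itself. The three findings on one host are exactly the kind of convergence the egress-governance point asks teams to investigate; any one of them alone is noisy, and the interval and variation thresholds must be set from the organization's own traffic baseline.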
Analyst notes and limits
The supplied ATT&CK object identifies FatDuke as a Windows backdoor used by APT29 since at least 2016, with relationships to Operation Ghost and multiple ATT&CK techniques spanning execution, persistence, privilege escalation, discovery, collection, stealth, and command-and-control. The most useful defensive value is to treat FatDuke as a behavioral coverage test for Windows endpoint and web C2 monitoring. The ESET Operation Ghost report and MITRE S0512 page are the supplied external references.
ATT&CK provides no official detection guidance for this object, and the object-level tactics are not specified. The take above is derived from the official description, platform field, external references, and supplied relationships only. It does not establish current activity, local exposure, successful compromise, or guaranteed detection coverage. Organizations must validate applicability against their own Windows estate, logging architecture, network controls, and threat model.
FatDuke
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1012 | Query Registry | FatDuke can get user agent strings for the default browser from |
| Enterprise | T1036.012 | Browser Fingerprint Sub-technique | FatDuke has attempted to mimic a compromised user's traffic by using the same user agent as the installed browser.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | FatDuke can be controlled via a custom C2 protocol over HTTP.[1] |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | FatDuke can turn itself on or off at random intervals.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | FatDuke can identify the MAC address on the target computer.[1] |
| Enterprise | T1008 | Fallback Channels | FatDuke has used several C2 servers per targeted organization.[1] |
| Enterprise | T1082 | System Information Discovery | FatDuke can collect the user name, Windows version, computer name, and available space on discs from a compromised host.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | FatDuke has used |
| Enterprise | T1106 | Native API | FatDuke can call |
| Enterprise | T1027.002 | Software Packing Sub-technique | FatDuke has been regularly repacked by its operators to create large binaries and evade detection.[1] |
| Enterprise | T1090.001 | Internal Proxy Sub-technique | FatDuke can use pipes to connect machines with restricted internet access to remote machines via other infected hosts.[1] |
| Enterprise | T1057 | Process Discovery | FatDuke can list running processes on the localhost.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | FatDuke can use base64 encoding, string stacking, and opaque predicates for obfuscation.[1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | FatDuke can secure delete its DLL.[1] |
| Enterprise | T1005 | Data from Local System | FatDuke can copy files and directories from a compromised host.[1] |
| Enterprise | T1218.011 | Rundll32 Sub-technique | FatDuke can execute via rundll32.[1] |
| Enterprise | T1059.001 | PowerShell Sub-technique | FatDuke has the ability to execute PowerShell scripts.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | FatDuke can AES encrypt C2 communications.[1] |
| Enterprise | T1083 | File and Directory Discovery | FatDuke can enumerate directories on target machines.[1] |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | FatDuke has been packed with junk code and strings.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | FatDuke can decrypt AES encrypted C2 communications.[1] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
C0023: Operation Ghost
Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK Resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 0beb94badc13… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET Dukes October 2019: Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
[2] mitre-attack S0512: the MITRE ATT&CK software entry for FatDuke.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.