S0513: LiteDuke
Analyst context for executives and security teams
LiteDuke matters because it represents a Windows backdoor associated in ATT&CK with later-stage access, discovery, stealth, persistence, and command-and-control behaviors. Even though MITRE describes its primary use as 2014–2015, the defensive value is current: organizations should validate whether they can see the behaviors it used, not just whether they have a signature for this specific malware family.
Executive priority
Treat this as a coverage-validation case for resilient Windows monitoring and incident response readiness. The key business question is whether the organization can detect and investigate a compromised host that profiles the system and user, checks for security tooling or analysis environments, persists through Registry Run Keys or Startup Folder mechanisms, communicates over web protocols, transfers tools, and deletes evidence. This supports budget and audit discussions around endpoint logging, network visibility, malware analysis capability, and SOC playbooks for stealthy backdoor activity.
Technical view
ATT&CK provides no official detection text for LiteDuke, so SOC teams should map coverage to the related techniques: Query Registry, System Network Configuration Discovery, System Owner/User Discovery, System Information Discovery, Security Software Discovery, Time Based Checks, Software Packing, Steganography, Deobfuscate/Decode Files or Information, File Deletion, Web Protocols, Ingress Tool Transfer, and Registry Run Keys / Startup Folder. Prioritize Windows host telemetry because the ATT&CK object lists Windows as the platform, and use the related techniques to guide behavioral analytics and triage rather than assuming a single indicator-based detection will be sufficient.
Likely telemetry
- Windows process creation and command-line telemetry
- Windows Registry read/write monitoring, especially Run Keys and startup-related locations
- File creation, modification, deletion, and download evidence on endpoints
- Endpoint security alerts and sensor health/configuration telemetry
- Network proxy, DNS, TLS, and HTTP/S metadata for outbound web-protocol communication
Detection direction
- Validate behavioral coverage for the related ATT&CK techniques instead of relying only on malware-family names or historical indicators.
- Tune detections for unusual Registry discovery or persistence changes, while accounting for legitimate software installers and administrative tooling.
- Correlate discovery behaviors across system, user, network configuration, and security software enumeration; single events may be benign, but clustered discovery followed by outbound web traffic or file transfer is higher value.
- Review visibility into file deletion and tool transfer because those behaviors can reduce forensic evidence and complicate incident scoping.
- Assess whether packed, obfuscated, encoded, or steganographic content would be escalated to malware analysis or sandboxing workflows; time-based checks may reduce sandbox effectiveness.
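The correlation idea in the bullets above (clustered discovery on one host, followed within a short window by persistence, outbound web traffic, tool transfer or file deletion) is shown below as an added example; it is not Glexia's or MITRE's code. The event records are constructed samples in a simplified shape (ts, host, technique, summary) that is an assumption for this example, not any product's schema; the technique IDs are the ones listed in this page's techniques table. Host WS-A models the LiteDuke-style chain, while the other hosts model legitimate noise (browsing, an installer adding a Run key, discovery events spread over an hour) that the rule should not flag.

```python
"""Correlate clustered discovery with follow-on activity per host.

Added example for this page, not Glexia's or MITRE's code. Event records are
constructed samples; their field names are an assumption, not a real schema.
"""
from collections import defaultdict
from datetime import datetime

# Technique IDs taken from the page's "Techniques used" table.
DISCOVERY = {"T1012", "T1518.001", "T1033", "T1082", "T1016"}
FOLLOW_ON = {"T1547.001", "T1071.001", "T1105", "T1070.004"}

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # WS-A: tight discovery cluster, then persistence, C2-style HTTP, download, cleanup.
    {"ts": "2024-05-01T09:00:01", "host": "WS-A", "technique": "T1033",
     "summary": "account name enumerated"},
    {"ts": "2024-05-01T09:00:03", "host": "WS-A", "technique": "T1082",
     "summary": "CPUID / BIOS version read"},
    {"ts": "2024-05-01T09:00:05", "host": "WS-A", "technique": "T1016",
     "summary": "browser proxy settings read"},
    {"ts": "2024-05-01T09:00:06", "host": "WS-A", "technique": "T1012",
     "summary": "registry key existence check (placeholder vendor key)"},
    {"ts": "2024-05-01T09:00:06", "host": "WS-A", "technique": "T1518.001",
     "summary": "security software presence check"},
    {"ts": "2024-05-01T09:00:40", "host": "WS-A", "technique": "T1547.001",
     "summary": "Run key value added"},
    {"ts": "2024-05-01T09:01:10", "host": "WS-A", "technique": "T1071.001",
     "summary": "outbound HTTP GET to uncategorized domain"},
    {"ts": "2024-05-01T09:05:00", "host": "WS-A", "technique": "T1105",
     "summary": "executable written from network download"},
    {"ts": "2024-05-01T09:06:00", "host": "WS-A", "technique": "T1070.004",
     "summary": "file overwritten then deleted"},
    # WS-B: normal browsing plus a single discovery event; not enough to alert.
    {"ts": "2024-05-01T09:10:00", "host": "WS-B", "technique": "T1071.001",
     "summary": "browser HTTP GET"},
    {"ts": "2024-05-01T09:11:00", "host": "WS-B", "technique": "T1033",
     "summary": "account name enumerated"},
    # WS-C: an installer adds a Run key with no preceding discovery.
    {"ts": "2024-05-01T10:00:00", "host": "WS-C", "technique": "T1547.001",
     "summary": "Run key value added by installer"},
    # WS-D: discovery spread over an hour, so only one event is inside the window.
    {"ts": "2024-05-01T08:00:00", "host": "WS-D", "technique": "T1033",
     "summary": "account name enumerated"},
    {"ts": "2024-05-01T08:30:00", "host": "WS-D", "technique": "T1082",
     "summary": "system information read"},
    {"ts": "2024-05-01T09:00:00", "host": "WS-D", "technique": "T1016",
     "summary": "proxy settings read"},
    {"ts": "2024-05-01T09:01:00", "host": "WS-D", "technique": "T1071.001",
     "summary": "outbound HTTP GET"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window_seconds=600, min_distinct=3):
    """Return one alert per host where at least `min_distinct` distinct discovery
    techniques occur within `window_seconds` before a follow-on event.

    Single discovery events and persistence changes without preceding discovery
    (the installer case) produce no alert, which is the tuning the page asks for.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        hits = []  # (follow-on event, set of discovery techniques seen before it)
        for i, e in enumerate(evs):
            if e["technique"] not in FOLLOW_ON:
                continue
            t = _ts(e)
            prior = {p["technique"] for p in evs[:i]
                     if p["technique"] in DISCOVERY
                     and (t - _ts(p)).total_seconds() <= window_seconds}
            if len(prior) >= min_distinct:
                hits.append((e, prior))
        if hits:
            discovery = set().union(*(p for _, p in hits))
            alerts.append({
                "host": host,
                "discovery": sorted(discovery),
                "follow_on": [e["technique"] for e, _ in hits],
                "first_follow_on_ts": hits[0][0]["ts"],
                "score": len(discovery) + len(hits),  # simple triage ordering
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The window and the distinct-technique threshold are the two knobs to tune against a local baseline: a shorter window cuts false positives from slow, unrelated admin activity, while a higher threshold trades recall for precision on noisy fleets.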
Mitigation priorities
- Harden and monitor Windows persistence locations such as Registry Run Keys and Startup Folders.
- Ensure endpoint logging, EDR, and network monitoring are retained long enough to support backdoor investigations and file-deletion recovery timelines.
- Restrict unnecessary outbound web access and inspect proxy/DNS patterns where policy and privacy requirements allow.
- Control tool ingress paths through application control, download restrictions, and least-privilege execution policies.
- Maintain defensible inventories of security tooling and endpoint coverage so discovery of defensive software can be interpreted during triage.
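One way to act on the first mitigation bullet (harden and monitor Run Keys and Startup Folders) is to snapshot those locations and diff each new snapshot against a reviewed baseline. The block below is an added example, not Glexia's or MITRE's tooling. The registry text is a constructed sample in the shape `reg query` prints for a key; the Startup-folder dictionaries (shortcut name to resolved target) and all baseline contents are constructed assumptions for this example.

```python
"""Diff Windows Run-key and Startup-folder entries against a reviewed baseline.

Added example for this page, not Glexia's or MITRE's tooling. Inputs are
constructed samples: `reg query`-shaped text and shortcut-name-to-target maps.
"""
import re

# Matches one value line of `reg query` output: name, type, data.
RUN_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

# Constructed baseline snapshot (assumed reviewed and approved).
BASELINE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Teams       REG_SZ    C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe --processStart "Teams.exe"
"""

# Constructed current snapshot: one entry changed, one new entry.
CURRENT_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Teams       REG_SZ    C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe --processStart "Teams.exe" --system-initiated
    Updater     REG_SZ    C:\Users\alice\AppData\Roaming\svc\updater.exe
"""

# Constructed Startup-folder snapshots: shortcut file name -> resolved target.
BASELINE_STARTUP = {"send to onenote.lnk": r"c:\program files\microsoft office\root\office16\onenotem.exe"}
CURRENT_STARTUP = {
    "send to onenote.lnk": r"c:\program files\microsoft office\root\office16\onenotem.exe",
    "helper.lnk": r"c:\users\alice\appdata\roaming\svc\helper.exe",
}


def _normalize(data):
    """Lower-case and collapse whitespace so cosmetic differences do not alert."""
    return " ".join(data.split()).lower()


def parse_reg_query(text):
    """Map value name (lower-cased) -> normalized data for each Run-key entry."""
    entries = {}
    for line in text.splitlines():
        m = RUN_LINE.match(line)
        if m:
            entries[m["name"].lower()] = _normalize(m["data"])
    return entries


def diff_persistence(current, baseline):
    """Classify entries as new, changed, or removed relative to the baseline.

    Returns sorted (kind, name, data) tuples; data is the current value for
    new/changed entries and the baseline value for removed ones.
    """
    findings = []
    for name, data in current.items():
        if name not in baseline:
            findings.append(("new", name, data))
        elif baseline[name] != data:
            findings.append(("changed", name, data))
    for name, data in baseline.items():
        if name not in current:
            findings.append(("removed", name, data))
    return sorted(findings)


if __name__ == "__main__":
    run_findings = diff_persistence(parse_reg_query(CURRENT_REG_QUERY),
                                    parse_reg_query(BASELINE_REG_QUERY))
    startup_findings = diff_persistence(CURRENT_STARTUP, BASELINE_STARTUP)
    for kind, name, data in run_findings + startup_findings:
        print(f"{kind:8} {name:20} {data}")
```

Treat "new" and "changed" findings as review items rather than verdicts: the changed Teams entry here is the kind of legitimate update the page warns about, and the value of the diff is that it surfaces the two unexpected entries under a user-writable profile path for a human to triage against the software inventory.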
Analyst notes and limits
MITRE identifies LiteDuke as a third-stage backdoor used by APT29 and notes overlap with PolyglotDuke and MiniDuke. The most useful defender takeaway is the behavior chain exposed by relationships: discovery, stealth/evasion, persistence, command-and-control, ingress transfer, and cleanup. Local telemetry and environment baselines are required to decide which events are suspicious.
The supplied ATT&CK object has no official detection guidance, no aliases, and no malware-specific procedure details beyond the description and relationships. Claims about current exploitation, affected customers, exact indicators, or guaranteed detection cannot be made from the supplied fields.
LiteDuke
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | LiteDuke has the ability to decrypt and decode multiple layers of obfuscation. [1] |
| Enterprise | T1082 | System Information Discovery | LiteDuke can enumerate the CPUID and BIOS version on a compromised system. [1] |
| Enterprise | T1027.003 | Steganography Sub-technique | LiteDuke has used image files to hide its loader component. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | LiteDuke has the ability to discover the proxy configuration of Firefox and/or Opera. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | LiteDuke can use HTTP GET requests in C2 communications. [1] |
| Enterprise | T1012 | Query Registry | LiteDuke can query the Registry to check for the presence of |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | LiteDuke can create persistence by adding a shortcut in the |
| Enterprise | T1070.004 | File Deletion Sub-technique | LiteDuke can securely delete files by first writing random data to the file. [1] |
| Enterprise | T1027.002 | Software Packing Sub-technique | LiteDuke has been packed with multiple layers of encryption. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | LiteDuke has the ability to download files. [1] |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | LiteDuke can wait 30 seconds before executing additional code if security software is detected. [1] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | LiteDuke has the ability to check for the presence of Kaspersky security software. [1] |
| Enterprise | T1033 | System Owner/User Discovery | LiteDuke can enumerate the account name on a targeted system. [1] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fe2ddd61133c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET Dukes October 2019: Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. Open source URL.
[2] mitre-attack S0513. Open source URL.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.