S0518: PolyglotDuke
PolyglotDuke is a downloader that has been used by APT29 since at least 2013. PolyglotDuke has been used to drop MiniDuke.[1]
Analyst context for executives and security teams
PolyglotDuke matters because it represents a Windows downloader historically used by APT29 in Operation Ghost to retrieve additional malware, including MiniDuke. For leaders, the practical issue is not just one malware family: it is whether Windows endpoint, proxy, and registry telemetry can expose a stealthy downloader that blends command-and-control into web traffic, uses obfuscation/steganography, and may rely on legitimate web services to locate infrastructure.
Executive priority
Prioritize this as a resilience and readiness question: can the organization detect and investigate suspicious downloader activity before follow-on tooling is introduced? The ATT&CK relationships point to command-and-control over web protocols, dead drop resolver behavior, ingress tool transfer, rundll32 abuse, registry modification, and fileless storage. These are control areas that often determine SOC and IR effectiveness, audit evidence quality, and incident scoping speed in Windows environments.
Technical view
Validate coverage around the Windows behaviors linked to PolyglotDuke rather than relying on a named-malware signature. ATT&CK provides no official detection text, so teams should map detections to the related techniques: obfuscated or steganographic content, decode/deobfuscation activity, suspicious web-based C2 patterns, access to legitimate external web services that may act as dead drop resolvers, inbound tool transfer, rundll32-mediated execution, Native API-heavy execution patterns where observable, and registry modifications associated with persistence or defense evasion.
Likely telemetry
- Windows process creation and command-line telemetry, especially rundll32.exe execution context
- Windows registry modification events and relevant EDR registry monitoring
- Endpoint file, memory, and EDR observations for downloaded payloads, obfuscated content, and fileless storage indicators
- Proxy, firewall, DNS, and HTTP/S metadata for outbound web traffic and unusual external web-service access
- Network security logs showing file downloads or tool transfer over web protocols
Detection direction
- Do not depend solely on the malware name; ATT&CK does not provide official detection guidance for S0518.
- Tune detections around behavior chains: suspicious web access followed by decode/deobfuscation, registry changes, rundll32 execution, or additional payload download.
- Review allowlists and suppressions for rundll32.exe and common web services, since these can hide malicious activity behind normal administrative or user behavior.
- Correlate endpoint and network telemetry; dead drop resolver and web-protocol C2 patterns may look benign if viewed only as outbound HTTPS traffic.
- Account for false positives from legitimate software installers, update mechanisms, scripts, and administrative registry changes.
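As an added example (not code from this page, MITRE or ESET), the following Python correlates the behavior chain described above over constructed endpoint events: a rundll32.exe process that, within a short window, both contacts one of the public web services the techniques list names as dead drop resolvers and writes a high-entropy (encrypted-looking) registry value. The event field names, hostnames, 60-second window and entropy threshold are assumptions for illustration.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

# Public web services the page lists as possible dead drop resolvers (T1102.001).
WEB_SERVICES = {"twitter.com", "reddit.com", "imgur.com"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed blobs approach 8, readable text sits near 4-5."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def find_downloader_chains(events, window_s=60, entropy_min=7.0):
    """Flag a rundll32.exe process (T1218.011) that, within window_s seconds and under the
    same host/pid, both contacts a public web service (T1102.001, T1071.001) and writes a
    high-entropy registry value (T1112, T1027.011). Returns one record per flagged process."""
    evs = sorted(events, key=lambda e: e["ts"])
    hits = []
    for i, ev in enumerate(evs):
        if ev["type"] != "process" or ev["image"].lower() != "rundll32.exe":
            continue
        deadline, web, reg = ev["ts"] + timedelta(seconds=window_s), None, None
        for later in evs[i + 1:]:
            if later["ts"] > deadline:
                break  # time-sorted, so nothing further can be inside the window
            if later["host"] != ev["host"] or later["pid"] != ev["pid"]:
                continue
            if later["type"] == "network" and later["dst"] in WEB_SERVICES:
                web = later
            elif later["type"] == "registry" and shannon_entropy(later["value"]) >= entropy_min:
                reg = later
        if web and reg:
            hits.append({"host": ev["host"], "pid": ev["pid"], "cmdline": ev["cmdline"],
                         "web_service": web["dst"], "reg_key": reg["key"]})
    return hits

T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry for the demo, not real indicators
    {"ts": T0, "host": "ws01", "type": "process", "pid": 4100, "image": "rundll32.exe", "cmdline": "rundll32.exe stage.dll,Start"},
    {"ts": T0 + timedelta(seconds=5), "host": "ws01", "type": "network", "pid": 4100, "dst": "reddit.com"},
    {"ts": T0 + timedelta(seconds=20), "host": "ws01", "type": "registry", "pid": 4100,
     "key": "HKCU\\Software\\Example\\cfg", "value": bytes(range(256))},  # entropy exactly 8.0
    # benign Control Panel launch via rundll32: vendor host plus readable value, so not flagged
    {"ts": T0, "host": "ws02", "type": "process", "pid": 900, "image": "rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"ts": T0 + timedelta(seconds=3), "host": "ws02", "type": "network", "pid": 900, "dst": "update.example.com"},
    {"ts": T0 + timedelta(seconds=4), "host": "ws02", "type": "registry", "pid": 900,
     "key": "HKCU\\Software\\Example\\Path", "value": b"C:\\Program Files\\Example"},
]
```

The benign ws02 sequence shows why the chain needs all three legs: rundll32 alone, or rundll32 plus a registry write of readable text, is everyday Windows behavior and should not alert on its own.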
Mitigation priorities
- Ensure Windows endpoints have logging and EDR coverage sufficient for process, registry, file, and network correlation.
- Harden and monitor abuse-prone execution paths such as rundll32.exe without assuming they can be universally blocked.
- Apply least-privilege and change-control practices around registry areas relevant to persistence and defense evasion.
- Use egress monitoring and proxy controls to improve visibility into unusual web-service access and external downloads.
- Prepare IR playbooks for downloader incidents that include searching for follow-on payloads, not just removing the initial artifact.
Analyst notes and limits
The supplied ATT&CK object identifies PolyglotDuke as a Windows downloader used by APT29 since at least 2013 and used to drop MiniDuke. Relationship context connects it to Operation Ghost and to techniques spanning obfuscation, steganography, fileless storage, web protocols, dead drop resolvers, ingress tool transfer, Native API use, registry modification, deobfuscation, and rundll32 abuse.
MITRE provides no official detection text, no aliases, no labels, and no object-level tactics for PolyglotDuke in the supplied fields. Local conclusions require environment-specific telemetry, baselines, and incident evidence; this summary should not be read as a claim of active exploitation or guaranteed detection coverage.
PolyglotDuke
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1112 | Modify Registry | PolyglotDuke can write encrypted JSON configuration files to the Registry.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | PolyglotDuke can custom encrypt strings.[1] |
| Enterprise | T1027.011 | Fileless Storage (sub-technique) | PolyglotDuke can store encrypted JSON configuration files in the Registry.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | PolyglotDuke can retrieve payloads from the C2 server.[1] |
| Enterprise | T1218.011 | Rundll32 (sub-technique) | PolyglotDuke can be executed using rundll32.exe.[1] |
| Enterprise | T1106 | Native API | PolyglotDuke can use |
| Enterprise | T1102.001 | Dead Drop Resolver (sub-technique) | PolyglotDuke can use Twitter, Reddit, Imgur and other websites to get a C2 URL.[1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | PolyglotDuke has used HTTP GET requests in C2 communications.[1] |
| Enterprise | T1027.003 | Steganography (sub-technique) | PolyglotDuke can use steganography to hide C2 information in images.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PolyglotDuke can use a custom algorithm to decrypt strings used by the malware.[1] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
C0023: Operation Ghost
Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be expanded to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | e7c244509390… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET Dukes October 2019: Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
[2] MITRE ATT&CK: S0518, PolyglotDuke.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.