COSMICDUKE

CosmicDuke is believed to have been developed and deployed by the same team that built PinchDuke. It was compiled on January 16, 2010 and was still active as of June 2015. It superseded the PinchDuke campaign, and its toolkit surpasses the functionality of the PinchDuke exploit kit. Unlike PinchDuke, CosmicDuke appears to be entirely custom written to the adversary’s specifications. The techniques CosmicDuke uses to extract user credentials and detect analysis tools may be based on PinchDuke, and at a high level its persistence techniques resemble those of GeminiDuke. Despite these similarities to the other Duke malware, CosmicDuke does not share any code with its sibling campaigns. CosmicDuke was most famously deployed against individuals believed to be trafficking illicit substances in Russia. It is possible that Russia’s law enforcement agencies used the malware as spyware in their war against drugs.

CosmicDuke is deployed through a series of loaders and is built around an information stealer that is augmented by persistence components and a privilege escalation tool. Early variants of the privilege escalation module attempted to exploit CVE-2010-0232 or CVE-2010-4398. The malware authors likely chose which persistence and escalation tools to include in each variant in order to exploit known vulnerabilities in the target environment. For instance, in 2014, after the exposure of MiniDuke, Kaspersky noted the appearance of a CosmicDuke variant that featured a backdoor and the ability to start via Windows Task Scheduler.

The information stealer contains components to log keystrokes, capture screenshots, copy the contents of the clipboard, copy cached user credentials from web browsers and chat clients, export cryptographic certificates and private keys, and exfiltrate user files whose extensions match a predefined list. Additionally, CosmicDuke occasionally infected hosts with PinchDuke, GeminiDuke, or MiniDuke, though the CosmicDuke code never interoperated with the redundant malware. After execution, the two pieces of malware ran concurrently and independently of one another, and typically even used different C&C infrastructure. F-Secure postulates that CosmicDuke may have deployed the other malware so the adversary could field test CosmicDuke while relying on the redundant malware to capture mission critical data should CosmicDuke not function correctly on the infected machine. It can exfiltrate the stolen data to hardcoded C&C servers via HTTP(S), FTP, or WebDAV.

Type: Believed Nation State Sponsored

Status: Active

Other Names: TinyBaron / BotGenStudios / NemesisGemina

Active Since/Discovered: January 2010

Last Report: Summer 2015

Targets: Georgia, Russia, USA, Great Britain, Kazakhstan, India, Belarus, Cyprus, Ukraine, Lithuania. Others include Azerbaijan, Greece and Ukraine

Target Sectors:

  • Diplomatic organizations/embassies
  • Energy, oil and gas companies
  • Telecoms
  • Military
  • Specific individuals

Malware:

  • CosmicDuke / TinyBaron – custom backdoor and information stealer
    • Compiled using a customizable framework called “BotGenStudio”
      • Flexible enough to enable or disable components when the bot is built
    • Entirely custom toolset code
      • Code not shared with other Duke campaigns
      • Based on techniques developed for PinchDuke (credential theft, analysis-tool detection) and GeminiDuke (persistence)
    • Information stealer
      • Bundle of Deep Web tools
      • Keylogging
      • Screen Capture
      • Stealing clipboard contents
      • Stealing user files with file extensions that match a predefined list
      • Exporting the user’s cryptographic certificates, including private keys
      • Collecting user credentials
      • Collecting passwords for a variety of popular chat applications, web browsers, and email
    • Multiple loaders
    • Privilege escalation component
    • Multiple persistence components
      • Uses scheduled tasks typically named “Watchmon Service” for persistence
      • Uses Windows services typically named “javamtsup” for persistence
    • Copies clipboard and screenshots every 30 seconds
    • Contains a custom version of the RC4 algorithm that includes a programming error
  • May embed PinchDuke, GeminiDuke, or MiniDuke components
    • Malware written to disk and executed
    • Does not otherwise interact with CosmicDuke code

Preferred Attack Vector: Trojanized software installers

IoCs:

  • Data Theft
  • Strong self-protection to prevent anti-malware solutions from analyzing the implant and detecting its malicious functionality via an emulator
  • English used in several places in the malware’s development
  • Communicates with hardcoded C2 via HTTP(S), FTP, or WebDAV
  • CVE-2010-0232 or CVE-2010-4398 (privilege escalation vulnerabilities)
  • May spoof compilation timestamps
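As an added detection example (not from this profile or from any of the vendors it cites), the check below scans Windows event records for the scheduled-task name “Watchmon Service” and the service name “javamtsup” listed under the persistence components above and among the IoCs. The key="value" log layout, hostnames and image paths are constructed for the sample; the event IDs 4698 (scheduled task created) and 7045 (service installed) are the standard Windows IDs.

```python
import re
from dataclasses import dataclass

# Persistence artefact names this profile attributes to CosmicDuke.
SUSPECT_TASK_NAMES = {"watchmon service"}
SUSPECT_SERVICE_NAMES = {"javamtsup"}

@dataclass
class Finding:
    host: str
    event_id: int
    artefact: str  # "scheduled_task" or "service"
    name: str      # the name exactly as it appeared in the event

# Constructed sample records (not real telemetry) in a flattened key="value" layout.
# Security 4698 = scheduled task created; System 7045 = service installed.
SAMPLE_EVENTS = [
    'host=WS01 event_id=4698 task_name="\\Watchmon Service" user="CORP\\alice"',
    'host=WS01 event_id=7045 service_name="javamtsup" image_path="C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"',
    'host=WS02 event_id=4698 task_name="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" user="SYSTEM"',
    'host=WS02 event_id=7045 service_name="Spooler" image_path="C:\\Windows\\System32\\spoolsv.exe"',
    'host=WS03 event_id=4698 task_name="\\WATCHMON SERVICE" user="CORP\\bob"',
    'host=WS03 event_id=4624 logon_type=2 user="CORP\\bob"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> dict:
    """Split a key=value line into a dict; quoted values may contain spaces."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}

def normalise(name: str) -> str:
    """Case-fold and keep only the leaf of a task path such as \\Microsoft\\Windows\\X."""
    return name.rsplit("\\", 1)[-1].strip().lower()

def detect_persistence(lines) -> list:
    """Return a Finding for each task/service event whose name matches the IoCs."""
    findings = []
    for line in lines:
        event = parse_event(line)
        try:
            event_id = int(event.get("event_id", ""))
        except ValueError:
            continue  # missing or malformed event_id: skip rather than crash
        if event_id == 4698 and normalise(event.get("task_name", "")) in SUSPECT_TASK_NAMES:
            findings.append(Finding(event.get("host", "?"), event_id, "scheduled_task", event["task_name"]))
        elif event_id == 7045 and normalise(event.get("service_name", "")) in SUSPECT_SERVICE_NAMES:
            findings.append(Finding(event.get("host", "?"), event_id, "service", event["service_name"]))
    return findings
```

Running `detect_persistence(SAMPLE_EVENTS)` flags WS01 (task and service) and WS03 (upper-cased task name) while ignoring the legitimate Defrag task and Spooler service; the case-folding matters because task names in exported logs are not consistently cased.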

Unique:

  • Was used to target individuals involved in trafficking and selling illegal and controlled substances in Russia