The PinchDuke campaign, which operated from November 2008 until summer 2010, is believed to be the first campaign of the Duke malware family. PinchDuke targeted political organizations in Georgia, Turkey, Uganda, and the United States. The PinchDuke campaigns began 11 days after President Obama’s April 5, 2008 speech concerning the deployment of missile defenses in Poland. In 2009 the PinchDuke campaign targeted the Ministry of Defense in Georgia, the ministries of foreign affairs in Turkey and Uganda, a United States foreign policy think tank, organizations associated with NATO exercises in Europe, and the Georgian Information Centre on NATO. In 2010, the group also targeted Kazakhstan, Kyrgyzstan, Azerbaijan, and Uzbekistan. The political nature of the targets suggests that the campaigns may have been state sponsored. The selection of targets closely mirrors those of the later APT28/ Sofacy campaigns, which is widely believed a Russian state sponsored threat actor.

The Uroburos rootkit is a very advanced and very sophisticated modular malware designed to infect entire networks and exfiltrate confidential data. The sophistication and flexibility of the Uroburos malware suggests that a highly skilled team, who had access to considerable resources, developed it. The significant monetary investment necessary to develop the Uroburos platform suggests that it was developed to target businesses, nation states, and intelligence agencies, rather than average citizens. Based on the exploit kit, the Uroburos group likely has a political or espionage agenda. The Uroburos malware typically infects 32-bit and 64-bit Microsoft Windows systems that belong to governments, embassies, defense industries, pharmaceutical companies, research and education facilities, and other large companies.

Like the rest of the Duke family of malware, the threat actor is attributed to Russia because error messages in the malware are written in Russian. Though many regions in Eastern Europe use Russian as their primary language, time stamps in the code suggest that the malware was developed in the same time zone as Moscow. The PinchDuke Trojan samples contain a text string that may serve as a campaign identifier to help the attackers differentiate between associated Duke malware campaigns that were run in parallel using similar exploitation kits.

The malware was delivered via phishing emails containing spoofed news articles from the BBC website or articles concerning NATO. The malware consists of multiple loaders and an information stealer trojan. The trojan is based around the source code of the information stealing malware, LdPinch, which has been available on underground forums since the early 2000s. PinchDuke’s information stealer targets system configuration files, user credentials, and user files that were created within a predefined timeframe or whose file extension corresponds to a predefined list. PinchDuke communicated with its C&C servers through HTTP(s). In early 2010, PinchDuke campaigns decreased as other Duke campaigns began. Afterwards, PinchDuke or its components were absorbed into other campaigns. Notably, its loaders were later associated with CosmicDuke and occasionally the newer malware would install PinchDuke in its entirety on a victim system as a redundancy infection.

Type: Nation-State sponsored

Status: Inactive

Active Since/Discovered: November 2008 to summer 2010

Targets: Georgia, Turkey, Uganda, the United States, Kazakhstan, Kyrgyzstan, Azerbaijan, and Uzbekistan.

Target Sectors: Political institutions, think tanks


  • PinchDuke  – Trojan
    • Contains Russian campaign identifier string
    • Multiple loaders
    • Stealer Trojan
      • Based on LdPinch
        • Available on Deep Web forums since early 2000’s
      • targets system configuration files, user credentials, and user files that were created within a predefined timeframe or whose file extension corresponds to a predefined list
    • searches for files created within a certain timeframe and whose file extension matches a predefined list
    • Communicates with C2 via HTTP(s)

Preferred Attack Vector:  

  • Spear-phishing
  • Watering-hole attack on news articles


  • Selection of targets mirrors the later APT28 campaign
  • Error messages written in Russian


  • Believed first of the Duke family of campaigns
  • Delivered via watering hole attacks on news articles – predecessor to fake news
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google