SeaDuke appeared in October 2014, after the disclosure of most of the Duke campaigns. Like the majority of the Duke family, SeaDuke exclusively targets government organizations. The main difference between Seaduke and its sister campaigns is that SeaDuke focuses on a small number of high-value targets. Additionally, of the Duke malware, SeaDuke alone is programmed in python. This developers’ choice could indicate that the group is expanding their victim pool to Linux systems as well as Windows hosts. The overall framework of the malware remains similar to CozyDuke.

SeaDuke is a highly configurable trojan and backdoor that is often installed onto victim systems through CozyDuke or via a compromised website. It has hundreds of possible configurations  According to Symantec, the threat actor behind CozyDuke may only deploy SeaDuke in systems belonging to “major government-level targets.” SeaDuke primarily allows the attacker to upload, to download, and to delete files on the victim machine as well as to retrieve bot/ system information and to update the bot configuration. It is possible that the threat actor deploys the malware to remove the indicators of compromise from other campaigns after a successful breach. The trojan may also be used to conduct pass the ticket attacks on Kerberos systems, to steal emails from Microsoft Exchange servers using compromised credentials, to archive sensitive data, or to exfiltrate data through legitimate cloud services. The C&C infrastructure behind SeaDuke relies on over 200 compromised web servers and several layers of RC4 and AES encryption and Base 64 encoding techniques. These extra obfuscation measures may be an attempt to remain undiscovered and thereby remove the attention on the Duke campaigns. SeaDuke communicates with its C&C servers via HTTP(s).

Type: Nation-State Sponsor

Status: Believed actove

Other Names: SeaDaddy/ SeaDask

Active Since/Discovered: October 2014

Last Report: Spring 2015

Targets: Small number of high-value targets, major-government targets, Diplomatic targets

Target Sectors: Government

  • SeaDuke – Secondary backdoor for CozyCar infections
    • HTTP(s) C2 communication
      • Traffic is Base64 encoded and encrypted with RC4 and AES
      • Data compressed with zlib
    • Focus on executing C2 commands
    • module to extract email from Microsoft Exchange servers using compromised credentials.
    • module to use pass the ticket with Kerberos for authentication
    • can securely delete files, including deleting itself from the victim
    • uses an event filter in WMI code to execute a previously dropped executable shortly after system startup
    • uses a module to execute Mimikatz with PowerShell to perform “Pass the Ticket” Kerberos attacks
    • persistence via the Registry Run key
    • persistence via .lnk file stored in the Startup directory.
    • uploading and downloading files, executing system commands and evaluating additional Python code
    • Hundreds of possible configurations
    • Download, and delete victim files

Preferred Attack Vector:  CozyDuke infection, watering-hole attack

  • Written in Python
  • Executes on both Windows and Linux
  • Used in pass-the-ticket Kerberos attacks
  • Used to steal Microsoft Exchange emails
  • C2 infrastructure- 200 compromised web servers behind layers of RC4 and AES encryption and Base 64 encoding techniques


  • Primarily a secondary backdoor for other Duke campaigns
  • May be used to remove other Duke campaign IoCs from victim systems
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google