Duqu is a highly sophisticated malware platform and associated threat activity widely linked to Stuxnet through shared development lineage, including similarities between Stuxnet kernel drivers such as mrxcls.sys and Duqu's Tilde-D platform. The source material describes Duqu as one of the most skilled and powerful APT groups and notes that Kaspersky identified a later iteration, "Duqu 2.0," as an updated version of the 2011 Duqu malware.

Duqu 2.0 is described as a modular, in-memory-focused espionage platform with more than 100 plugin variants. Reported capabilities include remote deployment via malicious MSI packages executed through services or Task Scheduler; lateral movement using pass-the-hash and behavior consistent with exploitation of CVE-2014-6324 (MS14-068); and kernel exploitation using CVE-2015-2360 to load unsigned kernel-mode components. The platform supported multiple command-and-control transports, including HTTP, HTTPS, SMB named pipes, and custom TCP, and could conceal C2 traffic inside JPEG or GIF files while varying HTTP User-Agent strings. Kaspersky also reported a malicious NDIS filter driver used to redirect traffic and tunnel access inside victim networks.

Targets and victimology mentioned in the sources include Kaspersky Lab's own internal systems in early 2015; victims in Western countries, the Middle East, and Asia; and infections linked to venues associated with the P5+1 nuclear negotiations with Iran, as well as an event marking the liberation of Auschwitz-Birkenau.

The sources also describe a "Duqu 1.5" infection reconstructed from artifacts found during an intrusion at a diplomatic talks venue, presenting it as an intermediate stage between Duqu 1.0 and Duqu 2.0. That loading chain reportedly used a trojanized floppy kernel driver signed with a stolen certificate, a registry-based virtual file system, an in-memory orchestrator, an on-disk virtual file system, and plugins.
Aliases directly mentioned in the sources include "Duqu 2.0" for the later platform iteration. The sources do not provide definitive public attribution to a specific nation-state, although they repeatedly place Duqu in the context of advanced state-linked cyber operations and its relationship to Stuxnet.
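The image-file C2 concealment reported above is something an egress proxy or sandbox can sanity-check. The following added example (not code from the page or from any vendor) parses purported JPEG and GIF responses and reports how many bytes follow the format's own end marker, one common way of piggybacking a payload on an image; the sources do not specify Duqu's exact concealment method, and the sample images below are constructed.

```python
# Constructed samples: a minimal JPEG and GIF, each accepted by the parsers below.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x02\xff\xda\x00\x02\x12\x34\xff\xd9"
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b"

def jpeg_trailing(data: bytes) -> int:
    """Bytes after the JPEG End-Of-Image marker FF D9 (0 = nothing appended)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while True:  # walk the length-prefixed segments (APPn, DQT, SOF, ...) up to Start-Of-Scan
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError("corrupt or truncated marker stream")
        marker = data[pos + 1]
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # length includes its own 2 bytes
        if marker == 0xDA:  # SOS: entropy-coded scan data follows
            break
    # Inside scan data FF is always followed by 00 or D0-D7, so the first FF D9 is the real EOI.
    eoi = data.find(b"\xff\xd9", pos)
    if eoi < 0:
        raise ValueError("no EOI marker")
    return len(data) - (eoi + 2)

def _skip_subblocks(data: bytes, pos: int) -> int:
    """Advance past length-prefixed GIF sub-blocks, including the 0-length terminator."""
    while pos < len(data):
        n = data[pos]
        pos += 1 + n
        if n == 0:
            return pos
    raise ValueError("truncated sub-blocks")

def gif_trailing(data: bytes) -> int:
    """Bytes after the GIF trailer byte 0x3B (0 = nothing appended)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos, flags = 13, data[10]  # header (6) + logical screen descriptor (7)
    if flags & 0x80:  # global colour table: 3 bytes x 2^(N+1) entries
        pos += 3 * (2 << (flags & 7))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:  # trailer
            return len(data) - (pos + 1)
        if block == 0x21:  # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        elif block == 0x2C:  # image descriptor (10 bytes), optional local table, LZW size byte
            lflags = data[pos + 9]
            pos += 10 + (3 * (2 << (lflags & 7)) if lflags & 0x80 else 0)
            pos = _skip_subblocks(data, pos + 1)
        else:
            raise ValueError(f"unexpected block 0x{block:02x}")
    raise ValueError("no trailer")
```

A non-zero result is a triage signal rather than a verdict, since some legitimate tools append metadata after the end marker; the structural walk matters because a naive search for the last FF D9 or 0x3B is defeated by a payload that happens to contain those bytes.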
Connected to Stuxnet development through the Tilde-D platform; the article also discusses Duqu 1.5 as an intermediate evolution between Duqu 1.0 and Duqu 2.0 discovered in a diplomatic venue intrusion.
A Stuxnet-linked espionage actor/platform family whose Tilde-D platform shared developmental links with Stuxnet; the article also describes an intermediate Duqu 1.5 stage between Duqu 1.0 and Duqu 2.0 discovered at a diplomatic venue.
Highly sophisticated cyber-espionage activity cluster operating the Duqu 2.0 in-memory modular platform, using multiple Windows zero-days for initial access and lateral movement, extensive internal reconnaissance and credential/token theft, stealthy process injection/migration, and flexible C2 (HTTP/HTTPS, SMB pipes, custom encrypted protocols) including traffic hiding in image files and use of tunneling drivers for resilient access.