Duqu
Duqu is a highly sophisticated modular malware platform used in targeted espionage attacks. Multiple sources describe it as an information-stealing Trojan closely related to Stuxnet: researchers early on connected it to Stuxnet development through shared code and developmental links, while some analysts considered the technical evidence for direct authorship overlap inconclusive at the time. Unlike Stuxnet, Duqu did not include PLC functionality; instead it was described as gathering information about industrial systems and other high-value targets, and as a possible precursor to a future Stuxnet-like attack.
The malware was delivered through exploitation and installed kernel drivers plus encrypted DLL payloads. Its driver-based injection component was reported as very similar to Stuxnet’s, using a kernel driver to decrypt and load encrypted DLLs into processes. McAfee reported associated driver filenames cmi4432.sys and jminet7.sys, with one sample digitally signed using a certificate belonging to C-Media Electronics in Taipei; VeriSign later revoked that certificate. Duqu used encrypted configuration and payload files, remote command-and-control, and could receive additional modules after compromise. Reported capabilities included remote installation of new code, keylogging, monitoring running processes and window messages, hiding files with a user-mode rootkit, copying data to a staging area, compressing it, XOR-encrypting it, and executing pushed modules.
The content also states that adversaries could instruct Duqu to spread laterally by using compromised credentials to schedule a task on remote machines that executed the malware. Kaspersky reported that a key part of the Payload DLL framework was written in an unknown programming language rather than standard C++, describing it as object-oriented and highly event-driven; this unusual framework was presented as a major distinguishing feature from Stuxnet and as evidence of substantial resources, possibly a nation-state or similarly well-funded organization.
Targeting described in the content includes Certificate Authorities, small CAs, industry systems, and other key sites. Reported Duqu attacks were noted in Iran and Sudan, and some reporting noted that only a small number of victim sites were known at the time. The malware communicated with at least one command server in India, which was later blacklisted by the ISP. Additional indicators and artifacts explicitly mentioned in the content include the filenames cmi4432.sys and jminet7.sys, encrypted PNF payload files, sortXXXX.nls modules, and the broader 'tilded platform' naming convention associated with Duqu and Stuxnet. The content also references a temporary file ~DEB93D.tmp in related investigative context and notes that Duqu has been widely discussed alongside Stuxnet, Flame, and later variants such as Duqu 2.0 and an intermediate Duqu 1.5.
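The file-name indicators above (the two McAfee-reported driver names, the sortXXXX.nls module pattern, the ~DEB93D.tmp temporary file and the wider "tilded platform" convention) can be turned into a small triage filter for a directory listing or file-creation telemetry. The following is an added example written for this page, not code from Mallory or from any Duqu analysis; the directory listing is constructed, the `.tmp` suffix and the four alphanumeric characters in `sortXXXX.nls` are assumptions about how the page's placeholders resolve, and the "d in either case followed by letters or numbers" rule is taken directly from the page's description of the tilded convention.

```python
import re
from pathlib import PureWindowsPath

# Driver file names reported by McAfee for Duqu (as given on the page).
DUQU_DRIVER_NAMES = {"cmi4432.sys", "jminet7.sys"}

# "Tilded platform" convention described on the page: a tilde, then the letter d in
# either case, then letters or digits. Treating these as .tmp files is an assumption.
TILDED_RE = re.compile(r"^~d[a-z0-9]+\.tmp$", re.IGNORECASE)

# sortXXXX.nls module name from the page; the four placeholder characters are assumed
# here to be alphanumeric (assumption, not stated on the page).
SORT_NLS_RE = re.compile(r"^sort[a-z0-9]{4}\.nls$", re.IGNORECASE)


def classify_artifact(path: str):
    """Return a label for a path whose file name matches one of the page's
    indicator patterns, or None when nothing matches."""
    name = PureWindowsPath(path).name
    if name.lower() in DUQU_DRIVER_NAMES:
        return "known-driver-name"
    if TILDED_RE.match(name):
        return "tilded-temp-file"
    if SORT_NLS_RE.match(name):
        return "sort-nls-module"
    return None


def scan_listing(listing):
    """Group matching paths by label. `listing` is any iterable of path strings."""
    hits = {}
    for p in listing:
        label = classify_artifact(p)
        if label:
            hits.setdefault(label, []).append(p)
    return hits


# Constructed directory listing for the demonstration; not real telemetry.
SAMPLE_LISTING = [
    r"C:\Windows\System32\drivers\cmi4432.sys",
    r"C:\Windows\System32\drivers\jminet7.sys",
    r"C:\Windows\System32\drivers\ndis.sys",
    r"C:\Windows\Temp\~DEB93D.tmp",
    r"C:\Users\alice\AppData\Local\Temp\~dF1A2B.tmp",
    r"C:\Users\alice\AppData\Local\Temp\setup_1.tmp",
    r"C:\Windows\System32\sort1A2B.nls",
    r"C:\Windows\System32\sortdefault.nls",
]

if __name__ == "__main__":
    for label, paths in scan_listing(SAMPLE_LISTING).items():
        print(label)
        for p in paths:
            print("   ", p)
```

The tilded pattern is deliberately broad and will be noisy on its own: Windows and Office routinely create `~DF*.tmp` files under `%TEMP%`, so a match there is a lead to corroborate with the other indicators (driver names, a signed kernel driver with an unexpected publisher, PNF payload files), not a verdict.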
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2011-3402 (Windows TrueType Font Parsing RCE): Vulnerability in the Windows kernel’s TrueType font parsing engine (win32k.sys)... Used in attacks linked to targeted threats (e.g., Duqu malware family). ... patched in December 2011.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Techniques & procedures
33 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
The discoveries of the Stuxnet virus – and then the Duqu and Flame viruses – herald a new era of highly complex weaponised software made by powerful states to attack weaker states.
Initial Access
1 technique
Execution
3 techniques
"used a valid account to maintain persistence via scheduled task"; "schedule a task on remote machines that executes the malware"
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Instead, the code, delivered via exploitation, installs drivers and encrypted DLLs that function very similarly to the original Stuxnet code.
Persistence
4 techniques
"used a valid account to maintain persistence via scheduled task"; "schedule a task on remote machines that executes the malware"
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
"actors leverage legitimate credentials to log into external remote services"; "used legitimate credentials to gain initial access, maintain access, and exfiltrate data"; "used valid accounts for initial access and privilege escalation"
“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”
Privilege Escalation
7 techniques
"used a valid account to maintain persistence via scheduled task"; "schedule a task on remote machines that executes the malware"
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The PNF file is an encrypted DLL that is decrypted and injected into arbitrary system processes.
Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL (Dynamic Load Library) files. The kernel drivers serve as an “injection” engine to load these DLLs into a specific process.
"Agent Tesla has used process hollowing to create and manipulate processes through sections of unmapped memory by reallocating that space with its malicious code." / "Astaroth can create a new process in a suspended state... unmap its memory and replace it with malicious code." / "Emotet uses a copy of certutil.exe stored in a temporary directory for process hollowing, starting the program in a suspended state before loading malicious code."
"actors leverage legitimate credentials to log into external remote services"; "used legitimate credentials to gain initial access, maintain access, and exfiltrate data"; "used valid accounts for initial access and privilege escalation"
“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”
Stealth
10 techniques
The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files.
“Duqu… a PROPERTY=VALUE pair containing a 56-bit encryption key has been used to decrypt the main payload from the installer packages.”
installs drivers and encrypted DLLs... The PNF file is an encrypted DLL that is decrypted and injected into arbitrary system processes.
temporary Windows files generated by Wiper begin with a tilde character (~), followed by the letter d (either capital or lower case), followed by other letters or numbers. This “tilded platform,” as researchers have come to call the convention, is also found in both Stuxnet and Duqu.
The PNF file is an encrypted DLL that is decrypted and injected into arbitrary system processes.
Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL (Dynamic Load Library) files. The kernel drivers serve as an “injection” engine to load these DLLs into a specific process.
"Agent Tesla has used process hollowing to create and manipulate processes through sections of unmapped memory by reallocating that space with its malicious code." / "Astaroth can create a new process in a suspended state... unmap its memory and replace it with malicious code." / "Emotet uses a copy of certutil.exe stored in a temporary directory for process hollowing, starting the program in a suspended state before loading malicious code."
"actors leverage legitimate credentials to log into external remote services"; "used legitimate credentials to gain initial access, maintain access, and exfiltrate data"; "used valid accounts for initial access and privilege escalation"
“AppleJeus delivered components using a Windows Installer package (.msi)… executed the 3CXDesktopApp.exe…”, “APT38 has used msiexec.exe to execute malicious files.”, “Rancor has used msiexec to download and execute malicious installer files over HTTP.”, “TA505 has used msiexec to download and execute malicious Windows Installer files.”
This file is hidden using the same method as the other modules.
Defense Impairment
1 technique
And while Stuxnet and Duqu each “have variants where the kernel driver file is digitally signed using a software signing certificate,” Dell says this commonality is insufficient evidence of a connection “because compromised signing certificates can be obtained from a number of sources.”
Credential Access
1 technique
Discovery
6 techniques
Multiple malware families are described as identifying/enumerating open windows or capturing foreground window titles (e.g., via EnumWindows, GetForegroundWindow, GetWindowText) to understand user activity and provide context for keylogging/screencapture.
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
“actors used the following commands… to enumerate user accounts: net user >> %temp%\download; net user /domain >> %temp%\download … APT1 used the commands net localgroup, net user, and net group to find accounts… APT32 enumerated administrative users using the commands net localgroup administrators … OilRig has run net user, net user /domain, net group "domain admins" /domain …”
"spread laterally by copying itself to shares it has enumerated"
Lateral Movement
2 techniques
"spread laterally by copying itself to shares... for which it has obtained legitimate credentials"; "hard-coded credentials to gain access to a network share"
Duqu ... spread laterally by copying itself to shares it has enumerated ... The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.
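The lateral-movement procedure quoted above (valid credentials used over the network, then a scheduled task created on the remote host to run the payload) leaves a characteristic pair of Windows Security events on the target: a network logon (Event ID 4624, LogonType 3) followed shortly by a scheduled task creation (Event ID 4698) whose SubjectLogonId matches the TargetLogonId of that logon. The correlation below is an added example written for this page, not Mallory's or any vendor's detection content; the event records are constructed, already normalised to JSON with the standard Security log field names, and the 30-minute window is an assumed tuning value.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed Security event records modelled on Event IDs 4624 (logon) and
# 4698 (scheduled task created). Field names follow the real event schemas;
# every value (hosts, accounts, IPs, logon IDs, task names) is invented.
SAMPLE_EVENTS = json.loads(r'''
[
 {"EventID": 4624, "TimeCreated": "2024-05-01T10:00:05", "Computer": "FILESRV01",
  "TargetUserName": "svc_backup", "TargetLogonId": "0x3e7a91", "LogonType": 3,
  "IpAddress": "10.10.4.22", "WorkstationName": "WS-ENG-07"},
 {"EventID": 4698, "TimeCreated": "2024-05-01T10:00:09", "Computer": "FILESRV01",
  "SubjectUserName": "svc_backup", "SubjectLogonId": "0x3e7a91",
  "TaskName": "\\Microsoft\\Windows\\Maintenance\\Update",
  "TaskContent": "<Task><Actions><Exec><Command>C:\\Windows\\Temp\\~DEB93D.tmp</Command></Exec></Actions></Task>"},
 {"EventID": 4624, "TimeCreated": "2024-05-01T10:05:00", "Computer": "FILESRV01",
  "TargetUserName": "admin_jane", "TargetLogonId": "0x41c0ff", "LogonType": 2,
  "IpAddress": "127.0.0.1", "WorkstationName": "FILESRV01"},
 {"EventID": 4698, "TimeCreated": "2024-05-01T10:06:00", "Computer": "FILESRV01",
  "SubjectUserName": "admin_jane", "SubjectLogonId": "0x41c0ff",
  "TaskName": "\\Backup\\Nightly",
  "TaskContent": "<Task><Actions><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command></Exec></Actions></Task>"}
]
''')

NETWORK_LOGON = 3                 # LogonType 3: logon over the network (SMB, RPC, ...)
WINDOW = timedelta(minutes=30)    # assumed: how long after the logon a task still counts


def extract_command(task_xml):
    """Return the <Command> of the first <Exec> action in a task definition.
    Real task XML carries the Task Scheduler namespace, so match on the local tag."""
    root = ET.fromstring(task_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "Command":
            return (el.text or "").strip()
    return None


def find_remote_task_creations(events, window=WINDOW):
    """Return 4698 events whose creating logon session started as a network logon
    on the same host within `window` before the task was registered."""
    logons = {}
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == NETWORK_LOGON:
            logons[(e["Computer"], e["TargetLogonId"])] = e

    findings = []
    for e in events:
        if e["EventID"] != 4698:
            continue
        logon = logons.get((e["Computer"], e["SubjectLogonId"]))
        if logon is None:
            continue
        t_logon = datetime.fromisoformat(logon["TimeCreated"])
        t_task = datetime.fromisoformat(e["TimeCreated"])
        if timedelta(0) <= t_task - t_logon <= window:
            findings.append({
                "host": e["Computer"],
                "task": e["TaskName"],
                "account": e["SubjectUserName"],
                "source_ip": logon["IpAddress"],
                "source_host": logon["WorkstationName"],
                "command": extract_command(e["TaskContent"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_remote_task_creations(SAMPLE_EVENTS):
        print(f"{f['host']}: task {f['task']} registered by {f['account']} "
              f"from {f['source_host']} ({f['source_ip']}) -> {f['command']}")
```

Only the first task is reported: its creating session arrived over the network, whereas the second was registered from an interactive local session and is ignored. In production the hit list is still a triage queue rather than an alert on its own, since administrators and deployment tools register tasks remotely too; the command path, the task name and whether the source host normally manages the target are what separate routine administration from the pattern the quote describes.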
Collection
3 techniques
These include keyloggers, which can monitor all actions on systems: running processes, window messages, and so on.
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
Command and Control
5 techniques
It communicates with a command server in India... Both groups above also contain another module, sortXXXX.nls... It seems to be responsible for the malware’s malicious activities, such as command and control communications.
The code in question is part of the Payload DLL, a section of the trojan that sends and receives instructions from an outside source once it has infiltrated a system.
Duqu provides attackers with remote access to compromised computers with the ability to run arbitrary programs, and can theoretically be used to target any organization, Dell said.
"3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."
Other
1 technique
Recent activity
56 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Listed among historically significant sophisticated malware families that drew deep technical analysis.
An information-stealing rootkit described as having been based on Stuxnet.
Malware used to gather information on industrial systems.
An information-stealing malware related to Stuxnet, apparently tailored to steal information from industrial control systems rather than sabotage them.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.