ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

Tool: GeminiDuke

Type: Reconnaissance, Backdoor, Info stealer, Loader

Description (F-Secure): The GeminiDuke toolset consists of a core information stealer, a loader and multiple persistence-related components. Unlike CosmicDuke and PinchDuke, GeminiDuke primarily collects information on the victim computer’s configuration. The collected details include:
• Local user accounts
• Network settings
• Internet proxy settings
• Installed drivers
• Running processes
• Programs previously executed by users
• Programs and services configured to automatically run at startup
• Values of environment variables
• Files and folders present in any user's home folder
• Files and folders present in any user's My Documents
• Programs installed to the Program Files folder
• Recently accessed files, folders and programs

As is common for malware, the GeminiDuke infostealer uses a mutex to ensure that only one instance of itself is running at a time. What is less common is that the name used for the mutex is often a timestamp. We believe these timestamps to be generated during the compilation of GeminiDuke from the local time of the computer being used.
Source: AlienVault OTX
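A defender-side heuristic built on the mutex observation quoted above, added here as an illustration; it is not part of the ETDA card or of F-Secure's report. The timestamp layouts, the benign allow-list and the sample observations are all assumed or constructed, since the report states only that the mutex name is "often a timestamp", not its exact format.

```python
from datetime import datetime

# Timestamp layouts to try (assumed; the report does not state the format).
TIMESTAMP_FORMATS = (
    "%Y-%m-%d %H:%M:%S",
    "%Y%m%d%H%M%S",
    "%d.%m.%Y %H:%M:%S",
    "%Y-%m-%dT%H:%M:%S",
)

# Mutex names from well-known system/application code that would otherwise be
# noise for this heuristic (constructed allow-list, not from the page).
KNOWN_BENIGN = {"Local\\MSCTF.Asm.MutexDefault1", "Global\\ChromeInstallerMutex"}


def parse_timestamp(name):
    """Return a datetime if the mutex name (minus its Local\\ / Global\\ prefix)
    parses as a timestamp in one of the assumed layouts, else None."""
    bare = name.split("\\", 1)[1] if "\\" in name else name
    for fmt in TIMESTAMP_FORMATS:
        try:
            return datetime.strptime(bare, fmt)
        except ValueError:
            continue
    return None


def flag_timestamp_mutexes(observations):
    """observations: iterable of (process_name, mutex_name), e.g. from a sandbox
    or endpoint telemetry export. Returns (process, mutex, parsed_time) triples.
    The parsed time is the value F-Secure reads as the sample's local build time,
    so it can be compared against the PE compile timestamp as a further check."""
    hits = []
    for process, mutex in observations:
        if mutex in KNOWN_BENIGN:
            continue
        ts = parse_timestamp(mutex)
        if ts is not None:
            hits.append((process, mutex, ts.isoformat()))
    return hits


# Constructed sample observations (not real indicators).
SAMPLE_OBSERVATIONS = [
    ("explorer.exe", "Local\\MSCTF.Asm.MutexDefault1"),
    ("svchost_update.exe", "Global\\2014-03-12 09:41:07"),
    ("notepad.exe", "Local\\ZonesCacheCounterMutex"),
    ("wininit32.exe", "20140312094107"),
    ("chrome.exe", "Global\\ChromeInstallerMutex"),
]

if __name__ == "__main__":
    for process, mutex, ts in flag_timestamp_mutexes(SAMPLE_OBSERVATIONS):
        print(f"{process}: mutex {mutex!r} parses as timestamp {ts}")
```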

Last change to this tool card: 22 April 2020

All groups using tool GeminiDuke

APT groups

APT 29, Cozy Bear, The Dukes (Russia; observed 2008 - May 2022)

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]