PowerDuke

PowerDuke is a backdoor trojan that has been delivered to victims through emails carrying Microsoft Word or Excel attachments. The attachments contain legitimate reports from the organization the message claims to come from, but also contain malicious macros that, when run, install a malware downloader on the system. If the downloader runs successfully, it fetches a PNG image from a compromised web server. The PowerDuke trojan is hidden inside that PNG image using steganography, the practice of concealing a file, message, image or video within another file, message, image or video. The downloaded payload is kept only in memory rather than written to disk, for increased stealth. Once the device is infected, the attackers can access sensitive information on the affected machine.
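The page does not say how the payload was embedded in the PNG, so the following is an added triage example rather than PowerDuke's own extraction logic: it parses the PNG chunk structure and flags the cheap carrier tricks an analyst checks first (bytes appended after IEND, non-standard private chunks, CRC mismatches, and IDAT streams that decode to more bytes than the image dimensions account for). The sample images are constructed inline; `build_sample`, `triage_png` and the chunk type `paYl` are names chosen for this example, not indicators from the Volexity report.

```python
import struct
import zlib
from collections import namedtuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}
# Samples per pixel for each PNG colour type (0 grey, 2 RGB, 3 palette, 4 grey+alpha, 6 RGBA).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}

Chunk = namedtuple("Chunk", "ctype data crc_ok")


def make_chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_png(blob):
    """Walk the chunk list up to IEND. Returns (chunks, trailing_bytes)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    chunks = []
    while True:
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        chunks.append(Chunk(ctype, data, crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)))
        pos = end
        if ctype == b"IEND":
            return chunks, blob[pos:]


def triage_png(blob):
    """Return a list of human-readable findings; an empty list means nothing structural stood out."""
    findings = []
    chunks, trailing = parse_png(blob)
    for c in chunks:
        name = c.ctype.decode("latin-1")
        if c.ctype not in KNOWN_CHUNKS:
            findings.append("non-standard chunk %s (%d bytes)" % (name, len(c.data)))
        if not c.crc_ok:
            findings.append("CRC mismatch in %s" % name)
    # Compare what IDAT actually decodes to against what IHDR says the image needs.
    ihdr = next(c for c in chunks if c.ctype == b"IHDR")
    width, height, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", ihdr.data[:13])
    if interlace == 0 and ctype in CHANNELS:
        row_bytes = (width * CHANNELS[ctype] * depth + 7) // 8
        expected = height * (1 + row_bytes)          # +1 for the per-row filter byte
        d = zlib.decompressobj()
        raw = d.decompress(b"".join(c.data for c in chunks if c.ctype == b"IDAT")) + d.flush()
        if len(raw) != expected:
            findings.append("IDAT decodes to %d bytes, expected %d" % (len(raw), expected))
        if d.unused_data:
            findings.append("%d bytes after zlib stream inside IDAT" % len(d.unused_data))
    if trailing:
        findings.append("%d bytes after IEND" % len(trailing))
    return findings


def build_sample(trailing=b"", extra_chunk=None, idat_extra=b""):
    """Constructed 2x2 RGB PNG, optionally with a carrier trick applied (test data, not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + b"\x10\x20\x30" * 2 for _ in range(2))
    png = PNG_SIG + make_chunk(b"IHDR", ihdr)
    if extra_chunk:
        png += make_chunk(*extra_chunk)
    png += make_chunk(b"IDAT", zlib.compress(rows + idat_extra)) + make_chunk(b"IEND", b"")
    return png + trailing


if __name__ == "__main__":
    for label, img in [
        ("clean", build_sample()),
        ("appended", build_sample(trailing=b"MZ" + b"\x90" * 40)),
        ("private chunk", build_sample(extra_chunk=(b"paYl", b"\xaa" * 64))),
        ("oversized IDAT", build_sample(idat_extra=b"\x00" * 50)),
    ]:
        print(label, "->", triage_png(img) or "no structural findings")
```

These checks only see the container. A payload spread across pixel low-order bits leaves the chunk layout and decoded size intact, so an image that passes here still warrants a look at the script or binary that downloaded it, since the decoder itself is what reveals the embedding scheme.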

Reporting

  • November 2016: Advanced persistent threat (APT) group The Dukes, aka Cozy Bear or APT29, is believed to have used the PowerDuke trojan to target U.S. think tanks and non-governmental organizations (NGOs) following Donald Trump’s presidential win. (Volexity)