The Seaduke trojan was first identified in 2014 and is part of the “Duke” malware family used by the cyber-espionage group Cozy Bear, also known as APT 29. It is a low-profile information-stealer, used against few high-value targets and deployed against government-level targets in the United States and Europe. The trojan is highly configurable and hides behind layers of encryption and obfuscation, facilitating the stealing and exfiltration of sensitive data from the compromised device, using over 200 compromised web servers for command and control. Victims are typically infected first with the Cozyduke malware to determine if the target is valuable before installing Seaduke. Attackers can retrieve bot/system information, update bot configuration, upload files, download files, and self-delete the malware from the infected system. Seaduke provides the attackers with the capability to impersonate using Kerberos pass-the-ticket attacks, extract emails from the Microsoft Exchange Server using compromised credentials, archive sensitive information, exfiltrate data via cloud services, and secure file deletion. The cyber-espionage group also uses the Miniduke and Cosmicduke backdoors in their operations.


  • July 2015: Seaduke, latest weapon in the Duke armory. (Symantec)

Technical Details

  • Palo Alto Networks provides technical details on Seaduke and the Duke family of malware, here.