Security Experts:

Connect with us

Hi, what are you looking for?



MiniDuke Malware Targets Government Organizations

Security researchers have uncovered a highly-customized piece of malware that has been leveraging a recently patched exploit in Adobe Reader.

Security researchers have uncovered a highly-customized piece of malware that has been leveraging a recently patched exploit in Adobe Reader.

Dubbed MiniDuke, the backdoor was spotted in the past week targeting government institutions and organizations worldwide. In cooperation with CrySys Lab, researchers at Kaspersky Lab analyzed the attack and discovered a number of high-profile targets in the government sector had been compromised in countries such as the Ukraine, Belgium, Ireland Portugal, Romania and the Czech Republic. Two think-tanks and a healthcare provider in the U.S. were also compromised, as was a research foundation in Hungary.

“This is a very unusual cyberattack,” said Eugene Kaspersky, CEO of Kaspersky Lab, in a statement.

“MiniDuke’s highly customized backdoor was written in Assembler and is very small in size, being only 20kb,” added Kaspersky. 

To compromise the victims, the attackers relied on social engineering, sending the victims malicious PDF files that often involved fake content related to human rights seminar information, Ukraine’s foreign policy and NATO membership plans. These PDF files were rigged with exploits attacking Adobe Reader versions 11 and 10, and were capable of bypassing Adobe Reader’s sandbox.

Once on the system, a small downloader is dropped onto disc that is only 20 KBs in size. According to Kaspersky Lab, when the library is loaded, the downloader uses a set of mathematical calculations to determine the computer’s configuration. This information is in turn used to uniquely encrypt future communications.

“If the target system meets the pre-defined requirements, the malware will use Twitter (unbeknownst to the user) and start looking for specific tweets from pre-made accounts,” according to a blog post by Kaspersky Lab’s Global Research & Analysis Team (GReAT). “These accounts were created by MiniDuke’s Command and Control (C2) operators and the tweets maintain specific tags labeling encrypted URLs for the backdoors.”

These URLs provide access to C2s, which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files, according to the team.

“Based on the analysis, it appears that the MiniDuke’s creators provide a dynamic backup system that also can fly under the radar – if Twitter isn’t working or the accounts are down, the malware can use Google Search to find the encrypted strings to the next C2,” the researchers blogged. “This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed.”

Once the GIF files are downloaded onto the machine, they can carry out a number of malicious activities, including copying and moving files and downloading new malware.

“I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s,” Eugene Kaspersky noted.

“The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous,” he said.

*This story was updated.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


A newly identified threat actor tracked as NewsPenguin has been targeting military organizations in Pakistan with sophisticated malware.