APT reports

The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns

New zero-day used for effective kernel memory injection and stealth

Duqu 2.0: Frequently Asked Questions
Duqu 2.0 Technical Paper (PDF)
Indicators of Compromise (IOC)
Yara rules
Press release

Earlier this year, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several of our internal systems.

Following this finding, we launched a large scale investigation, which led to the discovery of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world – Duqu. The Duqu threat actor went dark in 2012 and was believed to have stopped working on this project – until now. Our technical analysis indicates the new round of attacks include an updated version of the infamous 2011 Duqu malware, sometimes referred to as the stepbrother of Stuxnet. We named this new malware and its associated platform “Duqu 2.0”.

Some of the new 2014-2015 Duqu infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The threat actor behind Duqu appears to have launched attacks at the venues for some of these high level talks. In addition to the P5+1 events, the Duqu 2.0 group has launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau.

In the case of Kaspersky Lab, the attack took advantage of a zero-day in the Windows Kernel, and possibly up to two other, currently patched vulnerabilities, which were zero-day at that time. The analysis of the attack revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected. More details can be found in our technical paper.

From a threat actor point of view, the decision to target a world-class security company must be quite difficult. On one hand, it almost surely means the attack will be exposed – it’s very unlikely that the attack will go unnoticed. So the targeting of security companies indicates that either they are very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet hoping they’d remain undiscovered; and lost.

At Kaspersky Lab, we strongly believe in transparency, which is why we are going public with this information. Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services.

Duqu 2.0 – Indicators of Compromise (IOCs)


Action loaders:





To check your network for Duqu’s 2.0 presence, you can also use the open IOC file available here.

Subscribe now For Kaspersky Lab's APT Intelligence Reports

The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns

Your email address will not be published. Required fields are marked *


  1. Denis V

    “the Duqu 2.0 group has launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau.”

    What does that even mean?

    1. Bb

      There was a large event in Poland, near Krakow and the camps. I suspect they mean the related conferences or events were targeted.

    2. Craig

      Try the Wired article for a non technical explanation focused on what was done & why.

    3. X

      It means that attendees at the event were targeted by the malware.

    4. leon

      It was a concentration camp during WWII where many jews and other not “arians” were murdered by nazis

      1. Cody

        If this appears twice I apologise. I had scripts disabled and it didn’t show up after posting, so I’m trying with scripts enabled.

        Firstly, you’re ignoring context. Context is rather important. He means what does this attack or any malware attack have to do with a historical event (or similar such thing). That is to say, he didn’t ask what it was; he asked what it means, here.

        Secondly, it is Aryan and not ‘arian’. Why do I point this out? Because you’re ignoring context and then being pedantic over your statements (that would be irrelevant if you paid attention to the context). So why shouldn’t I be pedantic over things that are relevant to what you state (although you’re also wrong in some other parts, see below)? Also, while it is true it was during WW 2, the fact is it was more specifically part of the Holocaust. In addition, concentration camps were opened before the war started, just as an aside (not that Auschwitz is one of them).

        Finally, it wasn’t just those who weren’t Aryans. Remember that Hitler wasn’t an Aryan himself, and remember also that they accepted those who were very convenient to them. For example, they were fine with the fact that Ernst Röhm (and he was a Nazi, part of the SA!) was a homosexual until he wasn’t needed or useful. Then came Night of the Long Knives. They also held political prisoners.

        Of course, none of that is actually relevant to this article, is it? No, it isn’t but since you brought it up, I figured I’d finish it (actually, there’s a lot more so I use the word ‘finish’ loosely) for your proper.

        1. Arnie Shore

          Re why bother with ‘Aryan’ versus ‘arian’? IMO if you can’t get the easy stuff right, including spelling, why should we trust you on the difficult stuff?

    5. Googleit

      It is a subtle implication for the origins of duqu and duqu2. think who cares about the liberation of Auschwitz Birkenau. of course this could be considered a conspiracy, but hey – blame it on the Jews, who cares, right?

      1. Vin

        Leave the politics elsewhere, nobody cares.

  2. Robert Fay


  3. Barry

    Greate job!

    Did you use EMET on your workstations to be more protected against unknown exploits?

    Should we expect code changes or new features in KL products to be protected against technic used by Duqu 2?

    How to protect corporate networks against such threads if AV companies are not able to protect own networks? :-/

    1. Kaspersky Labs Supporter

      Nothing is 100% secured in this world. Start using your brain first.

      Their software, Kaspersky Internet Security, will detect the Duqu malware so customers are protected. It was definitely a dumb thing to think that such a large, reputable company wouldn’t uncover this.

      Like Kaspersky said: whoever created the malware will be licking their wounds now that such a ‘valuable’ virus has been detected and blocked.

      For something so complicated it has to be a state actor. Going public was definitely the right thing to do. Who knows other AV companies may have been attacked and have chosen not to go public.

    2. Dio

      I’m also wondering if you guys (or patient zero) were using EMET at the time of the attack – for Microsoft apps.

      1. Costin Raiu

        Unfortunately, there are no mitigation strategies for cve-2015-2360 – EMET can’t stop it either.

    3. ropchain

      EMET will not stop a TTF 0day like CVE-2014-4148, although Kaspersky did not provide information about a possible infection method.

      One way to prevent the exploitation of TTF zero-day vulnerabilities is by disabling the loading of custiom fonts in IE and Office. Microsoft posted a way of denying access to T2EMBED.DLL in their MS14-058 patch advisory: https://technet.microsoft.com/en-us/library/security/ms14-058.aspx

      From the MS Advisory:
      For 32-bit systems, enter the following command at an administrative command prompt:
      Takeown.exe /f “%windir%\system32\t2embed.dll”
      Icacls.exe “%windir%\system32\t2embed.dll” /deny everyone:(F)

      For 64-bit systems, enter the following command at an administrative command prompt:
      Takeown.exe /f “%windir%\system32\t2embed.dll”
      Icacls.exe “%windir%\system32\t2embed.dll” /deny everyone:(F)
      Takeown.exe /f “%windir%\syswow64\t2embed.dll”
      Icacls.exe “%windir%\syswow64\t2embed.dll” /deny everyone:(F)

  4. Steven Rapone

    You need to have several layers of advanced defenses in place starting at the e-mail gateway since ~90% of all malware attacks are delivered via e-mail. Signature based AV simply doesn’t work.

  5. Bongo the Dragon

    Any slightly aware person will realize by now all computing is compromised, even and especially those running fancy anti-virus technology.

    As for the average person…

  6. Jahangir Alam

    Awsome! Keep it up.

  7. Stuart Smith

    Next Gen doesnt rely on signatures, I’d be interested to see if it can get past Cylance


APT trends report Q1 2024

The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox