Duqu is a family of modular espionage malware first publicly reported in September 2011 by the Laboratory of Cryptography and System Security (CrySyS Lab) at the Budapest University of Technology and Economics, after samples were found on systems belonging to a European industrial company. The name derives from the prefix "~DQ" used in the filenames of temporary files the malware created.
Analysts at Symantec, Kaspersky Lab, and CrySyS quickly observed that Duqu shared substantial portions of its codebase with Stuxnet, the worm that disrupted uranium enrichment centrifuges at Iran's Natanz facility. Whereas Stuxnet was a sabotage tool targeting Siemens industrial control systems, Duqu was built primarily for intelligence gathering: keylogging, screen capture, file exfiltration, and reconnaissance of network configurations. Researchers concluded the two were likely developed by the same actor or closely cooperating actors, widely reported in press accounts to be the United States and Israel, though no government has officially claimed responsibility.
Duqu spread in part through a zero-day vulnerability in the Windows kernel (CVE-2011-3402) exploited via a malicious Microsoft Word document. Command-and-control servers were located across multiple countries and used encrypted HTTP traffic, often disguising stolen data inside what appeared to be JPEG image files.
A successor, Duqu 2.0, was disclosed by Kaspersky Lab in June 2015 after the company discovered the malware on its own internal networks. Duqu 2.0 was notable for residing almost entirely in memory, leaving minimal disk artifacts, and for targeting venues connected to the P5+1 negotiations with Iran over the nuclear program, as well as events marking the 70th anniversary of the liberation of Auschwitz.
For IR researchers, Duqu is a key case study in state-sponsored cyber-espionage, the blurred line between sabotage and intelligence operations, and the difficulty of attribution under international law.
Example
In June 2015, Kaspersky Lab announced that Duqu 2.0 had infiltrated its corporate network and the venues hosting P5+1 talks on Iran's nuclear program.
Frequently asked questions
Stuxnet was designed to sabotage Iranian centrifuges by manipulating Siemens PLCs, while Duqu was built for intelligence gathering—stealing keystrokes, files, and network data—despite sharing much of Stuxnet's code.
Keep learning