PowerDuke

PowerDuke achieves persistence by using various Registry Run keys.(Citation: Volexity PowerDuke November 2016)

PowerDuke runs cmd.exe /c and sends the output to its C2.(Citation: Volexity PowerDuke November 2016)

PowerDuke hides many of its backdoor payloads in an alternate data stream (ADS).(Citation: Volexity PowerDuke November 2016)

PowerDuke has a command to write random data across a file and delete it.(Citation: Volexity PowerDuke November 2016)

PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA).(Citation: Volexity PowerDuke November 2016)

PowerDuke uses rundll32.exe to load.(Citation: Volexity PowerDuke November 2016)