APT / THREAT GROUP

COZYDUKE

6 aliases
Last seen: Mar 17, 2026

Intelligence Profile

CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around a core backdoor component. This component can be instructed by the C&C server to download and execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array of functionality. Known CozyDuke modules include:

• Command execution module for executing arbitrary Windows Command Prompt commands
• Password stealer module
• NT LAN Manager (NTLM) hash stealer module
• System information gathering module
• Screenshot module

Threat Analysis

COZYDUKE is a threat actor of known sophistication and undetermined national origin, engaged in cyber operations; its primary motivation and activity patterns are unknown.

Quick Facts

Type: APT / Threat Group
Aliases: 6

Also Known As

• win.cozyduke
• COZYDUKE
• CozyCar
• EuroAPT
• CozyBear
• Cozer

External Intelligence

Malpedia: win.cozyduke

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.