APT / THREAT GROUP
COZYDUKE
6 aliases
Last seen: Mar 17, 2026
Intelligence Profile
CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around
a core backdoor component. This component can be instructed by the C&C server to download
and execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array
of functionality. Known CozyDuke modules include:
• Command execution module for executing arbitrary Windows Command Prompt commands
• Password stealer module
• NT LAN Manager (NTLM) hash stealer module
• System information gathering module
• Screenshot module
Threat Analysis
COZYDUKE is a threat actor of undetermined national origin, engaged in cyber operations; its primary motivation and activity patterns are not established in the available intelligence.
External References
Quick Facts
Type: APT / Threat Group
Aliases: 6
Also Known As
• win.cozyduke
• COZYDUKE
• CozyCar
• EuroAPT
• CozyBear
• Cozer
External Intelligence
Malpedia: win.cozyduke
Research Links
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.