Tracking MiniDionis: CozyCar's New Ride Is Related to Seaduke
April 13, 2026, 8:46 a.m.
Description
A new campaign attributed to CozyDuke threat actors has been identified, utilizing malware called MiniDionis that appears related to Seaduke. The campaign began on July 7, 2015, targeting government organizations and think-tanks in democratic countries through spear phishing emails containing malicious links or attachments. The attack chain involves multi-stage droppers that deliver decoy media files while executing malicious payloads in the background. MiniDionis uses compromised legitimate websites for command and control, employs JSON-based configuration, and communicates over HTTPS using RC4 and AES encryption. The malware includes comprehensive command capabilities for system reconnaissance, file operations, and remote execution. The attackers demonstrate sophisticated techniques including manual HTTP redirection handling and cleanup mechanisms to evade forensic analysis.
Tags
Date
- Created: April 13, 2026, 8:41 a.m.
- Published: April 13, 2026, 8:41 a.m.
- Modified: April 13, 2026, 8:46 a.m.
Indicators
- 122.228.193.115
- 64.244.34.200
- 103.226.132.7
- 103.254.16.168
- www.illuminatistudios.net
- https://www.illuminatistudios.net/mobile/viewer.php
Attack Patterns
- SeaDuke - S0053
- SeaDaddy
- Cozer
- CloudLook
- CloudDuke - S0054
- Forkmeimfamous
- CozyCar - S0046
- CozyDuke
Additional Informations
- Government
- staff.shasta.com
- illuminatistudios.net
- kane-consulting.net
- connectads.com
- secure.hgl.com
- redbluffchamber.com
- ff.whitebirchpaper.com
- extranet.qualityplanning.com
- visionresearch.com
- betawebservices.ntnonline.com
- edadmin.kearsney.com