Anonymous ID: 8ab034 March 15, 2018, 3:47 p.m. No.677614

Payload run type “Q”: This payload is identical to payload K described above, but it doesn’t block execution when a new thread is started. So far, the new code runs asynchronously.

After the payload container is opened and the code is migrated to another process, which can be elevated and protected from security software, the real malicious code is activated. In most cases, it is a simple named-pipe-based backdoor that listens for incoming communications from the orchestrator. In rare cases, on selected machines, it can be a heavy orchestrator module that communicates with the command and control server, works as a bidirectional proxy and comes with a large bundle of secondary plugins.

Source: The Duqu 2.0 Technical Details, p. 44

>>>>Misspelling of the word “Exceeded” in Duqu 2.0

https:// www.csmonitor.com/USA/2011/0922/From-the-man-who-discovered-Stuxnet-dire-warnings-one-year-later/%28page%29/1

https:// en.wikipedia.org/wiki/Duqu

https:// www.fireeye.com/current-threats/recent-zero-day-attacks.html

https:// www.crysys.hu/publications/files/bencsathPBF11duqu.pdf