Untitled

a guest
Mar 15th, 2017
Pterodactyl – A “custom hardware solution to support media copying”; it uses small single-board computers like Raspberry Pi to copy data from an asset computer
SparrowHawk – Keylogger intended for use across multiple architectures and Unix-based platforms
DerStarke – Boot-level rootkit implant for Apple computers
GyrFalcon – Tracks the client of an OpenSSH connection and collects password, username and connection data
SnowyOwl – Uses OpenSSH session to inject code to target asset
HarpyEagle – Hardware-specific tool to gain root access to Apple’s Airport Extreme and Time Capsule
BaldEagle – An exploit for Unix systems’ Hardware Abstraction Layer
MaddeningWhispers – Remote access to devices compromised with the Vanguard exploit
CRUCIBLE – An “automated exploit identification” tool
YarnBall – Covert USB storage for deployment of payloads and storage of exfiltrated data
GreenPacket – Router implant kit
QuarkMatter – Another boot-level rootkit implant for Apple computers
Weeping Angel – Smart TV implant kit (we wrote about it separately)
Hive – Basic implant suite for Windows and Unix setups aimed at “providing an initial foothold for the deployment of other full featured tools”
Honeycomb – Server for data coming from Swindle or Blot proxy servers
CutThroat – Virtual machine system apparently for hosting proxy servers to send asset data to
Bee Sting – iFrame injection technique for HTTP connections
Sontaran – An attempt to compromise the Siemens OpenStage VoIP phone
Secret Squirrel (SQRL) – ???

Remote Development Branch

There isn’t much data on RDB; the only tool listed is for getting at secure databases, so that’s a hint.

Umbrage – This team, among other things, seems to have collected hacker tools and techniques in use around the web, and also sorted through the Hacking Team leak for useful code and documentation — helpful for development or attribution of hacks
ShoulderSurfer – Tool used to extract data from Microsoft Exchange databases

Operational Support Branch

In addition to maintaining some useful all-purpose utilities, OSB creates custom solutions for individual operations or assets, with a focus on compromising Windows machines and apps.

Time Stomper – Used to modify timestamps on files so that they match what an operation or asset requires
Munge Payload – Tool for encrypting payloads and/or modifying them to avoid detection
Magical Mutt – Appears to be a malware-style DLL injector and process monitor
Flash Bang – Hijack that breaks out of the Internet Explorer sandboxed process and then escalates privileges on the target machine
RickyBobby – Basic Windows implant comprising DLLs and scripts that sends its info to listening post server app Cal — yes, they’re Talladega Nights references
Fight Club – Set of infected VLC, WinRAR, TrueCrypt, Shamela and Microsoft Office Standalone installers that deployed RickyBobby instances, for placement on thumbdrives used in an operation
Melomy DriveIn – Hijack of a VLC DLL that launches a RickyBobby instance — unclear if it’s the one in Fight Club
Rain Maker – Compromised portable VLC player that covertly collects files from an air-gapped computer when launched from a user’s USB drive
Improvise – Set of interoperable tools used to collect and exfiltrate data from a Windows, Mac or Linux machine — with bar-themed names (Margarita, Dancefloor, Jukebox) corresponding to the OS
Basic Bit – Keylogger for Windows machines
Fine Dining – Not software exactly but apparently a menu that operatives can order from to get a custom tool for an operation — a fake PDF that launches on a Mac and scours the drive for all audio files, for instance
HammerDrill – CD/DVD monitoring tool that also allows files to be compromised as they’re being written to a disc
Taxman – ???
HyenasHurdle – ???

Automated Implant Branch

AIB seems to concern itself with self-running implants. Many of these are not documented or described, but have file lists that reveal a little about their purpose.

Frog Prince – Fully integrated implant system inclusive of command and control, listening post and implant software
Grasshopper – Highly configurable tool used to place various implants on Windows machines (Cricket is a relative)
Caterpillar – Tool for preparing files acquired from a system for secure transport
AntHill – Appears to be a file management component for installed implants
The Gibson – Appears to be a component of command and control servers and listening posts.
Galleon – Set of nautically themed scripts and tools for securely copying files to a target computer
Assassin – ???
HercBeetle – ???
CandyMountain – ???
Hornet – ???
Cascade – ???
MagicVikings – ???

Network Devices Branch

This branch is all about routers and switches, from industrial-level gear to home devices, all of which require device or class-specific exploits and kits. The leaks largely consist of highly technical test results and developer instructions that only hint at the software’s capabilities.

Cannoli – Implant for Linksys devices
WAG200G – Implant installer for Linksys routers that works alongside Cannoli
Slasher – Appears to be a port monitor
Cinnamon – Implant for Cisco routers
Earl Grey – Another implant possibly for Cisco routers
Aquaman – Implant for Linux-based systems, possibly routers (HGs or home gateways) in particular
Bumble – Implant for HP routers
Perseus – Appears to be an implant for routers using PowerPC architecture
Panda Poke – A “credless” exploit (i.e. requires no login credentials) for Huawei router devices
Panda Flight – Covert tunneling tool for Huawei devices
Panda Sneeze – Unclear purpose but part of the Panda suite along with PandaMitt, PandaScore and others
ChimayRed – Exploit used against MikroTik routers running RouterOS that allows payloads to be installed on the device
Felix – Appears to be a listening post for MikroTik routers
HG – Possibly HunGrrr, general-purpose tool for accessing remote networking devices; used as a component or step in many tests and projects
BuzFuz – ???
Cytolysis – ???
Powerman – ???