{
	"id": "9f8a121e-b371-4a82-b3b9-fe37b35d23b5",
	"created_at": "2026-04-06T02:10:39.058328Z",
	"updated_at": "2026-04-10T03:31:17.862917Z",
	"deleted_at": null,
	"sha1_hash": "04d8fc8cb14713e6bf620cc82605f2db9c42e0bf",
	"title": "Chinese Experts Uncover Details of Equation Group's Bvp47 Covert Hacking Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 186758,
	"plain_text": "Chinese Experts Uncover Details of Equation Group's Bvp47 Covert Hacking Tool\r\nBy The Hacker News\r\nPublished: 2022-02-23 · Archived: 2026-04-06 01:34:46 UTC\r\nResearchers from China's Pangu Lab have disclosed details of a \"top-tier\" backdoor used by the Equation Group, an advanced persistent threat (APT) with alleged ties to the cyber-warfare and intelligence-gathering unit of the U.S. National Security Agency (NSA).\r\nDubbed \"Bvp47\" owing to numerous references to the string \"Bvp\" and the numerical value 0x47 used in its encryption algorithm, the backdoor was extracted from Linux systems \"during an in-depth forensic investigation of a host in a key domestic department\" in 2013.\r\nThe research group codenamed the attacks involving the deployment of Bvp47 \"Operation Telescreen,\" describing the implant as featuring \"advanced covert channel behavior based on TCP SYN packets, code obfuscation, system hiding, and self-destruction design.\"\r\nBvp47 is said to have been used against 287 targets in the academia, economic development, military, science, and telecom sectors across 45 countries, mainly China, Korea, Japan, Germany, Spain, India, and Mexico, while going largely undetected for over a decade.\r\nThe backdoor is also equipped with a remote control function protected by public-key cryptography: activating it requires the attacker's RSA private key, which the researchers said they found in the files published by the Shadow Brokers hacker group in 2016.\r\nhttps://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html\r\nPangu Lab is a research project of Pangu Team, which has a history of jailbreaking Apple iPhones dating all the way back to 2014. 
At the Tianfu Cup hacking contest last year, the white hat team demonstrated several security flaws that allowed a fully patched iPhone 13 Pro running iOS 15 to be jailbroken remotely.\r\nThe Shadow Brokers leaks\r\nEquation Group, designated the \"crown creator of cyber espionage\" by Russian security firm Kaspersky, is the name assigned to a sophisticated adversary that has been active since at least 2001 and has used previously undisclosed zero-day exploits to \"infect victims, retrieve data and hide activity in an outstandingly professional way,\" some of which were later incorporated into Stuxnet.\r\nThe attacks have targeted a variety of sectors in no fewer than 42 countries, including governments, telecom, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, Islamic activists and scholars, media, transportation, financial institutions, and companies developing encryption technologies.\r\nThe group is believed to be linked to the NSA's Tailored Access Operations (TAO) unit, while intrusion activity attributed to a second collective, known as Longhorn (aka The Lamberts), has been tied to the U.S. Central Intelligence Agency (CIA).\r\nEquation Group's malware toolset became public knowledge in 2016 when a group calling itself the Shadow Brokers leaked a tranche of exploits used by the elite hacking team, with Kaspersky uncovering code-level similarities between the leaked files and samples identified as used by the threat actor.\r\nBvp47 as a covert backdoor\r\nThe incident analyzed by Pangu Lab involves two internally compromised servers, an email server (V1) and an enterprise server (V2), plus an external host (A), with a novel two-way communication mechanism used to exfiltrate sensitive data from the systems.\r\n\"There is abnormal communication between external host A and the V1 server,\" the researchers said. 
\"Specifically, A first sends a SYN packet with a 264-byte payload to port 80 of the V1 server, and then the V1 server immediately initiates an external connection to the high-end port of the A machine and maintains a large amount of exchange data.\"\r\nThe trigger arrives on port 80, a port expected to be open on a DMZ host, but the SYN carries data, which an ordinary TCP handshake packet does not; the implant treats that packet as a knock and then connects back out to the operator on a high port, where the bulk of the traffic flows. Because the data connection originates from inside the DMZ, it is far less likely to be blocked or flagged than an inbound one.\r\nSimultaneously, V1 connects to V2 over SMB to perform a number of operations, including logging in to the latter with an administrator account, trying to open terminal services, enumerating directories, and executing PowerShell scripts through scheduled tasks.\r\nV2, for its part, also connects to V1 to retrieve a PowerShell script and an encrypted second-stage payload, the encrypted execution results of which are sent back to V1, which, according to the researchers, \"acts as a data transfer between the A machine and the V2 server.\"\r\nThe Bvp47 backdoor installed on the servers consists of two parts: a loader, which decodes the actual payload and loads it into memory, and the payload itself. \"Bvp47 generally lives in the Linux operating system in the demilitarized zone that communicates with the Internet,\" the researchers said. 
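The SYN-knock-then-callback sequence quoted above is the most detectable part of this design, so here is an added example of the detection logic it implies, written for this page and not taken from the article or from Pangu Lab. It parses constructed IPv4/TCP packets, flags a pure SYN that carries a payload of roughly the reported size, and then looks for the knocked host dialling back to the knock's source on a high port within a few seconds. The address ranges, the payload-length window (200 to 300 bytes) and the five-second correlation window are assumptions for illustration; the article gives only the 264-byte figure and the port-80 trigger.

```python
# Added example, not code from the article or from Pangu Lab: a detector for the
# Bvp47-style trigger described above, run over constructed packets.
# Signals, in order:
#   1. an inbound TCP SYN (SYN set, ACK clear) to a service port that carries a
#      payload; ordinary handshake SYNs are empty, and the article gives 264 bytes
#      (the accepted length range below is an assumption, not a published signature);
#   2. within a short window the SYN's destination host opens a new connection
#      back to the SYN's source on a high (ephemeral) port.
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HDR = struct.Struct('!BBHHHBBH4s4s')   # minimal IPv4 header, 20 bytes
TCP_HDR = struct.Struct('!HHIIBBHHH')     # minimal TCP header, 20 bytes
FLAG_SYN, FLAG_ACK = 0x02, 0x10


@dataclass
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload_len: int

    def is_pure_syn(self) -> bool:
        return bool(self.flags & FLAG_SYN) and not self.flags & FLAG_ACK


def parse_ipv4_tcp(raw: bytes, ts: float) -> Optional[Pkt]:
    # Parse just enough IPv4 and TCP to recover addresses, ports, flags and the
    # payload size; options are skipped via the two header-length fields.
    if len(raw) < IP_HDR.size:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = IP_HDR.unpack_from(raw)
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if len(raw) < ihl + TCP_HDR.size:
        return None
    sport, dport, _, _, off, flags, _, _, _ = TCP_HDR.unpack_from(raw, ihl)
    doff = (off >> 4) * 4
    return Pkt(ts, socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport,
               flags, total_len - ihl - doff)


def build_ipv4_tcp(src: str, sport: int, dst: str, dport: int, flags: int,
                   payload: bytes = b'') -> bytes:
    # Builds constructed test packets only; checksums are left at zero on purpose.
    total_len = IP_HDR.size + TCP_HDR.size + len(payload)
    ip = IP_HDR.pack(0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp + payload


def find_syn_knocks(pkts: List[Pkt], lo: int = 200, hi: int = 300) -> List[Pkt]:
    # Signal 1: a pure SYN that carries data of roughly the reported size.
    return [p for p in pkts if p.is_pure_syn() and lo <= p.payload_len <= hi]


def correlate_callbacks(pkts: List[Pkt], knocks: List[Pkt], window: float = 5.0,
                        high_port: int = 1024) -> List[Tuple[Pkt, Pkt]]:
    # Signal 2: the knocked host dials back to the knock's source on a high port
    # shortly afterwards. Each knock is paired with its first matching callback.
    alerts = []
    for k in knocks:
        for p in pkts:
            if (k.ts < p.ts <= k.ts + window and p.is_pure_syn()
                    and p.src == k.dst and p.dst == k.src and p.dport >= high_port):
                alerts.append((k, p))
                break
    return alerts


def detect(raw_packets: List[Tuple[float, bytes]]) -> List[Tuple[Pkt, Pkt]]:
    pkts = [q for q in (parse_ipv4_tcp(raw, ts) for ts, raw in raw_packets) if q]
    return correlate_callbacks(pkts, find_syn_knocks(pkts))


# Constructed traffic using documentation address ranges (RFC 5737); hosts are
# named after the article: V1 is the DMZ server, A is the external operator.
V1, A, OTHER = '192.0.2.10', '198.51.100.7', '203.0.113.5'
SAMPLE_RAW = [
    (0.0, build_ipv4_tcp(OTHER, 51000, V1, 80, FLAG_SYN)),              # benign empty SYN
    (0.1, build_ipv4_tcp(V1, 80, OTHER, 51000, FLAG_SYN | FLAG_ACK)),   # its SYN-ACK
    (1.0, build_ipv4_tcp(A, 40000, V1, 80, FLAG_SYN, bytes(264))),      # knock: SYN + 264 bytes
    (1.2, build_ipv4_tcp(V1, 44444, A, 41234, FLAG_SYN)),               # V1 dials back to a high port on A
]


def run_demo() -> List[Tuple[Pkt, Pkt]]:
    return detect(SAMPLE_RAW)


if __name__ == '__main__':
    for knock, cb in run_demo():
        print(f'knock {knock.src}:{knock.sport} -> {knock.dst}:{knock.dport} '
              f'({knock.payload_len} B in SYN); callback {cb.src} -> {cb.dst}:{cb.dport} '
              f'{cb.ts - knock.ts:.1f}s later')
```

Run stand-alone it reports one alert for the constructed knock and nothing for the benign empty SYN. In production the same two signals can be derived from Zeek conn logs or NetFlow rather than raw packets; note that TCP Fast Open (RFC 7413) legitimately places data in a SYN, so allowlist known TFO clients before treating every data-bearing SYN as a knock.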
The researchers added: \"It mainly assumes the core control bridge communication role in the overall attack.\"\r\nLinks to the Equation Group\r\nPangu Lab's attribution to Equation Group stems from overlaps with the tooling contained in a GPG-encrypted archive published by the Shadow Brokers, \"eqgrp-auction-file.tar.xz.gpg,\" as part of a failed auction of the cyber weapons in August 2016.\r\n\"In the process of analyzing the 'eqgrp-auction-file.tar.xz.gpg' file, it was found that Bvp47 and the attacking tools in the compressed package were technically deterministic, mainly including 'dewdrops,' 'suctionchar_agents,' 'tipoffs,' 'StoicSurgeon,' 'incision' and other directories,\" the researchers explained.\r\n\"The 'tipoffs' directory contains the RSA asymmetric algorithm private key used in the Bvp47 covert channel [for] command execution and other operations. On this basis, it can be confirmed that Bvp47 is from [the] Equation group.\"\r\nThis is a stronger attribution signal than code similarity alone: the private key that the implant's remote-control function is built to accept is exactly what an operator needs to drive it, so its presence in the leaked toolkit ties that toolkit to whoever could control this backdoor.\r\nThe findings mark the second time hitherto undocumented malware developed by the Equation Group has come to light in as many months. In late December 2021, Check Point Research disclosed details of a diagnostic utility called \"DoubleFeature\" that is used in conjunction with the DanderSpritz malware framework.\r\n\"Judging from the attack tools related to the organization, including Bvp47, Equation group is indeed a first-class hacking group,\" the researchers concluded.\r\n\"The tool is well-designed, powerful, and widely adapted. Its network attack capability equipped by zero-day vulnerabilities was unstoppable, and its data acquisition under covert control was with little effort. The Equation Group is in a dominant position in national-level cyberspace confrontation.\"\r\n
Source: https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html"
	],
	"report_names": [
		"chinese-experts-uncover-details-of.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c91e335e-42be-48d9-96b5-ba56749a723b",
			"created_at": "2022-10-25T16:07:23.458346Z",
			"updated_at": "2026-04-10T02:00:04.616481Z",
			"deleted_at": null,
			"main_name": "CIA",
			"aliases": [
				"Central Intelligence Agency"
			],
			"source_name": "ETDA:CIA",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e993faab-f941-4561-bd87-7c33d609a4fc",
			"created_at": "2022-10-25T16:07:23.460301Z",
			"updated_at": "2026-04-10T02:00:04.617715Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"APT-C-39",
				"Platinum Terminal",
				"The Lamberts"
			],
			"source_name": "ETDA:Longhorn",
			"tools": [
				"Black Lambert",
				"Blue Lambert",
				"Corentry",
				"Cyan Lambert",
				"Fluxwire",
				"Gray Lambert",
				"Green Lambert",
				"Magenta Lambert",
				"Pink Lambert",
				"Plexor",
				"Purple Lambert",
				"Silver Lambert",
				"Violet Lambert",
				"White Lambert"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70db80bd-31b7-4581-accb-914cd8252913",
			"created_at": "2023-01-06T13:46:38.57727Z",
			"updated_at": "2026-04-10T02:00:03.028845Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"the Lamberts",
				"APT-C-39",
				"PLATINUM TERMINAL"
			],
			"source_name": "MISPGALAXY:Longhorn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775441439,
	"ts_updated_at": 1775791877,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04d8fc8cb14713e6bf620cc82605f2db9c42e0bf.pdf",
		"text": "https://archive.orkl.eu/04d8fc8cb14713e6bf620cc82605f2db9c42e0bf.txt",
		"img": "https://archive.orkl.eu/04d8fc8cb14713e6bf620cc82605f2db9c42e0bf.jpg"
	}
}