{ "id": "b5be3900-89fc-411e-80fe-c444cf47d8af", "created_at": "2026-04-06T00:21:28.92094Z", "updated_at": "2026-04-10T13:11:56.9435Z", "deleted_at": null, "sha1_hash": "202147399435f628046aa982a9977c30e3504d2a", "title": "Shadow Brokers - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 63406, "plain_text": "Shadow Brokers - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 18:44:01 UTC\r\nHome \u003e List all groups \u003e Shadow Brokers\r\n Other threat group: Shadow Brokers\r\nNames Shadow Brokers (self given)\r\nCountry USA\r\nMotivation Financial gain\r\nFirst seen 2016\r\nDescription\r\nBreached a server where zero-days accumulated by Equation Group were held, leaked a\r\nlarge section on the internet and tried to sell the rest afterward. Most of the published\r\nvulnerabilities have since been fixed by the respective vendors, but many have been\r\nused by other threat actors. Most notably among the dumps were zero-days such as\r\nETERNALBLUE that were used for the creation of infamous ransomware explosions\r\nsuch as WannaCry and NotPetya.\r\nShadow Brokers turned out to be an ex-NSA contractor.\r\nObserved\r\nTools used\r\nOperations performed\r\nAug 2016\r\nInitial public dump\r\n\u003chttps://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html\u003e\r\nOct 2016\r\n‘Shadow Brokers’ Whine That Nobody Is Buying Their Hacked NSA\r\nFiles\r\n\u003chttps://www.vice.com/en_us/article/53djj3/shadow-brokers-whine-that-nobody-is-buying-their-hacked-nsa-files\u003e\r\nOct 2016\r\nSecond Shadow Brokers dump released\r\n\u003chttps://www.scmagazineuk.com/second-shadow-brokers-dump-released/article/1476023\u003e\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=4c7e8be4-5f97-4ca9-a4bd-eaa1709661c1\r\nPage 1 of 2\n\nMar 2017\nIn March 2017, the ShadowBrokers published a chunk of stolen data that\nincluded two frameworks: DanderSpritz and FuzzBunch.\nApr 2017\nShadow Brokers leaks show U.S. spies successfully hacked Russian,\nIranian targets\nApr 2017\nNew NSA leak may expose its bank spying, Windows exploits\nApr 2017\nShadowBrokers Dump More Equation Group Hacks, Auction File\nPassword\nSep 2017\nShadowBrokers are back demanding nearly $4m and offering 2 dumps\nper month\nSep 2017\nShadowBrokers Release UNITEDRAKE Malware\nCounter operations Nov 2017\nWho Was the NSA Contractor Arrested for Leaking the ‘Shadow Brokers’\nHacking Tools?\nInformation\nLast change to this card: 21 May 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4c7e8be4-5f97-4ca9-a4bd-eaa1709661c1\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=4c7e8be4-5f97-4ca9-a4bd-eaa1709661c1\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=4c7e8be4-5f97-4ca9-a4bd-eaa1709661c1" ], "report_names": [ "showcard.cgi?u=4c7e8be4-5f97-4ca9-a4bd-eaa1709661c1" ], "threat_actors": [ { "id": "b740943a-da51-4133-855b-df29822531ea", "created_at": "2022-10-25T15:50:23.604126Z", "updated_at": "2026-04-10T02:00:05.259593Z", "deleted_at": null, "main_name": "Equation", "aliases": [ "Equation" ], "source_name": "MITRE:Equation", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5", "created_at": "2022-10-25T16:07:24.561104Z", "updated_at": "2026-04-10T02:00:05.03343Z", "deleted_at": null, "main_name": "Shadow Brokers", "aliases": [], "source_name": "ETDA:Shadow Brokers", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "171b85f2-8f6f-46c0-92e0-c591f61ea167", "created_at": "2023-01-06T13:46:38.830188Z", "updated_at": "2026-04-10T02:00:03.114926Z", "deleted_at": null, "main_name": "The Shadow Brokers", "aliases": [ "Shadow Brokers", "ShadowBrokers", "The ShadowBrokers", "TSB" ], "source_name": "MISPGALAXY:The Shadow Brokers", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "08623296-52be-4977-8622-50efda44e9cc", "created_at": "2023-01-06T13:46:38.549387Z", "updated_at": "2026-04-10T02:00:03.020003Z", "deleted_at": null, "main_name": "Equation Group", "aliases": [ "Tilded Team", "EQGRP", "G0020" ], "source_name": "MISPGALAXY:Equation Group", "tools": [ "TripleFantasy", "GrayFish", "EquationLaser", "EquationDrug", "DoubleFantasy" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b", "created_at": "2024-05-01T02:03:08.144214Z", "updated_at": "2026-04-10T02:00:03.674763Z", "deleted_at": null, "main_name": "PLATINUM COLONY", "aliases": [ "Equation Group " ], "source_name": "Secureworks:PLATINUM COLONY", "tools": [ "DoubleFantasy", "EquationDrug", "EquationLaser", "Fanny", "GrayFish", "TripleFantasy" ], "source_id": "Secureworks", "reports": null }, { "id": "e0fed6e6-a593-4041-80ef-694261825937", "created_at": "2022-10-25T16:07:23.593572Z", "updated_at": "2026-04-10T02:00:04.680752Z", "deleted_at": null, "main_name": "Equation Group", "aliases": [ "APT-C-40", "G0020", "Platinum Colony", "Tilded Team" ], "source_name": "ETDA:Equation Group", "tools": [ "Bvp47", "DEMENTIAWHEEL", "DOUBLEFANTASY", "DanderSpritz", "DarkPulsar", "DoubleFantasy", "DoubleFeature", "DoublePulsar", "Duqu", "EQUATIONDRUG", "EQUATIONLASER", "EQUESTRE", "Flamer", "GRAYFISH", "GROK", "OddJob", "Plexor", "Prax", "Regin", "Skywiper", "TRIPLEFANTASY", "Tilded", "UNITEDRAKE", "WarriorPride", "sKyWIper" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434888, "ts_updated_at": 1775826716, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/202147399435f628046aa982a9977c30e3504d2a.pdf", "text": "https://archive.orkl.eu/202147399435f628046aa982a9977c30e3504d2a.txt", "img": "https://archive.orkl.eu/202147399435f628046aa982a9977c30e3504d2a.jpg" } }