{
	"id": "993897fb-9fca-4110-b447-7447291ed18c",
	"created_at": "2026-04-06T00:17:40.4063Z",
	"updated_at": "2026-04-10T03:29:45.354337Z",
	"deleted_at": null,
	"sha1_hash": "50d4b452eb01bd2423250aff63337aefe87572a4",
	"title": "Equation Group firewall operations catalogue",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51186,
	"plain_text": "Equation Group firewall operations catalogue\r\nPublished: 2016-08-16 · Archived: 2026-04-05 16:15:07 UTC\r\nThis week someone auctioning hacking tools obtained from the NSA-based hacking group “Equation Group”\r\nreleased a dump of around 250 megabytes of “free” files for proof alongside the auction.\r\nThe dump contains a set of exploits, implants and tools for hacking firewalls (“firewall operations”). This post\r\naims to be a comprehensive list of all the tools contained or referenced in the dump.\r\nExploits\r\nEGREGIOUSBLUNDER A remote code execution exploit for Fortigate firewalls that exploits an HTTP cookie\r\noverflow vulnerability. It affects models 60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 5000, 1000A, 3600,\r\nand 3600A. The model of the firewall is detected by examining the ETag in the HTTP headers of the firewall. This\r\nis not CVE-2006-6493 as detected by Avast.\r\nELIGIBLEBACHELOR An exploit for TOPSEC firewalls running the TOS operating system, affecting versions\r\n3.2.100.010, 3.3.001.050, 3.3.002.021 and 3.3.002.030. The attack vector is unknown but it has an XML-like\r\npayload that starts with \u003c?tos length=\"001e:%8.8x\"?\u003e.\r\nELIGIBLEBOMBSHELL A remote code execution exploit for TOPSEC firewalls that exploits an HTTP cookie\r\ncommand injection vulnerability, affecting versions 3.2.100.010.1_pbc_17_iv_3 to 3.3.005.066.1. Version\r\ndetection by ETag examination.\r\nWOBBLYLLAMA A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version\r\n3.3.002.030.8_003.\r\nFLOCKFORWARD A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version\r\n3.3.005.066.1.\r\nHIDDENTEMPLE A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version\r\ntos_3.2.8840.1.\r\nCONTAINMENTGRID A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version\r\ntos_3.3.005.066.1.\r\nGOTHAMKNIGHT A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version\r\n3.2.100.010.8_pbc_27. Has no BLATSTING support.\r\nELIGIBLECANDIDATE A remote code execution exploit for TOPSEC firewalls that exploits an HTTP cookie\r\ncommand injection vulnerability, affecting versions 3.3.005.057.1 to 3.3.010.024.1.\r\nELIGIBLECONTESTANT A remote code execution exploit for TOPSEC firewalls that exploits an HTTP POST\r\nparameter injection vulnerability, affecting versions 3.3.005.057.1 to 3.3.010.024.1. This exploit can be tried after\r\nELIGIBLECANDIDATE.\r\nEPICBANANA A privilege escalation exploit against Cisco Adaptive Security Appliance (ASA) and Cisco\r\nPrivate Internet eXchange (PIX) devices. Exploitation takes advantage of default Cisco credentials (password:\r\ncisco). Affects ASA versions 711, 712, 721, 722, 723, 724, 80432, 804, 805, 822, 823, 824, 825, 831, 832 and PIX\r\nversions 711, 712, 721, 722, 723, 724, 804.\r\nESCALATEPLOWMAN A privilege escalation exploit against WatchGuard firewalls of unknown versions that\r\ninjects code via the ifconfig command.\r\nEXTRABACON A remote code execution exploit against Cisco Adaptive Security Appliance (ASA) devices\r\naffecting ASA versions 802, 803, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844. It exploits an\r\noverflow vulnerability using the Simple Network Management Protocol (SNMP) and relies on knowing the\r\ntarget’s uptime and software version.\r\nBOOKISHMUTE An exploit against an unknown firewall using Red Hat 6.0.\r\nFALSEMOREL Allows for the deduction of the “enable” password from data freely offered by an unspecified\r\nfirewall (likely Cisco) and obtains privileged level access using only the hash of the “enable” password. Requires\r\ntelnet to be installed on the firewall’s inside interface.\r\nImplants\r\nBLATSTING A firewall software implant that is used with EGREGIOUSBLUNDER (Fortigate) and\r\nELIGIBLEBACHELOR (TOPSEC).\r\nBANANAGLEE A non-persistent firewall software implant for Cisco ASA and PIX devices that is installed by\r\nwriting the implant directly to memory. Also mentioned in the previously leaked NSA ANT catalogue.\r\nBANANABALLOT A BIOS module associated with an implant (likely BANANAGLEE).\r\nBEECHPONY A firewall implant that is a predecessor of BANANAGLEE.\r\nJETPLOW A firmware persistence implant for Cisco ASA and PIX devices that persists BANANAGLEE. Also\r\nmentioned in the previously leaked NSA ANT catalogue.\r\nSCREAMINGPLOW Similar to JETPLOW.\r\nBARGLEE A firewall software implant for Juniper NetScreen firewalls.\r\nBUZZDIRECTION A firewall software implant for Fortigate firewalls.\r\nFEEDTROUGH A technique for persisting BANANAGLEE and ZESTYLEAK implants for Juniper NetScreen\r\nfirewalls. Also mentioned in the previously leaked NSA ANT catalogue.\r\nJIFFYRAUL A module loaded into Cisco PIX firewalls with BANANAGLEE.\r\nBANNANADAIQUIRI An implant associated with SCREAMINGPLOW. Yes, banana is spelled with three Ns\r\nthis time.\r\nPOLARPAWS A firewall implant. Unknown vendor.\r\nPOLARSNEEZE A firewall implant. Unknown vendor.\r\nZESTYLEAK A firewall software implant for Juniper NetScreen firewalls that is also listed as a module for\r\nBANANAGLEE. Also mentioned in the previously leaked NSA ANT catalogue.\r\nSECONDDATE A packet injection module for BANANAGLEE and BARGLEE.\r\nBARPUNCH A module for BANANAGLEE and BARGLEE implants.\r\nBBALL A module for BANANAGLEE implants.\r\nBBALLOT A module for BANANAGLEE implants.\r\nBBANJO A module for BANANAGLEE implants.\r\nBCANDY A module for BANANAGLEE implants.\r\nBFLEA A module for BANANAGLEE implants.\r\nBMASSACRE A module for BANANAGLEE and BARGLEE implants.\r\nBNSLOG A module for BANANAGLEE and BARGLEE implants.\r\nBPATROL A module for BANANAGLEE implants.\r\nBPICKER A module for BANANAGLEE implants.\r\nBPIE A module for BANANAGLEE and BARGLEE implants.\r\nBUSURPER A module for BANANAGLEE implants.\r\nCLUCKLINE A module for BANANAGLEE implants.\r\nBILLOCEAN Retrieves the serial number of a firewall, to be recorded in operation notes. Used in conjunction\r\nwith EGREGIOUSBLUNDER for Fortigate firewalls.\r\nFOSHO A Python library for creating HTTP exploits.\r\nBARICE A tool that provides a shell for installing the BARGLEE implant.\r\nDURABLENAPKIN A tool for injecting packets on LANs.\r\nBANANALIAR A tool for connecting to an unspecified implant (likely BANANAGLEE).\r\nPANDAROCK A tool for connecting to a POLARPAWS implant.\r\nTURBOPANDA A tool that can be used to communicate with a HALLUXWATER implant. Also mentioned in\r\nthe previously leaked NSA ANT catalogue.\r\nTEFLONDOOR A self-destructing post-exploitation shell for executing an arbitrary file. The arbitrary file is first\r\nencrypted with a key.\r\n1212/DEHEX Converts hexadecimal strings to IP addresses and ports.\r\nXTRACTPLEASING Extracts something from a file and produces a PCAP file as output.\r\nNOPEN A post-exploitation shell consisting of a client and a server that encrypts data using RC6. The server is\r\ninstalled on the target machine.\r\nBENIGNCERTAIN A tool that appears to be for sending certain types of Internet Key Exchange (IKE) packets to\r\na remote host and parsing the response.\r\nSource: https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"references": [
		"https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html"
	],
	"report_names": [
		"equation-group-firewall-operations-catalogue.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434660,
	"ts_updated_at": 1775791785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50d4b452eb01bd2423250aff63337aefe87572a4.pdf",
		"text": "https://archive.orkl.eu/50d4b452eb01bd2423250aff63337aefe87572a4.txt",
		"img": "https://archive.orkl.eu/50d4b452eb01bd2423250aff63337aefe87572a4.jpg"
	}
}