{
	"id": "cf664505-a2fb-4d73-86f2-9e4e48f505fc",
	"created_at": "2026-04-06T00:10:32.992012Z",
	"updated_at": "2026-04-10T13:12:42.042066Z",
	"deleted_at": null,
	"sha1_hash": "6573b4ec603c6899b1713dcd1a23a1cbadb54fc9",
	"title": "ShadowBrokers Dump More Equation Group Hacks, Auction File Password",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39678,
	"plain_text": "ShadowBrokers Dump More Equation Group Hacks, Auction File\r\nPassword\r\nBy Michael Mimoso\r\nPublished: 2017-04-10 · Archived: 2026-04-05 12:52:33 UTC\r\nThe ShadowBrokers’ latest dump of Equation Group hacks focuses on UNIX systems and GSM networks, and\r\nwas accompanied by an open letter to President Trump.\r\nThe mysterious ShadowBrokers, long thought to have given up their cause, released on Saturday additional\r\nhacking tools allegedly belonging to the Equation Group, along with the password guarding the original set of\r\nexploits the group planned to auction off.\r\nThe password was at the tail end of a rambling open letter to President Donald Trump in which the\r\nShadowBrokers expressed their discontent with the administration’s actions in Syria, its defeat on Obamacare, the\r\nremoval of Steve Bannon from the National Security Council and more.\r\n“Respectfully, what the f%\u0026k are you doing? TheShadowBrokers voted for you. TheShadowBrokers supports\r\nyou. TheShadowBrokers is losing faith in you,” the letter begins.\r\nAs for the tools, as in past leaks it appears these are older exploits. They run the gamut from remote code\r\nexecution attacks against enterprise operating systems such as Solaris, Netscape Server, FTP servers, various\r\nwebmail clients and more.\r\nThere are also a number of antiforensics tools that the Equation Group, linked in many circles to the National\r\nSecurity Agency, uses to clean up its tracks after an intrusion.\r\nSaturday’s dump also includes a number of backdoors and post-exploitation remote access shells for UNIX and\r\nSPARC systems, as well as keyloggers, network monitoring tools and kernel-level implants for UNIX systems.\r\n“What is stunning is the way it specifically targets Solaris/HP-UX systems that are most likely used in big\r\ncorporations or telecoms companies,” said a researcher who goes by the handle x0rz. 
“Which means they are in\r\nfor the big fish.”\r\nThe extent of the Equation Group’s reach into its targets is illustrated in a long list of compromised hosts and tools\r\nused against them, including UNIX backdoors PITCHIMPAR and INTONATION.\r\nX0rz was among a handful of researchers who examined the dump over the weekend and posted the files and an\r\nindex for other researchers to examine. X0rz said the Equation Group was particularly invested in exploiting and\r\nattacking GSM core networks. GSM stands for Global System for Mobile Communication, used primarily in\r\nEurope, and is the telephony system for data compression and transmission; there are an estimated five billion GSM\r\nphone users worldwide.\r\nIn one instance, it appears the Equation Group had access to the Pakistan Mobilink GSM network.\r\n“From what I understand they have tools to collect CDRs (Call detail record) that are generated on GSM core\r\nnetworks for billing purpose (who is calling who, etc.),” x0rz said. “They are deep into these systems.”\r\nThere are more than 1,000 files included in the dump and it’s unknown whether any of the vulnerabilities being\r\nexploited remain unpatched.\r\nEdward Snowden, the NSA whistleblower, said in a series of tweets on Saturday that the latest dump does not\r\nrepresent the totality of the NSA’s hacking tools.\r\nIn January, the ShadowBrokers said they were done and were deleting all of their accounts. The group did first put\r\na set of Windows exploits for sale for 750 Bitcoin which included a zero-day exploit for a Windows SMB protocol\r\nflaw. Researcher Jacob Williams looked at the screenshots and surmised the zero day by the price the\r\nShadowBrokers are asking.\r\n“Note that most of the tools have apparently been through multiple revisions, adding apparent legitimacy to the\r\nclaim that these exploits are real,” Williams said. 
“Though another screenshot hints at a possible zero day SMB\r\nexploit, there’s no indication of which exploit names involve SMB (or any other target service).”\r\nThe identity of the ShadowBrokers remains open for debate, and the candidates could be anyone from an\r\nintelligence outfit, to an NSA insider. Saturday’s letter gives no concrete clues as to who they may be, or their\r\nmotivations.\r\nSource: https://threatpost.com/shadowbrokers-dump-more-equation-group-hacks-auction-file-password/124882/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/shadowbrokers-dump-more-equation-group-hacks-auction-file-password/124882/"
	],
	"report_names": [
		"124882"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434232,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6573b4ec603c6899b1713dcd1a23a1cbadb54fc9.pdf",
		"text": "https://archive.orkl.eu/6573b4ec603c6899b1713dcd1a23a1cbadb54fc9.txt",
		"img": "https://archive.orkl.eu/6573b4ec603c6899b1713dcd1a23a1cbadb54fc9.jpg"
	}
}