{
	"id": "91ba537f-2a5f-45da-a4f0-2a01d9c9767a",
	"created_at": "2026-04-06T00:11:09.784214Z",
	"updated_at": "2026-04-10T03:29:45.238569Z",
	"deleted_at": null,
	"sha1_hash": "81a946ac007574284f95b2f69b3c9b14d4c64a39",
	"title": "DoublePulsar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 167554,
	"plain_text": "DoublePulsar\r\nBy Contributors to Wikimedia projects\r\nPublished: 2017-05-15 · Archived: 2026-04-05 16:50:39 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nFor the only known double pulsar star system, see PSR J0737-3039.\r\nDoublePulsar\r\nMalware details\r\nTechnical name\r\nDouble Variant\r\nTrojan:Win32/DoublePulsar (Microsoft)\r\nBackdoor.DoublePulsar (Fortiguard)\r\nDark Variant\r\nTrojan.Darkpulsar (Symantec)[1]\r\nWin32/Equation.DarkPulsar (ESET)[2]\r\nFamily: Pulsar (backdoor family)\r\nAuthor: Equation Group\r\nDoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation\r\nGroup that was leaked by The Shadow Brokers in early 2017.[3][citation needed] The tool infected more than\r\n200,000 Microsoft Windows computers in only a few weeks,[4][5][3][6][7] and was used alongside EternalBlue in\r\nthe May 2017 WannaCry ransomware attack.[8][9][10] A variant of DoublePulsar was first seen in the wild in\r\nMarch 2016, as discovered by Symantec.[11]\r\nSean Dillon, senior analyst of security company RiskSense Inc., first dissected and inspected DoublePulsar.[12][13]\r\nHe said that the NSA exploits are \"10 times worse\" than the Heartbleed security bug, and use DoublePulsar as the\r\nprimary payload. DoublePulsar runs in kernel mode, which grants cybercriminals a high level of control over the\r\ncomputer system.[5] Once installed, it uses three commands: ping, kill, and exec, the latter of which can be used to\r\nload malware onto the system.[12]\r\n1. \"Trojan.Darkpulsar\". Symantec. Archived from the original on 3 October 2019.\r\n2. \"Win32/Equation.DarkPulsar.A | ESET Virusradar\". www.virusradar.com.\r\n3. \"DoublePulsar malware spreading rapidly in the wild following Shadow Brokers dump\". 25 April 2017.\r\n4. Sterling, Bruce. \"Double Pulsar NSA leaked hacks in the wild\". Wired.\r\n5. \"Seriously, Beware the 'Shadow Brokers'\". Bloomberg. 4 May 2017 – via www.bloomberg.com.\r\n6. \"Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage\".\r\n7. \"\u003e10,000 Windows computers may be infected by advanced NSA backdoor\". 21 April 2017.\r\n8. Cameron, Dell (13 May 2017). \"Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It\".\r\n9. Fox-Brewster, Thomas. \"How One Simple Trick Just Put Out That Huge Ransomware Fire\". Forbes.\r\n10. \"Player 3 Has Entered the Game: Say Hello to 'WannaCry'\". blog.talosintelligence.com. 12 May 2017. Retrieved 2017-05-15.\r\n11. \"Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak\". arstechnica.com. 7 May 2019. Retrieved 2019-05-07.\r\n12. \"DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis\". zerosum0x0.blogspot.com. 21 April 2017. Retrieved 2017-05-16.\r\n13. \"NSA's DoublePulsar Kernel Exploit In Use Internet-Wide\". threatpost.com. 24 April 2017. Retrieved 2017-05-16.\r\nSource: https://en.wikipedia.org/wiki/DoublePulsar",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://en.wikipedia.org/wiki/DoublePulsar"
	],
	"report_names": [
		"DoublePulsar"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434269,
	"ts_updated_at": 1775791785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81a946ac007574284f95b2f69b3c9b14d4c64a39.pdf",
		"text": "https://archive.orkl.eu/81a946ac007574284f95b2f69b3c9b14d4c64a39.txt",
		"img": "https://archive.orkl.eu/81a946ac007574284f95b2f69b3c9b14d4c64a39.jpg"
	}
}