{
	"id": "681c97c0-f5df-43e4-8863-acb00973c0a6",
	"created_at": "2026-04-06T00:11:38.108019Z",
	"updated_at": "2026-04-10T13:12:10.773519Z",
	"deleted_at": null,
	"sha1_hash": "8692deb88e1c5fb19fb710e9124315028369c42c",
	"title": "The Shadow Brokers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 165469,
	"plain_text": "The Shadow Brokers\r\nBy Contributors to Wikimedia projects\r\nPublished: 2016-08-18 · Archived: 2026-04-05 13:12:38 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nThe Shadow Brokers (TSB) are a hacker group that emerged during the summer of 2016.[1][2] They published\r\nseveral leaks containing hacking tools, including several zero-day exploits,\r\n[1]\r\n from the \"Equation Group\" who are\r\nwidely suspected to be a branch of the National Security Agency (NSA) of the United States.[3][4] Specifically,\r\nthese exploits and vulnerabilities[5][6] targeted enterprise firewalls, antivirus software, and Microsoft products.[7]\r\nThe Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the\r\nNSA's Tailored Access Operations unit.[8][9][10][4]\r\nSeveral news sources noted that the group's name was likely in reference to a character from the Mass Effect video\r\ngame series.[11][12] Matt Suiche quoted the following description of that character: \"The Shadow Broker is an\r\nindividual at the head of an expansive organization which trades in information, always selling to the highest\r\nbidder. 
The Shadow Broker appears to be highly competent at its trade: all secrets that are bought and sold never\r\nallow one customer of the Broker to gain a significant advantage, forcing the customers to continue trading\r\ninformation to avoid becoming disadvantaged, allowing the Broker to remain in business.\"[13]\r\nEquation Group leaks\r\nWhile the exact date is unclear, reports suggested that the preparation of the leak started at least in the beginning\r\nof August,[14] and that the initial publication occurred August 13, 2016 with a Tweet from a Twitter account\r\n\"@shadowbrokerss\" announcing a Pastebin page[6] and a GitHub repository containing references and instructions\r\nfor obtaining and decrypting the content of a file supposedly containing tools and exploits used by the Equation\r\nGroup. The initial response to the publication was met with some uncertainty about its authenticity.[15]\r\nOn October 31, 2016, The Shadow Brokers published a list of servers supposedly compromised by the Equation\r\nGroup, as well as references to seven supposedly undisclosed tools (DEWDROP, INCISION, JACKLADDER,\r\nORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK and STOICSURGEON) also used by the threat\r\nactor.[16]\r\nOn April 8, 2017, the Medium account used by The Shadow Brokers posted a new update.[17] The post revealed\r\nthe password CrDj”(;Va.*NdlnzB9M?@K2)#\u003edeB7mN to encrypted files released the previous year, which allegedly\r\nhad more NSA hacking tools.[18] This posting explicitly stated that the post was partially in response to President\r\nTrump's attack against a Syrian airfield, which was also used by Russian forces.\r\nApril 14 hacking tool leak\r\nOn April 14, 2017, The Shadow Brokers released, amongst other things, the tools and exploits codenamed:\r\nDANDERSPRITZ, ODDJOB, FUZZBUNCH, DARKPULSAR, ETERNALSYNERGY, ETERNALROMANCE,\r\nETERNALBLUE, EXPLODINGCAN 
and EWOKFRENZY.[19][20][21]\r\nThe leak was suggested to be the \"most damaging release yet\"[19] and CNN quoted Matthew Hickey saying, \"This\r\nis quite possibly the most damaging thing I've seen in the last several years\".[22]\r\nSome of the exploits targeting the Microsoft Windows operating system had been patched in a Microsoft Security\r\nBulletin on March 14, 2017, a month before the leak occurred.[23][24] Some speculated that Microsoft may have\r\nbeen tipped off by the NSA about the release of the exploits.[25]\r\nOver 200,000 systems were infected with tools from this leak within the first two weeks,[26] and in May 2017, the\r\nmajor WannaCry ransomware attack used the ETERNALBLUE exploit on Server Message Block (SMB) to\r\nspread itself.[27] The exploit was also used to help carry out the 2017 NotPetya cyberattack on June 27, 2017.[28]\r\nETERNALBLUE contains kernel shellcode to load the non-persistent DoublePulsar backdoor.[29] This allows for\r\nthe installation of the PEDDLECHEAP payload which would then be accessed by the attacker using the\r\nDanderSpritz Listening Post (LP) software.[30][31]\r\nSpeculations and theories on motive and identity\r\nJames Bamford along with Matt Suiche speculated[32] that an insider, \"possibly someone assigned to the [NSA's]\r\nhighly sensitive Tailored Access Operations\", stole the hacking tools.[33][34] In October 2016, The Washington\r\nPost reported that Harold T. Martin III, a former contractor for Booz Allen Hamilton accused of stealing\r\napproximately 50 terabytes of data from the National Security Agency (NSA), was the lead suspect. Martin had\r\nworked with the NSA's Tailored Access Operations from 2012 to 2015 in a support role. He pleaded guilty to\r\nretaining national defense information in 2019, but it is not clear whether the Shadow Brokers obtained their\r\nmaterial from him. 
The Shadow Brokers continued posting messages that were cryptographically-signed and were\r\ninterviewed by media while Martin was detained.[35]\r\nAlleged Russian ties\r\nEdward Snowden stated on Twitter on August 16, 2016 that \"circumstantial evidence and conventional wisdom\r\nindicates Russian responsibility\"[36] and that the leak \"is likely a warning that someone can prove US\r\nresponsibility for any attacks that originated from this malware server\"[37] summarizing that it looks like\r\n\"somebody sending a message that an escalation in the attribution game could get messy fast\".[38][39]\r\nThe New York Times put the incident in the context of the Democratic National Committee cyber attacks and\r\nhacking of the Podesta emails. As US intelligence agencies were contemplating counter-attacks, the Shadow\r\nBrokers code release was to be seen as a warning: \"Retaliate for the D.N.C., and there are a lot more secrets, from\r\nthe hackings of the State Department, the White House and the Pentagon, that might be spilled as well. One senior\r\nofficial compared it to the scene in The Godfather where the head of a favorite horse is left in a bed, as a\r\nwarning.\"[40]\r\nIn 2019, David Aitel, a computer scientist formerly employed by the NSA, summarized the situation with: \"I don't\r\nknow if anybody knows other than the Russians. And we don't even know if it's the Russians. We don't know at\r\nthis point; anything could be true.\"[41]\r\n1. ^ Ghosh, Agamoni (April 9, 2017). \"'President Trump what the f**k are you doing' say\r\nShadow Brokers and dump more NSA hacking tools\". International Business Times UK. Archived from the\r\noriginal on May 14, 2017. Retrieved April 10, 2017.\r\n2. ^ \"'NSA malware' released by Shadow Brokers hacker group\". BBC News. April 10, 2017. Archived from\r\nthe original on July 22, 2025. Retrieved April 10, 2017.\r\n3. 
^ Brewster, Thomas. \"Equation = NSA? Researchers Uncloak Huge 'American Cyber Arsenal'\". Forbes.\r\nArchived from the original on July 20, 2025. Retrieved November 25, 2020.\r\n4. ^ Sam Biddle (August 19, 2016). \"The NSA Leak is Real, Snowden Documents Confirm\".\r\nThe Intercept. Archived from the original on May 25, 2017. Retrieved April 15, 2017.\r\n5. ^ Nakashima, Ellen (August 16, 2016). \"Powerful NSA hacking tools have been revealed online\". The\r\nWashington Post. Archived from the original on May 19, 2017. Retrieved August 18, 2016.\r\n6. ^ \"Equation Group - Cyber Weapons Auction - Pastebin.com\". August 16, 2016.\r\n7. ^ Dan Goodin (January 12, 2017). \"NSA-leaking Shadow Brokers lob Molotov cocktail before exiting\r\nworld stage\". Ars Technica. Archived from the original on May 24, 2017. Retrieved January 14, 2017.\r\n8. ^ Goodin, Dan (August 16, 2016). \"Confirmed: hacking tool leak came from \"omnipotent\" NSA-tied\r\ngroup\". Ars Technica. Retrieved January 14, 2017.\r\n9. ^ \"The Equation giveaway - Securelist\". August 16, 2016. Archived from the original on August 15, 2017.\r\nRetrieved May 19, 2020.\r\n10. ^ \"Group claims to hack NSA-tied hackers, posts exploits as proof\". August 16, 2016. Archived from the\r\noriginal on May 24, 2017. Retrieved June 15, 2017.\r\n11. ^ \"The 'Shadow Brokers' NSA theft puts the Snowden leaks to shame - ExtremeTech\". Extremetech. August\r\n19, 2016. Archived from the original on May 3, 2017. Retrieved January 20, 2017.\r\n12. ^ \"Shadow Brokers: Hackers Claim to have Breached NSA's Equation Group\". The Daily Dot. August 15,\r\n2016. Archived from the original on May 27, 2017. Retrieved January 20, 2017.\r\n13. ^ \"Shadow Brokers: NSA Exploits of the Week\". Medium.com. August 15, 2016. Archived from the original\r\non February 14, 2017. Retrieved January 20, 2017.\r\n14. 
^ \"The Shadow Brokers: Lifting the Shadows of the NSA's Equation Group?\". August 15, 2016. Archived\r\nfrom the original on June 28, 2017. Retrieved August 18, 2016.\r\n15. ^ Rob Price (August 15, 2016). \"'Shadow Brokers' claim to have hacked an NSA-linked elite computer\r\nsecurity unit\". Business Insider. Archived from the original on June 20, 2025. Retrieved April 15, 2017.\r\n16. ^ \"'Shadow Brokers' Reveal List Of Servers Hacked By The NSA; China, Japan, And Korea The Top 3\r\nTargeted Countries; 49 Total Countries, Including: China, Japan, Germany, Korea, India, Italy, Mexico,\r\nSpain, Taiwan, \u0026 Russia\". Fortuna's Corner. November 1, 2016. Archived from the original on January 16,\r\n2017. Retrieved January 14, 2017.\r\n17. ^ theshadowbrokers (April 8, 2017). \"Don't Forget Your Base\". Medium. Retrieved April 9, 2017.\r\n18. ^ Cox, Joseph (April 8, 2017). \"They're Back: The Shadow Brokers Release More Alleged Exploits\".\r\nMotherboard. Vice Motherboard. Retrieved April 8, 2017.\r\n19. ^ \"NSA-leaking Shadow Brokers just dumped its most damaging release yet\". Ars Technica.\r\nArchived from the original on May 13, 2017. Retrieved April 15, 2017.\r\n20. ^ \"Latest Shadow Brokers dump — owning SWIFT Alliance Access, Cisco and Windows\". Medium. April\r\n14, 2017. Archived from the original on May 18, 2017. Retrieved April 15, 2017.\r\n21. ^ \"misterch0c\". GitHub. Archived from the original on April 9, 2022. Retrieved April 15, 2017.\r\n22. ^ Larson, Selena (April 14, 2017). \"NSA's powerful Windows hacking tools leaked online\". CNNMoney.\r\nArchived from the original on May 1, 2025. Retrieved April 15, 2017.\r\n23. ^ \"Microsoft says users are protected from alleged NSA malware\". AP News. Archived from the original on\r\nJuly 6, 2022. Retrieved April 15, 2017.\r\n24. ^ \"Protecting customers and evaluating risk\". MSRC. 
Archived from the original on October 24, 2017.\r\nRetrieved April 15, 2017.\r\n25. ^ \"Microsoft says it already patched 'Shadow Brokers' NSA leaks\". Engadget. April 15, 2017. Archived\r\nfrom the original on August 22, 2019. Retrieved April 15, 2017.\r\n26. ^ \"Leaked NSA tools, now infecting over 200,000 machines, will be weaponized for years\". CyberScoop.\r\nApril 24, 2017. Retrieved April 24, 2017.\r\n27. ^ \"An NSA-derived ransomware worm is shutting down computers worldwide\". May 12, 2017. Archived\r\nfrom the original on July 11, 2017. Retrieved May 12, 2017.\r\n28. ^ Perlroth, Nicole; Scott, Mark; Frenkel, Sheera (June 27, 2017). \"Cyberattack Hits Ukraine Then Spreads\r\nInternationally\". The New York Times. p. 1. Archived from the original on April 13, 2018. Retrieved June\r\n27, 2017.\r\n29. ^ Sum, Zero (April 21, 2017). \"zerosum0x0: DoublePulsar Initial SMB Backdoor Ring 0 Shellcode\r\nAnalysis\". zerosum0x0. Archived from the original on August 12, 2017. Retrieved November 15, 2017.\r\n30. ^ \"Shining Light on The Shadow Brokers\". The State of Security. May 18, 2017. Archived from the original\r\non September 26, 2022. Retrieved November 15, 2017.\r\n31. ^ \"DanderSpritz/PeddleCheap Traffic Analysis\" (PDF). Forcepoint. February 6, 2018. Archived from the\r\noriginal (PDF) on March 27, 2023. Retrieved February 7, 2018.\r\n32. ^ \"Shadow Brokers: The insider theory\". August 17, 2016.\r\n33. ^ \"Commentary: Evidence points to another Snowden at the NSA\". Reuters. August 23, 2016. Archived\r\nfrom the original on February 24, 2022. Retrieved July 2, 2017.\r\n34. ^ \"Hints suggest an insider helped the NSA \"Equation Group\" hacking tools leak\". Ars Technica. August\r\n22, 2016. Archived from the original on May 18, 2017. Retrieved June 15, 2017.\r\n35. ^ Cox, Joseph (January 12, 2017). \"NSA Exploit Peddlers The Shadow Brokers Call It Quits\".\r\nMotherboard.\r\n36. 
^ \"Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here's why that is\r\nsignificant\". Twitter. August 16, 2016. Archived from the original on August 16, 2016. Retrieved August 22,\r\n2016.\r\n37. ^ \"This leak is likely a warning that someone can prove US responsibility for any attacks that originated\r\nfrom this malware server\". August 16, 2016. Retrieved August 22, 2016.\r\n38. ^ \"TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game\r\ncould get messy fast\". twitter.com. Archived from the original on August 26, 2016. Retrieved August 22,\r\n2016.\r\n39. ^ Price, Rob (August 16, 2016). \"Edward Snowden: Russia might have leaked alleged NSA cyberweapons\r\nas a 'warning'\". Business Insider. Archived from the original on May 1, 2025. Retrieved August 22, 2016.\r\n40. ^ Eric Lipton; David E. Sanger; Scott Shane (December 13, 2016). \"The Perfect Weapon: How Russian\r\nCyberpower Invaded the U.S.\" New York Times. Archived from the original on May 27, 2017. Retrieved\r\nApril 15, 2017.\r\n41. ^ Abdollah, Tami; Tucker, Eric (July 6, 2019). \"Mystery of NSA leak lingers as stolen document case winds\r\nup\". Associated Press. Archived from the original on July 6, 2019.\r\nSource: https://en.wikipedia.org/wiki/The_Shadow_Brokers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/The_Shadow_Brokers"
	],
	"report_names": [
		"The_Shadow_Brokers"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434298,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8692deb88e1c5fb19fb710e9124315028369c42c.pdf",
		"text": "https://archive.orkl.eu/8692deb88e1c5fb19fb710e9124315028369c42c.txt",
		"img": "https://archive.orkl.eu/8692deb88e1c5fb19fb710e9124315028369c42c.jpg"
	}
}