{
	"id": "90237287-0779-428b-a608-5bd5972b7643",
	"created_at": "2026-04-06T01:30:21.303167Z",
	"updated_at": "2026-04-10T13:11:19.555188Z",
	"deleted_at": null,
	"sha1_hash": "8f5dbe09da5b96b9d88678be80c291f3e22a1c3c",
	"title": "NSA-linked Bvp47 Linux backdoor widely undetected for 10 years",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2098569,
	"plain_text": "NSA-linked Bvp47 Linux backdoor widely undetected for 10 years\r\nBy Ionut Ilascu\r\nPublished: 2022-02-24 · Archived: 2026-04-06 01:05:07 UTC\r\nA report released today dives deep into the technical aspects of a Linux backdoor now tracked as Bvp47 that is linked to the Equation Group, the advanced persistent threat actor tied to the U.S. National Security Agency.\r\nBvp47 survived until today almost undetected, despite being submitted to the VirusTotal antivirus database for the first time close to a decade ago, in late 2013.\r\nUntil this morning, only one antivirus engine on VirusTotal detected the Bvp47 sample. As the report spread through the infosec community, detection started to improve, with the sample flagged by six engines at the time of writing.\r\nhttps://www.bleepingcomputer.com/news/security/nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years/\r\nPage 1 of 6\r\nsource: BleepingComputer\r\nThe Equation Group connection\r\nThe Advanced Cyber Security Research team at Pangu Lab, a Chinese cybersecurity company, says that it found the elusive malware in 2013, during a “forensic investigation of a host in a key domestic department.”\r\nThe Bvp47 sample obtained from the forensic investigation proved to be an advanced backdoor for Linux with a remote control function protected by RSA asymmetric cryptography, which means the implant can be enabled only by the holder of the matching private key; the public key recovered from a sample is not enough to drive it.\r\nThey found the private key in the leaks published by the Shadow Brokers hacker group in 2016 and 2017, which contained hacking tools and zero-day exploits used by the NSA’s cyberattack team, the Equation Group.\r\nSome components in the Shadow Brokers leaks were integrated into the Bvp47 framework - “dewdrop” and “solutionchar_agents” - indicating that the implant covered Unix-based operating systems like mainstream Linux distributions, Juniper’s JunOS, FreeBSD, and Solaris.\r\nApart from Pangu Lab attributing the Bvp47 malware to the Equation Group, automated analysis of the backdoor also shows similarities with another sample from the same actor.\r\nKaspersky’s Threat Attribution Engine (KTAE) shows that 34 out of 483 strings match those from another Equation-related sample for Solaris SPARC systems, which in turn had a 30% similarity with yet another Equation malware sample submitted to VirusTotal in 2018 and posted by threat intel researcher Deresz on January 24, 2022.\r\nsource: Kaspersky\r\nCostin Raiu, director of the Global Research and Analysis Team at Kaspersky, told BleepingComputer that Bvp47’s code-level similarities match a single sample in the company’s current malware collection.\r\nThis indicates that the malware was not used extensively, which is typical of hacking tools from high-level threat actors, who reserve them for highly targeted attacks.\r\nIn the case of the Bvp47 Linux backdoor, Pangu Lab researchers say that it was used against targets in the telecom, military, higher-education, economic, and science sectors.\r\nThey note that the malware hit more than 287 organizations in 45 countries and went largely undetected for over 10 years.\r\nsource: Pangu Lab\r\nAttack stages\r\nPangu Lab’s incident analysis involved three servers: one that was the target of an external attack and two internal machines, an email server and a business server.\r\nsource: Pangu Lab\r\nAccording to the researchers, the threat actor established a connection between the external server and the email server via a TCP SYN packet carrying a 264-byte payload. A SYN normally carries no data (TCP Fast Open being the rare exception), so such a packet works as a covert knock and, equally, as a detection opportunity for anyone inspecting traffic at the perimeter.\r\n“At almost the same time, the [email] server connects to the [business] server's SMB service and performs some sensitive operations, including logging in to the [business] server with an administrator account, trying to open terminal services, enumerating directories, and executing PowerShell scripts through scheduled tasks” - Pangu Lab\r\nThe business server then connected to the email machine to download additional files, “including the PowerShell script and the encrypted data of the second stage.”\r\nAn HTTP server is started on one of the two compromised machines, serving two HTML files to the other. One of the files is a base64-encoded PowerShell script that downloads “index.htm,” which contains asymmetrically encrypted data.\r\nA connection between the two internal machines is used to exchange encrypted data via “its own protocol,” Pangu Lab researchers say in their report.\r\nThe researchers were able to reconstruct the communication between the servers and summarized it in the following steps, where machine A is the external system and V1/V2 are the email and business server, respectively:\r\n1. Machine A connects to port 80 of the V1 server to send a knock request and start the backdoor program on the V1 server\r\n2. The V1 server connects back to a high port on machine A to establish a data pipeline\r\n3. The V2 server connects to the backdoor web service opened on the V1 server and obtains PowerShell execution from the V1 server\r\n4. The V1 server connects to the SMB service port of the V2 server to perform command operations\r\n5. The V2 server establishes a connection with the V1 server on the high port and uses its own encryption protocol for data exchange\r\n6. The V1 server synchronizes data interaction with machine A, acting as a relay between machine A and the V2 server\r\nReferring to the communication pattern between the three servers described above, the researchers assess that the backdoor is the creation of “an organization with strong technical capabilities.”\r\nSource: https://www.bleepingcomputer.com/news/security/nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years/",
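	"added_example_rsa_gated_activation": "Added example, not code from the article, from Pangu Lab, or from the Bvp47 sample: the activation pattern the article describes, an implant that embeds only an RSA public key and accepts a remote-control knock only if it was signed with the matching private key. The knock layout (timestamp, nonce, signature), the freshness and replay checks, and all function names are assumptions made for this example. It uses the Python standard library only, so RSA key generation and PKCS#1 v1.5 signing are implemented inline; a production tool would take them from a vetted library.

```python
# Added example of public-key gated activation; illustrative, not Bvp47's own format or protocol.
# Standard library only, so RSA (PKCS#1 v1.5 signatures over SHA-256) is implemented here.
import hashlib
import secrets
import struct
import time

RSA_BITS = 1024            # example size chosen for speed; real deployments use 2048 or more
KNOCK_MAX_SKEW = 300       # seconds; rejects knocks replayed long after capture
_SHA256_DIGESTINFO = bytes.fromhex('3031300d060960864801650304020105000420')  # DER prefix, RFC 8017


def _is_probable_prime(n, rounds=40):
    # Miller-Rabin with random bases; sufficient for a demonstration key.
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top and bottom bits set
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=RSA_BITS):
    # Returns (public, private) as (n, e) and (n, d).
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _encode_digest(message, k):
    # EMSA-PKCS1-v1_5 encoding of SHA-256(message) into a k-byte block (RFC 8017 section 9.2).
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return bytes([0, 1]) + bytes([255]) * (k - len(t) - 3) + bytes([0]) + t


def rsa_sign(private_key, message):
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_encode_digest(message, k), 'big'), d, n).to_bytes(k, 'big')


def rsa_verify(public_key, message, signature):
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, 'big')
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, 'big')
    return secrets.compare_digest(recovered, _encode_digest(message, k))


# Knock layout (assumed for this example): 8-byte unix time | 16-byte nonce | signature.
def build_knock(private_key, now=None):
    # Operator side: only the private-key holder can produce an accepted knock.
    header = struct.pack('>Q', int(now if now is not None else time.time())) + secrets.token_bytes(16)
    return header + rsa_sign(private_key, header)


def verify_knock(public_key, knock, seen_nonces, now=None):
    # Implant side: embeds only the public key, so the sample alone cannot forge a knock.
    # Returns a short reason string; 'accepted' means the backdoor would be activated.
    n, _ = public_key
    k = (n.bit_length() + 7) // 8
    if len(knock) != 24 + k:
        return 'bad length'
    header, signature = knock[:24], knock[24:]
    if not rsa_verify(public_key, header, signature):
        return 'bad signature'          # tampered, or produced without the private key
    ts = struct.unpack('>Q', header[:8])[0]
    if abs((now if now is not None else time.time()) - ts) > KNOCK_MAX_SKEW:
        return 'stale'
    nonce = header[8:24]
    if nonce in seen_nonces:
        return 'replay'
    seen_nonces.add(nonce)
    return 'accepted'


def scenario():
    # Operator knock accepted; replayed, tampered and foreign-key knocks rejected.
    pub, priv = generate_keypair()
    _, stranger_priv = generate_keypair()     # an attacker who lacks the operator's private key
    seen = set()
    knock = build_knock(priv)
    tampered = knock[:8] + bytes([knock[8] ^ 1]) + knock[9:]
    return {
        'operator': verify_knock(pub, knock, seen),
        'replay': verify_knock(pub, knock, seen),
        'tampered': verify_knock(pub, tampered, seen),
        'stranger': verify_knock(pub, build_knock(stranger_priv), seen),
    }


if __name__ == '__main__':
    print(scenario())
```

Running scenario() shows why the public key recovered from a sample is not enough to drive the implant and why the private key found in the Shadow Brokers leak mattered: only the operator's knock is accepted, while a replayed knock, a tampered knock and a knock signed with a different key are all rejected before any command path is reached.",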
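	"added_example_syn_payload_detection": "Added example, not from the article or the Pangu Lab report: detection logic for the first stage described above, a TCP SYN that carries a payload. It parses raw IPv4/TCP bytes with the Python standard library, flags initial SYNs that carry data, and records whether a TCP Fast Open cookie option (RFC 7413) is present, the one RFC-sanctioned reason for data in a SYN. The sample packets, addresses and ports are constructed here; the 264-byte payload size comes from the article, everything else is an assumption.

```python
# Added example: flag TCP SYN packets that carry a payload (the knock the article describes).
# Parses raw IPv4/TCP bytes; sample traffic is constructed inline. Not Pangu Lab's code.
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10
TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_FAST_OPEN = 0, 1, 34   # kind 34: RFC 7413 TFO cookie


def _tcp_has_option(options, wanted_kind):
    # Walk the TCP option TLVs; malformed lengths end the walk without raising.
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_END:
            return False
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return False
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return False
        if kind == wanted_kind:
            return True
        i += length
    return False


def inspect_ipv4(packet):
    # Returns None for anything that is not an initial SYN with data, otherwise a finding dict.
    # Raises ValueError on malformed headers so the caller can count parse failures separately.
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError('not IPv4')
    ihl = (packet[0] & 0x0F) * 4
    total_len, proto = struct.unpack_from('>H', packet, 2)[0], packet[9]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError('bad IPv4 lengths')
    if proto != 6:
        return None
    tcp = packet[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError('truncated TCP header')
    sport, dport = struct.unpack_from('>HH', tcp, 0)
    data_offset = (tcp[12] >> 4) * 4
    flags = tcp[13]
    if data_offset < 20 or data_offset > len(tcp):
        raise ValueError('bad TCP data offset')
    if not flags & TCP_SYN or flags & TCP_ACK:
        return None                      # only the first packet of a handshake is of interest
    payload_len = len(tcp) - data_offset
    if payload_len == 0:
        return None                      # ordinary SYN
    return {
        'src': '.'.join(str(b) for b in packet[12:16]),
        'dst': '.'.join(str(b) for b in packet[16:20]),
        'sport': sport,
        'dport': dport,
        'payload_len': payload_len,
        # TCP Fast Open is the one legitimate reason for data in a SYN; treat it as lower severity.
        'fast_open': _tcp_has_option(tcp[20:data_offset], TCP_OPT_FAST_OPEN),
    }


def build_syn(src, dst, sport, dport, options=b'', payload=b''):
    # Constructs a minimal IPv4/TCP SYN for testing. Checksums are left zero; the detector ignores them.
    options = options + bytes(-len(options) % 4)          # pad options to a 32-bit boundary
    data_offset = 20 + len(options)
    tcp = struct.pack('>HHIIBBHHH', sport, dport, 0x1000, 0, (data_offset // 4) << 4, TCP_SYN, 65535, 0, 0)
    tcp += options + payload
    ip = struct.pack('>BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split('.')), bytes(int(x) for x in dst.split('.')))
    return ip + tcp


def scan(packets):
    # Runs the detector over a batch of packets and returns only the findings.
    return [f for f in (inspect_ipv4(p) for p in packets) if f]


if __name__ == '__main__':
    samples = [
        build_syn('203.0.113.10', '192.0.2.25', 40000, 80),                        # normal handshake
        build_syn('203.0.113.10', '192.0.2.25', 40001, 80, payload=bytes(264)),    # 264-byte knock
        build_syn('203.0.113.10', '192.0.2.25', 40002, 443,
                  options=bytes([34, 10]) + bytes(8), payload=b'GET / HTTP/1.1'),  # TFO: benign data
    ]
    for finding in scan(samples):
        print(finding)
```

In practice the same check is applied to packets from a capture or a sensor tap. Alerting on any SYN that carries data and has no Fast Open option is cheap because the condition never occurs in a normal handshake, and the recorded payload length then becomes a pivot for hunting other knocks of the same size.",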
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years/"
	],
	"report_names": [
		"nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439021,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f5dbe09da5b96b9d88678be80c291f3e22a1c3c.pdf",
		"text": "https://archive.orkl.eu/8f5dbe09da5b96b9d88678be80c291f3e22a1c3c.txt",
		"img": "https://archive.orkl.eu/8f5dbe09da5b96b9d88678be80c291f3e22a1c3c.jpg"
	}
}