{
	"id": "5378dbb9-38a6-4392-a0c3-24779784295d",
	"created_at": "2026-04-06T01:31:43.273478Z",
	"updated_at": "2026-04-10T03:31:17.828309Z",
	"deleted_at": null,
	"sha1_hash": "927f4a570eb2dbe2ed05bbd55d7014e95d84bd43",
	"title": "WikiLeaks - Vault 8",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 108114,
	"plain_text": "WikiLeaks - Vault 8\r\nArchived: 2026-04-06 01:15:17 UTC\r\nToday, 9 November 2017, WikiLeaks publishes the source code and development logs to Hive, a major component of the CIA infrastructure to control its malware.\r\nHive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. With Hive, even if an implant is discovered on a target computer, attributing it to the CIA is difficult by looking only at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.\r\nHive can serve multiple operations using multiple implants on target computers. Each operation anonymously registers at least one cover domain (e.g. \"perfectly-boring-looking-domain.com\") for its own use. The server running the domain website is rented from commercial hosting providers as a VPS (virtual private server) and its software is customized according to CIA specifications. These servers are the public-facing side of the CIA back-end infrastructure and act as a relay for HTTP(S) traffic over a VPN connection to a \"hidden\" CIA server called 'Blot'.\r\nhttps://wikileaks.org/vault8/\r\nThe cover domain delivers 'innocent' content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website. The only peculiarity is not visible to non-technical users: an HTTPS server option that is not widely used, Optional Client Authentication. Hive uses Optional Client Authentication so that a user browsing the website is not required to authenticate (it is optional), but implants talking to Hive do authenticate themselves with a client certificate and can therefore be recognized by the Blot server. Traffic from authenticated implants is forwarded to an implant operator management gateway called Honeycomb (see graphic above), while all other traffic goes to a cover server that delivers the unsuspicious content to all other users.\r\nDigital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow, pretending to be signed by Thawte Premium Server CA, Cape Town. Such a certificate only passes a casual look at its subject and issuer names; it would not validate against the genuine Thawte CA key. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.\r\nThe documentation for Hive is available from the WikiLeaks Vault7 series.\r\nSource: https://wikileaks.org/vault8/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://wikileaks.org/vault8/"
	],
	"report_names": [
		"vault8"
	],
	"threat_actors": [
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39",
				"Longhorn",
				"The Lamberts",
				"Vault7"
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439103,
	"ts_updated_at": 1775791877,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/927f4a570eb2dbe2ed05bbd55d7014e95d84bd43.pdf",
		"text": "https://archive.orkl.eu/927f4a570eb2dbe2ed05bbd55d7014e95d84bd43.txt",
		"img": "https://archive.orkl.eu/927f4a570eb2dbe2ed05bbd55d7014e95d84bd43.jpg"
	}
}