{
	"id": "2d0f03a8-78cf-4440-b7b3-0d05909b9b15",
	"created_at": "2026-04-06T00:11:02.486126Z",
	"updated_at": "2026-04-10T13:11:41.92076Z",
	"deleted_at": null,
	"sha1_hash": "947e062922937eae5296e3d7ced0f0ef181c07b5",
	"title": "DarkPulsar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1322918,
	"plain_text": "DarkPulsar\r\nBy Andrey Dolgushev\r\nPublished: 2018-10-19 · Archived: 2026-04-02 12:19:09 UTC\r\nIn March 2017, the ShadowBrokers published a chunk of stolen data that included two frameworks: DanderSpritz\r\nand FuzzBunch.\r\nDanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled\r\nmachines. It is written in Java and provides a graphical window-based interface similar to botnet administration panels\r\nas well as a Metasploit-like console interface. It also includes its own backdoors and plugins for victims that are not controlled through FuzzBunch.\r\nDanderSpritz interface\r\nFuzzBunch, on the other hand, provides a framework in which different utilities interact and work together. It contains\r\nvarious types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. Each plugin in the FuzzBunch framework consists of three\r\nfiles:\r\n%pluginName%-version.fb\r\nThis is the framework’s utility file. It duplicates the header from the XML file and includes the plugin’s ID.\r\n%pluginName%-version.exe\r\nThis executable is launched when FuzzBunch receives the command to do so.\r\nhttps://securelist.com/darkpulsar/88199/\r\nPage 1 of 11\n\n%pluginName%-version.xml\r\nThis configuration file describes the plugin’s input and output parameters: the parameter name, its type and a\r\ndescription of what it is responsible for; all of these can be shown in FuzzBunch as a prompt. This file also\r\ncontributes a lot to the framework’s usability, as it supports the specification of default parameters.\r\nOne of the most interesting FuzzBunch plugin categories is ImplantConfig, which includes plugins designed to\r\ncontrol infected machines through an implant at the post-exploitation stage. 
DarkPulsar belongs to this category: it is the\r\nadministrative module for a passive backdoor named ‘sipauth32.tsp’ that provides remote control of the infected\r\nmachine.\r\nIt supports the following commands:\r\nBurn\r\nRawShellcode\r\nEDFStagedUpload\r\nDisableSecurity\r\nEnableSecurity\r\nUpgradeImplant\r\nPingPong\r\nBurn, RawShellcode, UpgradeImplant and PingPong remove the implant, run arbitrary code, upgrade the implant\r\nand check whether the backdoor is installed on a remote machine, respectively. The purpose of the other commands is\r\nless obvious and, to make matters worse, the leaked framework contained only the administrative module for working\r\nwith DarkPulsar’s backdoor, not the backdoor itself.\r\nWhile analyzing the administrative module, we noticed several constants that are used to encrypt the traffic\r\nbetween the C\u0026C and the implant:\r\nWe thought that these constants would probably also appear in the backdoor, so we created a detection for them.\r\nSeveral months later we found our mysterious DarkPulsar backdoor. We were later able to find both 32- and 64-bit\r\nversions.\r\nWe found around 50 victims located in Russia, Iran and Egypt, typically running Windows Server 2003/2008.\r\nTargets were related to nuclear energy, telecommunications, IT, aerospace and R\u0026D.\r\nDarkPulsar technical highlights\r\nThe DarkPulsar implant is a dynamic library whose payload is implemented in exported functions. These\r\nfunctions can be grouped as follows:\r\n1. Two nameless functions used to install the backdoor in the system.\r\n2. Functions with names related to TSPI (Telephony Service Provider Interface) operations that ensure the\r\nbackdoor is in the autorun list and launched automatically.\r\n3. A function with a name related to SSPI (Security Support Provider Interface) operations. 
It implements\r\nthe main malicious payload.\r\nThe implementations of the SSPI and TSPI interfaces are minimal: the functions exported by\r\nDarkPulsar have the same names as the interface functions, but they contain malicious code instead of a\r\ntelephony service.\r\nThe implant is installed in the system by a nameless exported function. The backdoor is launched by calling\r\nSecur32.AddSecurityPackage with administrator privileges, passing the path to its own library as the parameter,\r\nwhich causes lsass.exe to load DarkPulsar as an SSP/AP and to call its exported function SpLsaModeInitialize, which\r\nDarkPulsar uses to initialize the backdoor. In this way AddSecurityPackage is used to inject code into lsass.exe. The installer also\r\nadds the library name under HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Telephony\\Providers.\r\nProviders listed there are loaded at start by the Telephony service (TapiSrv), which is launched alongside the Remote Access Connection\r\nManager (RasMan) service; the startup type is set to “Automatic” so that this happens at boot. When loading the telephony service provider’s\r\nlibrary, TapiSrv calls TSPI_lineNegotiateTSPIVersion, which contains the AddSecurityPackage call that performs the\r\ninjection into lsass.exe.\r\nDarkPulsar implements its payload by installing hooks on SpAcceptLsaModeContext, the function responsible\r\nfor authentication. These hooks are placed in several system authentication packages inside lsass.exe and\r\nallow DarkPulsar to control the authentication process for the following protocols:\r\nMsv1_0.dll – for the NTLM protocol,\r\nKerberos.dll – for the Kerberos protocol,\r\nSchannel.dll – for the TLS/SSL protocols,\r\nWdigest.dll – for the Digest protocol, and\r\nLsasrv.dll – for the Negotiate protocol.\r\nWith these hooks in place, DarkPulsar can embed its own traffic in these system protocols. 
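The persistence and injection chain just described (a provider entry under the Telephony Providers registry key, the sipauth32.tsp library, its load into lsass.exe through AddSecurityPackage) and the network trace noted in the detection section near the end of the article give a defender a short list of host artifacts to look for. The following Python script is an added triage example, not code from the original article or from the leaked tooling. Its inputs are constructed stand-ins for the registry values, a file hash, the lsass.exe module list and netstat -ano output; the Finding class, the severity scale, the is_domain_controller switch and the triage() helper are this example's own choices, and the port and address values in the sample are made up.

```python
# Added triage example: checks plain data collected from a Windows host for the DarkPulsar
# artifacts this article describes. Not code from the article or from the leaked tooling.
import hashlib
from dataclasses import dataclass

IMPLANT_NAME = 'sipauth32.tsp'
IMPLANT_MD5 = '96f10cfa6ba24c9ecd08aa6d37993fe4'   # implant MD5 from the article's IOC list
TSP_PROVIDERS_KEY = 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Telephony\\Providers'
SMB_PORT = 445
SEP = chr(92)   # a lone backslash, spelled out so the path handling below stays readable


@dataclass(frozen=True)
class Finding:
    severity: str   # 'confirmed', 'high' or 'review' (this example's own scale)
    detail: str


def _basename(path: str) -> str:
    # Registry data and module lists may carry full paths with either separator.
    return path.rsplit(SEP, 1)[-1].rsplit('/', 1)[-1].lower()


def check_tsp_providers(values: dict) -> list:
    # values: value name -> data under TSP_PROVIDERS_KEY (ProviderFileName0 = unimdm.tsp, ...).
    # TapiSrv loads every listed provider at start, so an entry here is the persistence hook.
    return [Finding('high', f'{TSP_PROVIDERS_KEY}: {name} = {data}')
            for name, data in sorted(values.items())
            if name.lower().startswith('providerfilename') and _basename(data) == IMPLANT_NAME]


def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def check_implant_file(path: str, md5_hex: str) -> list:
    # The IOC MD5 pins one build; the article reports 32- and 64-bit versions, so a name
    # match with a different hash is still worth a look rather than a clean result.
    if _basename(path) != IMPLANT_NAME:
        return []
    if md5_hex.lower() == IMPLANT_MD5:
        return [Finding('confirmed', f'{path} matches IOC MD5 {IMPLANT_MD5}')]
    return [Finding('high', f'{path} present but MD5 {md5_hex} differs from the IOC (other build?)')]


def check_lsass_modules(module_paths: list) -> list:
    # A telephony provider has no business inside lsass.exe; AddSecurityPackage is how it got there.
    return [Finding('high', f'lsass.exe has loaded {p}') for p in module_paths
            if _basename(p) == IMPLANT_NAME]


def parse_netstat(text: str) -> list:
    # TCP rows of netstat -ano -> (local_port, state, pid). UDP rows lack a state column and are skipped.
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == 'TCP':
            rows.append((int(parts[1].rsplit(':', 1)[1]), parts[3], int(parts[4])))
    return rows


def check_lsass_sockets(netstat_text: str, pid_names: dict, is_domain_controller: bool = False) -> list:
    # pid_names: PID -> image name (from tasklist). On a member server lsass.exe should own no
    # sockets; on a domain controller it legitimately listens (Kerberos, LDAP), so only port 445
    # sightings are reported there. Port 445 itself belongs to System (PID 4), which is why the
    # article says the implant traffic shows up only under the System process.
    findings = []
    for port, state, pid in parse_netstat(netstat_text):
        if pid_names.get(pid, '').lower() != 'lsass.exe':
            continue
        if is_domain_controller and port != SMB_PORT:
            continue
        findings.append(Finding('review', f'lsass.exe (PID {pid}) owns a socket: local port {port}, {state}'))
    return findings


# Constructed sample data standing in for a live collection (not real captures from a victim).
SAMPLE_PROVIDERS = {'NumProviders': 3, 'NextProviderID': 4,
                    'ProviderID0': 1, 'ProviderFileName0': 'unimdm.tsp',
                    'ProviderID1': 2, 'ProviderFileName1': 'kmddsp.tsp',
                    'ProviderID2': 3, 'ProviderFileName2': 'sipauth32.tsp'}
SAMPLE_FILE = ('C:\\Windows\\System32\\sipauth32.tsp',
               md5_of(b'constructed stand-in bytes, not the real implant'))
SAMPLE_LSASS_MODULES = ['C:\\Windows\\System32\\lsasrv.dll', 'C:\\Windows\\System32\\msv1_0.dll',
                        'C:\\Windows\\System32\\sipauth32.tsp']
SAMPLE_NETSTAT = '''
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:445           10.0.0.77:49213        ESTABLISHED     4
  TCP    10.0.0.5:49171         10.0.0.77:49214        ESTABLISHED     512
  TCP    10.0.0.5:49172         10.0.0.77:49215        ESTABLISHED     512
  UDP    0.0.0.0:123            *:*                                    1020
'''
SAMPLE_PIDS = {4: 'System', 512: 'lsass.exe', 700: 'svchost.exe', 1020: 'svchost.exe'}


def triage(providers=SAMPLE_PROVIDERS, implant_file=SAMPLE_FILE, lsass_modules=SAMPLE_LSASS_MODULES,
           netstat_text=SAMPLE_NETSTAT, pid_names=SAMPLE_PIDS, is_domain_controller=False) -> list:
    # Runs all four checks and returns the findings in the order of the attack chain.
    return (check_tsp_providers(providers) + check_implant_file(*implant_file)
            + check_lsass_modules(lsass_modules)
            + check_lsass_sockets(netstat_text, pid_names, is_domain_controller))


if __name__ == '__main__':
    for f in triage():
        print(f'[{f.severity}] {f.detail}')
```

On a live host the same functions would be fed from the registry key, the file on disk, the modules loaded into lsass.exe, and netstat -ano together with tasklist for the PID map. A .tsp loaded by lsass.exe or a non-DC lsass.exe owning sockets is worth escalating even when the MD5 differs, since the article reports both 32- and 64-bit builds and the IOC hash covers only one of them.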
Because the backdoor’s traffic follows the standard system paths for these protocols, it is\r\nreflected only in the System process: the backdoor uses the system\r\nports reserved for the above protocols without hindering their normal operation.\r\nNetwork traffic during successful connection to DarkPulsar implant\r\nThe second advantage of controlling the authentication process is the ability to obtain access to objects that require\r\nauthentication, such as the process list, the remote registry and the file system over SMB, without entering a valid username and\r\npassword. After DarkPulsar’s DisableSecurity command is sent, the backdoor’s hooks on the victim side\r\nmake SpAcceptLsaModeContext always report that the supplied credentials are valid, so the\r\nsystem grants the client access to protected objects.\r\nWorking with DarkPulsar\r\nDarkpulsar-1.1.0.exe is the administrative interface, working under the principle of “one command – one launch”.\r\nThe command to be executed must be specified either in the configuration file Darkpulsar-1.1.0.9.xml or as\r\ncommand line arguments, detailing at least:\r\nwhether the target machine uses a 32-bit or 64-bit system;\r\nthe protocol used to deliver the command (SMB, NBT, SSL and RDP are supported) and the port number;\r\nthe private RSA key used to decrypt the session AES key.\r\nDarkpulsar-1.1.0 was not designed as a standalone program for managing infected machines. It is a\r\nplugin of the FuzzBunch framework, which manages parameters and coordinates the different components. 
This is what the\r\nDisableSecurity command looks like in FuzzBunch:\r\nBelow is an example of Processlist after DisableSecurity; any plugin can now be executed without valid credentials,\r\noperating through regular system functions (the remote registry service):\r\nDanderSpritz\r\nDanderSpritz is the framework for controlling infected machines. It differs from FuzzBunch in that the latter provides\r\nonly a limited post-exploitation toolkit with specific functions such as DisableSecurity and EnableSecurity\r\nfor DarkPulsar.\r\nDanderSpritz works with a larger range of backdoors, using PeddleCheap on the victim to let operators\r\nlaunch plugins. PeddleCheap is a DanderSpritz plugin that can be used to configure implants and connect\r\nto infected machines. Once a connection is established, all DanderSpritz post-exploitation features become\r\navailable.\r\nThis is how DarkPulsar in EDFStagedUpload mode makes it possible to infect the victim with a more\r\nfunctional implant: PCDllLauncher (a FuzzBunch plugin) deploys the PeddleCheap implant on the victim side,\r\nand DanderSpritz provides a user-friendly post-exploitation interface. 
Hence, the full name of PCDllLauncher is\r\n‘PeddleCheap DLL Launcher’.\r\nThe complete usage scheme for DanderSpritz with the PeddleCheap plugin, via FuzzBunch with the\r\nDarkPulsar and PCDllLauncher plugins, consists of four steps:\r\n1. Via FuzzBunch, run the EDFStagedUpload command to launch DarkPulsar.\r\n2. In DanderSpritz, run the pc_prep (PeddleCheap Preparation) command to prepare the payload and the library to be\r\nlaunched on the implant side.\r\n3. In DanderSpritz, run the pc_old command (an alias of pc_listen -reuse -nolisten -key Default); this\r\nsets it to wait for a socket from PCDllLauncher.\r\n4. Launch PCDllLauncher via FuzzBunch and specify the path to the payload prepared with\r\npc_prep in the ImplantFilename parameter.\r\nDanderSpritz\r\nFile System plugin\r\nConclusions\r\nThe FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and\r\ncompatibility with other tools. Each consists of a set of plugins designed for different tasks: while\r\nFuzzBunch plugins are responsible for reconnaissance and attacking a victim, plugins in the DanderSpritz\r\nframework are developed for managing already infected victims.\r\nThe discovery of the DarkPulsar backdoor helped us understand its role as a bridge between the two leaked\r\nframeworks, and how they are part of the same attack platform designed for long-term compromise, based on\r\nDarkPulsar’s advanced abilities for persistence and stealth. 
The implementation of these capabilities, such as\r\nencapsulating its traffic in legitimate protocols and bypassing the entry of credentials to pass authentication, is\r\nhighly professional.\r\nOur product can completely remove the malware related to this attack.\r\nDetecting malicious network activity\r\nWhen EDFStagedUpload is executed on an infected machine, a permanent connection is established, which is why\r\ntraffic via port 445 appears. A pair of bound sockets also appears in lsass.exe:\r\nWhen DanderSpritz deploys PeddleCheap’s payload via the PCDllLauncher plugin, network activity increases\r\ndramatically:\r\nWhen the connection to the infected machine is terminated, network activity ceases, and only traces of the two\r\nbound sockets in lsass.exe remain:\r\nIOCs\r\nimplant (MD5) – 96f10cfa6ba24c9ecd08aa6d37993fe4\r\nFile path – %SystemRoot%\\System32\\sipauth32.tsp\r\nRegistry – HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Telephony\\Providers\r\nSource: https://securelist.com/darkpulsar/88199/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/darkpulsar/88199/"
	],
	"report_names": [
		"88199"
	],
	"threat_actors": [
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434262,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/947e062922937eae5296e3d7ced0f0ef181c07b5.pdf",
		"text": "https://archive.orkl.eu/947e062922937eae5296e3d7ced0f0ef181c07b5.txt",
		"img": "https://archive.orkl.eu/947e062922937eae5296e3d7ced0f0ef181c07b5.jpg"
	}
}