{
	"id": "08804bdd-5f0d-4266-bd1c-551199ab67e4",
	"created_at": "2026-04-06T00:14:18.186143Z",
	"updated_at": "2026-04-10T13:13:09.026766Z",
	"deleted_at": null,
	"sha1_hash": "9a480e605fc0ae39325273e3060e2b457855091f",
	"title": "GitHub - francisck/DanderSpritz_docs: The goal of this project is to examine, reverse, and document the different modules available in the Equation Group's DanderSpritz post-exploitation framework leaked by the ShadowBrokers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62411,
	"plain_text": "GitHub - francisck/DanderSpritz_docs: The goal of this project is to\r\nexamine, reverse, and document the different modules available in the\r\nEquation Group's DanderSpritz post-exploitation framework leaked by\r\nthe ShadowBrokers\r\nBy francisck\r\nArchived: 2026-04-05 14:46:02 UTC\r\nDanderSpritz documentation\r\nThe goal of this project is to document the different capabilities and functionality of the DanderSpritz post-exploitation\r\nframework / application by examining the contents of the \"resources\" folder included in the ShadowBrokers leak and doing\r\nlive testing of the system.\r\nNote: This repository does not contain all of the FuzzBunch code, exploits, binaries, etc. The repository only contains the\r\nfiles found in the Windows/Resources/ directory included in the leak.\r\nThis repository alone is not enough to run DanderSpritz.\r\nIf you're interested in viewing the entire contents of the leak use this repo:\r\nEQGRP_Lost_in_Translation\r\nPython bytecode has been decompiled\r\nThe original ShadowBrokers leak had most of the python scripts compiled into optimized bytecode (.pyo). In order to make\r\nthis reversing / documentation effort easier I've decompiled the code and uploaded the \"raw\" python code to this repository.\r\nThe original python bytecode files have been left intact.\r\nResource Codenames and capabilities\r\nThe sub-directories in the \"Resources\" directory contain different modules which are used by DanderSpritz to provide\r\ncapabilities such as packet capture, memory dumps, etc.\r\nBelow are the codenames that correspond to the different modules and the potential capabilities based on examining the\r\npython code, comments, XML, and available \"command\" txt files.\r\nFolder Code Name Description / Functionality\r\nDSky Darkskyline PacketCapture tool\r\nDaPu DarkPulsar Appears to be a legacy implant, similar to PeddleCheap but older\r\nDarkskyline DarkSkyline Contains tools to parse and filter traffic captured by DarkSkyline\r\nDeMI DecibelMinute Appears to interact with KillSuit to install, configure, and uninstall it\r\nDf DoubleFeature\r\nGenerates a log \u0026 report about the types of tools that could be deployed\r\non the target. A lot of tools mention that doublefeature is the only way to\r\nconfirm their existence\r\nDmGZ DoormanGauze\r\nDoormanGauze is a kernel level network driver that appears to bypass\r\nthe standard Windows TCP/IP stack\r\nDsz DanderSpritz\r\nSeveral DanderSpritz specific files such as command descriptions (in\r\nXML), and several scripts with DSS (Debug script interface?) / DSI\r\nextensions? They seem to be scripts run by DanderSpritz\r\nEp ExpandingPulley\r\nListening Post developed in 2001 and abandoned in 2008. Predecessor to\r\nDanderSpritz\r\nExternalLibraries N/A Well..\r\nFlAv FlewAvenue\r\nAppears related to DoormanGauze (based on\r\nFlAv/scripts/_FlewAvenue.txt)\r\nGRDO GreaterDoctor\r\nAppears to parse / process from GreaterSurgeon (based on\r\nGRDO/Tools/i386/GreaterSurgeon_postProcess.py \u0026 analyzeMFT.py)\r\nGROK ??\r\nAppears to be a keylogger (based on\r\nOps/PyScripts/overseer/plugins/keylogger.py)\r\nGRcl ??\r\nAppears to dump memory from a specific process (based on\r\nGRcl/Commands/CommandLine/ProcessMemory_Command.xml)\r\nGaTh GangsterThief\r\nAppears to parse data gathered by GreaterDoctor to identify other\r\n(malicious) software that may be installed persistently (based on\r\nGaTh/Commands/CommandLine/GrDo_ProcessScanner_Command.xml)\r\nGeZU GreaterSurgeon\r\nAppears to dump memory (based on\r\nGeZu/Commands/CommandLine/GeZu_KernelMemory_Command.xml)\r\nGui N/A Resources used by the DanderSpritz GUI\r\nLegacyWindowsExploits N/A Well..\r\nOps N/A\r\nContains a lot of awesome tools and python / dss scripts used by\r\nDanderSpritz. Deserves a lot of investigation. Includes tools to gather\r\ndata from Chrome, Skype, Firefox (ripper) and gather information about\r\nthe machine / environment (survey)\r\nPfree Passfreely Oracle implant that bypasses auth for Oracle databases\r\nPaCU PaperCut\r\nAllows you to perform operations on file handles opened by other\r\nprocesses\r\nPc PeddleCheap\r\nThe main implant (loaded via DoublePulsar) that performs all of these\r\nactions and communicates with the C2 (DanderSpritz)\r\nPc2.2 PeddleCheap\r\nResources for PeddleCheap including different DLLs / configs to call\r\nback to the C2\r\nPython N/A Python Libraries / resources being used\r\nScRe ??\r\nInteracts with SQL databases (based on\r\nScRe/Commands/CommandLine/Sql_Command.xml)\r\nStLa Strangeland Keylogger (based on StLa/Tools/i386-winnt/strangeland.xsl)\r\nTasking N/A\r\nHandles the collection \"tasks\" that DanderSpritz has requested on the\r\nsame (collection of windows, network data, etc)\r\nTeDi TerritorialDispute\r\nA plugin used to determine what other (malicious) software may be\r\npersistently installed (based on TeDi/PyScripts/sigs.py). Appears to be\r\nused to identify other nation states also\r\nUtbu UtilityBurst\r\nAppears to be a mechanism for persistence via a driver install (unsure)\r\n(based on UtBu/Scripts/Include/_UtilityBurstFunctions.dsi)\r\nZBng ZippyBang\r\nLooking at this quickly, it appears to be the NSA's version of Mimikatz.\r\nIt can duplicate tokens (Kerberos tokens?) and \"remote execute\r\ncommands\" as well as logon as users (based on files in\r\nZBng/Commands/CommandLine)\r\nSource: https://github.com/francisck/DanderSpritz_docs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/francisck/DanderSpritz_docs/"
	],
	"report_names": [
		"DanderSpritz_docs"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434458,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a480e605fc0ae39325273e3060e2b457855091f.pdf",
		"text": "https://archive.orkl.eu/9a480e605fc0ae39325273e3060e2b457855091f.txt",
		"img": "https://archive.orkl.eu/9a480e605fc0ae39325273e3060e2b457855091f.jpg"
	}
}