{
	"id": "a40c9821-da57-45cd-a660-8b42eaec8c92",
	"created_at": "2026-04-06T00:07:37.47932Z",
	"updated_at": "2026-04-10T03:37:26.378605Z",
	"deleted_at": null,
	"sha1_hash": "ad7c4675b78eb3238978c0a5cb0e848975fcf8ae",
	"title": "Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75302,
	"plain_text": "Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak\r\nArchived: 2026-04-05 14:36:43 UTC\r\nKey Findings\r\nThe Buckeye attack group was using Equation Group tools to gain persistent access to target organizations at least a year prior to the Shadow Brokers leak.\r\nVariants of Equation Group tools used by Buckeye appear to be different from those released by Shadow Brokers, potentially indicating that they didn't originate from that leak.\r\nBuckeye's use of Equation Group tools also involved the exploitation of a previously unknown Windows zero-day vulnerability. This zero day was reported by Symantec to Microsoft in September 2018 and patched in March 2019.\r\nWhile Buckeye appeared to cease operations in mid-2017, the Equation Group tools it used continued to be used in attacks until late 2018. It is unknown who continued to use the tools. They may have been passed to another group, or Buckeye may have continued operating longer than supposed.\r\nThe 2017 leak of Equation Group tools by a mysterious group calling itself the Shadow Brokers was one of the most significant cyber security stories in recent years. Equation is regarded as one of the most technically adept espionage groups, and the release of a trove of its tools had a major impact, with many attackers rushing to deploy the malware and exploits disclosed. One of these tools, the EternalBlue exploit, was used to devastating effect in the May 2017 WannaCry ransomware outbreak.\r\nHowever, Symantec has now found evidence that the Buckeye cyber espionage group (aka APT3, Gothic Panda) began using Equation Group tools in attacks at least a year prior to the Shadow Brokers leak.\r\nBeginning in March 2016, Buckeye began using a variant of DoublePulsar (Backdoor.Doublepulsar), a backdoor that was subsequently released by the Shadow Brokers in 2017. 
DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar.\r\nBemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers. One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec. The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy—that were also released as part of the Shadow Brokers leak.\r\nThe zero-day vulnerability allows for the leaking of information and can be exploited in conjunction with other vulnerabilities to attain remote kernel code execution. It was reported by Symantec to Microsoft in September 2018 and was patched on March 12, 2019.\r\nHow Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown.\r\nBuckeye disappeared in mid-2017 and three alleged members of the group were indicted in the U.S. in November 2017.\r\nHowever, while activity involving known Buckeye tools ceased in mid-2017, the Bemstour exploit tool and the DoublePulsar variant used by Buckeye continued to be used until at least September 2018 in conjunction with different malware.\r\nhttps://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit\r\nPage 1 of 5\n\nHistory of attacks\r\nThe Buckeye attack group had been active since at least 2009, when it began mounting a string of espionage attacks, mainly against organizations based in the U.S.\r\nThe group has a record of exploiting zero-day vulnerabilities. These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014. Although other zero-day attacks have been reported, they have not been confirmed by Symantec. 
All zero-day exploits known, or suspected, to have been used by this group are for vulnerabilities in Internet Explorer and Flash.\r\nTimeline of attacks\r\nBeginning in August 2016, a group calling itself the Shadow Brokers began releasing tools it claimed had originated from the Equation Group. It initially released samples of the information it had, offering the full trove to the highest bidder.\r\nOver the coming months, it progressively released more tools, until April 2017, when it released a final, large cache of tools, including the DoublePulsar backdoor, the FuzzBunch framework, and the EternalBlue, EternalSynergy, and EternalRomance exploit tools.\r\nHowever, Buckeye had already been using some of these leaked tools at least a year beforehand. The earliest known use of Equation Group tools by Buckeye is March 31, 2016, during an attack on a target in Hong Kong. During this attack, the Bemstour exploit tool was delivered to victims via known Buckeye malware (Backdoor.Pirpi). One hour later, Bemstour was used against an educational institution in Belgium.\r\nBemstour is specifically designed to deliver a variant of the DoublePulsar backdoor. DoublePulsar is then used to inject a secondary payload, which runs in memory only. The secondary payload enables the attackers to access the affected computer even after DoublePulsar is removed. It is worth noting that earlier versions did not include any means of uninstalling the DoublePulsar implant. This functionality was added in later versions.\r\nA significantly improved variant of the Bemstour exploit tool was rolled out in September 2016, when it was used in an attack against an educational institution in Hong Kong. While the original variant was only capable of exploiting 32-bit systems, the new variant could exploit both 32-bit and 64-bit targets, adding support for newer Windows versions. 
Another new feature of the payload in the second variant allowed the attacker to execute arbitrary shell commands on the infected computer. This custom payload is also designed to copy arbitrary files and execute arbitrary processes on the targeted computer. When used against 32-bit targets, Bemstour still delivered the same DoublePulsar backdoor. However, against 64-bit targets it delivered only the custom payload. The attackers typically used it to execute shell commands that created new user accounts.\r\nBemstour was used again in June 2017 in an attack against an organization in Luxembourg. Unlike earlier attacks, in which Bemstour was delivered using Buckeye’s Pirpi backdoor, in this attack Bemstour was delivered to the victim by a different backdoor Trojan (Backdoor.Filensfer). Between June and September 2017, Bemstour was also used against targets in the Philippines and Vietnam.\r\nDevelopment of Bemstour has continued into 2019. The most recent sample of Bemstour seen by Symantec appears to have been compiled on March 23, 2019, eleven days after the zero-day vulnerability was patched by Microsoft.\r\nThe purpose of all the attacks was to acquire a persistent presence on the victim’s network, meaning information theft was the most likely motive of the attacks.\r\nTable 1. Buckeye Tool Usage Over Time\r\nDate | Target locations | Delivery malware | Exploit tool | Payload\r\nMarch 2016 | Hong Kong, Belgium | Backdoor.Pirpi | Bemstour Exploit Tool (V1) | DoublePulsar\r\nSeptember 2016 | Hong Kong | Unknown | Bemstour Exploit Tool (V2) | DoublePulsar (32-bit) or custom payload only (64-bit)\r\nApril 2017 | - | - | Shadow Brokers Leak | -\r\nJune 2017 | Luxembourg | Backdoor.Filensfer | Bemstour Exploit Tool (V1) | DoublePulsar\r\nJune 2017 | Philippines | Unknown | Bemstour Exploit Tool (V1 \u0026 V2) | DoublePulsar (32-bit) or custom payload only (64-bit)\r\nAugust 2017 | Vietnam | Unknown | Bemstour Exploit Tool (V2) | DoublePulsar (32-bit) or custom payload only (64-bit)\r\nThe Filensfer connection\r\nFilensfer is a family of malware that has been used in targeted attacks since at least 2013. Symantec has found multiple versions of the malware, including a C++ version, a compiled Python version (using py2exe), and a PowerShell version. Over the past three years, Filensfer has been deployed against organizations in Luxembourg, Sweden, Italy, the UK, and the U.S. Targets included organizations in the telecoms, media, and manufacturing sectors. While Symantec has never observed the use of Filensfer alongside any known Buckeye tools, information shared privately by another vendor included evidence of Filensfer being used in conjunction with known Buckeye malware (Backdoor.Pirpi).\r\nBemstour exploit tool\r\nBemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers.\r\nThe zero-day vulnerability found and reported by Symantec (CVE-2019-0703) occurs due to the way the Windows SMB Server handles certain requests. 
The vulnerability allows for the leaking of information.\r\nThe second vulnerability (CVE-2017-0143) is a message type confusion vulnerability. When the two vulnerabilities are exploited together, the attacker can gain full access in the form of kernel mode code execution, enabling them to deliver malware to the targeted computer.\r\nWhen Bemstour was first used in 2016, both vulnerabilities were zero days, although CVE-2017-0143 was subsequently patched by Microsoft in March 2017 (MS17-010). CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017.\r\nBuckeye's exploit tool, as well as EternalRomance and EternalSynergy, can exploit the CVE-2017-0143 message type confusion vulnerability to perform memory corruption on unpatched victim computers. In order to obtain remote code execution capabilities, all three exploit tools needed to collect information about the memory layout of attacked systems in addition to exploiting the aforementioned message type confusion vulnerability. Each tool performed this differently, relying on different vulnerabilities. In the case of the Buckeye exploit tool, the attackers exploited their own zero-day vulnerability (CVE-2019-0703).\r\nDoublePulsar development\r\nThe variant of DoublePulsar used in the first attacks performed by Buckeye was different from that leaked by the Shadow Brokers. It appears to contain code to target newer versions of Windows (Windows 8.1 and Windows Server 2012 R2), indicating that it is a newer version of the malware. It also includes an additional layer of obfuscation. Based on technical features and timing, it is possible that this obfuscation was created by DoublePulsar's original authors.\r\nIt is noteworthy that the attackers never used the FuzzBunch framework in their attacks. 
FuzzBunch is a framework designed to manage DoublePulsar and other Equation Group tools and was leaked by the Shadow Brokers in 2017. This suggests that Buckeye only managed to gain access to a limited number of Equation Group tools.\r\nUnanswered questions\r\nThere are multiple possibilities as to how Buckeye obtained Equation Group tools before the Shadow Brokers leak. Based on the timing of the attacks and the features of the tools and how they are constructed, one possibility is that Buckeye may have engineered its own version of the tools from artifacts found in captured network traffic, possibly from observing an Equation Group attack. Other less supported scenarios, given the technical evidence available, include Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation Group member or associate leaked the tools to Buckeye.\r\nMystery also surrounds the continued use of the exploit tool and DoublePulsar after Buckeye's apparent disappearance. It may suggest that Buckeye retooled following its exposure in 2017, abandoning all tools publicly associated with the group.\r\nHowever, aside from the continued use of the tools, Symantec has found no other evidence suggesting Buckeye has retooled.\r\nAnother possibility is that Buckeye passed on some of its tools to an associated group.
\r\nIndicators of Compromise\r\nMD5 | SHA256 | Description\r\n7020bcb347404654e17f6303848b7ec4 | cbe23daa9d2f8e1f5d59c8336dd5b7d7ba1d5cf3f0d45e66107668e80b073ac3 | Pirpi (first variant)\r\naacfef51a4a242f52fbb838c1d063d9b | 53145f374299e673d82d108b133341dc7bee642530b560118e3cbcdb981ee92c | Pirpi (second variant)\r\nc2f902f398783922a921df7d46590295 | 01f53953db8ba580ee606043a482f790082460c8cdbd7ff151d84e03fdc87e42 | Command line utility to list user accounts on remote machine\r\n6458806a5071a7c4fefae084791e8c67 | 6b1f8b303956c04e24448b1eec8634bd3fb2784c8a2d12ecf8588424b36d3cbc | Filensfer (C/C++)\r\n0d2d0d8f4989679f7c26b5531096b8b2 | 7bfad342ce88de19d090a4cb2ce332022650abd68f34e83fdc694f10a4090d65 | Filensfer (PowerShell)\r\na3932533efc04ac3fe89fb5b3d60128a | 3dbe8700ecd27b3dc39643b95b187ccfd44318fc88c5e6ee6acf3a07cdaf377e | Filensfer (py2exe)\r\n58f784c7a292103251930360f9ca713e | 1c9f1c7056864b5fdd491d5daa49f920c3388cb8a8e462b2bc34181cef6c1f9c | Command line SMB client\r\na469d48e25e524cf0dec64f01c182b25 | 951f079031c996c85240831ea1b61507f91990282daae6da2841311322e8a6d7 | HTran\r\nThreat intelligence\r\nIn addition to file-based protection, customers of the DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have received reports on Buckeye, which detail methods of detecting and thwarting activities of this group.\r\nSource: https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit"
	],
	"report_names": [
		"buckeye-windows-zero-day-exploit"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434057,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad7c4675b78eb3238978c0a5cb0e848975fcf8ae.pdf",
		"text": "https://archive.orkl.eu/ad7c4675b78eb3238978c0a5cb0e848975fcf8ae.txt",
		"img": "https://archive.orkl.eu/ad7c4675b78eb3238978c0a5cb0e848975fcf8ae.jpg"
	}
}