{
	"id": "d537b9ff-70ed-4c57-b578-c966cd0d47e9",
	"created_at": "2026-04-06T00:07:17.949814Z",
	"updated_at": "2026-04-10T13:11:58.51417Z",
	"deleted_at": null,
	"sha1_hash": "c168d586075c976eac1b0c3d9130d23d6e4b6dae",
	"title": "Equation Group: from Houston with love",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 328138,
	"plain_text": "Equation Group: from Houston with love\r\nBy GReAT\r\nPublished: 2015-02-19 · Archived: 2026-04-05 22:20:56 UTC\r\nIn 2009, an international scientific conference was held in Houston, USA. Leading scientists from several\r\ncountries were invited to attend. As is traditional for such events, the organizers sent out a post-meeting CDROM\r\ncontaining a presentation with the best photos from the event. It is unlikely that any of the recipients expected that\r\nwhile they were enjoying the beautiful pictures and memories a nation-state sponsored Trojan Horse was\r\nactivating silently in the background.\r\nPhoto slideshow played from the CD\r\nInterestingly, it looks as if most of the attendees brought pens and paper instead of laptops.\r\nSelf-elevating Autorun\r\nhttps://securelist.com/equation-group-from-houston-with-love/68877/\r\nPage 1 of 12\n\nThe disk contains two files in the root folder, an autorun.inf and autorun.exe. This is typical of many CDROMs.\r\nThe autorun.inf simply executes the main EXE from root.  Here’s what it looks like:\r\n[AutoRun]\r\nopen=Autorun.exe\r\nicon=Presentation\\Show.exe,0\r\nMore interesting is the autorun.exe binary, which has the following attributes:\r\nDate of compilation 2009.12.23 13:37:33 (GMT)\r\nSize 62464 bytes\r\nMD5 6fe6c03b938580ebf9b82f3b9cd4c4aa\r\nThe program starts by checking the current user’s privileges. If the current user has no administrative rights, it\r\ntries to elevate privileges using three different exploits for vulnerabilities in the Windows kernel. These\r\nvulnerabilities were patched by the following Microsoft patches:\r\nMS09-025\r\nMS12-034\r\nMS13-081\r\nConsidering the date the CDROM was shipped, it means that two of the exploits were zero-days. It’s notable that\r\nthe code attempts different variants of kernel exploits, and does so in a loop, one by one, until one of them\r\nsucceeds. 
The exploit set from the sample on the CDROM includes only three exploits, but this exploitation package supports the running of up to 10 different exploits, one after another. It’s not clear whether this means that there is also malware with 10 EoP exploits in it, or whether it’s just a logical limitation.\r\nThe code has separate payloads for Windows NT 4.0, 2000, XP, Vista and Windows 2008, including variations for certain service pack versions. In fact, it runs twice: first to temporarily elevate privileges, then to add the current user to the local administrators group on the machine, for privilege elevation persistence.\r\nIf these actions are successful, the module starts another executable from the disk, rendering the photo slideshow with pictures from the Houston conference.\r\nAt the end, just before exiting, the code runs an additional procedure that does some special tests. If the date of execution falls before 1 July 2010 and it detects no presence of Bitdefender Total Security 2009/2010 or any Comodo products, it loads an additional DLL file from the disk named “show.dll”, waits for seven seconds, unloads the DLL and exits.\r\nIf the date falls after 1 July 2010, or any of the above products are installed, it stops execution immediately.\r\nThe “Show” Begins – introducing DoubleFantasy\r\nThe main loader and privilege escalation tool, “autorun.exe”, fires up a special dropper, which is actually an Equation Group DoubleFantasy implant installer. 
The installer is stored as “show.dll” in the “Presentation” folder of the CDROM.\r\nThe DLL file has the following attributes:\r\nDate of compilation: 2009.03.20 17:42:21 (GMT)\r\nSize: 151’552 bytes\r\nMD5: ef40fcf419954226d8c029aac8540d5a\r\nFilename: show.dll\r\nShort description: DoubleFantasy installer\r\nFirst it locates data in the resource section, then unpacks (UCL) and XOR-decrypts configuration data from one of the resources.\r\nNext it creates the following registry keys:\r\nHKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\r\nHKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\\Version\r\nAfter that it sets the (Default) value of the “Version” subkey to “008.002.000.003”, which identifies the implant version.\r\nIt also attempts to self-delete on the next reboot, which fails if it’s started from the CD.\r\nWhen run by the exploitation package “Autorun.exe”, the program already has administrative privileges from one of the three exploits. However, the code checks again whether it’s running with administrative privileges, and attempts to elevate using just two kernel vulnerabilities:\r\nMS09-025\r\nMS12-034\r\nThis indicates that the DoubleFantasy installer has been designed to run independently of the disk from Houston and its “Autorun.exe”. 
In fact, we’ve observed the independent use of the DoubleFantasy installer in other cases as well.\r\nThe installer checks for security software using a list of registry keys and values stored in the resource section. The keys are checked in quite a delicate, “non-alarming” way, using key enumeration instead of direct key access.\r\nList of top-level keys checked:\r\nHKLM\\Software\\KasperskyLab\\protected\\AVP7\\profiles\\Behavior_Blocking\\profiles\\pdm\\settings\r\nHKLM\\Software\\KasperskyLab\\AVP6\\profiles\\Behavior_Blocking\\profiles\\pdm\\settings\r\nHKLM\\Software\\Agnitum\\Outpost Firewall\r\nHKLM\\Software\\PWI, Inc.\r\nHKLM\\Software\\Network Ice\\BlackIce\r\nHKLM\\Software\\S.N.Safe\u0026Software\r\nHKLM\\Software\\PCTools\\ThreatFire\r\nHKLM\\Software\\ProSecurity\r\nHKLM\\Software\\Diamond Computer Systems\r\nHKLM\\Software\\GentleSecurity\\GeSWall\r\nIf any of them exist, the installer marks the system by setting a special registry key:\r\nHKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\\MiscStatus\r\nThe mark takes the form {CE0F7387-0BB5-E60B-xxxx-xxxxxxxxxxxx} in the (Default) value data; the installer then exits.\r\nIf no security software is identified, it unpacks (UCL) and XOR-decrypts the main payload, which is extracted into %system%\\ee.dll.\r\nRemarkably, it loads the DLL using its own custom loader instead of the standard system LoadLibrary API call.\r\nThe module looks as if it was built using a set of components or libraries that perform:\r\nPrivilege escalation (it seems to be an early version of the same library used in autorun.exe)\r\nSecurity software detection\r\nResource parsing and unpacking\r\nLoading of PE files\r\nThis library code supports Win9x and the Windows NT family from NT 4.0 to NT 6.x. It should be mentioned that these libraries are not very well merged together. 
For instance, some parts of the code are unused.\r\nHere’s what the DoubleFantasy decoded configuration block looks like:\r\nDecoded DoubleFantasy configuration block\r\nSome of the C\u0026Cs from the DoubleFantasy configuration:\r\n81.31.34.175 (Czech Republic)\r\n195.128.235.231 (Italy)\r\nThe DoubleFantasy malware copied onto the victim’s machine has the following properties:\r\nDate of compilation: 2009.03.31 15:32:42 (GMT)\r\nSize: 69’632 bytes\r\nMD5: b8c0eb946de83fe8440fefbacf7de4a2\r\nFilename: ee.dll\r\nShort description: DoubleFantasy implant\r\nIt should be noted that both the installer and the malware appear to have been compiled several months before “autorun.exe” from the CDROM, suggesting that they are more or less generic implants. It also suggests that “autorun.exe” was probably compiled specially for the CDROM-based attack.\r\nThe Equation Group’s DoubleFantasy implant is a validator-style Trojan which sends basic information about the system to the attackers. It also allows them to upload a more sophisticated Trojan platform, such as EquationDrug or GrayFish. In general, after one of these sophisticated platforms is installed, the attackers remove the DoubleFantasy implant. In case the victim doesn’t check out, for example if they are a researcher analysing the malware, the attackers can simply choose to uninstall the DoubleFantasy implant and clean up the victim’s machine.\r\nIn fact, there are several known versions of the DoubleFantasy payload. 
The disk from Houston used version 8.2.0.3, while other versions were mostly delivered using web exploits.\r\nDecrypting configuration blocks from all known DoubleFantasy samples, we obtained the following internal version numbers:\r\n8.1.0.4 (MSREGSTR.EXE)\r\n008.002.000.006\r\n008.002.001.001\r\n008.002.001.004\r\n008.002.001.04A (subversion “IMIL3.4.0-IMB1.8.0”)\r\n008.002.002.000\r\n008.002.003.000\r\n008.002.005.000\r\n008.002.006.000\r\n011.000.001.001\r\n012.001.000.000\r\n012.001.001.000\r\n012.002.000.001\r\n012.003.001.000\r\n012.003.004.000\r\n012.003.004.001\r\n013.000.000.000\r\nInterestingly, the most popular major versions are 8 and 12.\r\nWe will describe some of the versions that we managed to discover, including 8.2.0.3, 8.1.0.4 and 12.2.0.1.\r\nDoubleFantasy Payload v.8.2.0.3\r\nMD5: b8c0eb946de83fe8440fefbacf7de4a2\r\nSize: 69’632 bytes\r\nType: Win32 GUI DLL\r\nTimestamp: Tue Mar 31 14:32:42 2009 (GMT)\r\nFilenames: ee.dll, actxprxy32.dll\r\nThis module uses a technique known as DLL COM hijacking, which provides the capability to load the code in different processes.\r\nInitialization\r\nFirst of all, it checks whether the running module is named “ee.dll” and, if so, undertakes the final installation steps:\r\nTry to find configuration settings in the registry key HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\\TypeLib, in the value “DigitalProductId”. If this value exists, it decodes it using Base64 and decrypts it using RC6 (with the 16-byte key 66 39 71 3C 0F 85 99 81 20 19 35 43 FE 9A 84 11).\r\nIf the value was not found in the registry, it loads the configuration from a resource.\r\nIt copies itself to one of two variants of filenames. 
Then it substitutes one of the system components by renaming and replacing the original. The hijacked locations, with the two filename variants, are:\r\nlinkinfo.dll: HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs, value LINKINFO, set to LI.DLL (variant 1) or LINK32.DLL (variant 2)\r\nhgfs1.dll: HKLM\\SYSTEM\\CurrentControlSet\\Services\\hgfs\\networkprovider, value ProviderPath, set to hgfs32.dll (variant 1) or hgfspath.dll (variant 2)\r\nmidimap.dll: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32, value midimapper, set to midimapper.dll (variant 1) or midimap32.dll (variant 2)\r\nactxprxy.dll: HKCR\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32, value (Default), set to actxprxy32.dll (variant 1) or actxprxyserv.dll (variant 2)\r\nSet the 64-bit value from the config as the (Default) value of the HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\\TypeLib key, in the form {8C936AF9-243D-11D0-xxxx-xxxxxxxxxxxx}; it seems to be used later as the victim ID when connecting to the C\u0026C server.\r\nSet the (Default) value of HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\\Version to the string “008.002.000.003”.\r\nUpon the creation of a key it performs additional steps to grant KEY_ALL_ACCESS rights to Everyone.\r\nUpdate the start time, then encode and write the config back to the registry value HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\\DigitalProductId\r\nIf an error occurs, it sets the HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\\MiscStatus\\(Default) value to “0”. The registry value {CE0F7387-0BB5-E60B-8B4E-xxxxxxxxxxxx} then contains the XOR-encrypted error code.\r\nIf there is an initialization error and the hosting process is “explorer.exe” or “avp.exe”, it suppresses any exceptions and continues execution. 
This could indicate that if there were any errors in these processes, they must not be shut down because of them.\r\nTo correctly hijack the replaced COM objects, the code exports a set of functions forwarded to the original DLL files:\r\nCompareLinkInfoReferents = linkinfo.CompareLinkInfoReferents\r\nCompareLinkInfoVolumes = linkinfo.CompareLinkInfoVolumes\r\nCreateLinkInfo = linkinfo.CreateLinkInfo\r\nDestroyLinkInfo = linkinfo.DestroyLinkInfo\r\nDisconnectLinkInfo = linkinfo.DisconnectLinkInfo\r\nDllCanUnloadNow = actxprxy.DllCanUnloadNow\r\nDllGetClassObject = actxprxy.DllGetClassObject\r\nDllRegisterServer = actxprxy.DllRegisterServer\r\nDllUnregisterServer = actxprxy.DllUnregisterServer\r\nDriverProc = midimap.DriverProc\r\nGetCanonicalPathInfo = linkinfo.GetCanonicalPathInfo\r\nGetLinkInfoData = linkinfo.GetLinkInfoData\r\nGetProxyDllInfo = actxprxy.GetProxyDllInfo\r\nIsValidLinkInfo = linkinfo.IsValidLinkInfo\r\nNPAddConncection = hgfs1.NPAddConncection\r\nNPAddConncection3 = hgfs1.NPAddConncection3\r\nNPCancelConncection = hgfs1.NPCancelConncection\r\nNPCloseEnum = hgfs1.NPCloseEnum\r\nNPEnumResource = hgfs1.NPEnumResource\r\nNPFormatNetworkName = hgfs1.NPFormatNetworkName\r\nNPGetCaps = hgfs1.NPGetCaps\r\nNPGetConnection = hgfs1.NPGetConnection\r\nNPGetResourceInformation = hgfs1.NPGetResourceInformation\r\nNPGetResourceParent = hgfs1.NPGetResourceParent\r\nNPOpenEnum = hgfs1.NPOpenEnum\r\nResolveLinkInfo = linkinfo.ResolveLinkInfo\r\nmodMessage = midimap.modMessage\r\nmodmCallback = midimap.modmCallback\r\nThe implant periodically runs checks against a special file defined in the config. If that file has changed since the last check, or at least a week has passed since the last check, it does the following:\r\nPerform a connectivity check via public domains (specified in config, i.e. 
“www.microsoft.com” and “www.yahoo.com”) using HTTP POST requests.\r\nIf Internet access is available, connect to one of two C\u0026C IPs or hostnames (specified in config, i.e. 81.31.34.175 and 195.128.235.23). Standard HTTP/HTTPS ports 80 and 443 are probed.\r\nSend a POST request to the C\u0026C with the additional header “EIag: 0d1975bfXXXXXXXX9c:eac’,0Dh,0Ah”, where XXXXXXXX is part of the victim ID.\r\nRequest additional data: victim ID, version, MAC address. The data is encrypted using RC6 and encoded using Base64 (RC6 key: 8B 4C 25 04 56 85 C9 75 06 33 C0 5E C2 08 31 F6).\r\nThe C\u0026C communication code performs the following:\r\nReceived data is decoded using Base64 and decrypted using RC6. The result is interpreted as a backdoor command.\r\nResults of the command execution are sent back to the C\u0026C. It then attempts to fetch the next command from the server.\r\nUninstalls itself if it can’t connect to the C\u0026C server within 180 days (configurable).\r\nThe following commands are supported by the backdoor (command code, name, description):\r\nDownload \u0026 Run group\r\nJ (0x4a) – Create File: create an empty file; if the file already exists, get its size.\r\nD (0x44) – Append File: append a chunk of data to a file (created by the “J” command).\r\nV (0x56) – Run or Copy: check the CRC16 of the file received via the “D” command, and delete it if the check fails. Depending on the command flag: copy the file to a new location; load the file as a DLL; start the file as a new process; or load the DLL using the custom built-in loader and call its “dll_u” export.\r\nUpload group\r\nK (0x4b) – Get File Size: get the file size.\r\nS (0x53) – Read File: read the file specified by the “K” command and send it to the C\u0026C. 
It can delete the file after transfer (under some condition).\r\nService group\r\n` (0x60) – Get Info: collect info (IP and MAC addresses, implant version, system proxy server, Windows Registered Owner and Organization, Windows version and ProductID, Locale/Language and Country, Windows directory path, connection type, list of all HKLM\\Software subkeys).\r\np (0x70) – Set Victim ID: prepare to change the victim ID.\r\nu (0x75) – Set Interval: change the C\u0026C connection interval (seven days by default).\r\nv (0x76) – Set C\u0026C IP: change the primary C\u0026C IP address.\r\nx (0x78) – Set File Path: change the path and name of the file under inspection.\r\n(0x80) – Read File: delete the file specified in the command.\r\nB (0x42) – Reset Victim ID: change the victim ID to the one set by the Set Victim ID command. Subcommand 0 – reconnect to the C\u0026C; subcommand 1 – reset the RC6 context; subcommand 2 – uninstall.\r\nDoubleFantasy Payload v.8.1.0.4\r\nLocation: %System%\\MSREGSTR.EXE\r\nMD5: 9245184228af33d3d97863daecc8597e\r\nSize: 31’089 bytes\r\nType: Win32 GUI EXE\r\nTimestamp: Wed Mar 22 18:25:55 2006 (GMT)\r\nVersion info:\r\nFileDescription: Registration Software\r\nLegalCopyright: Copyright © Microsoft Corp. 1993-1995\r\nCompanyName: Microsoft Corporation\r\nFileVersion: 4.00.950\r\nInternalName: MSREGSTR\r\nOriginalFilename: MSREGSTR.EXE\r\nCompared to version 8.2, version 8.1 implements the same tasks slightly differently. Differences:\r\nThis is an EXE file running as a service process.\r\nConfiguration data is stored in the overlay of the file, instead of in resources.\r\nOther registry keys are used as config storage – a set of subkeys under HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup\\Common\r\nRC6 encryption and Base64 encoding are not used. 
The network traffic data is sent in plaintext or simply\r\nXOR-encrypted.\r\nThe number of supported remote commands is only four.\r\nThe command encoding type is different.\r\nSupports Windows 9x family.\r\nDoubleFantasy Payload v.12.2.0.1\r\nLocation %System%\\actxprxy32.dll\r\nMD5\r\n562be0b1930fe5de684c2c530619d659\r\n769d099781220004540a8f6697a9cef1\r\nSize 151552\r\nType Win32 GUI DLL\r\nTimestamp Wed Aug 04 07:55:07 2004 (GMT), probably fake\r\nThe implementation of version 12.2 is similar to version 8.2, although it is twice the size due to the addition of a\r\nbig new library.\r\nThe main purpose of this new library to steal user names and passwords from:\r\nlive running Internet Explorer or Firefox browser memory\r\nInternet Explorer proxy configuration, stored in the Windows registry\r\nWindows protected storage (up to Windows XP)\r\nWindows authentication subsystem (Vista+)\r\nIn addition to browsers, the library can also inject malicious code and read the memory of other processes in order\r\nto obtain and decrypt users’ passwords. 
The same library is also used inside the main EQUATIONDRUG orchestrator and TRIPLEFANTASY modules.\r\nThe library gathers stolen credentials and then probes them when accessing the proxy server while connecting to the Internet; if a probe is successful, the valid credentials are encrypted with RC6 and encoded with Base64 to be used later.\r\nIn this version the data encryption RC6 key is:\r\n66 39 71 3C 0F 85 99 81 20 19 35 43 FE 9A 84 11\r\nThe traffic encryption RC6 key is:\r\n32 EC 89 D8 0A 78 47 22 BD 58 2B A9 7F 12 AB 0C\r\nThe stolen user data is stored in the Windows registry as the @WriteHeader value, inside two random keys in the HKLM\\SOFTWARE\\Classes\\CLSID\\{77032DAA-B7F2-101B-A1F0-01C29183BCA1}\\Containers node.\r\nSummary\r\nThe disk used in the Houston attack represents a rare and unusual operation for the Equation Group. We presume that such attacks were crafted only for important victims who couldn’t otherwise be reached, for instance through a web-based attack vector. This is supported by the fact that the exploitation library had three exploits inside, two of which were zero-days at the time.\r\nThe DoubleFantasy malware is usually the first step in the infection of a victim by the Equation Group. Once the victim has been confirmed by communicating with the backdoor and checking various system parameters, a more sophisticated malware system is deployed, such as EquationDrug or GrayFish.\r\nIn upcoming blog posts, we will continue to describe the more sophisticated malware families used by the Equation Group: EquationDrug and GrayFish.\r\nSource: https://securelist.com/equation-group-from-houston-with-love/68877/
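Offline triage of the registry artefacts listed in the v8.2 and v12 sections above (the implant CLSID marker and the Version, TypeLib and DigitalProductId values under it, the MiscStatus mark, the KnownDLLs, Drivers32, network-provider and InProcServer32 replacements, and the v12 credential store under the Containers node), as an added example that is not part of the original post or of any Kaspersky tooling. It reads the text layout printed by reg query <key> /s, which is an assumption about how an analyst exports the hive; the sample output below is constructed, with the victim-ID and configuration values filled with placeholder data.

```python
# Added example (not code from the Securelist post or from the implant): scan
# `reg query <key> /s` text for the DoubleFantasy registry artefacts described
# in the analysis. The sample input is constructed.
import sys

DF_CLSID = '{6af33d21-9bc5-4f65-8654-b8059b822d91}'              # implant marker key
CREDENTIAL_NODE = '{77032daa-b7f2-101b-a1f0-01c29183bca1}\\containers'  # v12 stolen data
VICTIM_ID_PREFIX = '{8c936af9-243d-11d0-'                         # TypeLib (Default)
MISCSTATUS_PREFIX = '{ce0f7387-0bb5-e60b-'                        # AV-found / error mark

# (key suffix, value name, legitimate DLL, names the v8.2 implant writes instead)
HIJACK_POINTS = [
    ('control\\session manager\\knowndlls', 'linkinfo', 'linkinfo.dll', ('li.dll', 'link32.dll')),
    ('services\\hgfs\\networkprovider', 'providerpath', 'hgfs1.dll', ('hgfs32.dll', 'hgfspath.dll')),
    ('currentversion\\drivers32', 'midimapper', 'midimap.dll', ('midimapper.dll', 'midimap32.dll')),
    ('clsid\\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\\inprocserver32', '(default)',
     'actxprxy.dll', ('actxprxy32.dll', 'actxprxyserv.dll')),
]

def _basename(path):
    return path.replace('/', '\\').split('\\')[-1].strip().lower()

def _parse_value_line(line):
    # reg query prints value lines as:    Name    REG_TYPE    Data  (four-space separators)
    parts = [p for p in line.strip().split('    ') if p]
    if len(parts) < 2:
        return None
    return parts[0], parts[1], (parts[2] if len(parts) > 2 else '')

def scan_reg_query(text):
    # Returns a list of (kind, key, value name, data) findings, in input order.
    findings = []
    key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith('HKEY_'):
            key = line
            klow = key.lower()
            if DF_CLSID in klow:
                findings.append(('implant-key', key, '', ''))
            if CREDENTIAL_NODE in klow:
                findings.append(('credential-store', key, '', ''))
            continue
        parsed = _parse_value_line(line) if key else None
        if parsed is None:
            continue
        name, _type, data = parsed
        klow, nlow = key.lower(), name.lower()
        for suffix, vname, legit, planted in HIJACK_POINTS:
            if klow.endswith(suffix) and nlow == vname:
                base = _basename(data)
                if base in planted:
                    findings.append(('dll-hijack', key, name, data))
                elif base != legit:      # not the implant's names, but not the stock DLL either
                    findings.append(('unexpected-dll', key, name, data))
        if klow.endswith(DF_CLSID + '\\version') and nlow == '(default)':
            findings.append(('implant-version', key, name, data))
        if klow.endswith(DF_CLSID + '\\typelib'):
            if nlow == '(default)' and data.lower().startswith(VICTIM_ID_PREFIX):
                findings.append(('victim-id', key, name, data))
            if nlow == 'digitalproductid':
                findings.append(('encrypted-config', key, name, data))
        if klow.endswith(DF_CLSID + '\\miscstatus') and (
                data.lower().startswith(MISCSTATUS_PREFIX) or nlow.startswith(MISCSTATUS_PREFIX)):
            findings.append(('miscstatus-mark', key, name, data))
        if nlow == '@writeheader' and CREDENTIAL_NODE in klow:
            findings.append(('stolen-credentials', key, name, data))
    return findings

# Constructed sample in `reg query /s` layout: one KnownDLLs hijack, a clean
# Drivers32 entry, and the implant marker key with placeholder values.
SAMPLE_REG_QUERY = '''
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs
    LINKINFO    REG_SZ    LI.DLL
    advapi32    REG_SZ    advapi32.dll

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32
    midimapper    REG_SZ    midimap.dll

HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\\Version
    (Default)    REG_SZ    008.002.000.003

HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\\TypeLib
    (Default)    REG_SZ    {8C936AF9-243D-11D0-0000-000000000000}
    DigitalProductId    REG_SZ    QUJDREVGR0hJSktMTU5PUA==
'''

if __name__ == '__main__':
    text = SAMPLE_REG_QUERY if sys.stdin.isatty() else sys.stdin.read()
    for kind, key, name, data in scan_reg_query(text):
        print(kind, key, name, data)
```

The hijack table compares only the file name, so a replacement dropped next to the stock DLL under a full path is still caught; a name that is neither the stock DLL nor one of the two implant variants is reported separately as unexpected-dll, since the filenames above come from one sample and other builds may differ.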
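The configuration, beacon and credential blobs described above are Base64 over RC6 with the 16-byte keys quoted in the analysis (the v8.2 beacon key, and the v12 data and traffic keys). The decoder below is an added example written for this page, not code from the Securelist post or recovered from the implant: it implements RC6-32/20/16 as published in the RC6 specification and wraps it in the Base64 layer. ECB mode, zero padding and little-endian word order are assumptions the article does not confirm, so a real DigitalProductId value may need those adjusted after checking against a sample; the configuration bytes used here are constructed.

```python
# Added example (not code from the Securelist post or from the implant): RC6-32/20/16
# as specified in the RC6 paper, used to decode the Base64-over-RC6 blobs described in
# the analysis. ECB mode and zero padding are assumptions; the sample config is constructed.
import base64
import struct

W = 32                      # word size in bits
MASK = 0xFFFFFFFF
ROUNDS = 20
P32 = 0xB7E15163            # RC6 key-schedule constants
Q32 = 0x9E3779B9

# Keys quoted in the analysis
BEACON_KEY_V8 = bytes.fromhex('8B 4C 25 04 56 85 C9 75 06 33 C0 5E C2 08 31 F6')
DATA_KEY = bytes.fromhex('66 39 71 3C 0F 85 99 81 20 19 35 43 FE 9A 84 11')
TRAFFIC_KEY_V12 = bytes.fromhex('32 EC 89 D8 0A 78 47 22 BD 58 2B A9 7F 12 AB 0C')

def _rotl(x, y):
    y &= W - 1
    return ((x << y) | (x >> (W - y))) & MASK

def _rotr(x, y):
    y &= W - 1
    return ((x >> y) | (x << (W - y))) & MASK

def rc6_key_schedule(key):
    # Expand the user key into 2r+4 round words (RC6 paper, key schedule).
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack('<%dI' % c, key + bytes(c * 4 - len(key))))
    n = 2 * ROUNDS + 4
    S = [P32]
    for _ in range(1, n):
        S.append((S[-1] + Q32) & MASK)
    a = b = i = j = 0
    for _ in range(3 * max(c, n)):
        a = S[i] = _rotl((S[i] + a + b) & MASK, 3)
        b = L[j] = _rotl((L[j] + a + b) & MASK, a + b)
        i = (i + 1) % n
        j = (j + 1) % c
    return S

def rc6_encrypt_block(S, block):
    A, B, C, D = struct.unpack('<4I', block)
    B = (B + S[0]) & MASK
    D = (D + S[1]) & MASK
    for r in range(1, ROUNDS + 1):
        t = _rotl((B * (2 * B + 1)) & MASK, 5)
        u = _rotl((D * (2 * D + 1)) & MASK, 5)
        A = (_rotl(A ^ t, u) + S[2 * r]) & MASK
        C = (_rotl(C ^ u, t) + S[2 * r + 1]) & MASK
        A, B, C, D = B, C, D, A
    A = (A + S[2 * ROUNDS + 2]) & MASK
    C = (C + S[2 * ROUNDS + 3]) & MASK
    return struct.pack('<4I', A, B, C, D)

def rc6_decrypt_block(S, block):
    A, B, C, D = struct.unpack('<4I', block)
    C = (C - S[2 * ROUNDS + 3]) & MASK
    A = (A - S[2 * ROUNDS + 2]) & MASK
    for r in range(ROUNDS, 0, -1):
        A, B, C, D = D, A, B, C
        u = _rotl((D * (2 * D + 1)) & MASK, 5)
        t = _rotl((B * (2 * B + 1)) & MASK, 5)
        C = _rotr((C - S[2 * r + 1]) & MASK, t) ^ u
        A = _rotr((A - S[2 * r]) & MASK, u) ^ t
    D = (D - S[1]) & MASK
    B = (B - S[0]) & MASK
    return struct.pack('<4I', A, B, C, D)

def _ecb(S, data, block_fn):
    if len(data) % 16:
        raise ValueError('RC6 data must be a multiple of 16 bytes')
    return b''.join(block_fn(S, data[i:i + 16]) for i in range(0, len(data), 16))

def encode_blob(plaintext, key):
    # RC6-ECB with zero padding, then Base64 (padding scheme is an assumption).
    padded = plaintext + bytes(-len(plaintext) % 16)
    return base64.b64encode(_ecb(rc6_key_schedule(key), padded, rc6_encrypt_block)).decode('ascii')

def decode_blob(b64_text, key):
    # Base64 -> RC6-ECB decrypt; trailing zero padding is left for the caller to strip.
    return _ecb(rc6_key_schedule(key), base64.b64decode(b64_text), rc6_decrypt_block)

# Constructed stand-in for a configuration block (the real layout is not documented here).
SAMPLE_CONFIG = b'DF-CONFIG|81.31.34.175|195.128.235.231|interval=7d'

if __name__ == '__main__':
    blob = encode_blob(SAMPLE_CONFIG, DATA_KEY)
    print(blob)
    print(decode_blob(blob, DATA_KEY).rstrip(bytes(1)))
```

Before trusting a decryption of a real sample, check this RC6 against the published test vectors from the RC6 specification and confirm the mode against the implant code: a wrong mode or key shows up as the first block decrypting cleanly while the rest is noise (CBC), or as every block being noise (wrong key or a byte-order quirk).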
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/equation-group-from-houston-with-love/68877/"
	],
	"report_names": [
		"68877"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434037,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c168d586075c976eac1b0c3d9130d23d6e4b6dae.pdf",
		"text": "https://archive.orkl.eu/c168d586075c976eac1b0c3d9130d23d6e4b6dae.txt",
		"img": "https://archive.orkl.eu/c168d586075c976eac1b0c3d9130d23d6e4b6dae.jpg"
	}
}