{
	"id": "9902f334-e969-4711-9e56-b9e11b37b508",
	"created_at": "2026-04-06T00:12:19.307246Z",
	"updated_at": "2026-04-10T03:31:17.872227Z",
	"deleted_at": null,
	"sha1_hash": "e57d09562b9a3ca615f74903bc4bc172f7475946",
	"title": "Wikileaks Vault7 JQJSNICKER code leak",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 448461,
	"plain_text": "Wikileaks Vault7 JQJSNICKER code leak\r\nArchived: 2026-04-02 12:45:46 UTC\r\nThis is a high-level and quick analysis to get the ball rolling, as there did not seem to be anything public on this binary leak. I wanted to note a few things so that malware researchers could follow up. Please feel free to email me corrections and additions to Marc at the name of this website.com. Twitter updates happen here: https://twitter.com/marcmaiffret\r\nhttps://wikileaks.org/ciav7p1/cms/page_41123853.html\r\nWikileaks decided to redact all binaries that were part of the CIA leak. There seem to be two binaries, however, that they either decided not to redact or simply made a mistake.\r\nThe first is win32-srv8.zabbix-tech.com.exe which was simply left for download. https://wikileaks.org/ciav7p1/cms/page_34308128.html This has been referenced in a few places online and I assume analyzed by someone somewhere.\r\nThe one I wanted to make a quick note about was in relation to JQJSNICKER (https://wikileaks.org/ciav7p1/cms/page_41123853.html). Wikileaks redacted all binaries on this page by replacing them with a PDF that mentions the files are still being examined.\r\nThey did however allow the downloading of the file installer.reg. This is a Windows Registry key file that, when imported on a system, will create a scheduled task within Windows. After cleaning up the .reg file by replacing # characters with nothing you will then have a key value Data variable and within that is a base64 encoded DLL executable.\r\nhttp://marcmaiffret.com/vault7/\r\nPage 1 of 5\r\nThis decodes to a dll which had been named installer.dll. This is a .NET application that you can decompile in any .NET decompiler such as Jetbrains dotPeek. The authors did try for some mild .NET code obfuscation by using Redgate's .NET obfuscator SmartAssembly.\r\nThe Installer.dll itself has some interesting functionality, including launching a PowerShell command with executionPolicy unrestricted.\r\nWhat is more interesting is another encoded .NET DLL within the resources section of Installer.dll. This is also Base64 encoded and decodes to a file Core.dll.\r\nCore.dll appears to be a command and control, or more so, command and execute program. It should be noted that there are characteristics of this program that fit with implant design recommendations that are documented throughout the Vault7 leaks.\r\nOne notable aspect of Core.dll is that it referenced urls at the website notepad.cc.\r\nNotepad.cc was a public website like pastebin where people could anonymously post content to later be referenced via static urls. I am posting this quick, so more time is needed to investigate exactly how those urls are leveraged. It should be noted that the developer of Notepad.cc shut down the website in December 2015.\r\nAnother aspect of the call back mechanism is that it appears to have a typo in the user agent header which could be used from a signature perspective.\r\nThe UserAgent variable is missing the closing ). It is also worth noting they used a touch enabled device user agent string as signified by the Touch at the end. It is possible they copied and pasted from the touch screen Dell laptops in their labs? :-o\r\nThere is more in these binaries but I wanted to get something up quick so that the much better full time malware reverse engineers can have a look.\r\nLastly, it should be noted that when I first uploaded these binaries to Virus Total the detection was 2/59 for the Installer.dll and 1/60 for the Core.dll.\r\nWhat is interesting is that Kaspersky was one of the only scanners to have detection so far. This makes sense as it is my understanding that Kaspersky has an internal report on this malware in which they point out this possible Wikileaks binary mistake that I am documenting here. Not sure that they have made that public yet but did not see anything on their blog at time of writing. Note the reason that ZoneAlarm is detecting this also is because they license Kaspersky's engine. It is also interesting to note that Kaspersky, at the time this was written, was not detecting Core.dll (embedded within Installer.dll). I am not sure if that is because they did not see that in their analysis or signature updates had just not hit Virus Total yet.\r\nThe code has mechanisms to clean itself from a system. There are however artifacts that could possibly be left by accident and/or on a system that never had a cleanup initialized. One of those examples is a registry key that seems unique to this malware:\r\nSOFTWARE\\Microsoft\\DRM\\{cd704ff3-cd05-479e-acf7-6474908031dd}\r\nYou can download the reg file and binaries from here. The password is JQJSNICKER.\r\nI will post updates of any additions or corrections that people might send but really my goal is to make sure malware researchers are checking this out and putting out further public analysis.\r\nSource: http://marcmaiffret.com/vault7/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://marcmaiffret.com/vault7/"
	],
	"report_names": [
		"vault7"
	],
	"threat_actors": [
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434339,
	"ts_updated_at": 1775791877,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e57d09562b9a3ca615f74903bc4bc172f7475946.pdf",
		"text": "https://archive.orkl.eu/e57d09562b9a3ca615f74903bc4bc172f7475946.txt",
		"img": "https://archive.orkl.eu/e57d09562b9a3ca615f74903bc4bc172f7475946.jpg"
	}
}