{
	"id": "07df4239-dd3b-4c53-8953-c68b101d9c54",
	"created_at": "2026-04-06T00:15:36.105028Z",
	"updated_at": "2026-04-10T03:35:34.390148Z",
	"deleted_at": null,
	"sha1_hash": "fca1a7535373a54af6abd33526865c25c42d3bf6",
	"title": "Equation Group - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91988,
	"plain_text": "Equation Group - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 13:07:03 UTC\r\nAPT group: Equation Group\r\nNames\r\nEquation Group (real name)\r\nTilded Team (CrySys)\r\nPlatinum Colony (SecureWorks)\r\nAPT-C-40 (Qihoo 360)\r\nG0020 (MITRE)\r\nCountry USA\r\nSponsor State-sponsored, believed to be tied to the NSA’s Tailored Access Operations unit\r\nMotivation Information theft and espionage, Sabotage and destruction\r\nFirst seen 2001\r\nDescription (Ars Technica) Kaspersky researchers have documented 500 infections by Equation Group\r\nin at least 42 countries, with Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali\r\ntopping the list. Because of a self-destruct mechanism built into the malware, the\r\nresearchers suspect that this is just a tiny percentage of the total; the actual number of\r\nvictims likely reaches into the tens of thousands.\r\nA long list of almost superhuman technical feats illustrate Equation Group’s extraordinary\r\nskill, painstaking work, and unlimited resources. They include:\r\n• The use of virtual file systems, a feature also found in the highly sophisticated Regin\r\nmalware. Recently published documents provided by Ed Snowden indicate that the NSA\r\nused Regin to infect the partly state-owned Belgian firm Belgacom.\r\n• The stashing of malicious files in multiple branches of an infected computer’s registry.\r\nBy encrypting all malicious files and storing them in multiple branches of a computer’s\r\nWindows registry, the infection was impossible to detect using antivirus software.\r\n• Redirects that sent iPhone users to unique exploit Web pages. In addition, infected\r\nmachines reporting to Equation Group command servers identified themselves as Macs,\r\nan indication that the group successfully compromised both iOS and OS X devices.\r\n• The use of more than 300 Internet domains and 100 servers to host a sprawling\r\ncommand and control infrastructure.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=29bfd981-357b-4871-ba4b-ada033ba3217\r\nPage 1 of 3\n\n• USB stick-based reconnaissance malware to map air-gapped networks, which are so\r\nsensitive that they aren’t connected to the Internet. Both Stuxnet and the related Flame\r\nmalware platform also had the ability to bridge airgaps.\r\n• An unusual if not truly novel way of bypassing code-signing restrictions in modern\r\nversions of Windows, which require that all third-party software interfacing with the\r\noperating system kernel be digitally signed by a recognized certificate authority. To\r\ncircumvent this restriction, Equation Group malware exploited a known vulnerability in\r\nan already signed driver for CloneCD to achieve kernel-level code execution.\r\nTaken together, the accomplishments led Kaspersky researchers to conclude that Equation\r\nGroup is probably the most sophisticated computer attack group in the world, with\r\ntechnical skill and resources that rival the groups that developed Stuxnet and the Flame\r\nespionage malware in Operation Olympic Games.\r\nOther publicly exposed major APT activities from the NSA involve the wholesale\r\nworldwide spying from programs such as PRISM and, together with GCHQ, INCENSER,\r\nwhere various international Internet trunks were tapped.\r\nChina's Ministry of State Security (MSS) has accused the U.S. of breaking into Huawei's\r\nservers, stealing critical data, and implanting backdoors since 2009, amid mounting\r\ngeopolitical tensions between the two countries.\r\nObserved\r\nSectors: Aerospace, Defense, Education, Energy, Government, Media, Oil and gas,\r\nTelecommunications, Transportation and Nanotechnology, Nuclear research, Islamic\r\nactivists and scholars, and companies developing cryptographic technologies.\r\nCountries: Afghanistan, Algeria, Austria, Bangladesh, Belgium, Bolivia, Bosnia and\r\nHerzegovina, Botswana, Brazil, Chile, China, Cyprus, Ecuador, Egypt, Finland, France,\r\nGabon, Germany, Greece, Hong Kong, Hungary, India, Iran, Iraq, Israel, Italy, Japan,\r\nJordan, Kazakhstan, Kenya, Lebanon, Libya, Malaysia, Mali, Mexico, Netherlands,\r\nNicaragua, Nigeria, Norway, Pakistan, Palestine, Philippines, Poland, Qatar, Romania,\r\nRussia, Saudi Arabia, Singapore, Somalia, South Africa, South Korea, Spain, Sudan,\r\nSweden, Switzerland, Syria, Thailand, Turkey, UAE, UK, USA, Venezuela, Yemen.\r\nTools used\r\nBvp47, DanderSpritz, DarkPulsar, DOUBLEFANTASY, DoubleFeature, DoublePulsar,\r\nDuqu, EQUATIONDRUG, EQUATIONLASER, FANNY, Flame, GRAYFISH, GROK,\r\nLambert, OddJob, Regin, TRIPLEFANTASY, UNITEDRAKE and many others.\r\nCounter operations Aug 2016\r\nTheir arsenal of 0-day cyber weapons was stolen by an actor Shadow\r\nBrokers, who leaked a large section on the internet and tried to sell the rest\r\nafterward.\r\nMost notable among the dumps were 0-days such as ETERNALBLUE and\r\nETERNALROMANCE that were used by other groups for the creation of\r\ninfamous ransomware explosions such as WannaCry and NotPetya.\r\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=29bfd981-357b-4871-ba4b-ada033ba3217",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=29bfd981-357b-4871-ba4b-ada033ba3217"
	],
	"report_names": [
		"showcard.cgi?u=29bfd981-357b-4871-ba4b-ada033ba3217"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d7c5a1bf-85c9-4d2f-bdbd-1455f5f2ae65",
			"created_at": "2022-10-25T16:07:23.978074Z",
			"updated_at": "2026-04-10T02:00:04.817311Z",
			"deleted_at": null,
			"main_name": "Operation Olympic Games",
			"aliases": [
				"GOSSIPGIRL"
			],
			"source_name": "ETDA:Operation Olympic Games",
			"tools": [
				"Stuxnet",
				"W32.Stuxnet"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434536,
	"ts_updated_at": 1775792134,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fca1a7535373a54af6abd33526865c25c42d3bf6.pdf",
		"text": "https://archive.orkl.eu/fca1a7535373a54af6abd33526865c25c42d3bf6.txt",
		"img": "https://archive.orkl.eu/fca1a7535373a54af6abd33526865c25c42d3bf6.jpg"
	}
}