{
	"id": "145f66cb-d4ad-4ab1-88ec-eff25d32eca5",
	"created_at": "2026-04-06T00:08:41.294166Z",
	"updated_at": "2026-04-10T03:26:53.336673Z",
	"deleted_at": null,
	"sha1_hash": "ffb0f848d0ef357a1544b5d3caf2177f7f74e419",
	"title": "Malware Using Exploits from Shadow Brokers Leak Reportedly in the Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 771890,
	"plain_text": "Malware Using Exploits from Shadow Brokers Leak Reportedly in the Wild\r\nArchived: 2026-04-05 20:38:39 UTC\r\nThe effects of the recent leak of malware, hacking tools, and exploits by the hacking group Shadow Brokers are now coming to light, as two malware families whose attack chains were derived from Shadow Brokers’ leak have reportedly been sighted in the wild: AES-NI ransomware (detected by Trend Micro as RANSOM_HPSOREBRECT.SM) and the DoublePulsar backdoor. What can organizations and end users do to mitigate these threats?\r\nAES-NI’s Developer Claims to Use EternalBlue Exploit\r\nA version of AES-NI ransomware, so named based on its ransom note and unrelated to the homonymous cryptographic instruction set, purportedly uses the “EternalBlue” exploit, one of the many included in the Shadow Brokers leak. The exploit takes advantage of a remote code execution vulnerability in the Windows Server Message Block (SMB) server found in almost all Windows operating systems (OS). Microsoft addressed this via a patch (MS17-010) released on March 14, 2017.\r\nAccording to reports, AES-NI’s developer professed to have successfully used EternalBlue to install his own crafted ransomware on vulnerable systems or servers. His only proof is a screenshot, posted to his now-defunct Twitter account, of the developer scanning the targeted server for exploits drawn from Shadow Brokers’ dump.\r\n[READ: Protect, Contain, and Recover: How Organizations can Defend against Ransomware]\r\nHowever, security researchers dismissed the claim, noting that the attacker may not be using the exploit after all, but may instead be abusing Remote Desktop Protocol (RDP) and taking advantage of poorly secured internet-exposed remote desktops or servers. This has been the modus operandi of another ransomware family, Crysis (RANSOM_CRYSIS), which Trend Micro initially found targeting Australian and New Zealand businesses in September 2016. Crysis’s operators have since ramped up their malicious activities, and were found in February 2017 targeting SMEs and large enterprises worldwide, especially those in healthcare. The attack chain involves the bad guys brute-forcing their way into the system, then dropping and executing the payload on the compromised machine.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malware-using-exploits-from-shadow-brokers-in-the-wild\r\nPage 1 of 4\r\nAES-NI’s activity is also consistent with Trend Micro’s ongoing monitoring. Despite being a newcomer in the ransomware landscape (our earliest detection and monitoring were in February 2017), the ransomware family had a modest spike in activity that topped out around the week of April 17–24, 2017.\r\nAccording to the ransom note of AES-NI’s “NSA EXPLOIT EDITION” version, infected files are encrypted using the AES-256 algorithm in Electronic Codebook (ECB) mode. Victims are urged to contact the developer via email, BitMsg (a web application using Bitmessage, a peer-to-peer communications protocol), or a forum. Other malware analysts note that this version demands a ransom of 1.5 Bitcoins (equivalent to USD $1,900 as of April 25, 2017), with the cybercriminal offering free decryption to victims from the Commonwealth of Independent States.\r\n[READ: What does Shadow Brokers’s malware dump mean for enterprises?]\r\nDoublePulsar Infections Soaring\r\nAnother notable threat that’s currently making headlines, and one that can be traced to Shadow Brokers’ leak, is DoublePulsar, a remote access Trojan/backdoor that appears to be the payload for many of the exploits found in the dump. DoublePulsar is now apparently being adopted by various threat actors since its public release by Shadow Brokers.\r\nDoublePulsar is a memory-based kernel payload that allows attackers to inject arbitrary Dynamic-link Library (DLL) files into system processes and execute shellcode payloads, ultimately providing attackers unprecedented access to infected x86 and 64-bit systems. Trend Micro’s continuous analysis of the dump suggests that EternalBlue is one of the exploits that also executes DoublePulsar as its payload. EternalBlue is part of the Fuzzbunch framework (also found in the dump), which is responsible for executing the exploits.\r\nThe attacks also involve sending malicious SMB requests to the port on which the targeted machine runs the SMB service (port 445), which is typically left exposed to the Internet. Internet scans for DoublePulsar infections indicate that they are currently increasing, with more than 40,000 publicly exposed machines running SMB reported to be infected.\r\nDoublePulsar has been addressed by Microsoft via the same update (MS17-010) that patches the security flaws in the SMB protocol across various Windows system and server OSes.\r\n[READ: How do backdoors work, and how can they be thwarted?]\r\nHow can these threats be mitigated?\r\nWhile these threats can pose significant risks to businesses and end users alike, many of the exploits and malware recently leaked by Shadow Brokers leverage relatively old vulnerabilities that can be prevented from being abused by applying the latest patches and keeping systems up-to-date.\r\nHere are some best practices that enterprises and individual users can adopt to mitigate these threats:\r\nDisable unnecessary, outdated, and unsupported components (or applications/software that use them); blocking them at the network level (like blocking TCP port 445 and related protocols) is also recommended\r\nDeploy firewalls as well as intrusion detection and prevention systems to monitor and validate the traffic traversing in and out of the network\r\nApart from fostering security awareness in the workplace, provide actionable instructions like requiring employees to use a virtual private network (VPN) when remotely accessing company assets\r\nProvide additional layers of security to remote connections, from authentication and the principle of least privilege to encryption of remote desktops\r\nOn top of keeping systems up-to-date, enforce a stronger patch management policy, and employ virtual patching\r\nMigrating to newer operating systems and software can also reduce the risks caused by the use of unsupported software\r\nEmploy network segmentation to limit access to sensitive data (and networks), as well as data categorization to lessen the impact of a breach\r\nTrend Micro Solutions:\r\nTrend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect similar threats even without any engine or pattern update.\r\nTrend Micro’s Hybrid Cloud Security solution, powered by XGen™ security and featuring Trend Micro™ Deep Security™, delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical, virtual, and cloud workloads/servers.\r\nTippingPoint’s Integrated Advanced Threat Prevention provides actionable security intelligence, shielding against vulnerabilities and exploits, and defending against known and zero-day attacks. TippingPoint’s solutions, such as Advanced Threat Protection and Intrusion Prevention System, powered by XGen™ security, use a combination of technologies such as deep packet inspection, threat reputation, and advanced malware analysis to detect and block attacks and advanced threats.\r\nDeep Discovery Inspector protects customers from AES-NI ransomware’s malicious network activity via this DDI Rule:\r\nDDI Rule ID 1078: ‘Possible TOR node certificate detected’\r\nTippingPoint protects customers from AES-NI ransomware via this ThreatDV filter:\r\n30623: TLS: Suspicious SSL Certificate (DGA)\r\nTippingPoint customers are protected against EternalBlue via this MainlineDV filter:\r\n27928: SMB: Microsoft Windows SMB Remote Code Execution Vulnerability (EternalBlue)\r\nIn-depth information on Trend Micro’s detections and solutions for Trend Micro Deep Security, Vulnerability Protection, TippingPoint and Deep Discovery Inspector can be found in this technical support brief.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malware-using-exploits-from-shadow-brokers-in-the-wild"
	],
	"report_names": [
		"malware-using-exploits-from-shadow-brokers-in-the-wild"
	],
	"threat_actors": [
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434121,
	"ts_updated_at": 1775791613,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ffb0f848d0ef357a1544b5d3caf2177f7f74e419.pdf",
		"text": "https://archive.orkl.eu/ffb0f848d0ef357a1544b5d3caf2177f7f74e419.txt",
		"img": "https://archive.orkl.eu/ffb0f848d0ef357a1544b5d3caf2177f7f74e419.jpg"
	}
}