SYMBOLCOMMON_NAMEaka. SYNONYMS

Equation Group  (Back to overview)

aka: Tilded Team, Lamberts, EQGRP, Longhorn, PLATINUM TERMINAL

The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame


Associated Families
elf.bvp47 elf.doublefantasy osx.lambert win.darkpulsar win.doublepulsar win.fancyfilter win.lambert win.mistyveal win.oddjob win.peddlecheap win.tildeb win.unidentified_020_cia_vault7 win.fanny win.equationdrug win.grok win.doublefantasy

References
2022-02-23Bleeping ComputerIonut Ilascu
@online{ilascu:20220223:nsalinked:556c453, author = {Ionut Ilascu}, title = {{NSA-linked Bvp47 Linux backdoor widely undetected for 10 years}}, date = {2022-02-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years/}, language = {English}, urldate = {2022-03-01} } NSA-linked Bvp47 Linux backdoor widely undetected for 10 years
Bvp47
2022-02-23Pangu LabPangu Lab
@online{lab:20220223:bvp47:c8f2a2f, author = {Pangu Lab}, title = {{The Bvp47 - a Top-tier Backdoor of US NSA Equation Group}}, date = {2022-02-23}, organization = {Pangu Lab}, url = {https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/}, language = {English}, urldate = {2022-03-01} } The Bvp47 - a Top-tier Backdoor of US NSA Equation Group
Bvp47
2022-02-23The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220223:chinese:06abbe8, author = {Ravie Lakshmanan}, title = {{Chinese Experts Uncover Details of Equation Group's Bvp47 Covert Hacking Tool}}, date = {2022-02-23}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html}, language = {English}, urldate = {2022-03-01} } Chinese Experts Uncover Details of Equation Group's Bvp47 Covert Hacking Tool
Bvp47
2022-02-22Pangu LabPangu Lab
@techreport{lab:20220222:bvp47:0b9392d, author = {Pangu Lab}, title = {{Bvp47 - Top-tier Backdoor of US NSA Equation Group}}, date = {2022-02-22}, institution = {Pangu Lab}, url = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf}, language = {English}, urldate = {2022-03-01} } Bvp47 - Top-tier Backdoor of US NSA Equation Group
Bvp47
2022-01-21Twitter (@_CPResearch_)Check Point Research
@online{research:20220121:whitelambert:e5581c9, author = {Check Point Research}, title = {{Tweet on WhiteLambert malware}}, date = {2022-01-21}, organization = {Twitter (@_CPResearch_)}, url = {https://twitter.com/_CPResearch_/status/1484502090068242433}, language = {English}, urldate = {2022-01-25} } Tweet on WhiteLambert malware
Lambert
2021-12-27Checkpoint Research
@online{research:20211227:deep:c94d67d, author = {Checkpoint Research}, title = {{A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard}}, date = {2021-12-27}, url = {https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/}, language = {English}, urldate = {2022-01-05} } A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard
Equationgroup (Sorting) Fanny MISTYVEAL PeddleCheap
2021-12-01ESET ResearchAlexis Dorais-Joncas, Facundo Muñoz
@techreport{doraisjoncas:20211201:jumping:00bc8f5, author = {Alexis Dorais-Joncas and Facundo Muñoz}, title = {{Jumping the air gap: 15 years of nation‑state effort}}, date = {2021-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf}, language = {English}, urldate = {2021-12-17} } Jumping the air gap: 15 years of nation‑state effort
Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry
2021-10-01Objective-SeeRuna Sandvik
@online{sandvik:20211001:made:832ee10, author = {Runa Sandvik}, title = {{Made In America: Green Lambert for OS X}}, date = {2021-10-01}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x68.html}, language = {English}, urldate = {2021-10-24} } Made In America: Green Lambert for OS X
Lambert
2021-06-10ESET ResearchAdam Burgher
@online{burgher:20210610:backdoordiplomacy:4ebcb1d, author = {Adam Burgher}, title = {{BackdoorDiplomacy: Upgrading from Quarian to Turian}}, date = {2021-06-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/}, language = {English}, urldate = {2021-06-16} } BackdoorDiplomacy: Upgrading from Quarian to Turian
CHINACHOPPER DoublePulsar EternalRocks BackdoorDiplomacy
2021-02-05EpicTurlaJuan Andrés Guerrero-Saade
@online{guerrerosaade:20210205:voltron:953cec2, author = {Juan Andrés Guerrero-Saade}, title = {{Voltron STA The curious case of 0xFancyFilter}}, date = {2021-02-05}, organization = {EpicTurla}, url = {https://www.epicturla.com/previous-works/hitb2020-voltron-sta}, language = {English}, urldate = {2021-02-06} } Voltron STA The curious case of 0xFancyFilter
fancyfilter MISTYVEAL Regin
2020-09-28fmmresearch wordpressFacundo Muñoz
@online{muoz:20200928:emerald:07900c2, author = {Facundo Muñoz}, title = {{The Emerald Connection: EquationGroup collaboration with Stuxnet}}, date = {2020-09-28}, organization = {fmmresearch wordpress}, url = {https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/}, language = {English}, urldate = {2020-10-04} } The Emerald Connection: EquationGroup collaboration with Stuxnet
Fanny Stuxnet
2020-09-28fmmresearch wordpressFacundo Muñoz
@techreport{muoz:20200928:emerald:1e7fceb, author = {Facundo Muñoz}, title = {{The Emerald Connection: Equation Group collaboration with Stuxnet}}, date = {2020-09-28}, institution = {fmmresearch wordpress}, url = {https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf}, language = {English}, urldate = {2020-10-04} } The Emerald Connection: Equation Group collaboration with Stuxnet
Fanny Stuxnet
2020-09-10Kaspersky LabsGReAT
@online{great:20200910:overview:f751b73, author = {GReAT}, title = {{An overview of targeted attacks and APTs on Linux}}, date = {2020-09-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/}, language = {English}, urldate = {2020-10-05} } An overview of targeted attacks and APTs on Linux
Cloud Snooper Dacls DoubleFantasy MESSAGETAP Penquin Turla Tsunami elf.wellmess X-Agent
2020-08-27fmnagisa wordpressFacundo M
@online{m:20200827:revisiting:bac6d3b, author = {Facundo M}, title = {{Revisiting EquationGroup’s FANNY… or is it DEMENTIAWHEEL?}}, date = {2020-08-27}, organization = {fmnagisa wordpress}, url = {https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/}, language = {English}, urldate = {2020-10-04} } Revisiting EquationGroup’s FANNY… or is it DEMENTIAWHEEL?
DoubleFantasy Fanny
2020-08-15Twitter (@Int2e_)Adrien B
@online{b:20200815:doublefantasy:6c843b6, author = {Adrien B}, title = {{Tweet on DoubleFantasy}}, date = {2020-08-15}, organization = {Twitter (@Int2e_)}, url = {https://twitter.com/Int2e_/status/1294565186939092994}, language = {English}, urldate = {2020-08-18} } Tweet on DoubleFantasy
DoubleFantasy
2020-05-07Twitter (@ESETresearch)ESET Research
@online{research:20200507:peddlecheap:8a701e3, author = {ESET Research}, title = {{Tweet on PeddleCheap packed with Winnti packer}}, date = {2020-05-07}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1258353960781598721}, language = {English}, urldate = {2020-05-07} } Tweet on PeddleCheap packed with Winnti packer
PeddleCheap
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:platinum:3145483, author = {SecureWorks}, title = {{PLATINUM TERMINAL}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/platinum-terminal}, language = {English}, urldate = {2020-05-23} } PLATINUM TERMINAL
TalentRAT Equation Group
2019-11-08WikipediaVarious
@online{various:20191108:wikipedia:e281c5b, author = {Various}, title = {{Wikipedia Entry on Equation Group}}, date = {2019-11-08}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Equation_Group}, language = {English}, urldate = {2020-01-08} } Wikipedia Entry on Equation Group
Equation Group
2019-09-30QianxinRed Raindrop Team
@online{team:20190930:analysis:e586631, author = {Red Raindrop Team}, title = {{Analysis and disclosure of the CIA's cyber arsenal}}, date = {2019-09-30}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/network-weapons-of-cia/}, language = {Chinese}, urldate = {2022-05-04} } Analysis and disclosure of the CIA's cyber arsenal
Lambert
2019-05-07SymantecSecurity Response Attack Investigation Team
@online{team:20190507:buckeye:a4cf7d8, author = {Security Response Attack Investigation Team}, title = {{Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak}}, date = {2019-05-07}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit}, language = {English}, urldate = {2020-01-13} } Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak
DoublePulsar
2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:equation:a2da8f9, author = {Cyber Operations Tracker}, title = {{Equation Group}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/equation-group}, language = {English}, urldate = {2019-12-20} } Equation Group
Equation Group
2019MITREMITRE ATT&CK
@online{attck:2019:equation:8b2ae74, author = {MITRE ATT&CK}, title = {{Group description: Equation}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0020/}, language = {English}, urldate = {2019-12-20} } Group description: Equation
Equation Group
2018-12-13Trend MicroMohamad Mokbel
@techreport{mokbel:20181213:tildeb:99fb939, author = {Mohamad Mokbel}, title = {{Tildeb: An Implant from the Shadow Brokers’ Leak}}, date = {2018-12-13}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/tech-brief-tildeb-analyzing-the-18-year-old-implant-from-the-shadow-brokers-leak.pdf}, language = {English}, urldate = {2021-09-19} } Tildeb: An Implant from the Shadow Brokers’ Leak
tildeb
2018-06-15Youtube (defconswitzerland)Costin Raiu
@online{raiu:20180615:area41:6009950, author = {Costin Raiu}, title = {{Area41 Keynote}}, date = {2018-06-15}, organization = {Youtube (defconswitzerland)}, url = {https://www.youtube.com/watch?v=jeLd-gw2bWo}, language = {English}, urldate = {2020-01-09} } Area41 Keynote
Lambert Regin
2018-02-06ForcepointJohn Bergbom
@online{bergbom:20180206:danderspritzpeddlecheap:b09bc8f, author = {John Bergbom}, title = {{DanderSpritz/PeddleCheap traffic analysis (Part 1 of 2)}}, date = {2018-02-06}, organization = {Forcepoint}, url = {https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#}, language = {English}, urldate = {2020-05-07} } DanderSpritz/PeddleCheap traffic analysis (Part 1 of 2)
PeddleCheap
2017-11-13Obscurity LabsObscurity Labs
@online{labs:20171113:match:b967fde, author = {Obscurity Labs}, title = {{Match Made In The Shadows: Part [3]}}, date = {2017-11-13}, organization = {Obscurity Labs}, url = {https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/}, language = {English}, urldate = {2020-05-07} } Match Made In The Shadows: Part [3]
PeddleCheap
2017-04-10SymantecSymantec Security Response
@online{response:20170410:longhorn:e48f344, author = {Symantec Security Response}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7}, language = {English}, urldate = {2020-01-09} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-04-10SymantecA L Johnson
@online{johnson:20170410:longhorn:811e6dc, author = {A L Johnson}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-03-30Artem Baranov
@online{baranov:20170330:equationdrug:7255a48, author = {Artem Baranov}, title = {{EquationDrug rootkit analysis (mstcp32.sys)}}, date = {2017-03-30}, url = {http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html}, language = {English}, urldate = {2020-01-07} } EquationDrug rootkit analysis (mstcp32.sys)
EquationDrug
2017-03-07WikileaksWikileaks
@online{wikileaks:20170307:vault:839b275, author = {Wikileaks}, title = {{Vault 7: CIA Hacking Tools Revealed}}, date = {2017-03-07}, organization = {Wikileaks}, url = {https://wikileaks.org/ciav7p1/cms/page_34308128.html}, language = {English}, urldate = {2020-01-08} } Vault 7: CIA Hacking Tools Revealed
Unidentified 020 (Vault7)
2016-11-04Antiy CERTAntiy CERT
@techreport{cert:20161104:from:a139d13, author = {Antiy CERT}, title = {{FROM EQUATION TO EQUATIONS}}, date = {2016-11-04}, institution = {Antiy CERT}, url = {https://www.antiy.com/response/FROM_EQUATION_TO_EQUATIONS.pdf}, language = {English}, urldate = {2020-08-18} } FROM EQUATION TO EQUATIONS
DoubleFantasy
2016-10-05ThaiCERT
@online{thaicert:20161005:shadow:5256332, author = {ThaiCERT}, title = {{The Shadow Brokers auctions cyber weapons from Equation Group}}, date = {2016-10-05}, url = {https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0}, language = {English}, urldate = {2019-12-20} } The Shadow Brokers auctions cyber weapons from Equation Group
Equation Group
2015-03-11Kaspersky LabsGReAT
@online{great:20150311:inside:28cec3e, author = {GReAT}, title = {{Inside the EquationDrug Espionage Platform}}, date = {2015-03-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/inside-the-equationdrug-espionage-platform/69203/}, language = {English}, urldate = {2019-12-20} } Inside the EquationDrug Espionage Platform
EquationDrug
2015-02-16Kaspersky LabsGReAT
@online{great:20150216:equation:ad81ead, author = {GReAT}, title = {{Equation: The Death Star of Malware Galaxy}}, date = {2015-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/}, language = {English}, urldate = {2022-05-23} } Equation: The Death Star of Malware Galaxy
DoubleFantasy EquationDrug Fanny GROK
2015-02-16Kaspersky LabsGReAT
@online{great:20150216:equation:7b95c72, author = {GReAT}, title = {{Equation: The Death Star of Malware Galaxy}}, date = {2015-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1}, language = {English}, urldate = {2019-12-20} } Equation: The Death Star of Malware Galaxy
Fanny
2015-02-16Ars TechnicaDan Goodin
@online{goodin:20150216:how:4e36cde, author = {Dan Goodin}, title = {{How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last}}, date = {2015-02-16}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/}, language = {English}, urldate = {2019-12-06} } How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
Equation Group
2015-02Kaspersky LabsKaspersky
@techreport{kaspersky:201502:equation:3c079fb, author = {Kaspersky}, title = {{Equation Group: Questions and Answers}}, date = {2015-02}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf}, language = {English}, urldate = {2020-01-08} } Equation Group: Questions and Answers
Equation Group
2014-04-17Nettitude LabsNettitude Labs
@online{labs:20140417:quick:6a0fa31, author = {Nettitude Labs}, title = {{A quick analysis of the latest Shadow Brokers dump}}, date = {2014-04-17}, organization = {Nettitude Labs}, url = {https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/}, language = {English}, urldate = {2019-12-19} } A quick analysis of the latest Shadow Brokers dump
DarkPulsar
2010-09WikipediaWikipedia
@online{wikipedia:201009:stuxnet:9b317f2, author = {Wikipedia}, title = {{Stuxnet}}, date = {2010-09}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Stuxnet}, language = {English}, urldate = {2019-10-23} } Stuxnet
Equation Group

Credits: MISP Project