
Equation Group

aka: Tilded Team, Lamberts, EQGRP, Longhorn, PLATINUM TERMINAL

The Equation Group is a threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside the creators of Stuxnet and Flame but always from a position of superiority.


Associated Families
elf.doublefantasy win.darkpulsar win.doublefantasy win.doublepulsar win.equationdrug win.fancyfilter win.fanny win.grok win.lambert win.mistyveal win.oddjob win.peddlecheap win.tildeb win.unidentified_020_cia_vault7 osx.lambert

References
2021-10-01 | Objective-See | Runa Sandvik
@online{sandvik:20211001:made:832ee10, author = {Runa Sandvik}, title = {{Made In America: Green Lambert for OS X}}, date = {2021-10-01}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x68.html}, language = {English}, urldate = {2021-10-24} } Made In America: Green Lambert for OS X
Lambert
2021-06-10 | ESET Research | Adam Burgher
@online{burgher:20210610:backdoordiplomacy:4ebcb1d, author = {Adam Burgher}, title = {{BackdoorDiplomacy: Upgrading from Quarian to Turian}}, date = {2021-06-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/}, language = {English}, urldate = {2021-06-16} } BackdoorDiplomacy: Upgrading from Quarian to Turian
CHINACHOPPER DoublePulsar EternalRocks BackdoorDiplomacy
2021-02-05 | EpicTurla | Juan Andrés Guerrero-Saade
@online{guerrerosaade:20210205:voltron:953cec2, author = {Juan Andrés Guerrero-Saade}, title = {{Voltron STA The curious case of 0xFancyFilter}}, date = {2021-02-05}, organization = {EpicTurla}, url = {https://www.epicturla.com/previous-works/hitb2020-voltron-sta}, language = {English}, urldate = {2021-02-06} } Voltron STA The curious case of 0xFancyFilter
fancyfilter MISTYVEAL Regin
2020-09-28 | fmmresearch wordpress | Facundo Muñoz
@online{muoz:20200928:emerald:07900c2, author = {Facundo Muñoz}, title = {{The Emerald Connection: EquationGroup collaboration with Stuxnet}}, date = {2020-09-28}, organization = {fmmresearch wordpress}, url = {https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/}, language = {English}, urldate = {2020-10-04} } The Emerald Connection: EquationGroup collaboration with Stuxnet
Fanny Stuxnet
2020-09-28 | fmmresearch wordpress | Facundo Muñoz
@techreport{muoz:20200928:emerald:1e7fceb, author = {Facundo Muñoz}, title = {{The Emerald Connection: Equation Group collaboration with Stuxnet}}, date = {2020-09-28}, institution = {fmmresearch wordpress}, url = {https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf}, language = {English}, urldate = {2020-10-04} } The Emerald Connection: Equation Group collaboration with Stuxnet
Fanny Stuxnet
2020-09-10 | Kaspersky Labs | GReAT
@online{great:20200910:overview:f751b73, author = {GReAT}, title = {{An overview of targeted attacks and APTs on Linux}}, date = {2020-09-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/}, language = {English}, urldate = {2020-10-05} } An overview of targeted attacks and APTs on Linux
Cloud Snooper Dacls DoubleFantasy MESSAGETAP Penquin Turla Tsunami elf.wellmess X-Agent
2020-08-27 | fmnagisa wordpress | Facundo M
@online{m:20200827:revisiting:bac6d3b, author = {Facundo M}, title = {{Revisiting EquationGroup’s FANNY… or is it DEMENTIAWHEEL?}}, date = {2020-08-27}, organization = {fmnagisa wordpress}, url = {https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/}, language = {English}, urldate = {2020-10-04} } Revisiting EquationGroup’s FANNY… or is it DEMENTIAWHEEL?
DoubleFantasy Fanny
2020-08-15 | Twitter (@Int2e_) | Adrien B
@online{b:20200815:doublefantasy:6c843b6, author = {Adrien B}, title = {{Tweet on DoubleFantasy}}, date = {2020-08-15}, organization = {Twitter (@Int2e_)}, url = {https://twitter.com/Int2e_/status/1294565186939092994}, language = {English}, urldate = {2020-08-18} } Tweet on DoubleFantasy
DoubleFantasy
2020-05-07 | Twitter (@ESETresearch) | ESET Research
@online{research:20200507:peddlecheap:8a701e3, author = {ESET Research}, title = {{Tweet on PeddleCheap packed with Winnti packer}}, date = {2020-05-07}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1258353960781598721}, language = {English}, urldate = {2020-05-07} } Tweet on PeddleCheap packed with Winnti packer
PeddleCheap
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:platinum:3145483, author = {SecureWorks}, title = {{PLATINUM TERMINAL}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/platinum-terminal}, language = {English}, urldate = {2020-05-23} } PLATINUM TERMINAL
TalentRAT Equation Group
2019-11-08 | Wikipedia | Various
@online{various:20191108:wikipedia:e281c5b, author = {Various}, title = {{Wikipedia Entry on Equation Group}}, date = {2019-11-08}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Equation_Group}, language = {English}, urldate = {2020-01-08} } Wikipedia Entry on Equation Group
Equation Group
2019-05-07 | Symantec | Security Response Attack Investigation Team
@online{team:20190507:buckeye:a4cf7d8, author = {Security Response Attack Investigation Team}, title = {{Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak}}, date = {2019-05-07}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit}, language = {English}, urldate = {2020-01-13} } Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak
DoublePulsar
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:equation:a2da8f9, author = {Cyber Operations Tracker}, title = {{Equation Group}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/equation-group}, language = {English}, urldate = {2019-12-20} } Equation Group
Equation Group
2019 | MITRE | MITRE ATT&CK
@online{attck:2019:equation:8b2ae74, author = {MITRE ATT&CK}, title = {{Group description: Equation}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0020/}, language = {English}, urldate = {2019-12-20} } Group description: Equation
Equation Group
2018-12-13 | Trend Micro | Mohamad Mokbel
@techreport{mokbel:20181213:tildeb:99fb939, author = {Mohamad Mokbel}, title = {{Tildeb: An Implant from the Shadow Brokers’ Leak}}, date = {2018-12-13}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/tech-brief-tildeb-analyzing-the-18-year-old-implant-from-the-shadow-brokers-leak.pdf}, language = {English}, urldate = {2021-09-19} } Tildeb: An Implant from the Shadow Brokers’ Leak
tildeb
2018-06-15 | Youtube (defconswitzerland) | Costin Raiu
@online{raiu:20180615:area41:6009950, author = {Costin Raiu}, title = {{Area41 Keynote}}, date = {2018-06-15}, organization = {Youtube (defconswitzerland)}, url = {https://www.youtube.com/watch?v=jeLd-gw2bWo}, language = {English}, urldate = {2020-01-09} } Area41 Keynote
Lambert Regin
2018-02-06 | Forcepoint | John Bergbom
@online{bergbom:20180206:danderspritzpeddlecheap:b09bc8f, author = {John Bergbom}, title = {{DanderSpritz/PeddleCheap traffic analysis (Part 1 of 2)}}, date = {2018-02-06}, organization = {Forcepoint}, url = {https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#}, language = {English}, urldate = {2020-05-07} } DanderSpritz/PeddleCheap traffic analysis (Part 1 of 2)
PeddleCheap
2017-11-13 | Obscurity Labs | Obscurity Labs
@online{labs:20171113:match:b967fde, author = {Obscurity Labs}, title = {{Match Made In The Shadows: Part [3]}}, date = {2017-11-13}, organization = {Obscurity Labs}, url = {https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/}, language = {English}, urldate = {2020-05-07} } Match Made In The Shadows: Part [3]
PeddleCheap
2017-04-10 | Symantec | Symantec Security Response
@online{response:20170410:longhorn:e48f344, author = {Symantec Security Response}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7}, language = {English}, urldate = {2020-01-09} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-04-10 | Symantec | A L Johnson
@online{johnson:20170410:longhorn:811e6dc, author = {A L Johnson}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-03-30 | Artem Baranov
@online{baranov:20170330:equationdrug:7255a48, author = {Artem Baranov}, title = {{EquationDrug rootkit analysis (mstcp32.sys)}}, date = {2017-03-30}, url = {http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html}, language = {English}, urldate = {2020-01-07} } EquationDrug rootkit analysis (mstcp32.sys)
EquationDrug
2017-03-07 | Wikileaks | Wikileaks
@online{wikileaks:20170307:vault:839b275, author = {Wikileaks}, title = {{Vault 7: CIA Hacking Tools Revealed}}, date = {2017-03-07}, organization = {Wikileaks}, url = {https://wikileaks.org/ciav7p1/cms/page_34308128.html}, language = {English}, urldate = {2020-01-08} } Vault 7: CIA Hacking Tools Revealed
Unidentified 020 (Vault7)
2016-11-04 | Antiy CERT | Antiy CERT
@techreport{cert:20161104:from:a139d13, author = {Antiy CERT}, title = {{FROM EQUATION TO EQUATIONS}}, date = {2016-11-04}, institution = {Antiy CERT}, url = {https://www.antiy.com/response/FROM_EQUATION_TO_EQUATIONS.pdf}, language = {English}, urldate = {2020-08-18} } FROM EQUATION TO EQUATIONS
DoubleFantasy
2016-10-05 | ThaiCERT
@online{thaicert:20161005:shadow:5256332, author = {ThaiCERT}, title = {{The Shadow Brokers auctions cyber weapons from Equation Group}}, date = {2016-10-05}, url = {https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0}, language = {English}, urldate = {2019-12-20} } The Shadow Brokers auctions cyber weapons from Equation Group
Equation Group
2015-03-11 | Kaspersky Labs | GReAT
@online{great:20150311:inside:28cec3e, author = {GReAT}, title = {{Inside the EquationDrug Espionage Platform}}, date = {2015-03-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/inside-the-equationdrug-espionage-platform/69203/}, language = {English}, urldate = {2019-12-20} } Inside the EquationDrug Espionage Platform
EquationDrug
2015-02-16 | Kaspersky Labs | GReAT
@online{great:20150216:equation:ad81ead, author = {GReAT}, title = {{Equation: The Death Star of Malware Galaxy}}, date = {2015-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/}, language = {English}, urldate = {2019-12-20} } Equation: The Death Star of Malware Galaxy
EquationDrug
2015-02-16 | Kaspersky Labs | GReAT
@online{great:20150216:equation:7b95c72, author = {GReAT}, title = {{Equation: The Death Star of Malware Galaxy}}, date = {2015-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1}, language = {English}, urldate = {2019-12-20} } Equation: The Death Star of Malware Galaxy
Fanny
2015-02-16 | Ars Technica | Dan Goodin
@online{goodin:20150216:how:4e36cde, author = {Dan Goodin}, title = {{How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last}}, date = {2015-02-16}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/}, language = {English}, urldate = {2019-12-06} } How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
Equation Group
2015-02 | Kaspersky Labs | Kaspersky
@techreport{kaspersky:201502:equation:3c079fb, author = {Kaspersky}, title = {{Equation Group: Questions and Answers}}, date = {2015-02}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf}, language = {English}, urldate = {2020-01-08} } Equation Group: Questions and Answers
Equation Group
2014-07-07 | Qianxin | Red Raindrop Team
@online{team:20140707:analysis:e586631, author = {Red Raindrop Team}, title = {{Analysis and disclosure of the CIA's cyber arsenal}}, date = {2014-07-07}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/network-weapons-of-cia/}, language = {Chinese}, urldate = {2019-12-19} } Analysis and disclosure of the CIA's cyber arsenal
Lambert
2014-04-17 | Nettitude Labs | Nettitude Labs
@online{labs:20140417:quick:6a0fa31, author = {Nettitude Labs}, title = {{A quick analysis of the latest Shadow Brokers dump}}, date = {2014-04-17}, organization = {Nettitude Labs}, url = {https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/}, language = {English}, urldate = {2019-12-19} } A quick analysis of the latest Shadow Brokers dump
DarkPulsar
2010-09 | Wikipedia | Wikipedia
@online{wikipedia:201009:stuxnet:9b317f2, author = {Wikipedia}, title = {{Stuxnet}}, date = {2010-09}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Stuxnet}, language = {English}, urldate = {2019-10-23} } Stuxnet
Equation Group

Credits: MISP Project