SYMBOLCOMMON_NAMEaka. SYNONYMS

Equation Group  (Back to overview)

aka: Tilded Team, EQGRP, G0020

The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame


Associated Families
elf.bvp47 elf.doublefantasy win.darkpulsar win.doublefantasy win.doublepulsar win.equationdrug win.fancyfilter win.fanny win.grok win.mistyveal win.oddjob win.peddlecheap win.tildeb

References
2022-05-11ExaTrackTristan Pourcelot
@techreport{pourcelot:20220511:tricephalic:d8d6265, author = {Tristan Pourcelot}, title = {{Tricephalic Hellkeeper: a tale of a passive backdoor}}, date = {2022-05-11}, institution = {ExaTrack}, url = {https://exatrack.com/public/Tricephalic_Hellkeeper.pdf}, language = {English}, urldate = {2022-05-25} } Tricephalic Hellkeeper: a tale of a passive backdoor
BPFDoor Bvp47 Uroburos
2022-04-11Pangu LabPangu Lab
@techreport{lab:20220411:bvp47:1265bad, author = {Pangu Lab}, title = {{Bvp47 Technical Details Report II}}, date = {2022-04-11}, institution = {Pangu Lab}, url = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group_ii.en.pdf}, language = {English}, urldate = {2022-09-19} } Bvp47 Technical Details Report II
Bvp47
2022-02-23The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220223:chinese:06abbe8, author = {Ravie Lakshmanan}, title = {{Chinese Experts Uncover Details of Equation Group's Bvp47 Covert Hacking Tool}}, date = {2022-02-23}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html}, language = {English}, urldate = {2022-03-01} } Chinese Experts Uncover Details of Equation Group's Bvp47 Covert Hacking Tool
Bvp47
2022-02-23Bleeping ComputerIonut Ilascu
@online{ilascu:20220223:nsalinked:556c453, author = {Ionut Ilascu}, title = {{NSA-linked Bvp47 Linux backdoor widely undetected for 10 years}}, date = {2022-02-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years/}, language = {English}, urldate = {2022-03-01} } NSA-linked Bvp47 Linux backdoor widely undetected for 10 years
Bvp47
2022-02-23Pangu LabPangu Lab
@online{lab:20220223:bvp47:c8f2a2f, author = {Pangu Lab}, title = {{The Bvp47 - a Top-tier Backdoor of US NSA Equation Group}}, date = {2022-02-23}, organization = {Pangu Lab}, url = {https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/}, language = {English}, urldate = {2022-03-01} } The Bvp47 - a Top-tier Backdoor of US NSA Equation Group
Bvp47
2022-02-22Pangu LabPangu Lab
@techreport{lab:20220222:bvp47:0b9392d, author = {Pangu Lab}, title = {{Bvp47 - Top-tier Backdoor of US NSA Equation Group}}, date = {2022-02-22}, institution = {Pangu Lab}, url = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf}, language = {English}, urldate = {2022-03-01} } Bvp47 - Top-tier Backdoor of US NSA Equation Group
Bvp47
2021-12-27Checkpoint Research
@online{research:20211227:deep:c94d67d, author = {Checkpoint Research}, title = {{A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard}}, date = {2021-12-27}, url = {https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/}, language = {English}, urldate = {2022-01-05} } A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard
Equationgroup (Sorting) Fanny MISTYVEAL PeddleCheap
2021-12-01ESET ResearchAlexis Dorais-Joncas, Facundo Muñoz
@techreport{doraisjoncas:20211201:jumping:00bc8f5, author = {Alexis Dorais-Joncas and Facundo Muñoz}, title = {{Jumping the air gap: 15 years of nation‑state effort}}, date = {2021-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf}, language = {English}, urldate = {2021-12-17} } Jumping the air gap: 15 years of nation‑state effort
Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry
2021-06-10ESET ResearchAdam Burgher
@online{burgher:20210610:backdoordiplomacy:4ebcb1d, author = {Adam Burgher}, title = {{BackdoorDiplomacy: Upgrading from Quarian to Turian}}, date = {2021-06-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/}, language = {English}, urldate = {2022-06-08} } BackdoorDiplomacy: Upgrading from Quarian to Turian
CHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy
2021-02-05EpicTurlaJuan Andrés Guerrero-Saade
@online{guerrerosaade:20210205:voltron:953cec2, author = {Juan Andrés Guerrero-Saade}, title = {{Voltron STA The curious case of 0xFancyFilter}}, date = {2021-02-05}, organization = {EpicTurla}, url = {https://www.epicturla.com/previous-works/hitb2020-voltron-sta}, language = {English}, urldate = {2021-02-06} } Voltron STA The curious case of 0xFancyFilter
fancyfilter MISTYVEAL Regin
2020-09-28fmmresearch wordpressFacundo Muñoz
@techreport{muoz:20200928:emerald:1e7fceb, author = {Facundo Muñoz}, title = {{The Emerald Connection: Equation Group collaboration with Stuxnet}}, date = {2020-09-28}, institution = {fmmresearch wordpress}, url = {https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf}, language = {English}, urldate = {2020-10-04} } The Emerald Connection: Equation Group collaboration with Stuxnet
Fanny Stuxnet
2020-09-28fmmresearch wordpressFacundo Muñoz
@online{muoz:20200928:emerald:07900c2, author = {Facundo Muñoz}, title = {{The Emerald Connection: EquationGroup collaboration with Stuxnet}}, date = {2020-09-28}, organization = {fmmresearch wordpress}, url = {https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/}, language = {English}, urldate = {2020-10-04} } The Emerald Connection: EquationGroup collaboration with Stuxnet
Fanny Stuxnet
2020-09-10Kaspersky LabsGReAT
@online{great:20200910:overview:f751b73, author = {GReAT}, title = {{An overview of targeted attacks and APTs on Linux}}, date = {2020-09-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/}, language = {English}, urldate = {2020-10-05} } An overview of targeted attacks and APTs on Linux
Cloud Snooper Dacls DoubleFantasy MESSAGETAP Penquin Turla Tsunami elf.wellmess X-Agent
2020-08-27fmnagisa wordpressFacundo M
@online{m:20200827:revisiting:bac6d3b, author = {Facundo M}, title = {{Revisiting EquationGroup’s FANNY… or is it DEMENTIAWHEEL?}}, date = {2020-08-27}, organization = {fmnagisa wordpress}, url = {https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/}, language = {English}, urldate = {2020-10-04} } Revisiting EquationGroup’s FANNY… or is it DEMENTIAWHEEL?
DoubleFantasy Fanny
2020-08-15Twitter (@Int2e_)Adrien B
@online{b:20200815:doublefantasy:6c843b6, author = {Adrien B}, title = {{Tweet on DoubleFantasy}}, date = {2020-08-15}, organization = {Twitter (@Int2e_)}, url = {https://twitter.com/Int2e_/status/1294565186939092994}, language = {English}, urldate = {2020-08-18} } Tweet on DoubleFantasy
DoubleFantasy
2020-05-07Twitter (@ESETresearch)ESET Research
@online{research:20200507:peddlecheap:8a701e3, author = {ESET Research}, title = {{Tweet on PeddleCheap packed with Winnti packer}}, date = {2020-05-07}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1258353960781598721}, language = {English}, urldate = {2020-05-07} } Tweet on PeddleCheap packed with Winnti packer
PeddleCheap
2020SecureworksSecureWorks
@online{secureworks:2020:platinum:3145483, author = {SecureWorks}, title = {{PLATINUM TERMINAL}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/platinum-terminal}, language = {English}, urldate = {2020-05-23} } PLATINUM TERMINAL
TalentRAT Equation Group Longhorn
2019-11-08WikipediaVarious
@online{various:20191108:wikipedia:e281c5b, author = {Various}, title = {{Wikipedia Entry on Equation Group}}, date = {2019-11-08}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Equation_Group}, language = {English}, urldate = {2020-01-08} } Wikipedia Entry on Equation Group
Equation Group
2019-05-07SymantecSecurity Response Attack Investigation Team
@online{team:20190507:buckeye:a4cf7d8, author = {Security Response Attack Investigation Team}, title = {{Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak}}, date = {2019-05-07}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit}, language = {English}, urldate = {2020-01-13} } Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak
DoublePulsar
2019MITREMITRE ATT&CK
@online{attck:2019:equation:8b2ae74, author = {MITRE ATT&CK}, title = {{Group description: Equation}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0020/}, language = {English}, urldate = {2019-12-20} } Group description: Equation
Equation Group
2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:equation:a2da8f9, author = {Cyber Operations Tracker}, title = {{Equation Group}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/equation-group}, language = {English}, urldate = {2019-12-20} } Equation Group
Equation Group
2018-12-13Trend MicroMohamad Mokbel
@techreport{mokbel:20181213:tildeb:99fb939, author = {Mohamad Mokbel}, title = {{Tildeb: An Implant from the Shadow Brokers’ Leak}}, date = {2018-12-13}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/tech-brief-tildeb-analyzing-the-18-year-old-implant-from-the-shadow-brokers-leak.pdf}, language = {English}, urldate = {2021-09-19} } Tildeb: An Implant from the Shadow Brokers’ Leak
tildeb
2018-02-06ForcepointJohn Bergbom
@online{bergbom:20180206:danderspritzpeddlecheap:b09bc8f, author = {John Bergbom}, title = {{DanderSpritz/PeddleCheap traffic analysis (Part 1 of 2)}}, date = {2018-02-06}, organization = {Forcepoint}, url = {https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#}, language = {English}, urldate = {2020-05-07} } DanderSpritz/PeddleCheap traffic analysis (Part 1 of 2)
PeddleCheap
2017-11-13Obscurity LabsObscurity Labs
@online{labs:20171113:match:b967fde, author = {Obscurity Labs}, title = {{Match Made In The Shadows: Part [3]}}, date = {2017-11-13}, organization = {Obscurity Labs}, url = {https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/}, language = {English}, urldate = {2020-05-07} } Match Made In The Shadows: Part [3]
PeddleCheap
2017-03-30Artem Baranov
@online{baranov:20170330:equationdrug:7255a48, author = {Artem Baranov}, title = {{EquationDrug rootkit analysis (mstcp32.sys)}}, date = {2017-03-30}, url = {http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html}, language = {English}, urldate = {2020-01-07} } EquationDrug rootkit analysis (mstcp32.sys)
EquationDrug
2016-11-04Antiy CERTAntiy CERT
@techreport{cert:20161104:from:a139d13, author = {Antiy CERT}, title = {{FROM EQUATION TO EQUATIONS}}, date = {2016-11-04}, institution = {Antiy CERT}, url = {https://www.antiy.com/response/FROM_EQUATION_TO_EQUATIONS.pdf}, language = {English}, urldate = {2020-08-18} } FROM EQUATION TO EQUATIONS
DoubleFantasy
2016-10-05ThaiCERT
@online{thaicert:20161005:shadow:5256332, author = {ThaiCERT}, title = {{The Shadow Brokers auctions cyber weapons from Equation Group}}, date = {2016-10-05}, url = {https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0}, language = {English}, urldate = {2019-12-20} } The Shadow Brokers auctions cyber weapons from Equation Group
Equation Group
2015-03-11Kaspersky LabsGReAT
@online{great:20150311:inside:28cec3e, author = {GReAT}, title = {{Inside the EquationDrug Espionage Platform}}, date = {2015-03-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/inside-the-equationdrug-espionage-platform/69203/}, language = {English}, urldate = {2019-12-20} } Inside the EquationDrug Espionage Platform
EquationDrug
2015-02-16Kaspersky LabsGReAT
@online{great:20150216:equation:ad81ead, author = {GReAT}, title = {{Equation: The Death Star of Malware Galaxy}}, date = {2015-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/}, language = {English}, urldate = {2022-05-23} } Equation: The Death Star of Malware Galaxy
DoubleFantasy EquationDrug Fanny GROK
2015-02-16Kaspersky LabsGReAT
@online{great:20150216:equation:7b95c72, author = {GReAT}, title = {{Equation: The Death Star of Malware Galaxy}}, date = {2015-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1}, language = {English}, urldate = {2019-12-20} } Equation: The Death Star of Malware Galaxy
Fanny
2015-02-16Ars TechnicaDan Goodin
@online{goodin:20150216:how:4e36cde, author = {Dan Goodin}, title = {{How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last}}, date = {2015-02-16}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/}, language = {English}, urldate = {2019-12-06} } How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
Equation Group
2015-02Kaspersky LabsKaspersky
@techreport{kaspersky:201502:equation:3c079fb, author = {Kaspersky}, title = {{Equation Group: Questions and Answers}}, date = {2015-02}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf}, language = {English}, urldate = {2020-01-08} } Equation Group: Questions and Answers
Equation Group
2014-04-17Nettitude LabsNettitude Labs
@online{labs:20140417:quick:6a0fa31, author = {Nettitude Labs}, title = {{A quick analysis of the latest Shadow Brokers dump}}, date = {2014-04-17}, organization = {Nettitude Labs}, url = {https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/}, language = {English}, urldate = {2019-12-19} } A quick analysis of the latest Shadow Brokers dump
DarkPulsar
2010-09WikipediaWikipedia
@online{wikipedia:201009:stuxnet:9b317f2, author = {Wikipedia}, title = {{Stuxnet}}, date = {2010-09}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Stuxnet}, language = {English}, urldate = {2019-10-23} } Stuxnet
Equation Group

Credits: MISP Project