Pterodactyl – A “custom hardware solution to support media copying”; it uses small single-board computers like Raspberry Pi to copy data from an asset computer
SparrowHawk – Keylogger intended for use across multiple architectures and Unix-based platforms
DerStarke – Boot-level rootkit implant for Apple computers
GyrFalcon – Tracks the client of an OpenSSH connection and collects password, username and connection data
SnowyOwl – Uses an OpenSSH session to inject code into a target asset
HarpyEagle – Hardware-specific tool to gain root access to Apple’s Airport Extreme and Time Capsule
BaldEagle – An exploit for Unix systems’ Hardware Abstraction Layer
MaddeningWhispers – Remote access to devices compromised with the Vanguard exploit
CRUCIBLE – An “automated exploit identification” tool
YarnBall – Covert USB storage for deployment of payloads and storage of exfiltrated data
GreenPacket – Router implant kit
QuarkMatter – Another boot-level rootkit implant for Apple computers
Weeping Angel – Smart TV implant kit (we wrote about it separately)
Hive – Basic implant suite for Windows and Unix setups aimed at “providing an initial foothold for the deployment of other full featured tools”
Honeycomb – Server for data coming from Swindle or Blot proxy servers
CutThroat – Virtual machine system apparently for hosting proxy servers to send asset data to
Bee Sting – iFrame injection technique for HTTP connections
Sontaran – An attempt to compromise the Siemens OpenStage VoIP phone
Secret Squirrel (SQRL) – ???

Remote Development Branch

There isn’t much data on RDB; the only tool listed is for getting at secure databases, so that’s a hint.

Umbrage – This team, among other things, seems to have collected hacker tools and techniques in use around the web, and also sorted through the Hacking Team leak for useful code and documentation — helpful for development or attribution of hacks
ShoulderSurfer – Tool used to extract data from Microsoft Exchange databases

Operational Support Branch

In addition to maintaining some useful all-purpose utilities, OSB creates custom solutions for individual operations or assets, with a focus on compromising Windows machines and apps.

Time Stomper – Used to modify timestamps on files so that they match what an operation or asset requires
Munge Payload – Tool for encrypting payloads and/or modifying them to avoid detection
Magical Mutt – Appears to be a malware-style DLL injector and process monitor
Flash Bang – Hijack that breaks out of the Internet Explorer sandboxed process and then escalates privileges on the target machine
RickyBobby – Basic Windows implant comprising DLLs and scripts that sends its info to the listening post server app Cal — yes, they’re Talladega Nights references
Fight Club – Set of infected VLC, WinRAR, TrueCrypt, Shamela and Microsoft Office Standalone installers that deployed RickyBobby instances, for placement on thumbdrives used in an operation
Melomy DriveIn – Hijack of a VLC DLL that launches a RickyBobby instance — unclear if it’s the one in Fight Club
Rain Maker – Compromised portable VLC player that covertly collects files from an air-gapped computer when launched from a user’s USB drive
Improvise – Set of interoperable tools used to collect and exfiltrate data from a Windows, Mac or Linux machine — with bar-themed names (Margarita, Dancefloor, Jukebox) corresponding to the OS
Basic Bit – Keylogger for Windows machines
Fine Dining – Not software exactly but apparently a menu that operatives can order from to get a custom tool for an operation — a fake PDF that launches on a Mac and scours the drive for all audio files, for instance
HammerDrill – CD/DVD monitoring tool that also allows files to be compromised as they’re being written to a disc
Taxman – ???
HyenasHurdle – ???

Automated Implant Branch

AIB seems to concern itself with self-running implants. Many of these are not documented or described, but have file lists that reveal a little about their purpose.

Frog Prince – Fully integrated implant system inclusive of command and control, listening post and implant software
Grasshopper – Highly configurable tool used to place various implants on Windows machines (Cricket is a relative)
Caterpillar – Tool for preparing files acquired from a system for secure transport
AntHill – Appears to be a file management component for installed implants
The Gibson – Appears to be a component of command and control servers and listening posts
Galleon – Set of nautically themed scripts and tools for securely copying files to a target computer
Assassin – ???
HercBeetle – ???
CandyMountain – ???
Hornet – ???
Cascade – ???
MagicVikings – ???

Network Devices Branch

This branch is all about routers and switches, from industrial-level gear to home devices, all of which require device- or class-specific exploits and kits. The leaks largely consist of highly technical test results and developer instructions that only hint at the software’s capabilities.

Cannoli – Implant for Linksys devices
WAG200G – Implant installer for Linksys routers that works alongside Cannoli
Slasher – Appears to be a port monitor
Cinnamon – Implant for Cisco routers
Earl Grey – Another implant possibly for Cisco routers
Aquaman – Implant for Linux-based systems, possibly routers (HGs or home gateways) in particular
Bumble – Implant for HP routers
Perseus – Appears to be an implant for routers using PowerPC architecture
Panda Poke – A “credless” exploit (i.e. requires no login credentials) for Huawei router devices
Panda Flight – Covert tunneling tool for Huawei devices
Panda Sneeze – Unclear purpose but part of the Panda suite along with PandaMitt, PandaScore and others
ChimayRed – Exploit used against MikroTik routers running RouterOS that allows payloads to be installed on the device
Felix – Appears to be a listening post for MikroTik routers
HG – Possibly HunGrrr, a general-purpose tool for accessing remote networking devices; used as a component or step in many tests and projects
BuzFuz – ???
Cytolysis – ???
Powerman – ???