Leaked Files
If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked. The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, maximum size of the logfile and invocation/persistence method. Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geo-location data to create a tracking profile of the target device.
The public HTTPS interface utilizes unsuspicious-looking cover domains to hide its presence. “AfterMidnight” allows operators to dynamically load and execute malware payloads on a target machine. The main controller disguises itself as a self-persisting Windows Service DLL and provides secure execution of “Gremlins” via an HTTPS-based Listening Post (LP) system called “Octopus”. Once installed on a target machine, AM will call back to a configured LP on a configurable schedule, checking to see if there is a new plan for it to execute. If there is, it downloads and stores all needed components before loading all new gremlins in memory. “Gremlins” are small AM payloads that are meant to run hidden on the target and either subvert the functionality of targeted software, survey the target (including data exfiltration) or provide internal services for other gremlins.
Additionally, Grasshopper provides a very flexible language to define rules that are used to “perform a pre-installation survey of the target device, assuring that the payload will only be installed if the target has the right configuration”. Through this grammar CIA operators are able to build from very simple to very complex logic used to determine, for example, if the target device is running a specific version of Microsoft Windows, or if a particular Antivirus product is running or not. Missions may include tasking on Targets to monitor, actions/exploits to perform on a Target, and instructions on when and how to send the next beacon.
Source code published in this series contains software designed to run on servers controlled by the CIA. Like WikiLeaks’ earlier Vault7 series, the material published by WikiLeaks does not contain 0-days or similar security vulnerabilities which could be repurposed by others. The documents from this publication might further enable anti-malware researchers and forensic experts to analyse this kind of communication between malware implants and back-end servers used in previous illegal activities. Security researchers and forensic experts will find more detailed information on how watermarks are applied to documents in the source code, which is included in this publication as a zipped archive. Today, May 5th 2017, WikiLeaks publishes “Archimedes”, a tool used by the CIA to attack a computer inside a Local Area Network (LAN), usually used in offices.
Vault 7: Grasshopper Framework
- “Assassin” is a similar kind of malware; it is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system.
- Such Wi-Fi devices are commonly used as part of the Internet infrastructure in private homes, public spaces (bars, hotels or airports), small and medium sized companies as well as enterprise offices.
- Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.
Today, April 14th 2017, WikiLeaks publishes six documents from the CIA’s HIVE project created by its “Embedded Development Branch” (EDB). The classification marks of the User Guide document hint that it was originally written by the British MI5/BTSS and later shared with the CIA. Both agencies collaborated on the further development of the malware and coordinated their work in Joint Development Workshops. Achilles is a capability that provides an operator the ability to trojan an OS X disk image (.dmg) installer with one or more desired operator-specified executables for a one-time execution.
OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain. Today, July 19th 2017, WikiLeaks publishes documents from the CIA contractor Raytheon Blackbird Technologies for the “UMBRAGE Component Library” (UCL) project. The documents were submitted to the CIA between November 21st, 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11th, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field.
Source code and analysis for CIA software projects including those described in the Vault7 series. Also included in this release is the manual for the CIA’s “NightSkies 1.2”, a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory-fresh iPhones. I.e., the CIA has been infecting the iPhone supply chain of its targets since at least 2008. Marble forms part of the CIA’s anti-forensics approach and the CIA’s Core Library of malware code.
On November 15th, 2016 Nehemiah Security announced the acquisition of Siege Technologies. The primary execution vector used by infected thumbdrives is a vulnerability in the Microsoft Windows operating system that can be exploited by hand-crafted link files that load and execute programs (DLLs) without user interaction. Older versions of the tool suite used a mechanism called EZCheese that was a 0-day exploit until March 2015; newer versions seem to use a similar, but yet unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system.
When was each part of “Vault 7” obtained?
In our experience it is always possible to find a custom solution for even the most seemingly difficult situations. Tor is an encrypted anonymising network that makes it harder to intercept internet communications, or see where communications are coming from or going to. This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components. Marble does this by hiding (“obfuscating”) text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA. One of the persistence mechanisms used by the CIA here is ‘Stolen Goods’ – whose “components were taken from malware known as Carberp, a suspected Russian organized crime rootkit.” confirming the recycling of malware found on the Internet by the CIA.
Rather than lay independent components on disk, the system allows an operator to create transitory files for specific actions including installation, adding files to AngelFire, removing files from AngelFire, etc. If you are a high-risk source, avoid saying anything or doing anything after submitting which might promote suspicion. If the computer you are uploading from could subsequently be audited in an investigation, consider using a computer that is not easily tied to you. Technical users can also use Tails to help ensure you do not leave any records of your submission on the computer.
Vault 7: Projects
Today, June 30th 2017, WikiLeaks publishes documents from the OutlawCountry project of the CIA that targets computers running the Linux operating system. OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for ex- and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from a user or even system administrator. The following is the address of our secure site where you can anonymously upload your documents to WikiLeaks editors. (See our Tor tab for more information.) We also advise you to read our tips for sources before submitting. The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection.
- If it is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp.
- Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu).
- The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations.
The OTS (Office of Technical Services), a branch within the CIA, has a biometric collection system that is provided to liaison services around the world — with the expectation for sharing of the biometric takes collected on the systems. But this ‘voluntary sharing’ obviously does not work or is considered insufficient by the CIA, because ExpressLane is a covert information collection tool that is used by the CIA to secretly exfiltrate data collections from such systems provided to liaison services. All major French political parties were targeted for infiltration by the CIA’s human (“HUMINT”) and electronic (“SIGINT”) spies in the seven months leading up to France’s 2012 presidential election. The revelations are contained within three CIA tasking orders published today by WikiLeaks as context for its forthcoming CIA Vault 7 series. The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. The document illustrates a type of attack within a “protected environment” as the tool is deployed into an existing local network abusing existing machines to bring targeted computers under control and allowing further exploitation and abuse.
In particular, hard drives retain data after formatting which may be visible to a digital forensics team and flash media (USB sticks, memory cards and SSD drives) retain data even after a secure erasure. Today, June 1st 2017, WikiLeaks publishes documents from the “Pandemic” project of the CIA, a persistent implant for Microsoft Windows machines that share files (programs) with remote users in a local network. “Pandemic” targets remote users by replacing application code on-the-fly with a trojaned version if the program is retrieved from the infected machine.
Vault 7: Weeping Angel
ELSA is a geo-location malware for WiFi-enabled devices like laptops running the Microsoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS identifier, MAC address and signal strength at regular intervals. To perform the data collection the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled WiFi device.
Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStarke” are also included in this release. While the DerStarke1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0. Today, August 10th 2017, WikiLeaks publishes the User Guide for the CouchPotato project of the CIA. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity.
Today, July 13th 2017, WikiLeaks publishes documents from the Highrise project of the CIA. HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as an SMS proxy that provides greater separation between devices in the field (“targets”) and the listening post (LP) by proxying “incoming” and “outgoing” SMS messages to an internet LP. Highrise provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication. Each operation anonymously registers at least one cover domain (e.g. “perfectly-boring-looking-domain.com”) for its own use.
“DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants. Today, June 15th 2017, WikiLeaks publishes documents from the CherryBlossom project of the CIA that was developed and implemented with the help of the US nonprofit Stanford Research Institute (SRI International). Dumbo is run by the field agent directly from a USB stick; it requires administrator privileges to perform its task.