Skip to main content
Mallory
Back to threat actors
1 malware familyExploits CVEs in the wild

The Shadow Brokers

Also known asThe Shadow Brokers

The Shadow Brokers is a hacking group known for publishing troves of offensive cyber tools in 2016 and 2017 that it claimed were stolen from the NSA-linked Equation Group. The group is repeatedly associated in the provided content with leaks of sophisticated Windows SMB exploitation tools, including EternalBlue, EternalChampion, EternalRomance, and EternalSynergy, and with the April 14, 2017 "Lost in Translation" leak. The leaked material also included the NSA-developed FuzzBunch framework and other exploitation tools targeting Microsoft SMB vulnerabilities addressed by MS17-010. Content provided states that EternalBlue was later used in major ransomware outbreaks including WannaCry, NotPetya, and Bad Rabbit, and that EternalRomance was also used in NotPetya and Bad Rabbit. The group publicly said it had infiltrated the Equation Group, and later indicated plans to release additional vulnerabilities, including via a subscription model. The content does not provide high-confidence attribution of The Shadow Brokers to any specific state, but it consistently describes the leaked tools as allegedly stolen from the Equation Group, which is described as having suspected ties to the U.S. National Security Agency.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Software & Services
MITRE ATT&CK

Tradecraft

7 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

7 of 15 tactics12 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1190×2
Exploit Public-Facing Application
TA0002
Execution
1 technique
T1203
Exploitation for Client Execution
TA0003
Persistence
1 technique
T1543
Create or Modify System Process
T1543.003
Windows Service
TA0004
Privilege Escalation
2 techniques
T1068
Exploitation for Privilege Escalation
T1543
Create or Modify System Process
T1543.003
Windows Service
TA0005
Stealth
1 technique
T1027
Obfuscated Files or Information
T1027.002
Software Packing
TA0008
Lateral Movement
1 technique
T1210×6
Exploitation of Remote Services
TA0011
Command and Control
1 technique
T1071
Application Layer Protocol
T1071.001
Web Protocols
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
EternalBlueThe EternalBlue exploitation tool was leaked by “The Shadow Brokers” group on April 14, 2017, in their fifth leak, “Lost in Translation.”1May 26, 2026
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2017-0144EternalBlue SMBv1 Remote Code Execution in Microsoft WindowsIn the wildEvidence3

Microsoft released patches for the vulnerabilities in the leak, under the MS17-010 (Microsoft Security Bulletin). CVE-2017-0144 is the CVE ID in MS17-010 that is related to EternalBlue.

ACTIVITY FEED

Recent activity

12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

12 SOURCESView more in app
the hacker newsNews
Apr 25, 2026
Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software

Leaked large collections of allegedly stolen Equation Group tools and exploits, including the 'Lost in Translation' dump that contained a driver list relevant to the fast16 investigation.

Read more
bleeping computerNews
Feb 5, 2018
NSA Exploits Ported to Work on All Windows Versions Released Since Windows 2000

Known for leaking stolen NSA exploit code, including EternalChampion, EternalRomance, EternalSynergy, and the broader April 2017 dump that also contained EternalBlue.

Read more
theguardianNews
Oct 25, 2017
Bad Rabbit: Game of Thrones-referencing ransomware hits Europe | Malware | The Guardian

Referenced as the hacking group that stole the EternalBlue exploit from the NSA; not described as conducting the Bad Rabbit attack itself in this content.

Read more
checkpoint research blogNews
Sep 29, 2017
EternalBlue - Everything There Is To Know - Check Point Research

Leaked NSA-linked exploitation tools including EternalBlue and the FuzzBunch framework in the “Lost in Translation” release.

Read more
+8 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping7

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.