Skip to main content
Mallory
Back to threat actors
4 malware familiesExploits CVEs in the wild

Equation

Also known asEquation

Equation Group is a highly sophisticated cyber espionage threat actor and likely multi-institution umbrella referenced in reporting alongside Stuxnet, Duqu, Flame, and Fanny. The content links Equation to early exploit sharing and development overlap with other advanced actors: Stuxnet was described as connected to Equation through exploits originally used by the Fanny worm, and researchers noted shared coding practices between Stuxnet and Equation developers, including an RC5/6-related constant identified by Kaspersky as specific to Equation Group. The actor has used tools to search attached hard drives for specific information that could be used to identify and overwrite firmware, indicating deep host and storage-device manipulation capability. Kaspersky also reported on EQUATIONVECTOR, an Equation Group backdoor first used as early as 2006, described as a passive-active shellcode staging implant and an early example of a 'NOBUS' backdoor; Shadow Brokers material identified it as 'PeddleCheap.' The content further notes that one victim appeared to be infected by both Equation Group and Duqu at the same time, suggesting the two were distinct entities. Known aliases directly present in the content include Equation and Equation Group.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

7 of 15 tactics13 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1190
Exploit Public-Facing Application
TA0002
Execution
1 technique
T1203
Exploitation for Client Execution
TA0003
Persistence
1 technique
T1542
Pre-OS Boot
T1542.002
Component Firmware
TA0004
Privilege Escalation
1 technique
T1068×2
Exploitation for Privilege Escalation
TA0005
Stealth
3 techniques
T1480
Execution Guardrails
T1480.001
Environmental Keying
T1542
Pre-OS Boot
T1542.002
Component Firmware
T1564
Hide Artifacts
T1564.005
Hidden File System
TA0007
Discovery
1 technique
T1120×3
Peripheral Device Discovery
TA0040
Impact
1 technique
T1495
Firmware Corruption
ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
FannyAt the same time, Stuxnet was connected to Duqu and, as we found more recently, the Equation group, through their exploits originally used by the Fanny worm.2May 26, 2026
EquationSince the discovery of Flame, we reported on many other advanced malware platforms, including Regin and Equation, yet Flame remains special in terms of being one of the most complex, surprising and innovative malware campaigns we have ever seen.1May 26, 2026
FlameThree years ago, on May 28th 2012, we announced the discovery of a malware known as Flame. At the same time we published our FAQ, CrySyS Lab posted their thorough analysis of sKyWIper. A few days earlier, Maher CERT published IOCs for Flamer. In short, Flame, sKyWIper and Flamer are different names for the same threat.1May 26, 2026
StuxnetThe tranquil days of reverse engineering banking trojans were pierced by Stuxnet, Duqu, Flame, Gauss, and MiniFlame.1May 26, 2026
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2010-2568Windows Shell .LNK/.PIF Shortcut Icon Loading Remote Code ExecutionIn the wildEvidence1

Fanny utilized two Stuxnet zero-days 1–2 years before Stuxnet entered the scene: the infamous LNK exploit (CVE-2010–2568) and a privilege escalation embedded in the aforementioned Resource 207.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
reverse put asNews
Dec 17, 2021
Knock Knock! Who's There? - An NSA VM | Reverse Engineering

Discussed in connection with the leaked NSA/ShadowBrokers toolset, specifically the dewdrop port-knocking backdoor and related code traits such as RC5/6 implementation constants and code reuse patterns.

Read more
securelistNews
May 13, 2021
Lessons learned from Flame, three years later | Securelist

Referenced as a connected advanced threat group linked via exploits originally used by the Fanny worm in the broader ecosystem surrounding Flame, Stuxnet, and Duqu.

Read more
web archiveNews
Apr 12, 2019
Who is GOSSIPGIRL?. Revisiting the O.G. Threat Actor… | by Chronicle | Chronicle Blog | Medium

Presented as one of the actors connected to Stuxnet through shared exploits and coding practices, and associated with the earlier Fanny worm.

Read more
mitre attack websiteNews
Mar 7, 2018
Peripheral Device Discovery, Technique T1120 - Enterprise | MITRE ATT&CK®

Uses tools to inspect attached hard drives for information that can support firmware identification and overwriting.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.