FOXACID
FOXACID is an NSA browser-exploitation and malware-delivery framework and server infrastructure operated by the Tailored Access Operations (TAO) unit. Public reporting describes it as a network of secret Internet-facing servers used to compromise selected targets: identified users, such as Tor users, are redirected to FOXACID servers, which serve them tailored exploits. FOXACID fingerprints the visiting browser and can automatically choose which exploit to deploy based on the target's identity, assessed intelligence value, technical sophistication, and operational risk; it is described as capable of deploying zero-day exploits.

The same reporting states that the NSA used QUANTUM packet-injection (man-on-the-side) techniques, including QUANTUMINSERT, to redirect targets to FOXACID, and that Tor users were reportedly targeted by exploiting Firefox vulnerabilities in the Tor Browser Bundle rather than Tor itself, including the EGOTISTICALGIRAFFE exploit against an E4X type confusion flaw affecting Firefox 11.0 through 16.0.2 and Firefox 10.0 ESR.

FOXACID is also described as handling callbacks from compromised systems, installing follow-on payloads or implants, and supporting long-term compromise. Associated codenames and components mentioned in the sources include Ferret Cannon, FrugalShot, DireScallop, Validator, United Rake, Peddle Cheap, Packet Wrench, and Beach Head. One source additionally cites unverified Chinese reporting alleging FOXACID use in a 2022 intrusion against Northwestern Polytechnical University as part of broader NSA-attributed operations. The FOXACID servers themselves are described as Windows Server 2003 systems running custom software and Perl scripts.
Groups observed using it
3 distinct threat actors attributed by public researchers.
After identifying an individual Tor user on the Internet, the NSA uses its network of secret Internet servers to redirect those users to another set of secret Internet servers, with the codename FoxAcid, to infect the user’s computer.
the NSA has secret servers on the Internet that hack into other computers, codename FOXACID.
FOXACID: Browser exploitation framework that fingerprints the browser and deploys a 0-day.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
After identifying an individual Tor user on the Internet, the NSA uses its network of secret Internet servers to redirect those users to another set of secret Internet servers, with the codename FoxAcid, to infect the user’s computer.
one successful technique the NSA has developed involves exploiting the Tor browser bundle... The trick identifies Tor users on the Internet and then executes an attack against their Firefox web browser.
The NSA also uses phishing attacks to induce users to click on FoxAcid tags.
Execution
2 techniques
It is a Windows 2003 computer configured with custom software and a series of Perl scripts.
Based on that information, the server can automatically decide what exploit to serve the target... The documentation mentions United Rake, Peddle Cheap, Packet Wrench, and Beach Head—all delivered from a FOXACID subsystem called Ferret Cannon.
Credential Access
1 technique
By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond... In the academic literature, these are called 'man-in-the-middle' attacks... More specifically, they are examples of 'man-on-the-side' attacks.
Discovery
2 techniques
Two basic payloads mentioned in the manual are designed to collect configuration and location information from the target computer so an analyst can determine how to further infect the computer.
Two basic payloads mentioned in the manual are designed to collect configuration and location information from the target computer
Collection
1 technique
By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond... In the academic literature, these are called 'man-in-the-middle' attacks... More specifically, they are examples of 'man-on-the-side' attacks.
Command and Control
2 techniques
After a callback, the FoxAcid server may run more exploits to ensure that the target computer remains compromised long term, as well as install 'implants' designed to exfiltrate data.
Exfiltration
1 technique
install 'implants' designed to exfiltrate data... continues to provide eavesdropping information back to the NSA.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Browser exploitation platform used to fingerprint browsers and deliver zero-day exploits to workstations, servers, and mobile devices, often via redirected traffic.
NSA exploit orchestrator system used to deliver tailored exploits, infect target systems, receive callbacks, maintain long-term compromise, and deploy implants for data exfiltration.
A server-side exploitation platform used by the NSA to identify targets and automatically deliver tailored exploits or payloads based on the target and operational risk/benefit considerations.
An NSA exploit server/framework used to deliver tailored exploits against targets, selecting payloads based on target value, sophistication, and operational risk.