DoublePulsar
DoublePulsar (also written DOUBLEPULSAR) is a kernel-mode SMB backdoor implant attributed in public reporting to Equation Group/NSA-linked tooling that was exposed in the 2017 Shadow Brokers leak. It is used to regain access to previously compromised Windows systems and execute additional code there. Although some sources call it a persistent backdoor, it is fileless and lives only in kernel memory: it writes nothing to disk, so a reboot removes it unless the host is re-implanted. The implant rides on the host's existing SMB service (TCP/445), waits for specially crafted SMB requests, and returns a distinctive response that can be used for detection. Several sources describe SMB-based presence checks and covert signalling through SMB header fields, in particular the Multiplex ID (MID): a ping sent with MID 0x41 is answered with MID 0x51 by an implanted host, whereas a clean host simply echoes the request MID. Reported supported functions are Ping, RunDLL, RunShellcode, OutputInstall, and Uninstall.
The implant is consistently described as being installed after exploitation of the Windows SMBv1 vulnerabilities addressed by MS17-010, most often via EternalBlue, with EternalRomance and EternalSynergy also named in some reporting. Technical analyses state that EternalBlue can run shellcode such as the DoublePulsar installer in kernel context by corrupting srvnet structures and redirecting execution. Once present, DoublePulsar injects DLLs or shellcode to deliver follow-on payloads. The page links it directly to WannaCry (WCry, WanaCry) propagation: the worm first checked each target for DoublePulsar and, if present, used it to install the ransomware; if absent, it attempted SMB exploitation with EternalBlue, implanted DoublePulsar, and then delivered the payload through it. Similar use is described for Satan ransomware, which used EternalBlue and DoublePulsar for lateral movement and in-memory DLL loading. Cisco Talos also reported that Nyetya (Petrwrap, GoldenEye) used SMB exploits to drop a modified DoublePulsar variant with altered protocol constants, defeating detection tooling that keyed on the original values.
Associated threat activity includes widespread criminal and state use after the leak. WannaCry used DoublePulsar during the May 2017 global ransomware outbreak that affected organizations including Telefonica, the UK NHS, and FedEx. NotPetya is also reported to have reused EternalBlue and DoublePulsar. Symantec reported that Buckeye (APT3, Gothic Panda, UPS Team, TG-0110), a China-linked espionage actor, used a variant of DoublePulsar as early as March 2016 against targets in Belgium, Luxembourg, Vietnam, the Philippines, and Hong Kong, including research, education, and telecommunications organizations. More recent reporting says Sandworm (APT44, Seashell Blizzard, Voodoo Bear) continued to rely on exploit chains including EternalBlue, DoublePulsar, and WannaCry in intrusions affecting industrial and OT environments.
High-confidence behavioral and detection details include operation over SMB on TCP/445, distinctive SMB responses to crafted probes, fileless kernel-memory residency, use as a code-execution and payload-delivery backdoor, and deployment through the leaked NSA SMB exploit chains. Internet-wide scans in 2017 produced infection estimates ranging from tens of thousands to over 100,000 exposed Windows hosts. Updated public tooling was later released that could remotely detect the implant on internet-facing hosts and, by modifying the probe, trigger its uninstall routine.
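The MID 0x41 / 0x51 signalling described above, as an added example that is not the page's own material nor any vendor's scanner: a Python script that builds the implant's ping (a Trans2 SESSION_SETUP request carrying MID 0x41) for an already-established SMB session, classifies a reply by its Multiplex ID, and runs the same check over captured frames for network-side detection. The Trans2 SESSION_SETUP sub-command (0x000E) and the MID pair are taken from public analyses of the implant; the Trans2 Timeout field, which those analyses describe as carrying the implant opcode, is left as a parameter because its exact value is not given on this page (assumption, default 0). The sample exchange is constructed inline. Negotiate, Session Setup and Tree Connect to IPC$ are the caller's job and are not performed here.

```python
import struct

# SMB1 constants from MS-CIFS; the MID pair is the DoublePulsar-specific part.
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_FLAGS_REPLY = 0x80
TRANS2_SESSION_SETUP = 0x000E        # Trans2 sub-command the implant hooks
DP_PING_MID = 0x41                   # MID of the probe
DP_INFECTED_MID = 0x51               # MID an implanted host answers with
STATUS_NOT_IMPLEMENTED = 0xC0000002  # what a clean host returns for this sub-command


def smb_header(command, mid, *, flags=0x18, flags2=0xC007, tid=0, pid=0xFEFF, uid=0, status=0):
    """32-byte SMB1 header (MS-CIFS 2.2.3.1): magic, command, status, flags, flags2,
    pid_high, signature, reserved, tid, pid, uid, mid; all little-endian."""
    return struct.pack("<4sBIBHH8sHHHHH", SMB_MAGIC, command, status, flags,
                       flags2, 0, b"\x00" * 8, 0, tid, pid, uid, mid)


def netbios(msg):
    """NetBIOS session-service framing: type byte 0x00 followed by a 24-bit length."""
    return struct.pack(">I", len(msg)) + msg


def build_doublepulsar_ping(tid, uid, timeout=0):
    """Trans2 SESSION_SETUP request with MID 0x41 (15 parameter words, MS-CIFS 2.2.4.46).
    `timeout` is an assumption: public write-ups place the implant opcode in this
    field, but the page gives no value, so the caller supplies it."""
    params = b"\x00" * 12                       # constructed filler parameter bytes
    words = struct.pack(
        "<HHHHBBHIHHHHHBBH",
        len(params), 0, 1, 0,                   # TotalParam, TotalData, MaxParam, MaxData
        0, 0,                                   # MaxSetupCount, Reserved1
        0, timeout, 0,                          # Flags, Timeout, Reserved2
        len(params), 66,                        # ParameterCount, ParameterOffset (32+1+30+2+1 pad)
        0, 78,                                  # DataCount, DataOffset (no data)
        1, 0, TRANS2_SESSION_SETUP,             # SetupCount, Reserved3, Setup[0]
    )
    data = b"\x00" + params                     # one pad byte, then the parameters
    body = bytes([15]) + words + struct.pack("<H", len(data)) + data
    return netbios(smb_header(SMB_COM_TRANSACTION2, DP_PING_MID, tid=tid, uid=uid) + body)


def parse_smb_header(frame):
    """SMB1 header fields of a NetBIOS-framed message as a dict, or None if not SMB1."""
    if len(frame) < 36 or frame[4:8] != SMB_MAGIC:
        return None
    names = ("command", "status", "flags", "flags2", "pid_high", "signature",
             "reserved", "tid", "pid", "uid", "mid")
    return dict(zip(names, struct.unpack("<BIBHH8sHHHHH", frame[8:36])))


def trans2_subcommand(frame):
    """Setup[0] of a Trans2 *request*, or None for anything else."""
    hdr = parse_smb_header(frame)
    if hdr is None or hdr["command"] != SMB_COM_TRANSACTION2 or hdr["flags"] & SMB_FLAGS_REPLY:
        return None
    word_count = frame[36]
    if word_count < 15 or len(frame) < 37 + 2 * word_count:
        return None
    return struct.unpack_from("<H", frame, 37 + 28)[0]   # Setup[0] follows 28 bytes of params


def classify_probe_response(frame):
    """Interpret a Trans2 reply to the ping: 'infected', 'clean' or 'unknown'."""
    hdr = parse_smb_header(frame)
    if hdr is None or hdr["command"] != SMB_COM_TRANSACTION2 or not hdr["flags"] & SMB_FLAGS_REPLY:
        return "unknown"
    if hdr["mid"] == DP_INFECTED_MID:
        return "infected"
    return "clean" if hdr["mid"] == DP_PING_MID else "unknown"


def find_doublepulsar_signals(frames):
    """Detection over captured SMB1 frames in order: a Trans2 SESSION_SETUP request with
    MID 0x41 followed by a Trans2 reply with MID 0x51. Returns [(frame index, note)]."""
    hits, armed = [], False
    for i, frame in enumerate(frames):
        if parse_smb_header(frame) is None:
            continue
        if trans2_subcommand(frame) == TRANS2_SESSION_SETUP and parse_smb_header(frame)["mid"] == DP_PING_MID:
            armed = True
            hits.append((i, "DoublePulsar ping probe (Trans2 SESSION_SETUP, MID 0x41)"))
        elif armed and classify_probe_response(frame) == "infected":
            hits.append((i, "implant answered ping (MID 0x51): host is implanted"))
            armed = False
    return hits


def build_trans2_reply(mid, status=0):
    """Constructed minimal Trans2 reply (WordCount 0, ByteCount 0) used only as sample data."""
    return netbios(smb_header(SMB_COM_TRANSACTION2, mid, flags=0x98, status=status) + b"\x00\x00\x00")


# Constructed sample exchange: the probe, then the reply an implanted host gives.
SAMPLE_EXCHANGE = [build_doublepulsar_ping(tid=0x0800, uid=0x0800),
                   build_trans2_reply(DP_INFECTED_MID)]

if __name__ == "__main__":
    for idx, note in find_doublepulsar_signals(SAMPLE_EXCHANGE):
        print(f"frame {idx}: {note}")
```

The network-side check keys on the same two header fields the scanner uses, which is also why the Nyetya variant with altered constants slipped past tooling built on the original values: any rule derived from this logic should treat the 0x41/0x51 pair as one known variant, not as the only one.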
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010. The worm specifically scans for the existence of the DoublePulsar backdoor on compromised systems. If the DoublePulsar backdoor does not exist, then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit.
Groups observed using it
4 distinct threat actors attributed by public researchers.
Symantec discovered that as early as March 2016, the Chinese hackers were using tweaked versions of two N.S.A. tools, called Eternal Synergy and Double Pulsar, in their attacks.
Symantec reported that two of those advanced hacking tools were used against a host of targets starting in March 2016... an advanced persistent threat hacking group... somehow got access to a variant of the NSA-developed “DoublePulsar” backdoor and one of the Windows exploits the NSA used to remotely install it on targeted computers.
The exploit chains in play included EternalBlue, DoublePulsar, and WannaCry, all tools that have been publicly known and patchable for years.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The hackers used the NSA’s backdoor, DoublePulsar, to create a persistent backdoor that was used to deliver the WannaCry ransomware.
People [who] have gotten their hands on the tools just started exploiting hosts on the Internet as fast as they could... While security practices almost always dictate the port shouldn’t be exposed to the open Internet...
Execution
4 techniques
The fake HandlerFunction is executed, but this function is the shellcode.
The infection of other machines on the network will be achieved with the following command: cmd /c cd /D C:\Users\Alluse~1\&blue.exe ...
...got access to a variant of the NSA-developed “DoublePulsar” backdoor and one of the Windows exploits the NSA used to remotely install it on targeted computers.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
3 techniques
As Ars reported last week, the ultra-stealthy DoublePulsar writes no files to the hard drives of computers it infects, a feature that causes it to be removed as soon as the computer restarts.
By modifying two bytes of the query, the same person can remove the infection from any computers that test positive.
Lateral Movement
3 techniques
Researcher Kevin Beaumont told Ars that detecting DoublePulsar involves sending a series of SMB—short for server message block—queries to Internet-facing computers.
In essence, the transport code scanned the network for vulnerable computers, then used the EternalBlue exploit to access them by sending crafted packets from attackers, allowing them to execute arbitrary code remotely.
The references include WannaCry-related material such as “CVE-2017-0143,” “DoublePulsar Explained,” and “SMB Exploited: WannaCry Use of ‘EternalBlue.’”
After successfully exploiting the vulnerability in the protocol, an encrypted “payload” containing the malware stager is transferred to the victim’s computer remotely.
Command and Control
1 technique
Talos also confirmed the malware's use of exploits leaked by a crew called the Shadow Brokers... said WannaCry (also known as WannaCrypt) would attempt to install via a backdoor leaked by the Shadow Brokers called DoublePulsar.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Backdoor implant referenced as part of exploit chains used in pre-compromised environments that Sandworm later leveraged to move deeper into industrial networks.
Backdoor component appearing in exploit chains that Sandworm capitalized on in already-compromised environments.
Referenced as an example of a real-world implant used alongside exploitation techniques.
Fileless kernel-mode SMB backdoor used by WannaCry to verify compromise and inject/run payloads on infected systems during automated spreading.