MalwareUsed by 2 actors

CUNNING HERETICS

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

TAO

CUNNING HERETICS: A lightweight implant that established encrypted communication channels for NSA to remotely reactivate access points even after clean up attempts.

via inversecosinversecos.com

APT-C-40

CUNNING HERETICS: A lightweight implant that established encrypted communication channels for NSA to remotely reactivate access points even after clean up attempts.

via inversecosinversecos.com

MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Lateral Movement

1 technique

T1570Lateral Tool TransferEvidence1

TacticLateral Movement

Using this MiTM platform, they allegedly hijacked internal hosts and servers of the University before deploying further tools for remote control of the systems.

Command and Control

2 techniques

T1219Remote Access ToolsEvidence1

TacticCommand and Control

NOPEN: A remote-controlled malware that provided NSA operators with ongoing access to compromised systems. It allowed for file execution, process management, system command execution, and privilege escalation ... FLAME SPRAY - Windows-based remote-controlled malware ... STOIC SURGEON: A stealthy backdoor targeting Linux, Solaris, JunOS, and FreeBSD systems.

T1573Encrypted ChannelEvidence1

TacticCommand and Control

Encrypted Communications: All NSA tools leveraged encryption, ensuring that traffic to their command-and-control (C2) servers remained undetectable.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

inversecosNews

Jun 29, 2022

An inside look at NSA (Equation Group) TTPs from China’s lense

Lightweight implant used to establish encrypted communications and restore remote access after remediation attempts.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.