Mallory
12 malware families

NSA

Also known as: nsa

The National Security Agency (NSA) is referenced in the content in the context of sophisticated hardware implant capabilities, specifically the NSA’s COTTONMOUTH devices, which are cited as inspiration for advanced USB-based hardware implants enabling covert access. No additional NSA targeting, operational details, sub-groups, or TTPs beyond this hardware-implant reference are directly provided in the content.


MITRE ATT&CK

Tradecraft

56 distinct techniques observed across reporting, grouped by tactic.

15 of 15 tactics, 64 techniques. ×N = number of intelligence reports citing this technique.
TA0043 Reconnaissance (6 techniques)
T1589 ×5: Gather Victim Identity Information
T1590 ×5: Gather Victim Network Information
T1591: Gather Victim Org Information
T1595: Active Scanning
T1596: Search Open Technical Databases
T1598: Phishing for Information

TA0042 Resource Development (4 techniques)
T1583: Acquire Infrastructure
T1583.005: Botnet
T1584 ×2: Compromise Infrastructure
T1584.001: Domains
T1585: Establish Accounts
T1587: Develop Capabilities
T1587.001: Malware

TA0001 Initial Access (6 techniques)
T1189 ×3: Drive-by Compromise
T1190 ×2: Exploit Public-Facing Application
T1195 ×3: Supply Chain Compromise
T1200: Hardware Additions
T1566: Phishing
T1566.002: Spearphishing Link
T1659: Content Injection

TA0002 Execution (3 techniques)
T1059: Command and Scripting Interpreter
T1203 ×2: Exploitation for Client Execution
T1574 ×2: Hijack Execution Flow

TA0003 Persistence (3 techniques)
T1205 ×2: Traffic Signaling
T1525: Implant Internal Image
T1542: Pre-OS Boot

TA0004 Privilege Escalation (1 technique)
T1068: Exploitation for Privilege Escalation

TA0005 Stealth (6 techniques)
T1027: Obfuscated Files or Information
T1036: Masquerading
T1070: Indicator Removal
T1205 ×2: Traffic Signaling
T1542: Pre-OS Boot
T1574 ×2: Hijack Execution Flow

TA0112 Defense Impairment (3 techniques)
T1553 ×2: Subvert Trust Controls
T1600 ×5: Weaken Encryption
T1601: Modify System Image

TA0006 Credential Access (6 techniques)
T1040 ×8: Network Sniffing
T1110: Brute Force
T1212: Exploitation for Credential Access
T1555: Credentials from Password Stores
T1557 ×8: Adversary-in-the-Middle
T1649 ×2: Steal or Forge Authentication Certificates

TA0007 Discovery (3 techniques)
T1040 ×8: Network Sniffing
T1082: System Information Discovery
T1614: System Location Discovery

TA0008 Lateral Movement (1 technique)
T1210 ×2: Exploitation of Remote Services

TA0009 Collection (9 techniques)
T1025: Data from Removable Media
T1113: Screen Capture
T1114: Email Collection
T1119: Automated Collection
T1123 ×4: Audio Capture
T1125: Video Capture
T1185: Browser Session Hijacking
T1213 ×4: Data from Information Repositories
T1557 ×8: Adversary-in-the-Middle

TA0011 Command and Control (5 techniques)
T1090: Proxy
T1105: Ingress Tool Transfer
T1205 ×2: Traffic Signaling
T1573: Encrypted Channel
T1659: Content Injection

TA0010 Exfiltration (2 techniques)
T1020: Automated Exfiltration
T1020.001: Traffic Duplication
T1041: Exfiltration Over C2 Channel

TA0040 Impact (1 technique)
T1565: Data Manipulation

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

resilient cyber blog (News)
Oct 22, 2025
Resilient Cyber Newsletter #70

Alleged to have exploited vulnerabilities in messaging services of a foreign mobile phone brand to steal sensitive information from the Chinese National Time Center.

techrepublic com security (News)
Oct 21, 2025
China Alleges US Hacked National Time Center

Allegedly conducting long-term, highly covert cyber operations against China’s National Time Service Center, including compromising staff mobile devices, stealing sensitive data, and attempting to infiltrate internal networks. The operations reportedly escalated in 2023 with the deployment of a new cyberwarfare platform targeting high-precision timing networks.

securityaffairs (News)
Oct 20, 2025
China finds “irrefutable evidence” of US NSA cyberattacks on time Authority

The NSA is accused of conducting cyber-espionage operations against China’s National Time Service Center, targeting sensitive data and critical infrastructure related to national timekeeping. The operations reportedly involved exploiting mobile phone vulnerabilities, credential theft, network infiltration, and deployment of a cyber warfare platform with multiple tools for data theft and disruption.

cso online (News)
Oct 20, 2025
US NSA alleged to have launched a cyber attack on a Chinese agency

Allegedly conducted a cyber attack against China's National Time Service Center, targeting critical timekeeping infrastructure that supports communications, finance, power, transportation, defense, and other sectors. The operation reportedly involved exploiting an SMS vulnerability to compromise mobile devices of staff and steal sensitive data, with the potential to disrupt national and international time services.
