Skip to main content
Mallory
Back to threat actors
🇷🇺 RU6 malware familiesExploits CVEs in the wild

Shadow Brokers

Also known asshadow_brokers

Shadow Brokers is a still-unidentified threat actor or online persona that emerged publicly in 2016 and became known for leaking highly sophisticated offensive cyber tools widely assessed as having been stolen from the NSA-linked Equation Group. The group publicized an "Equation Group Cyber Weapons Auction" via Twitter and Pastebin, released samples and encrypted archives, and later dumped additional tools publicly; multiple sources in the content note that the auction was likely a ruse rather than a genuine sale. The leaked material included NSA-linked exploits and implants such as EternalBlue, EternalRomance, DoublePulsar, and Oddjob, as well as other files including Darkpulsar-1.1.0.exe, Mofconfig-1.0.0.exe, and PluginHelper.py. Kaspersky-linked reporting in the content says the leaked code bore unique signatures tied to the Equation Group. The leaks also included weapons-grade exploits targeting unpatched Cisco firewall vulnerabilities, and one release reportedly contained evidence that Al Quds Bank for Development and Investment in Ramallah, Palestine, had been specifically targeted. The actor’s identity remains unknown, and no individual has been formally charged in connection with operating the Shadow Brokers persona or carrying out the leak. The content notes competing theories, including involvement by a current or former NSA insider and a widely credited theory that the persona may have been a front for a Russian intelligence operation, but these remain unconfirmed in the provided material. The group communicated publicly in stylized broken English, spoke to journalists only once in a brief interview cited in the content, and later re-emerged periodically with additional posts and claimed offerings. The Shadow Brokers’ significance is primarily the strategic impact of their disclosures. Their leak exposed EternalBlue and related capabilities that were later repurposed in major global malware outbreaks. The content explicitly links Shadow Brokers-released tooling to WannaCry and NotPetya, including use of EternalBlue in WannaCry and EternalBlue/EternalRomance-derived tradecraft in NotPetya/PetyaWrap. Those campaigns caused widespread disruption across hospitals, telecommunications providers, shipping, logistics, legal, manufacturing, and other sectors worldwide. The content also associates the release with rapid Internet-wide concern over DoublePulsar infections and with broader scrutiny of the NSA’s handling of offensive cyber capabilities. Known alias in the provided content: shadow_brokers.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration
  • Military

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

5 of 15 tactics8 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1190×3
Exploit Public-Facing Application
TA0002
Execution
2 techniques
T1059
Command and Scripting Interpreter
T1203×8
Exploitation for Client Execution
TA0008
Lateral Movement
3 techniques
T1021
Remote Services
T1210×19
Exploitation of Remote Services
T1570
Lateral Tool Transfer
TA0011
Command and Control
1 technique
T1105
Ingress Tool Transfer
TA0010
Exfiltration
1 technique
T1537
Transfer Data to Cloud Account
ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
WannaCryThe malware, known as Wanna, Wannacry, or Wcry, has infected at least 75,000 computers... The Spanish CERT has called it a “massive ransomware attack” that is encrypting all the files of entire networks and spreading laterally through organizations.7May 26, 2026
EternalBlueIf the DoublePulsar backdoor does not exist, then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit.5May 26, 2026
NotPetyaThe Trump administration on Thursday publicly blamed Russia for the massive notPetya cyberattack that ravaged computer systems worldwide last June... “The attack, dubbed ‘NotPetya,’ quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas,” the White House said.3May 26, 2026
DoublePulsarThe worm specifically scans for the existence of the DoublePulsar backdoor on compromised systems.2May 26, 2026
PetyaWrapPetyaWrap, as some researchers are calling the ransomware, uses a cocktail of potent techniques to break into a network and from there spread from computer to computer.1May 26, 2026

1 additional family tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2017-0144EternalBlue SMBv1 Remote Code Execution in Microsoft WindowsIn the wildEvidence7

Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010. The worm specifically scans for the existence of the DoublePulsar backdoor on compromised systems. If the DoublePulsar backdoor does not exist, then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
cysecurity newsNews
Jun 4, 2026
Shadow Brokers Mystery Remains One of Cybersecurity’s Biggest Unsolved Cases - CySecurity News - Latest Information Security and Hacking Incidents

Released stolen NSA-linked offensive cyber tools, claimed to have breached the Equation Group, attempted to auction the tools, and later publicly dumped them, enabling downstream destructive attacks by other actors.

Read more
techcrunch com securityNews
May 26, 2026
Ghost hackers: the cybersecurity mystery that nobody has solved | TechCrunch

Enigmatic group that leaked a trove of hacking tools believed to belong to the NSA/Equation Group, likely using the release as a propaganda operation and public dump rather than a genuine auction.

Read more
security affairsNews
May 12, 2026
WannaCry, the ransomware attack that changed the history of cybersecurity

Leaked offensive cyber tools including EternalBlue, which enabled the broader WannaCry outbreak.

Read more
risky biz rssNews
Mar 12, 2026
Srsly Risky Biz: Trump's Cyber Strategy… Great, Amazing, The Best Yet

Referenced as the leak actor responsible for stealing and releasing NSA exploit tooling (including EternalBlue), which was later abused in major destructive campaigns.

Read more
+35 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.