ShadowBrokers
Shadow Brokers is the name used by an entity that surfaced publicly on 2016-08-13 claiming to possess files belonging to the Equation Group. It released multiple dumps, including a free archive of roughly 300 MB containing firewall exploits, tools, and scripts, while a second, encrypted archive was offered separately. Reporting tracked here states that the leaked material included tools and documentation allegedly stolen from the Equation Group, and that later releases allegedly included material on the targeting of SWIFT service bureaus.

The sources tracked here do not provide high-confidence attribution of Shadow Brokers to any specific country or sponsor. What they do describe is a strong technical linkage between the leaked tools and the Equation Group, which is a separate question from who Shadow Brokers themselves were. Kaspersky assessed with high confidence that the leaked tools were related to the Equation Group, based in part on a rare RC5/RC6 implementation seen across hundreds of leaked files and previously observed in Equation malware. A separate analysis disputes the strength of one specific RC6-based authorship argument: the subtraction form of the RC6 constant on x86 (subtracting the two's-complement negation of the constant rather than adding the constant itself) can be compiler-generated, so that detail is not conclusive by itself.

Shadow Brokers is notable primarily as a leak actor or persona rather than as an operator conducting intrusions directly. The leaked archive exposed numerous Equation-associated tools and cryptonyms, including BANANAUSURPER, BLATSTING, BUZZDIRECTION and BANANAGLEE, as well as material later referenced in relation to EQUATIONVECTOR, identified in Shadow Brokers disclosures as "PeddleCheap." The name "fast16" also appeared in a document leaked by Shadow Brokers concerning NSA offensive cyber weapons.

Known alias: shadowbrokers.
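The RC6 argument above rests on a piece of 32-bit arithmetic that is easiest to see in code. The block below is an added example written for this page; it is not code from the leak, from Kaspersky, or from the analysis that disputes the argument. It implements the RC6-32 key schedule with both constant forms, shows that they produce identical subkeys (so a compiler or a programmer may emit either), and scans a constructed byte buffer for either encoding. The helper names and the sample buffers are the editor's own.

```python
"""Added example: both arithmetic forms of the RC6 key-schedule constant are
equivalent mod 2**32, so a scan for the constant must look for both, and the
subtraction form alone says little about who wrote the code."""
import struct

MASK32 = 0xFFFFFFFF
P32 = 0xB7E15163           # RC5/RC6 constant P (derived from e)
Q32 = 0x9E3779B9           # RC5/RC6 constant Q (golden ratio); also the TEA/XTEA delta
NEG_Q32 = (-Q32) & MASK32  # 0x61C88647: the "subtraction form" seen in compiled x86 code


def rotl32(x, n):
    """Rotate a 32-bit word left by n (low 5 bits of n, as RC6 specifies)."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32


def rc6_key_schedule(key: bytes, rounds: int = 20, subtract_form: bool = False):
    """RC6-32/r key schedule. With subtract_form=True the fill step is
    S[i] = S[i-1] - 0x61C88647 instead of S[i-1] + 0x9E3779B9; these are the
    same operation mod 2**32, which is why either may appear in a binary."""
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(4 * c, b"\0")))
    t = 2 * rounds + 4
    S = [P32]
    for _ in range(1, t):
        if subtract_form:
            S.append((S[-1] - NEG_Q32) & MASK32)
        else:
            S.append((S[-1] + Q32) & MASK32)
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl32((S[i] + A + B) & MASK32, 3)
        B = L[j] = rotl32((L[j] + A + B) & MASK32, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def scan_for_rc6_constants(blob: bytes):
    """Report which little-endian encodings of the RC5/RC6 constants occur in blob."""
    return {
        "P32": struct.pack("<I", P32) in blob,
        "Q32_add": struct.pack("<I", Q32) in blob,
        "Q32_sub": struct.pack("<I", NEG_Q32) in blob,
    }


def assess(hits):
    """Turn constant hits into the kind of statement an analyst can defend."""
    q = hits["Q32_add"] or hits["Q32_sub"]
    if hits["P32"] and q:
        return "P32 and Q32 present: consistent with an RC5/RC6 key schedule"
    if q:
        return "Q32 alone: weak, the constant is shared with TEA/XTEA and other code"
    return "no RC5/RC6 constants found"


# Constructed sample buffers (not real samples): one carries only the
# subtraction-form constant, the other carries P32 together with the additive form.
SUB_ONLY = b"\x90\x90" + struct.pack("<I", NEG_Q32) + b"\xcc"
P_AND_ADD = b"\x55" + struct.pack("<I", P32) + b"\x8b" + struct.pack("<I", Q32)

if __name__ == "__main__":
    key = b"0123456789abcdef"
    same = rc6_key_schedule(key) == rc6_key_schedule(key, subtract_form=True)
    print("add and subtract forms yield identical subkeys:", same)
    for name, blob in (("SUB_ONLY", SUB_ONLY), ("P_AND_ADD", P_AND_ADD)):
        print(name, assess(scan_for_rc6_constants(blob)))
```

The point for a triage workflow is the `assess` step: the golden-ratio constant in either form is a weak signal on its own, and only the pair with P32 (and, better, matching the surrounding key-schedule code) supports calling something an RC5/RC6 implementation, let alone a particular author's.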
Tradecraft
2 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Named as the entity responsible for leaking NSA tools; mentioned in connection with the disclosure of Fast16 artifacts rather than as the operator of Fast16 itself.
Referenced as the group that leaked documents about NSA offensive cyber weapons; not described in the article as operating fast16.
Leak/operations entity discussed for releasing alleged Equation Group tooling and documentation, including material related to SWIFT/banking targeting.
Conducted high-profile public data dumps, claiming theft and release of Equation Group tooling including unreported zero-days, influencing public debate and increasing downstream exploitation risk.