EternalBlue
EternalBlue is an SMBv1 remote code execution exploit for Windows, patched by Microsoft in bulletin MS17-010; the flaw it triggers is CVE-2017-0144. It was developed by the Equation Group, the operator publicly linked to the NSA, and leaked by the Shadow Brokers on 2017-04-14 in the "Lost in Translation" release. The press coverage quoted below describes it loosely as a collection or family of Windows zero-day vulnerabilities; more precisely it is one exploit from a leaked toolkit (EternalRomance and EternalSynergy are siblings that also appear on this page) that gives an unauthenticated attacker kernel-level access to a vulnerable host, a foothold for lateral movement, and a primitive that self-propagating worms could reuse.
Technically, the exploit targets the SMBv1 server implementation in srv.sys. The leaked tool, as the reporting quoted below puts it, compromised pre-Windows 10 systems; the underlying MS17-010 flaws also affect Windows 8.1, Server 2012 and the Windows 10 and Server 2016 builds listed in the CVE entry below, so the affected range is wider than the tool's own target list. The bug is a kernel non-paged pool overflow: when srv.sys converts a client-supplied list of OS/2 extended attributes (FEAs) to NT format inside a crafted SMB transaction, a sizing error lets the conversion write past the buffer it allocated. The exploit grooms the non-paged pool so the overflow lands on an adjacent srvnet buffer structure, corrupts it, and turns that corruption into kernel-mode code execution. In practice it is paired with the DoublePulsar kernel implant: worms built on EternalBlue probe a target for DoublePulsar first, run the exploit only if the backdoor is absent, and then use the implant to inject their payload.
EternalBlue is tied to the major destructive and ransomware outbreaks of 2017, most notably WannaCry (also written WCry or WanaCry) and NotPetya, and it also appears in later reporting on Bad Rabbit, RobbinHood and the Baltimore ransomware incident. WannaCry used EternalBlue for initial SMB exploitation and DoublePulsar to load its payload, then scanned TCP/445 across the local network and random Internet addresses to spread on its own. NotPetya combined modified EternalBlue and EternalRomance exploits (see the Lateral Movement quotes below) with Mimikatz credential theft, and spread far beyond its initial Ukrainian targets into global disruption. Public attribution places WannaCry with North Korean operators and NotPetya with Russian operators.
EternalBlue also resurfaces in criminal campaigns well after the 2017 outbreaks. One example tracked here is a Blackmoon/KRBanker campaign whose spreader component dropped the EternalBlue and DoublePulsar tools, scanned for hosts with port 445 (among others) open, and used them to move laterally inside the victim organisation.
High-confidence associations: the Shadow Brokers leak, the Equation Group/NSA origin, the operational pairing with DoublePulsar, and use in WannaCry and NotPetya. Indicators and artifacts named directly in the sources: SMB over TCP port 445, SMBv1, MS17-010, CVE-2017-0144, and the dropped file names Eternalblue-2.2.0.exe and Doublepulsar-1.3.1.exe from the Blackmoon campaign. Affected environments are Windows hosts never patched for MS17-010 that still have SMBv1 enabled, especially older and pre-Windows 10 builds; disabling SMBv1 removes the attack surface even where the patch cannot be applied.
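To turn the behaviour above into something a SOC can run, here is an added detection example, written for this page and not code from any of the quoted sources or from Mallory. It scans a constructed connection log for a host fanning out to many distinct peers on TCP/445 inside a short window, the pattern WannaCry's scanner and the Blackmoon spreader share, and a constructed file-event log for the two dropped tool names reported in the Blackmoon campaign. The log format, field names, thresholds and sample lines are assumptions; map the two regular expressions to your own firewall or EDR schema.

```python
"""Hunt for EternalBlue-style worm behaviour in connection and file logs.

Added example, not from the page or any vendor product. Flags (a) a host
reaching many distinct peers on TCP/445 inside a short window and (b) the
creation of the dropped tool names reported in the Blackmoon campaign.
The log format and sample lines are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed line shapes; adjust to your own firewall / EDR export.
CONN_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")
FILE_RE = re.compile(r"^(?P<ts>\S+) file host=(?P<host>\S+) path=(?P<path>.+)$")

# Tool names observed dropped in the Blackmoon/KRBanker campaign (compared lower-case).
DROPPED_TOOLS = ("eternalblue-2.2.0.exe", "doublepulsar-1.3.1.exe")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_smb_fanout(lines, min_targets=10, window_seconds=60):
    """Return {src: peak distinct TCP/445 destinations inside one window}
    for every source that reached at least min_targets distinct peers."""
    per_src = defaultdict(list)
    for line in lines:
        m = CONN_RE.match(line)
        if m and m["dport"] == "445":
            per_src[m["src"]].append((parse_ts(m["ts"]), m["dst"]))
    hits = {}
    for src, conns in per_src.items():
        conns.sort()                      # sliding window needs time order
        window = deque()
        peak = 0
        for ts, dst in conns:
            window.append((ts, dst))
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len({d for _, d in window}))
        if peak >= min_targets:
            hits[src] = peak
    return hits


def detect_tool_drops(lines):
    """Return (host, path) for file events whose basename is a known tool name."""
    found = []
    for line in lines:
        m = FILE_RE.match(line)
        if not m:
            continue
        basename = m["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename in DROPPED_TOOLS:
            found.append((m["host"], m["path"]))
    return found


# Constructed sample: one workstation sweeps a /24 on 445 within 12 seconds,
# an admin host makes two ordinary SMB connections minutes apart, and the
# worm writes its tooling to disk on the sweeping host.
SAMPLE_LOG = (
    [f"2017-05-12T10:00:{i:02d}Z conn src=10.0.0.5 dst=10.0.0.{100 + i} dport=445"
     for i in range(12)]
    + ["2017-05-12T10:00:30Z conn src=10.0.0.9 dst=10.0.0.2 dport=445",
       "2017-05-12T10:05:00Z conn src=10.0.0.9 dst=10.0.0.3 dport=445",
       "2017-05-12T10:00:40Z conn src=10.0.0.5 dst=10.0.0.50 dport=80",
       "2017-05-12T10:00:14Z file host=WS05 path=C:\\ProgramData\\Eternalblue-2.2.0.exe",
       "2017-05-12T10:00:15Z file host=WS05 path=C:\\ProgramData\\Doublepulsar-1.3.1.exe",
       "2017-05-12T10:00:16Z file host=WS05 path=C:\\ProgramData\\notes.txt"]
)

if __name__ == "__main__":
    print(detect_smb_fanout(SAMPLE_LOG))   # the sweeping host and its fan-out count
    print(detect_tool_drops(SAMPLE_LOG))   # the two dropped tool paths
```

Ten distinct peers on 445 within a minute is a starting threshold, not a tuned one: domain controllers, backup servers and vulnerability scanners legitimately fan out on SMB and need an allowlist, while a worm that throttles itself will need a longer window. The file-name match is the weaker signal of the two, since an operator only has to rename the binaries, so treat it as confirmation rather than the primary detection.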
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories: CVE-2017-0143, listed below, and CVE-2017-0144, the flaw EternalBlue itself triggers. Both are fixed by MS17-010.
CVE-2017-0143
Vulnerable products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511 and 1607; Windows Server 2016
Associated malware: multiple, using the EternalSynergy and EternalBlue exploit kit
Mitigation: update affected Microsoft products with the latest security patches
If the DoublePulsar backdoor does not exist, then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit.
Groups observed using it
4 distinct threat actors attributed by public researchers; the quotes below name the North Korean operators behind WannaCry and the Russian operators behind NotPetya.
The EternalBlue exploitation tool was leaked by “The Shadow Brokers” group on April 14, 2017, in their fifth leak, “Lost in Translation.”
"...the Shadow Brokers hacked and disclosed a cache of stockpiled NSA cyber capabilities, including the EternalBlue vulnerability, which was later used in the devastating WannaCry and NotPetya ransomware attacks."
"The NSA-developed Windows exploit EternalBlue was stolen and exposed in 2017, eventually enabling destructive operations like North Korea’s WannaCry attack and Russia-linked NotPetya hacks."
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
A single vulnerable and internet-exposed system was enough to wreak havoc.
Execution
2 techniques
Among the exposed tools was EternalBlue, a collection of Windows zero-day vulnerabilities that enabled attackers to infiltrate systems...
Privilege Escalation
1 technique
Sean Dillon ... modified the source code for some of these lesser-known exploits so they would be able to work and run SYSTEM-level code on a wide variety of Windows OS versions.
Stealth
1 technique
Defense Impairment
1 technique
A bug in the process of converting FEA (File Extended Attributes) from Os2 structure to NT structure by the Windows SMB implementation (srv.sys driver) leads to buffer overflow in the non-paged kernel pool.
Discovery
1 technique
North Korean hackers used EternalBlue to unleash the WannaCry ransomware worm. Russian hackers later built it into NotPetya, which spiraled beyond its initial Ukrainian targets and caused an estimated $10 billion in damages globally.
Lateral Movement
4 techniques
Around January this year, Microsoft was tipped off ... that the NSA's Eternalblue cyber-weapon, which can compromise pre-Windows 10 systems via an SMBv1 networking bug, had been stolen and was about to leak into the public domain.
Our analysis of the artifacts and network traffic at victim networks indicates that modified versions of the EternalBlue and EternalRomance SMB exploits were used, at least in part, to spread laterally.
Among the exposed tools was EternalBlue, a collection of Windows zero-day vulnerabilities that enabled attackers to infiltrate systems, move laterally across networks, and spread malware automatically.
Among the tools released, the Shadow Brokers published EternalBlue — a family of zero-day vulnerabilities targeting Windows that allowed hackers to break into computers on a hacked network, rapidly expand their access, and deploy self-propagating worms.
Command and Control
1 technique
Thus, it’s possible to send: SMB_COM_NT_TRANSACT followed by SMB_COM_TRANSACTION2_SECONDARY. This situation can lead to wrong data parsing, and this bug enables Bug A by treating Dword as Word.
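The summary at the top of the page and the two research quotes (the FEA conversion overflow under Defense Impairment and the DWORD-as-WORD note just above) describe the sizing defect without showing the arithmetic. The following is an added model of that defect, written for this page and not taken from srv.sys or from any published exploit: it builds an OS/2 FEA list, runs a sizing pass that writes the byte count it accepted back into the 32-bit cbList field through a 16-bit store, and measures how far a conversion pass that trusts cbList would write past the buffer the sizing pass allocated. The field layouts follow the FEALIST and FILE_FULL_EA_INFORMATION formats; the entry counts, the 0x10000 claimed length (the over-64 KB length that the transaction confusion in the quote above makes reachable) and the stop-at-overrun rule are assumptions made for the demo. It touches neither kernel memory nor the network.

```python
"""Model of the MS17-010 FEA-list sizing bug ("Bug A").

Added illustration, not srv.sys code. A sizing pass walks the OS/2 list,
stops at the first entry that overruns the declared length, and writes the
number of bytes it accepted back into the 32-bit cbList field through a
16-bit store; the conversion pass then trusts a cbList that is larger than
what was sized. Entry counts and sizes are made up for the demo.
"""
import struct

OS2_LIST_HDR = 4   # DWORD cbList (total bytes, header included)
OS2_FEA_HDR = 4    # BYTE fEA, BYTE cbName, WORD cbValue
NT_FEA_HDR = 8     # ULONG NextEntryOffset, UCHAR Flags, UCHAR NameLen, USHORT ValueLen


def build_os2_fea_list(entries, claimed_cb_list=None):
    """Serialise (flags, name, value) tuples into an OS/2 FEALIST.
    claimed_cb_list overrides the header, e.g. to declare 0x10000 bytes."""
    body = b"".join(
        struct.pack("<BBH", flags, len(name), len(value)) + name + b"\x00" + value
        for flags, name, value in entries)
    total = OS2_LIST_HDR + len(body) if claimed_cb_list is None else claimed_cb_list
    return struct.pack("<I", total) + body


def os2_entry_size(name_len, value_len):
    return OS2_FEA_HDR + name_len + 1 + value_len   # name is NUL-terminated


def nt_entry_size(name_len, value_len):
    raw = NT_FEA_HDR + name_len + 1 + value_len
    return (raw + 3) & ~3                           # NT entries are 4-byte aligned


def size_pass(buf, word_writeback):
    """Compute the NT buffer size and update cbList with the bytes accepted.

    Returns (nt_size, updated_cb_list). With word_writeback=True only the low
    16 bits of cbList are replaced, which is the defect modelled here.
    """
    cb_list = struct.unpack_from("<I", buf, 0)[0]
    pos = OS2_LIST_HDR
    nt_size = 0
    while pos + OS2_FEA_HDR <= cb_list:
        _, name_len, value_len = struct.unpack_from("<BBH", buf, pos)
        entry = os2_entry_size(name_len, value_len)
        if pos + entry > cb_list:
            break                                   # entry overruns the list: stop sizing
        nt_size += nt_entry_size(name_len, value_len)
        pos += entry
    if word_writeback:
        updated = (cb_list & 0xFFFF0000) | (pos & 0xFFFF)   # 16-bit store into a DWORD
    else:
        updated = pos                                       # full 32-bit write-back
    return nt_size, updated


def convert_pass(buf, cb_list):
    """Walk the list up to cb_list and return the NT bytes that would be written.
    Mirrors a converter that trusts the sizing pass and makes no per-entry check."""
    pos = OS2_LIST_HDR
    written = 0
    while pos < cb_list and pos + OS2_FEA_HDR <= len(buf):
        _, name_len, value_len = struct.unpack_from("<BBH", buf, pos)
        written += nt_entry_size(name_len, value_len)
        pos += os2_entry_size(name_len, value_len)
    return written


def simulate(word_writeback):
    """Return (allocated, written, overflow_bytes) for a crafted list that
    claims 0x10000 bytes and ends in an entry the sizing pass rejects."""
    filler = [(0, b"x", b"y" * 10)] * 4095          # 16 OS/2 bytes, 20 NT bytes each
    oversized = [(0, b"z", b"v" * 512)]             # overruns the declared 0x10000
    buf = build_os2_fea_list(filler + oversized, claimed_cb_list=0x10000)
    allocated, cb_list = size_pass(buf, word_writeback)
    written = convert_pass(buf, cb_list)
    return allocated, written, max(0, written - allocated)


if __name__ == "__main__":
    for buggy in (True, False):
        alloc, wrote, over = simulate(buggy)
        print(f"word_writeback={buggy}: allocated={alloc} written={wrote} overflow={over}")
```

With the 16-bit write-back the sizing pass stops at offset 0xFFF4 but the DWORD becomes 0x1FFF4, so the converter also processes the rejected entry and writes 524 bytes past the 81,900-byte allocation; with the full 32-bit write-back the two passes agree and nothing overflows. The check a hardened converter needs is the one the sizing pass already made: never convert an entry that was not counted.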
Exfiltration
1 technique
The first installment centers on the Shadow Brokers — an enigmatic group that surfaced online, dumped a trove of hacking tools believed to belong to the NSA, and then vanished.
Recent activity
21 sources tracked across advisories, community write-ups, and news.
A leaked NSA-linked Windows exploit set described as enabling system intrusion, lateral movement, and automatic malware propagation. It later underpinned major destructive attacks.
A leaked NSA-linked exploit family targeting Windows that enabled network compromise, lateral spread, and deployment of self-propagating worms.
SMBv1 remote code execution exploit used by WannaCry for initial access and worm-like propagation by triggering a kernel memory corruption condition via crafted SMB packets.
Leaked NSA exploit later abused broadly by criminals, including in ransomware campaigns.