Fanny
Fanny is an Equation Group worm. The sourced material identifies it as an earlier Equation Group malware family and toolset alongside EQUATIONDRUG, DOUBLEFANTASY, and GRAYFISH, and states that it was later linked to Stuxnet through shared exploits. Specifically, Fanny is said to have used two Stuxnet zero-days one to two years before Stuxnet: the Windows LNK exploit CVE-2010-2568 and a privilege-escalation exploit embedded in Stuxnet Resource 207. These shared exploits helped connect Stuxnet, Duqu, and the Equation Group, and Kaspersky researchers noted shared coding practices between the Stuxnet and Equation developers. No additional high-confidence details on Fanny's infection vector, victimology, industries targeted, or specific indicators of compromise are provided in the sourced material.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Fanny utilized two Stuxnet zero-days 1-2 years before Stuxnet entered the scene: the infamous LNK exploit (CVE-2010-2568) and a privilege escalation embedded in the aforementioned Resource 207.
Equation, on the other hand, would eventually be connected by the use of exploits shared by both Stuxnet and an earlier Equation Group worm named Fanny.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Having originally uncovered the Equation group in February 2015, we’ve taken a look at the newly released files to check for any connections with the known toolsets used by Equation, such as EQUATIONDRUG, DOUBLEFANTASY, GRAYFISH and FANNY.
At the same time, Stuxnet was connected to Duqu and, as we found more recently, the Equation group, through their exploits originally used by the Fanny worm.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
Fanny utilized two Stuxnet zero-days 1-2 years before Stuxnet entered the scene: the infamous LNK exploit (CVE-2010-2568) and a privilege escalation embedded in the aforementioned Resource 207.
Privilege Escalation
1 technique
Fanny utilized two Stuxnet zero-days 1-2 years before Stuxnet entered the scene: the infamous LNK exploit (CVE-2010-2568) and a privilege escalation embedded in the aforementioned Resource 207.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A worm referenced for its exploits, which were later tied into the broader connections among Stuxnet, Duqu, and the Equation group.
An Equation Group worm said to have used two Stuxnet zero-days one to two years before Stuxnet, helping connect Equation to the broader malware cluster discussed.
Equation Group malware referenced among known toolsets used for technical comparison with the ShadowBrokers dump, especially around a distinctive RC5/RC6 implementation.