EGOTISTICALGIRAFFE
EGOTISTICALGIRAFFE is an NSA-attributed exploit referenced in Snowden-sourced reporting on the FOXACID and QUANTUM exploitation ecosystem. It is described as exploiting a type confusion vulnerability in E4X, the XML extension for JavaScript, in Firefox rather than attacking Tor directly. The reported vulnerable versions were Firefox 11.0 through 16.0.2 and Firefox 10.0 ESR, including affected Tor Browser Bundle builds based on those versions; the flaw was reportedly removed when Mozilla eliminated the vulnerable E4X library, and the NSA was said to be seeking a replacement exploit for Firefox 17.0 ESR.
In the described operations, the NSA allegedly identified Tor users on the network using systems including XKeyscore, Turbulence, Turmoil, and Tumult, then redirected selected users via QUANTUM packet-injection/man-on-the-side attacks to FOXACID servers. FOXACID is characterized as an exploit orchestrator operated by NSA Tailored Access Operations (TAO) that selected exploits based on target value, sophistication, and operational risk, delivered payloads, handled callbacks, and supported longer-term compromise. EGOTISTICALGIRAFFE is mentioned as one of the exploit capabilities used in that broader framework.
The available reporting ties EGOTISTICALGIRAFFE with high confidence to NSA offensive operations against Tor users and Firefox-based Tor Browser targets. It does not provide a standalone malware family profile, persistence mechanism, or indicators of compromise specific to EGOTISTICALGIRAFFE beyond its role as a Firefox E4X exploit delivered through the FOXACID/QUANTUM infrastructure.
According to the training presentation provided by Snowden, EgotisticalGiraffe exploits a type confusion vulnerability in E4X, which is an XML extension for JavaScript.
(On the other hand, EGOTISTICALGIRAFFE has to be the dumbest code name ever.)
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
After identifying an individual Tor user on the Internet, the NSA uses its network of secret Internet servers to redirect those users to another set of secret Internet servers, with the codename FoxAcid, to infect the user's computer.
one successful technique the NSA has developed involves exploiting the Tor browser bundle... The trick identifies Tor users on the Internet and then executes an attack against their Firefox web browser.
Execution
1 technique
According to the training presentation provided by Snowden, EgotisticalGiraffe exploits a type confusion vulnerability in E4X... This vulnerability exists in Firefox 11.0–16.0.2, as well as Firefox 10.0 ESR.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
NSA Firefox exploit used against Tor Browser Bundle users by exploiting an E4X type confusion vulnerability in Firefox to compromise targets.
A named NSA exploit/tool referenced in passing by codename only.
A named NSA exploit/tool referenced in passing in the discussion of FOXACID-related capabilities.