A
ACRIDMINI - TAO computer hacking project *
ADJUTANT VENTURE - Intrusion set? *
ALOOFNESS - Cyber threat actor *
ALTEREDCARBON - An IRATEMONK implant for Seagate drives *
AMULETSTELLAR - Cyber threat actor sending malicious e-mails *
ANGRYNEIGHBOR - Family of radar retro-reflector tools used by NSA's TAO division *
APERTURESCIENCE - TAO computer hacking project *
ARGYLEALIEN - Method to cause a loss of data by exploiting zeroization of hard-drives *
ARKSTREAM - Implant used to reflash BIOS, installed by remote access or intercepted shipping
ARROWECLIPSE - Counter CNE tool *

B
BADDECISION (BDN) - Hacking tool to redirect users of a wireless/802.11 network to NSA FOXACID servers * *
BALLOONKNOT - TAO computer hacking project *
BANANAAID - NSA hacking tool or code included in the Shadow Brokers leak *
BANANABALLOT - A BIOS module associated with an implant (likely BANANAGLEE) *
BANNANADAIQUIRI - An implant associated with SCREAMINGPLOW *
BANANAGLEE - A non-persistent firewall software implant for Cisco ASA and PIX devices that allows remote JETPLOW installation *
BANANALIAR - A tool for connecting to an unspecified implant (likely BANANAGLEE) *
BARGLEE - A software implant for a firewall of an unknown vendor *
BARICE - A tool that provides a shell for installing the BARGLEE implant *
BARNFIRE - TAO tool to erase the BIOS on a brand of servers that act as a backbone to many rival governments *
BARPUNCH - A module for BANANAGLEE and BARGLEE implants *
BEACHHEAD - Computer exploit delivered by the FERRETCANON system * *
BEECHPONY - A firewall implant that is a predecessor of BANANAGLEE *
BENIGNCERTAIN - A tool that appears to be for sending certain types of Internet Key Exchange (IKE) packets to a remote host and parsing the response *
BERSERKR - Persistent backdoor that is implanted into the BIOS and runs from System Management Mode * *
BILLOCEAN - Retrieves the serial number of a firewall, to be recorded in operation notes *
BISHOP KNIGHT - Major cyber threat category of Chinese attacks against NASA, DoD, DoE, part of BYZANTINE HADES, countered by the TUTELAGE system * *
BLACK ENERGY Bot - Major cyber threat category countered by the TUTELAGE system *
BLATSTING - A firewall software implant that is used with EGREGIOUSBLUNDER (Fortigate) and ELIGIBLEBACHELOR (TOPSEC) *
BLINDDATE (BD) - Survey and exploitation hardware with a mobile antenna system to run BADDECISION, which allows for a SECONDDATE attack * * *
BLIND MARKSMAN - Major cyber threat category countered by the TUTELAGE system *
BOOKISHMUTE - An exploit against an unknown firewall using Red Hat 6.0 *
BORGERKING - Something related to Linux exploits *
BOTANICREALTY - Video demodulation tool (formerly: UNCANNY) *
BOXINGRUMBLE - Network attack that was countered by QUANTUMDNS *
BRICKTOP - Project to learn about new malware by intercepting e-mail from several security companies (2009) *
BROKENTIGO - Tool for computer network operations
BULLDOZER - PCI bus hardware implant on intercepted shipping
BUZZDIRECTION - A firewall software implant for Fortigate firewalls *
BYZANTINE - First word of nicknames for programs involving defense against Chinese cyber-warfare and US offensive cyber-warfare *
BYZANTINE ANCHOR - Chinese cyber attacks against a broad range of US targets since 2003, part of BYZANTINE HADES * *
BYZANTINE CANDOR (BC) - Chinese cyber attacks against DoD and other US targets, part of BYZANTINE HADES, formerly TITAN RAIN III * * *
BYZANTINE FOOTHOLD (BF) - Major cyber threat category of Chinese attacks against TRANSCOM, PACOM and others, countered by the TUTELAGE system * *
BYZANTINE HADES - Chinese computer network exploitation (CNE) against the US * probably renamed to the LEGION-series *
BYZANTINE PRAIRIE - Chinese cyber attacks but inactive since 2008, part of BYZANTINE HADES *
BYZANTINE RAPTOR - Chinese cyber attacks against DoD and Congress, resurfaced 2008, part of BYZANTINE HADES * *
BYZANTINE TRACE - Chinese cyber attacks against DoD, part of BYZANTINE HADES * already identified in 2007 *
BYZANTINE VIKING - Major cyber threat category countered by the TUTELAGE system *

C
CAPTIVATEDAUDIENCE - Computer implant plug-in to take over a targeted computer’s microphone and record conversations taking place near the device
CARBON PEPTIDE - Major cyber threat category, part of BYZANTINE HADES, countered by the TUTELAGE system *
CASTLECRASHER - Primary technique for executing DNT payloads for Windows computers *
CASTLECREEK (CC) - Hacking tool *
CATFLAP - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
CENTRICDUD - Tool that can read and write bytes in the CMOS of a targeted Windows computer *
CHAOSOVERLORD - TAO computer hacking project *
CHARMS - Alleged NSA implant, offered for sale by Shadow Brokers *
CHELSEABLUE - ? *
CHIMNEYPOOL - Framework or specification of GENIE-compliance for hardware/software implants
CHOCOLATESHIP - TAO computer hacking project *
CHOCOPOP - SNOWGLOBE cyber threat process *
CLIMBINGSHIRT - Expeditionary Access Operations (EAO) in Iraq *
CLOUDSHIELD - System that terminates a client-side connection to a malicious server and blocks the server's response *
CLUCKLINE - A module for BANANAGLEE implants *
COLOSSUS - FTP mover on TAONet *
COMMON - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
COMMONDEER - Computer exploit for checking whether a computer has security software
CONFICKER - Major cyber threat category countered by the TUTELAGE system *
CONJECTURE - Network compatible with HOWLERMONKEY
CONTAINMENTGRID - A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit *
COTTONMOUTH (CM) - Computer implant devices used by NSA's TAO division
COTTONMOUTH-I (CM-I) - USB hardware implant providing wireless bridge into target network and loading of exploit software onto target PCs, formerly DEWSWEEPER
COTTONMOUTH-II (CM-II) - USB hardware host tap provides covert link over USB into target's network co-located with long haul relay; dual-stacked USB connector, consists of CM-I digital hardware plus long haul relay concealed in chassis; hub with switches is concealed in a dual stacked USB connector and hard-wired to provide intra-chassis link.
COTTONMOUTH-III (CM-III) - Radio Frequency link for commands to software implants and data infiltration/exfiltration, short range inter-chassis link within RJ45 Dual Stacked USB connector
CROSSBEAM - GSM module mating commercial Motorola cell with WagonBed controller board for collecting voice data content via GPRS (web), circuit-switched data, data over voice, and DTMF to secure facility, implanted cell tower switch
CROSSBONES - Cyber threat analysis tool * *
CROSSEYEDSLOTH - TAO computer hacking project *
CROWNPRINCE - Related to the MAKERSMARK intrusion set *
CROWNROYAL - Related to the MAKERSMARK intrusion set *
CRYPTICSENTINEL - Counter computer network exploitation (CCNE) project *
CURSES - Alleged NSA implant, offered for sale by Shadow Brokers *
CUTEBOY - Foreign (Chinese) computer network exploitation actor *
CYBERCOP - Cyber attack visualisation tool
CYBERQUEST (CQ) - Cyber threat discovery mission? (since 2008) *

D
DAMPCROWD - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
DANCING PANDA - Hacking effort by China in which private e-mails of top US officials were obtained; renamed to LEGION AMETHYST (since 2010) * *
DANDERSPRITZ - An implant for interacting with a compromised host and controlling Windows systems, published by the Shadow Brokers *
DAREDEVIL - Shooter/implant as part of the QUANTUM system *
DARKFIRE - TAO counter cyber attack project * *
DARKHELMET - Counter computer network exploitation (CCNE) project *
DARKTHUNDER - TAO traffic shaping program supporting SSO cable tapping collection *
DEAD SEA - Computer network exploitation tool (?) *
DEEPFRIEDPIG - Data processing system on TAONet, including SEAGULLFARO *
DEFIANTWARRIOR - Program under which a host computer that is infected with an exploitable bot can be hijacked through a QUANTUMBOT attack and redirected to the NSA *
DEITYBOUNCE - Provides implanted software persistence on Dell PowerEdge RAID servers via motherboard BIOS using Intel's System Management Mode for periodic execution, installed via ArkStream to reflash the BIOS
DEMENTIAWHEEL - Hacking tool *
DESERTWINTER - Codeword found in the source code used by the Equation hacking group *
DEWDROP - Implant presumably used by TAO's Equation Group and offered for sale by Shadow Brokers *
DEWSWEEPER - Technique to tap USB hardware hosts *
DIESEL RATTLE - Chinese cyber attacks against US ISPs, government, defense contractors and Japan, part of BYZANTINE HADES *
DIRESCALLOP - Tool that disables DeepFreeze without the need for a reboot *
DISABLEVALOR - Hacking tool *
DISCOROUTE - NAC/GCHQ repository for router configuration files from CNE and passive SIGINT, for example telnet sessions * *
DISCOVERY - Major cyber threat category countered by the TUTELAGE system *
DOCKETDICTATE - Something related to NSA's TAO division
DOUBLEPULSAR - Payload uploaded through the FUZZBUNCH framework, published by the Shadow Brokers *
DOURMAGNUM - Cyber threat activity from the Imam Hussein University *
DRINKPARSLEY - Codeword found in the source code used by the Equation hacking group *
DROPMIRE - Passive collection of emanations (e.g. from printers or faxes) by using a radio frequency antenna
DROPOUTJEEP - STRAITBIZARRE-based software implant for iPhone, initially close access but later remotely
DUBMOAT - Alleged NSA trojan, offered for sale by Shadow Brokers *
DURABLENAPKIN - A tool for injecting packets on LANs *

E
EARLYSHOVEL - Alleged NSA exploit, offered for sale by Shadow Brokers *
EASYKRAKEN - An IRATEMONK implantation for ARM-based Samsung drives *
EBB - Alleged NSA exploit, offered for sale by Shadow Brokers *
EBBISLAND - Alleged TAO exploit for the Solaris operating system, published by the Shadow Brokers *
ECLECTICPILOT - ? *
EGGBASKET - Alleged NSA exploit, offered for sale by Shadow Brokers *
EGOTISTICALGIRAFFE (EGGI) - NSA program for exploiting the TOR network *
EGOTISTICALGOAT (EGGO) - NSA tool for exploiting the TOR network *
EGREGIOUSBLUNDER (EGBL) - A remote code execution exploit for Fortigate firewalls that exploits an HTTP cookie overflow vulnerability *
ELATEDMONKEY - Alleged NSA exploit, offered for sale by Shadow Brokers *
ELDESTMYRIAD - Alleged NSA exploit, offered for sale by Shadow Brokers *
ELECTRICSLIDE - Alleged NSA exploit, offered for sale by Shadow Brokers *
ELEGANTEAGLE - Alleged NSA exploit, offered for sale by Shadow Brokers *
ELEONORE Exploit Kit - Major cyber threat category countered by the TUTELAGE system *
ELGINGAMBLE - Alleged NSA exploit, offered for sale by Shadow Brokers *
ELIGIBLEBACHELOR (ELBA) - An exploit for TOPSEC firewalls running the TOS operating system *
ELIGIBLEBOMBSHELL (ELBO) - A remote code execution exploit for TOPSEC firewalls that exploits an HTTP cookie command injection vulnerability *
ELIGIBLECANDIDATE (ELCA) - A remote code execution exploit for TOPSEC firewalls that exploits an HTTP cookie command injection vulnerability *
ELIGIBLECONTESTANT (ELCO) - A remote code execution exploit for TOPSEC firewalls that exploits an HTTP POST parameter injection vulnerability *
ENDLESSDONUT - Alleged NSA exploit, offered for sale by Shadow Brokers *
ENEMYRUN - Alleged NSA implant, offered for sale by Shadow Brokers *
ENGLANDBOGGY - Alleged NSA exploit, offered for sale by Shadow Brokers *
ENVISIONCOLLISION - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
ENVOYTOMATO - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
EPICBANANA (EPBA) - A privilege escalation exploit against Cisco Adaptive Security Appliance (ASA) and Cisco Private Internet eXchange (PIX) devices *
EPICHERO - Alleged NSA exploit, offered for sale by Shadow Brokers *
EQUATION Group - Nickname given by Kaspersky to a highly advanced computer hacking group, considered to be part of TAO *
ERRONEOUSINGENUITY (ERIN) - NSA tool for exploiting the TOR network *
ESCALATEPLOWMAN (ESPL) - A privilege escalation exploit against WatchGuard firewalls *
ESTOPMOONLIT - Alleged NSA exploit, offered for sale by Shadow Brokers *
ETERNALBLUE - TAO exploit for Windows XP, 2003, Vista, 7 & 2008, published by the Shadow Brokers * and included in the WannaCry ransomware worm (2017) *
ETERNALCHAMPION - Exploit for Windows XP, 2003, Vista, 7 & 2008, published by the Shadow Brokers *
ETERNALROMANCE - Exploit for Windows XP, 2003, Vista, 7 & 2008, published by the Shadow Brokers *
ETERNALSYNERGY - Exploit for Windows 8 SP0 & Windows 2012 SP0, published by the Shadow Brokers *
EVOLVINGSTRATEGY - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
EWOK - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
EXACTCHANGE - Alleged NSA exploit, offered for sale by Shadow Brokers *
EXPOXYRASIN - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
EXTRABACON (EXBA) - A remote code execution exploit against Cisco Adaptive Security Appliance (ASA) devices *
EXTREMEPARR - Alleged TAO exploit for the Solaris operating system, published by the Shadow Brokers *
EXZE - Alleged NSA hacking tool, offered for sale by Shadow Brokers *

F
FABULOUSFABLE (FABFAB) - Tool used in automated SECONDDATE tasking *
FAKEDOUBT - An IRATEMONK implantation for ARM-based Hitachi drives *
FALSEMOREL - Allows for the deduction of the "enable" password from data freely offered by an unspecified firewall *
FANNER - Cyber threat actor *
FASHIONCLEFT - TAO/DNT protocol used by implants to exfiltrate collected network packets to the Common Data Receptor (CDR)
FEEDTROUGH - A technique for persisting BANANAGLEE and ZESTYLEAK implants for Juniper NetScreen firewalls * *
FERRETCANON - Subsystem of the FOXACID system *
FESTIVEWRAPPER - Something used for TAO botnet hacking *
FIGBUILD - External mission network for TAO/ROC hacking operations, connected to OPTICPINCH through ROOTKNOT (2009) *
FINKCOAT - ? *
FINKDIFFERENT (FIDI) - Tool used for exploiting TOR networks
FIREWALK - Bidirectional network implant, passive gigabit ethernet traffic collector and active ethernet packet injector within RJ45 Dual Stacked USB connector, digital core used with HOWLERMONKEY, formerly RADON
FLASHHANDLE Mission Management (FMM) - Database for generating and retaining crypto keys for encrypting data that have to be transferred onto internal TAO networks * provides this to SURPASSPIN *
FLATLIQUID - TAO operation against the office of the Mexican president *
FLAXENPRECEPT - Common Data Receptor interface(?) *
FLOCKFORWARD - A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit *
FLUXBABBITT - Hardware implant for Dell PowerEdge RAID servers using Xeon processors
FOGGYBOTTOM - Computer implant plug-in that records logs of internet browsing histories and collects login details and passwords used to access websites and email accounts
FOGYNULL - DNT standard exfiltration protocol *
FORKPTY - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
FORRESTPLACE - Access system *
FOSHO - A Python library for creating HTTP exploits *
FOXACID (FA) - Originally a counter-terrorism mission against Al-Qaeda, now a network of covert internet servers used to exploit a target's browser through spam e-mail * *
FOXSEARCH - Tool for monitoring a QUANTUM target which involves FOXACID servers
FREEFLOW - One-way data diodes, see HANGARSURPLUS and SURPLUSHANGAR *
FREEZEPOST - Something related to NSA's TAO division
FROZENGAZE - System related to SECONDDATE operations *
FRUGALSHOT - FOXACID servers for receiving callbacks from computers infected with NSA spying software *
FUNNELAPS - DNT standard exfiltration data format *
FUZZBUNCH - An exploit framework containing 15 exploits and advanced kernel-mode backdoors for Windows, published by the Shadow Brokers *

G
GADGET HISS - Computer network "intrusion set" already identified in 2007 *
GECKO II - System consisting of hardware implant MR RF or GSM, UNITEDRAKE software implant, IRONCHEF persistence back door
GENESIS - Modified GSM handset for covert network surveys, recording of RF spectrum use, and handset geolocation based on software defined radio
GENIE - Overall close-access program, collection by Sigads US-3136 and US-3137 * *
GHOST - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
GHOSTRECON - Related to the VOYEUR intrusion set *
GNOMEFISHER - Major cyber threat category countered by the TUTELAGE system *
GNOMEVISION - Analytic tool for cyber attacks *
GODSURGE - Runs on FLUXBABBITT circuit board to provide software persistence by exploiting JTAG debugging interface of server processors, requires interdiction and removal of motherboard of JTAG scan chain reconnection
GOLLUM - Computer implant created by a partner agency *
GOPHERRAGE - Pilot project that seeks to develop a hypervisor implant to provide implant capabilities and a back door *
GOPHERSET - Software implant on GSM SIM phase 2+ Toolkit cards that exfiltrates contact list, SMS and call log from handset via SMS to user-defined phone; malware loaded using USB smartcard reader or over-the-air.
GOSSIPGIRL - Cyber threat actor *
GOTHAM - Processor for external monitor recreating target monitor from red video
GOTHAMKNIGHT - A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit *
GOURMETTROUGH - Configurable implant for Juniper NetScreen firewalls including SSG type, minimal beaconing
GROK - Computer implant plug-in used to log keystrokes
GUMFISH - Computer implant plug-in to take over a computer’s webcam and snap photographs

H
HALLUXWATER - Software implant as boot ROM upgrade for Huawei Eudemon firewalls, finds patch points in inbound packet processing, used in O2, Vodafone and Deutsche Telekom
HAMMERCHANT - Implant for network routers to intercept and perform exploitation attacks against data sent through a Virtual Private Network (VPN) and/or phone calls via Skype and other VoIP software *
HAMMERMILL - Insertion Tool controls HEADWATER boot ROM backdoor
HAMMERSTEIN - Implant for network routers to intercept and perform exploitation attacks against data sent through a Virtual Private Network (VPN) and/or phone calls via Skype and other VoIP software
HANGARSURPLUS - Low-to-High diode used for botnet hacking *
HAPPYFOOT - Program that intercepts traffic generated by mobile apps that send a smartphone’s location to advertising networks *
HAPPYHOUR - Plug-in for the wireless survey and exploitation system BLINDDATE *
HAWALA - ? *
HEADMOVIES - TAO computer hacking project *
HEADWATER - Permanent backdoor in boot ROM for Huawei routers stable to firmware updates, installed over internet, capture and examination of all IP packets passing through host router, controlled by Hammermill Insertion Tool
HIDDENTEMPLE - A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit *
HIGHLANDS - Technique for close access collection from computer implants *
HOGTECH - Streaming packets collected through hacking operations *
HOWLERMONKEY (HM) - Generic radio frequency (RF) transceiver tool used for various applications *
HUFF - System like FOXACID? *
HYDROCASTLE - Tool or database with 802.11 configuration data extracted from CNE activity in specific locations *

I
ICYTWINS - Processing system for data collected from vPCS shaping under the STEELFLAUTA program *
INCAADAM - Major intrusion set effort *
INCISION - Implant presumably used by TAO's Equation Group and offered for sale by Shadow Brokers *
INTOLERANT - Data set stolen by hackers, discovered and exploited by CSEC and Menwith Hill Station since 2010 *
IRATEMONK - Hard drive firmware providing software persistence for desktops and laptops via Master Boot Record substitution, for Seagate Maxtor Samsung file systems FAT NTFS EXT3 UFS, payload is implant installer, shown at internet cafe *
IRONAVENGER - NSA hacking operation against an ally and an adversary (2010) *
IRONCHEF - Provides access persistence back door exploiting BIOS and SMM to communicate with a 2-way RF hardware implant
IRONPERSISTANCE - Access Technologies Operations (ATO) operation support to DIA in Afghanistan *
ITIME - Alleged NSA hacking tool, offered for sale by Shadow Brokers *

J
JACKLADDER - Implant presumably used by TAO's Equation Group and offered for sale by Shadow Brokers *
JEEPFLEA - TAO computer hacking project *
JETPLOW - A firmware persistence implant for Cisco ASA and PIX devices that persists BANANAGLEE *
JIFFYRAUL - A module loaded into Cisco PIX firewalls with BANANAGLEE *
JOLLYROGER - Tool that provides metadata that describe the networking environment of TAO-implanted Windows PCs *
JUMPDOLLAR - Tool to support various file systems *
JUNIORMINT - Implant digital core, either mini printed circuit board or ultra-mini Flip Chip Module, contains ARM9 micro-controller, FPGA Flash SDRAM and DDR2 memories

[Figure: NSA codenames (not included on this page) used under the SPINALTAP program for combining data from active hacking operations and passive signals intelligence collection.]

K
KIRKBOMB - Windows kernel examination to detect loaded drivers and processes *
KOALAPUNCH - TAO computer hacking project *
KONGUR - Software implant restorable by GINSU after OS upgrade or reinstall

L
LEAKYFAUCET - Flow repository of 802.11 WiFi IP addresses and clients via STUN data *
LEGION AMBER - Chinese hacking operation against a major US software company *
LEGION AMETHYST - Hacking effort by China in which private e-mails of top US officials were obtained; previously codenamed DANCING PANDA (since 2010) *
LEGION JADE - A group of Chinese hackers *
LEGION RUBY - A group of Chinese hackers *
LEGION YANKEE - Chinese hacking operation against the Pentagon and defense contractors (2011) *
LIFESAVER - Technique which images the hard drive of computers *
LOUDAUTO - An ANGRYNEIGHBOR radar retro-reflector, microphone captures room audio by pulse position modulation of square wave
LUTEUSICARUS - TAO computer hacking project *
LUTEUSOBSTOS - Codeword found in the source code used by the Equation hacking group *

M
MADBISHOP - Hard drive implant *
MAESTRO-II - Mini digital core implant, standard TAO implant architecture
MAGICBEAN - Man-in-the-middle WiFi attack tool *
MAGICJACK - Alleged NSA implant, offered for sale by Shadow Brokers *
MAGICSQUIRREL - Man-in-the-middle WiFi attack tool *
MAGNETIC - Technique of sensor collection of magnetic emanations *
MAGNUMOPUS - TAO computer hacking project *
MAKERSMARK - Major cyber threat category countered by the TUTELAGE system * identified in 2007 *
MAVERICK CHURCH - Major cyber threat category countered by the TUTELAGE system, formerly BISHOP * part of BYZANTINE HADES *
MIDDLEMAN - TAO covert network
MINERALIZE - Technique for close access collection through LAN implants *
MIRROR - Automated survey system that can for example identify the presence of a VPN; interface to the ROADBED system *
MISTYVEAL (MV) - Another version of VALIDATOR for installation on a target's computer *
MOCCASIN - A hardware implant, permanently connected to a USB keyboard *
MONKEYCALENDAR - Software implant on GSM SIM cards that exfiltrates user geolocation data
MOUSETRAP - Sandia implant for EFI *
MURPHYSLAW - TAO computer hacking project *

N
NATIVE DANCER - Major cyber threat category countered by the TUTELAGE system *
NEBULA - Base station router similar to CYCLONE Hx9
NIGHTWATCH - Portable computer in shielded case for recreating target monitor from progressive-scan non-interlaced VAGRANT signals
NIGHTSTAND (NS) - Plug-in for the wireless survey and exploitation system BLINDDATE, which injects a packet that forces a client to access a monitored listening post *
NIGHTTRAIN - Major intrusion set effort *
NITESTAND - See NIGHTSTAND
NITRO ZEUS - Umbrella program for hacking operations against Iranian critical civilian and military infrastructure *
NOPEN - A RAT or post-exploitation shell consisting of a client and a server that encrypts data using RC6, offered for sale by Shadow Brokers *

O
ODDJOB - An HTTP command and control implant for installation on compromised Windows hosts, published by the Shadow Brokers *
OLYMPIC - First word of nicknames for programs involving defense against Chinese cyber-warfare and US offensive cyber-warfare *
OLYMPIC GAMES - Joint US and Israel operation against the Iranian nuclear program (aka Stuxnet) *
OLYMPUS - Software component of VALIDATOR/SOMBERKNAVE used to communicate via wireless LAN 802.11 hardware *
OPTICPINCH - Internal mission network for TAO/ROC hacking operations, connected to FIGBUILD through ROOTKNOT (2009) *
ORANGUTAN - Implant, tool or exploit presumably used by TAO's Equation Group *
ORLEANSTRIDE - Alleged NSA implant, offered for sale by Shadow Brokers *

P
PACKETWRENCH - Computer exploit delivered by the FERRETCANON system *
PANDAROCK - A tool for connecting to a POLARPAWS implant *
PANDORAS MAYHEM - Part of QUANTUM operations involving TUTELAGE *
PARCHDUSK (PD) - Productions Operation of NSA's TAO division *
PASSIONATEPOLKA - TAO tool for remotely bricking network cards *
PASTEPIG - NetApp on the TAONet/NSANet DMZ *
PATCHICILLIN - Implant, tool or exploit presumably used by TAO's Equation Group *
PCLEAN - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
PEDDLECHEAP - Computer exploit delivered by the FERRETCANON system *
PERFECT CITIZEN - Research and engineering program to counter cyberattacks, in cooperation with Raytheon *
PHOENIX Exploit Kit - Major cyber threat category countered by the TUTELAGE system *
PHOTOANGLO - A continuous wave generator and receiver. The bugs on the other end are ANGRYNEIGHBOR class
PITIEDFOOL - A suite of CNA tools for use against file systems. Overwrites data to the point it is irrecoverable.
PLAIDDIANA - Major intrusion set effort *
PLUCKHAGEN - An IRATEMONK implantation for ARM-based Fujitsu drives *
POLARBREEZE - NSA technique to tap into nearby computers *
POLARPAWS - An implant for a firewall from an unknown vendor *
POLARSNEEZE - An implant for a firewall from an unknown vendor *
POLARSTARKEY - Network Defense data source *
POLITERAIN - CNA team or operation from the ATO unit of TAO *
POPROCKS - Chinese cyber attacks against video conference providers, 2009 Navy Router Incident, part of BYZANTINE HADES *
POPQUIZ - Project of NSA's Research Directorate to collect network metadata on high-bandwidth protocols such as HTTP, SMTP and DNS (2008) * or analytic tool for cyber attacks *
PORK - Alleged NSA implant, offered for sale by Shadow Brokers *
POTBED - TAO computer hacking project *
PROTOSS - Local computer handling radio frequency signals from implants
PUZZLECUBE - TAO tasking database * *

Q
QFIRE - A consolidated QUANTUMTHEORY platform to reduce latencies by co-locating passive sensors with local decisioning and traffic injection (under development in 2011)
QUANTUM - Secret servers placed by NSA at key places on the internet backbone; part of the TURMOIL program *
QUANTUMBISCUIT - Enhancement of QUANTUMINSERT for targets which are behind large proxies *
QUANTUMBOT - Method for taking control of idle IRC bots and botnets *
QUANTUMBOT2 - Combination of Q-BOT and Q-BISCUIT for web-based botnets *
QUANTUMCOOKIE - Method to force cookies onto target computers
QUANTUMCOPPER - Method for corrupting file uploads and downloads *
QUANTUMDIRK - Replacement for the QUANTUMINSERT hacking toolset that injects malicious content into chat services provided by websites such as Facebook and Yahoo *
QUANTUMDNS - DNS injection/redirection based off of A record queries *
QUANTUMHAND - Man-on-the-side technique using a fake Facebook server *
QUANTUMINSERT (QI) - Man-on-the-side technique that redirects target internet traffic to a FOXACID server for exploitation *
QUANTUMMUSH - Targeted spam exploitation method *
QUANTUMNATION - Umbrella for COMMONDEER and VALIDATOR computer exploits
QUANTUMPHANTOM - Hijacks any IP address to use as covert infrastructure *
QUANTUMSKY - Malware used to block targets from accessing certain websites through RST packet spoofing *
QUANTUMSMACKDOWN - Method for using packet injection to block attacks against DoD computers *
QUANTUMSPIN - Exploitation method for instant messaging *
QUANTUMSQUEEL - Method for injecting MySQL persistent database connections *
QUANTUMSQUIRREL - Using any IP address as a covert infrastructure *
QUANTUMTHEORY (QT) - Computer hacking toolbox, which dynamically injects packets into target's network session *
QWERTY - TAO keylogger tool, probably a component of the WARRIORPRIDE malware framework *

R
RADON - Host tap that can inject Ethernet packets *
RAGEMASTER - Part of ANGRYNEIGHBOR radar retro-reflectors, for red video graphics array cable in ferrite bead RFI chokers between video card and monitor, target for RF flooding and collection of VAGRANT video signal
RAISEBED - Access system *
RAPTOR JOY - Intrusion set? *
RAPTOR ROLEX - Intrusion set? *
RAPORT SAD - Intrusion set? *
RATWHARF - Cyber mission *
RECORDER - Major intrusion set effort *
REGIN - Highly sophisticated spyware found in computer systems worldwide, supposedly used by NSA and GCHQ (discovered in 2013, codename by Microsoft) *
REPLICANTFARM - Signature based output of the WARRIORPRIDE framework *
RETICULUM - Implant, tool or exploit presumably used by TAO's Equation Group *
RETURNSPRING - High-side server shown in UNITEDRAKE internet cafe monitoring graphic
REXKWONDO - TAO project for shaping and MitM capabilities against Lebanon's internet traffic (2013) *
ROGUESAMURAI - Test framework of TAO's persistence division for testing computer exploits *
ROOTKNOT - One-way transfer device *

S
SADDLEBACK - Hacking tool that performs a firmware modification? *
SCHOOLMONTANA - Software implant for Juniper J-series routers used to direct traffic between server, desktop computers, corporate network and internet
SCREAMINGHARPY - TAO computer hacking project *
SCREAMINGPLOW - Similar to JETPLOW *
SEAGULLFARO - Processing system on TAONet, part of DEEPFRIEDPIG * part of OPTICPINCH in 2009 *
SEASONEDMOTH (SMOTH) - Stage0 computer implant which dies after 30 days, deployed by the QUANTUMNATION method
SECONDDATE - Method to influence real-time communications between client and server in order to redirect web-browsers to FOXACID malware servers, offered for sale by Shadow Brokers * component of BADDECISION *
SEED SPHERE - Computer network "intrusion set" identified in 2007 * *
SENTRY EAGLE (SEE) - Overarching umbrella program for ECI compartments and SAP programs of the National Initiative to protect US cyberspace
SENTRY HAWK - ECI compartment of SENTRY EAGLE that protects information about Computer Network Exploitation *
SENTRY FALCON - ECI compartment of SENTRY EAGLE that protects information about Computer Network Defense *
SERUM - Bank of servers within ROC managing approvals and ticket system
SHADOWDRAGON - Major intrusion set effort *
SHAREDTAFFY - TAO computer hacking project *
SHARPFOCUS (SF2) - Productions Operation of NSA's TAO division *
SHARPSHADOW - TAO computer hacking project *
SHELLGREY - DNT standard exfiltration metadata format *
SHENTYSDELIGHT - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
SHEPARD - Related to the MAKERSMARK intrusion set *
SHORTSHEET - NSA tool for Computer Network Exploitation *
SHOTGIANT - NSA operation for hacking and monitoring the Huawei network (since 2009)
SHOUTPIG - FTP server on the TAONet/NSANet DMZ *
SIDETRACK - Implant, tool or exploit presumably used by TAO's Equation Group *
SIERRAMONTANA - Software implant for Juniper M-series routers used by enterprises and service providers
SIFT - Alleged NSA implant, offered for sale by Shadow Brokers *
SILLYBUNNY - Some kind of web browser tag which can be used as selector *
SKIMCOUNTRY - Alleged NSA implant, offered for sale by Shadow Brokers *
SKYHOOKCHOW - Codeword found in the source code used by the Equation hacking group *
SLICKERVICAR - Used with UNITEDRAKE or STRAITBIZARRE to upload hard drive firmware to implant IRATEMONK
SLIPSTREAM - Part of the WARRIORPRIDE framework *
SLYHERETIC_CHECKER - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
SNORT - Repository of computer network attack techniques/coding
SNOWGLOBE - Hacking operations against the US that may have originated in France * *
SODAPRESSED - Linux application persistence *
SOMBERKNAVE - Windows XP wireless software implant providing covert internet connectivity, routing TCP traffic via an unused 802.11 network device allowing OLYMPUS or VALIDATOR to call home from air-gapped computer
SOUFFLETROUGH - Software implant in BIOS Juniper SSG300 and SSG500 devices, permanent backdoor, modifies ScreenOS at boot, utilizes Intel's System Management Mode
SPARROW II - Airborne wireless network detector running BLINDDATE tools via 802.11
SPECULATION - Protocol for over-the-air communication between COTTONMOUTH computer implant devices, compatible with HOWLERMONKEY
421SPECULATION - Protocol for over-the-air communication between COTTONMOUTH computer implant devices, compatible with HOWLERMONKEY
422SPINALTAP - NSA program for combining data from active hacking operations and passive signals intelligence collection *
423SPITEFULANGEL - Hacking tool or method in or for the Python programming language *
424STEALTHFIGTHER - Codeword found in the source code used by the Equation hacking group *
425STEELFLAUTA - TAO traffic shaping program supporting SSO cable tapping collection
426STOICSURGEON - Hacking tool presumably used by TAO's Equation Group, offered for sale by Shadow Brokers *
427STORMPIG - Data cleanup tool on TAONet used for TAO botnet hacking *
428STRAITACID - Codeword found in the source code used by the Equation hacking group *
429STRAI(GH)TBIZARRE (SBZ) - TAO software implant used to communicate through covert channels * or spyware that can turn computers into disposable and non-attributable "shooter" nodes *
430STRAITSHOOTER - Codeword found in the source code used by the Equation hacking group *
431STRIFEWORLD - Alleged NSA implant, offered for sale by Shadow Brokers *
432STRIKEZONE - Device running HOWLERMONKEY personality
433STRONGMITE - Computer at remote operations center used for long range communications
434STUCCOMONTANA - Software implant for Juniper T-Series routers used in large fixed-line, mobile, video, and cloud networks, otherwise just like SCHOOLMONTANA
435STUMPCURSOR - Foreign computer accessing program of the NSA's Tailored Access Operations
436STUXNET - A computer worm that was used to destroy Iran's nuclear centrifuges (discovered in 2010)
437STYLISHCHAMP - Tool that can create a HPA on a hard drive and then provide raw reads and writes to this area *
438SUAVEEYEFUL - Alleged NSA implant, offered for sale by Shadow Brokers *
439SUBTLESNOW - Major cyber threat category countered by the TUTELAGE system *
440SUCTIONCHAR - Alleged NSA implant, offered for sale by Shadow Brokers *
441SUPERDRAKE - Cyber threat actor * related to WIDOWKEY *
442SURLEYSPAWN - Data RF retro-reflector, gathers keystrokes FSK frequency shift keyed radar retro-reflector, USB or IBM keyboards
443SURPASSPIN - Transfers commands and tasking instructions from TAO's internal to the external mission network * receives messages from the FLASHHANDLE Mission Manager *
444SURPLUSHANGAR (SH) - High-to-Low diode, used for the QUANTUM system * and botnet hacking *
445SUTURESAILOR - Printed circuit board digital core used with HOWLERMONKEY
446SWAP - Implanted software persistence by exploiting motherboard BIOS and hard drive Host Protected Area for execution before OS loads, operative on windows linux, freeBSD Solaris
447
448T
TEFLONDOOR - A self-destructing post-exploitation shell for executing an arbitrary file *
TITAN RAIN - Presumably Chinese attacks on American computer systems (since 2003)
TOAST - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
TORNSTEAK - Exploit solution for two firewall devices from a particular vendor *
TOTECHASER - Software implant in flash ROM Windows CE for Thuraya 2520 satellite/GSM/web/email/MMS/GPS
TOTEGHOSTLY - Modular implant for Windows Mobile OS based on SB using CP framework, Freeflow-compliant so supported by TURBULENCE architecture
TRANSGRESSION - TAO/CES unit providing cryptanalytic support for various missions *
TREACLEBETA - TAO hacking against the Pakistani terrorist group Lashkar-e-Taiba *
TRINITY - Implant digital core concealed in COTTONMOUTH-I, providing ARM9 microcontroller, FPGA Flash and SDRAM memories *
TUNINGFORK - Sustained collection linked to SEAGULLFARO, previously NSA database or cyber threat analysis tool *
TURBINE - Active SIGINT: centralized automated command/control system for managing a large network of active computer implants for intelligence gathering (since 2010) *
TURBOPANDA - A tool that can be used to communicate with a HALLUXWATER implant and allows read/write to memory, execute an address or packet; joint NSA/CIA project on Huawei network equipment *
TUTELAGE - Active defense system with detection sensors that monitor network traffic at for example the NIPRNet in order to detect malicious code and network attacks, part of the TURBULENCE program *
TWEEZERS - Major intrusion set effort *
TWISTEDKILT - Writes to Host Protected Area on hard drive to implant Swap and its implant installer payload, which can be used with the STYLISHCHAMP tool *

U
UNCANNY - Video demodulation tool (now: BOTANICREALTY) *
UNITEDRAKE - Computer exploit delivered by the FERRETCANON system * receiving e-mails and files *
UnPacMan - Processing system on TAONet, part of DEEPFRIEDPIG *

V
VAGRANT - Radar retro-reflector technique on video cable to reproduce open computer screens *
VALIANTSURF - A "major system acquisition" that enables more efficient Computer Network Operations (CNO) by the TAO division; it will integrate into the TURBULENCE architecture *
VALIDATOR - Computer exploit delivered by the FERRETCANON system for looking whether a computer has security software, runs as user process on target OS, modified for SCHOOLMONTANA, initiates a call home, passes to SOMBERKNAVE, downloads OLYMPUS and communicates with remote operation center *
VICTORYDANCE - Joint NSA-CIA operation to map WiFi fingerprints of nearly every major town in Yemen *
VIEWPLATE - Processor for external monitor recreating target monitor from red video
VINYLSEAT - E-mails collected through hacking operations *
VIOLETSPIRIT - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
VITALAIR - NSA tool
VITALAIR2 - Tool or database for automated scanned IP addresses for TAO known vulnerabilities *
VOYEUR - US monitoring operation in which an Iranian hacking operation against the US was detected * *
VULCANDEATHGRIP - Repository for data collected from vPCS shaping under the STEELFLAUTA program *

W
WAGONBED - Hardware GSM controller board implant on CrossBeam or HP Proliant G5 server that communicates over I2C interface
WAITAUTO - Network used by the Remote Operations Center of NSA's TAO division *
WALKERBLACK - Related to the MAKERSMARK intrusion set *
WARNVULCANO - Something residing on the WAITAUTO network used for TAO botnet hacking *
WARRIORPRIDE (WP) - Scalable, flexible and portable unified CNE platform used throughout the Five Eyes; equivalent at GCHQ is DAREDEVIL * It was for example used to break into iPhones *
WATCHER - Tipping tool related to SECONDDATE operations, offered for sale by Shadow Brokers *
WAXTITAN - TAO computer hacking project *
WEASELWAGGLE - Major cyber threat category countered by the TUTELAGE system *
WELLSPRING - Tool that strips out facial images from e-mails and other communications, and displays those that might contain passport images *
WIDOWKEY - Major intrusion set effort, related to SUPERDRAKE *
WHISTLINGDUXIE - TAO computer hacking project *
WICKEDVICAR - Hacking tool used to perform remote survey and installation *
WIDOWKEY - Major cyber threat category countered by the TUTELAGE system *
WILDCHOCOBO - TAO computer hacking project *
WILDCOUGAR - TAO computer hacking project *
WILLOWVIXEN - Method to deploy malware by sending out spam e-mails that trick targets into clicking a malicious link * *
WISTFULTOLL - Plug-in for UNITEDRAKE and STRAITBIZARRE used to harvest target forensics via Windows Management Instrumentation and Registry extractions, can be done through USB thumb drive *
WINTERLIGHT - A QUANTUM computer hacking program in which Sweden takes part
WOBBLYLLAMA - A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit *

B
BISHOP KNIGHT - Major cyber threat category of Chinese attacks against NASA, DoD, DoE, part of BYZANTINE HADES, countered by the TUTELAGE system * *
BLACK ENERGY Bot - Major cyber threat category countered by the TUTELAGE system *
BLATSTING - A firewall software implant that is used with EGREGIOUSBLUNDER (Fortigate) and ELIGIBLEBACHELOR (TOPSEC) *
BLINDDATE (BD) - Survey and exploitation hardware with a mobile antenna system to run BADDECISION, which allows for a SECONDDATE attack * * *
BLIND MARKSMAN - Major cyber threat category countered by the TUTELAGE system *
BOOKISHMUTE - An exploit against an unknown firewall using Red Hat 6.0 *
BORGERKING - Something related to Linux exploits *
BOTANICREALTY - Video demodulation tool (formerly: UNCANNY) *
BOXINGRUMBLE - Network attack that was countered by QUANTUMDNS *
BRICKTOP - Project to learn about new malware by intercepting e-mail from several security companies (2009) *
BROKENTIGO - Tool for computer network operations
BULLDOZER - PCI bus hardware implant on intercepted shipping
BUZZDIRECTION - A firewall software implant for Fortigate firewalls *
BYZANTINE - First word of nicknames for programs involving defense against Chinese cyber-warfare and US offensive cyber-warfare *
BYZANTINE ANCHOR - Chinese cyber attacks against a broad range of US targets since 2003, part of BYZANTINE HADES * *
BYZANTINE CANDOR (BC) - Chinese cyber attacks against DoD and other US targets, part of BYZANTINE HADES, formerly TITAN RAIN III * * *
BYZANTINE FOOTHOLD (BF) - Major cyber threat category of Chinese attacks against TRANSCOM, PACOM and others, countered by the TUTELAGE system * *
BYZANTINE HADES - Chinese computer network exploitation (CNE) against the US * probably renamed to the LEGION-series *
BYZANTINE PRAIRIE - Chinese cyber attacks but inactive since 2008, part of BYZANTINE HADES *
BYZANTINE RAPTOR - Chinese cyber attacks against DoD and Congress, resurfaced 2008, part of BYZANTINE HADES * *
BYZANTINE TRACE - Chinese cyber attacks against DoD, part of BYZANTINE HADES * already identified in 2007 *
BYZANTINE VIKING - Major cyber threat category countered by the TUTELAGE system *

C
CAPTIVATEDAUDIENCE - Computer implant plug-in to take over a targeted computer’s microphone and record conversations taking place near the device
CARBON PEPTIDE - Major cyber threat category, part of BYZANTINE HADES, countered by the TUTELAGE system *
CASTLECRASHER - Primary technique for executing DNT payloads for Windows computers *
CASTLECREEK (CC) - Hacking tool *
CATFLAP - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
CENTRICDUD - Tool that can read and write bytes in the CMOS of a targeted Windows computer *
CHAOSOVERLORD - TAO computer hacking project *
CHARMS - Alleged NSA implant, offered for sale by Shadow Brokers *
CHELSEABLUE - ? *
CHIMNEYPOOL - Framework or specification of GENIE-compliance for hardware/software implants
CHOCOLATESHIP - TAO computer hacking project *
CHOCOPOP - SNOWGLOBE cyber threat process *
CLIMBINGSHIRT - Expeditionary Access Operations (EAO) in Iraq *
CLOUDSHIELD - System that terminates a client-side connection to a malicious server and blocks the server's response *
CLUCKLINE - A module for BANANAGLEE implants *
COLOSSUS - FTP mover on TAONet *
COMMON - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
COMMONDEER - Computer exploit for looking whether a computer has security software
CONFICKER - Major cyber threat category countered by the TUTELAGE system *
CONJECTURE - Network compatible with HOWLERMONKEY
CONTAINMENTGRID - A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit *
COTTONMOUTH (CM) - Computer implant devices used by NSA's TAO division
COTTONMOUTH-I (CM-I) - USB hardware implant providing wireless bridge into target network and loading of exploit software onto target PCs, formerly DEWSWEEPER
COTTONMOUTH-II (CM-II) - USB hardware host tap provides covert link over USB into target's network co-located with long haul relay; dual-stacked USB connector, consists of CM-I digital hardware plus long haul relay concealed in chassis; hub with switches is concealed in a dual stacked USB connector and hard-wired to provide intra-chassis link.
COTTONMOUTH-III (CM-III) - Radio Frequency link for commands to software implants and data infiltration/exfiltration, short range inter-chassis link within RJ45 Dual Stacked USB connector
CROSSBEAM - GSM module mating commercial Motorola cell with WagonBed controller board for collecting voice data content via GPRS (web), circuit-switched data, data over voice, and DTMF to secure facility, implanted cell tower switch
CROSSBONES - Cyber threat analysis tool * *
CROSSEYEDSLOTH - TAO computer hacking project *
CROWNPRINCE - Related to the MAKERSMARK intrusion set *
CROWNROYAL - Related to the MAKERSMARK intrusion set *
CRYPTICSENTINEL - Counter computer network exploitation (CCNE) project *
CURSES - Alleged NSA implant, offered for sale by Shadow Brokers *
CUTEBOY - Foreign (Chinese) computer network exploitation actor *
CYBERCOP - Cyber attack visualisation tool
CYBERQUEST (CQ) - Cyber threat discovery mission? (since 2008) *

D
DAMPCROWD - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
DANCING PANDA - Hacking effort by China in which private e-mails of top US officials were obtained; renamed into LEGION AMETHYST (since 2010) * *
DANDERSPRITZ - An implant for interacting with a compromised host and controlling Windows systems, published by the Shadow Brokers *
DAREDEVIL - Shooter/implant as part of the QUANTUM system *
DARKFIRE - TAO counter cyber attack project * *
DARKHELMET - Counter computer network exploitation (CCNE) project *
DARKTHUNDER - TAO traffic shaping program supporting SSO cable tapping collection *
DEAD SEA - Computer network exploitation tool (?) *
DEEPFRIEDPIG - Data processing system on TAONet, including SEAGULLFARO *
DEFIANTWARRIOR - Program under which a host computer that is infected with an exploitable bot can be hijacked through a QUANTUMBOT attack and redirected to the NSA *
DEITYBOUNCE - Provides implanted software persistence on Dell PowerEdge RAID servers via motherboard BIOS using Intel's System Management Mode for periodic execution, installed via ArkStream to reflash the BIOS
DEMENTIAWHEEL - Hacking tool *
DESERTWINTER - Codeword found in the source code used by the Equation hacking group *
DEWDROP - Implant presumably used by TAO's Equation Group and offered for sale by Shadow Brokers *
DEWSWEEPER - Technique to tap USB hardware hosts *
DIESEL RATTLE - Chinese cyber attacks against US ISPs, government, defense contractors and Japan, part of BYZANTINE HADES *
DIRESCALLOP - Tool that disables DeepFreeze without the need for a reboot *
DISABLEVALOR - Hacking tool *
DISCOROUTE - NAC/GCHQ repository for router configuration files from CNE and passive SIGINT, like for example telnet sessions * *
DISCOVERY - Major cyber threat category countered by the TUTELAGE system *
DOCKETDICTATE - Something related to NSA's TAO division
DOUBLEPULSAR - Payload uploaded through the FUZZBUNCH framework, published by the Shadow Brokers *
DOURMAGNUM - Cyber threat activity from the Imam Hussein University *
DRINKPARSLEY - Codeword found in the source code used by the Equation hacking group *
DROPMIRE - Passive collection of emanations (e.g. from printers or faxes) by using a radio frequency antenna
DROPOUTJEEP - STRAITBIZARRE-based software implant for iPhone, initially close access but later remotely
DUBMOAT - Alleged NSA trojan, offered for sale by Shadow Brokers *
DURABLENAPKIN - A tool for injecting packets on LANs *

E
EARLYSHOVEL - Alleged NSA exploit, offered for sale by Shadow Brokers *
EASYKRAKEN - An IRATEMONK implantation for ARM-based Samsung drives *
EBB - Alleged NSA exploit, offered for sale by Shadow Brokers *
EBBISLAND - Alleged TAO exploit for the Solaris operating system, published by the Shadow Brokers *
ECLECTICPILOT - ? *
EGGBASKET - Alleged NSA exploit, offered for sale by Shadow Brokers *
EGOTISTICALGIRAFFE (EGGI) - NSA program for exploiting the TOR network *
EGOTISTICALGOAT (EGGO) - NSA tool for exploiting the TOR network *
EGREGIOUSBLUNDER (EGBL) - A remote code execution exploit for Fortigate firewalls that exploits an HTTP cookie overflow vulnerability *
ELATEDMONKEY - Alleged NSA exploit, offered for sale by Shadow Brokers *
ELDESTMYRIAD - Alleged NSA exploit, offered for sale by Shadow Brokers *
ELECTRICSLIDE - Alleged NSA exploit, offered for sale by Shadow Brokers *
ELEGANTEAGLE - Alleged NSA exploit, offered for sale by Shadow Brokers *
ELEONORE Exploit Kit - Major cyber threat category countered by the TUTELAGE system *
ELGINGAMBLE - Alleged NSA exploit, offered for sale by Shadow Brokers *
ELIGIBLEBACHELOR (ELBA) - An exploit for TOPSEC firewalls running the TOS operating system *
ELIGIBLEBOMBSHELL (ELBO) - A remote code execution exploit for TOPSEC firewalls that exploits an HTTP cookie command injection vulnerability *
ELIGIBLECANDIDATE (ELCA) - A remote code execution exploit for TOPSEC firewalls that exploits an HTTP cookie command injection vulnerability *
ELIGIBLECONTESTANT (ELCO) - A remote code execution exploit for TOPSEC firewalls that exploits an HTTP POST parameter injection vulnerability *
ENDLESSDONUT - Alleged NSA exploit, offered for sale by Shadow Brokers *
ENEMYRUN - Alleged NSA implant, offered for sale by Shadow Brokers *
ENGLANDBOGGY - Alleged NSA exploit, offered for sale by Shadow Brokers *
ENVISIONCOLLISION - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
ENVOYTOMATO - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
EPICBANANA (EPBA) - A privilege escalation exploit against Cisco Adaptive Security Appliance (ASA) and Cisco Private Internet eXchange (PIX) devices *
EPICHERO - Alleged NSA exploit, offered for sale by Shadow Brokers *
EQUATION Group - Nickname given by Kaspersky to a highly advanced computer hacking group, considered to be part of TAO *
ERRONEOUSINGENUITY (ERIN) - NSA tool for exploiting the TOR network *
ESCALATEPLOWMAN (ESPL) - A privilege escalation exploit against WatchGuard firewalls *
ESTOPMOONLIT - Alleged NSA exploit, offered for sale by Shadow Brokers *
ETERNALBLUE - TAO exploit for Windows XP, 2003, Vista, 7 & 2008, published by the Shadow Brokers * and included in the WannaCry ransomware worm (2017) *
ETERNALCHAMPION - Exploit for Windows XP, 2003, Vista, 7 & 2008, published by the Shadow Brokers *
ETERNALROMANCE - Exploit for Windows XP, 2003, Vista, 7 & 2008, published by the Shadow Brokers *
ETERNALSYNERGY - Exploit for Windows 8 SP0 & Windows 2012 SP0, published by the Shadow Brokers *
EVOLVINGSTRATEGY - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
EWOK - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
EXACTCHANGE - Alleged NSA exploit, offered for sale by Shadow Brokers *
EXPOXYRASIN - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
EXTRABACON (EXBA) - A remote code execution exploit against Cisco Adaptive Security Appliance (ASA) devices *
EXTREMEPARR - Alleged TAO exploit for the Solaris operating system, published by the Shadow Brokers *
EXZE - Alleged NSA hacking tool, offered for sale by Shadow Brokers *

F
FABULOUSFABLE (FABFAB) - Tool used in automated SECONDDATE tasking *
FAKEDOUBT - An IRATEMONK implantation for ARM-based Hitachi drives *
FALSEMOREL - Allows for the deduction of the "enable" password from data freely offered by an unspecified firewall *
FANNER - Cyber threat actor *
FASHIONCLEFT - TAO/DNT protocol used by implants to exfiltrate collected network packets to the Common Data Receptor (CDR)
FEEDTROUGH - A technique for persisting BANANAGLEE and ZESTYLEAK implants for Juniper NetScreen firewalls * *
FERRETCANON - Subsystem of the FOXACID system *
FESTIVEWRAPPER - Something used for TAO botnet hacking *
FIGBUILD - External mission network for TAO/ROC hacking operations, connected to OPTICPINCH through ROOTKNOT (2009) *
FINKCOAT - ? *
FINKDIFFERENT (FIDI) - Tool used for exploiting TOR networks
FIREWALK - Bidirectional network implant, passive gigabit ethernet traffic collector and active ethernet packet injector within RJ45 Dual Stacked USB connector, digital core used with HOWLERMONKEY, formerly RADON
FLASHHANDLE Mission Management (FMM) - Database for generating and retaining crypto keys for encrypting data that have to be transferred onto internal TAO networks * provides this to SURPASSPIN *
FLATLIQUID - TAO operation against the office of the Mexican president *
FLAXENPRECEPT - Common Data Receptor interface(?) *
FLOCKFORWARD - A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit *
FLUXBABBITT - Hardware implant for Dell PowerEdge RAID servers using Xeon processors
FOGGYBOTTOM - Computer implant plug-in that records logs of internet browsing histories and collects login details and passwords used to access websites and email accounts
FOGYNULL - DNT standard exfiltration protocol *
FORKPTY - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
FORRESTPLACE - Access system *
FOSHO - A Python library for creating HTTP exploits *
FOXACID (FA) - Originally a counter-terrorism mission against Al-Qaeda, now a network of covert internet servers used to exploit a target's browser through spam e-mail * *
FOXSEARCH - Tool for monitoring a QUANTUM target which involves FOXACID servers
FREEFLOW - One-way data diodes, see HANGARSURPLUS and SURPLUSHANGAR *
FREEZEPOST - Something related to NSA's TAO division
FROZENGAZE - System related to SECONDDATE operations *
FRUGALSHOT - FOXACID servers for receiving callbacks from computers infected with NSA spying software *
FUNNELAPS - DNT standard exfiltration data format *
FUZZBUNCH - An exploit framework containing 15 exploits and advanced kernel-mode backdoors for Windows, published by the Shadow Brokers *

G
GADGET HISS - Computer network "intrusion set" already identified in 2007 *
GECKO II - System consisting of hardware implant MR RF or GSM, UNITEDRAKE software implant, IRONCHEF persistence back door
GENESIS - Modified GSM handset for covert network surveys, recording of RF spectrum use, and handset geolocation based on software defined radio
GENIE - Overall close-access program, collection by Sigads US-3136 and US-3137 * *
GHOST - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
GHOSTRECON - Related to the VOYEUR intrusion set *
GNOMEFISHER - Major cyber threat category countered by the TUTELAGE system *
GNOMEVISION - Analytic tool for cyber attacks *
GODSURGE - Runs on FLUXBABBITT circuit board to provide software persistence by exploiting JTAG debugging interface of server processors, requires interdiction and removal of motherboard of JTAG scan chain reconnection
GOLLUM - Computer implant created by a partner agency *
GOPHERRAGE - Pilot project that seeks to develop a hypervisor implant to provide implant capabilities and a back door *
GOPHERSET - Software implant on GSM SIM phase 2+ Toolkit cards that exfiltrates contact list, SMS and call log from handset via SMS to user-defined phone; malware loaded using USB smartcard reader or over-the-air.
GOSSIPGIRL - Cyber threat actor *
GOTHAM - Processor for external monitor recreating target monitor from red video
GOTHAMKNIGHT - A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit *
GOURMETTROUGH - Configurable implant for Juniper NetScreen firewalls including SSG type, minimal beaconing
GROK - Computer implant plug-in used to log keystrokes
GUMFISH - Computer implant plug-in to take over a computer’s webcam and snap photographs

H
HALLUXWATER - Software implant as boot ROM upgrade for Huawei Eudemon firewalls, finds patch points in inbound packet processing, used in O2, Vodafone and Deutsche Telekom
HAMMERCHANT - Implant for network routers to intercept and perform exploitation attacks against data sent through a Virtual Private Network (VPN) and/or phone calls via Skype and other VoIP software *
HAMMERMILL - Insertion Tool controls HEADWATER boot ROM backdoor
HAMMERSTEIN - Implant for network routers to intercept and perform exploitation attacks against data sent through a Virtual Private Network (VPN) and/or phone calls via Skype and other VoIP software
HANGARSURPLUS - Low-to-High diode used for botnet hacking *
HAPPYFOOT - Program that intercepts traffic generated by mobile apps that send a smartphone’s location to advertising networks *
HAPPYHOUR - Plug-in for the wireless survey and exploitation system BLINDDATE *
HAWALA - ? *
HEADMOVIES - TAO computer hacking project *
HEADWATER - Permanent backdoor in boot ROM for Huawei routers stable to firmware updates, installed over internet, capture and examination of all IP packets passing through host router, controlled by Hammermill Insertion Tool
HIDDENTEMPLE - A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit *
HIGHLANDS - Technique for close access collection from computer implants *
HOGTECH - Streaming packets collected through hacking operations *
HOWLERMONKEY (HM) - Generic radio frequency (RF) transceiver tool used for various applications *
HUFF - System like FOXACID? *
HYDROCASTLE - Tool or database with 802.11 configuration data extracted from CNE activity in specific locations *

I
ICYTWINS - Processing system for data collected from vPCS shaping under the STEELFLAUTA program *
INCAADAM - Major intrusion set effort *
INCISION - Implant presumably used by TAO's Equation Group and offered for sale by Shadow Brokers *
INTOLERANT - Data set stolen by hackers, discovered and exploited by CSEC and Menwith Hill Station since 2010 *
IRATEMONK - Hard drive firmware providing software persistence for desktops and laptops via Master Boot Record substitution, for Seagate Maxtor Samsung file systems FAT NTFS EXT3 UFS, payload is implant installer, shown at internet cafe *
IRONAVENGER - NSA hacking operation against an ally and an adversary (2010) *
IRONCHEF - Provides access persistence back door exploiting BIOS and SMM to communicate with a 2-way RF hardware implant
IRONPERSISTANCE - Access Technologies Operations (ATO) operation support to DIA in Afghanistan *
ITIME - Alleged NSA hacking tool, offered for sale by Shadow Brokers *

J
JACKLADDER - Implant presumably used by TAO's Equation Group and offered for sale by Shadow Brokers *
JEEPFLEA - TAO computer hacking project *
JETPLOW - A firmware persistence implant for Cisco ASA and PIX devices that persists BANANAGLEE *
JIFFYRAUL - A module loaded into Cisco PIX firewalls with BANANAGLEE *
JOLLYROGER - Tool that provides metadata that describe the networking environment of TAO-implanted Windows PCs *
JUMPDOLLAR - Tool to support various file systems *
JUNIORMINT - Implant digital core, either mini printed circuit board or ultra-mini Flip Chip Module, contains ARM9 micro-controller, FPGA Flash SDRAM and DDR2 memories

[Figure: NSA codenames (not included on this page) used under the SPINALTAP program for combining data from active hacking operations and passive signals intelligence collection.]

K
KIRKBOMB - Windows kernel examination to detect loaded drivers and processes *
KOALAPUNCH - TAO computer hacking project *
KONGUR - Software implant restorable by GINSU after OS upgrade or reinstall

L
LEAKYFAUCET - Flow repository of 802.11 WiFi IP addresses and clients via STUN data *
LEGION AMBER - Chinese hacking operation against a major US software company *
LEGION AMETHYST - Hacking effort by China in which private e-mails of top US officials were obtained; previously codenamed DANCING PANDA (since 2010) *
LEGION JADE - A group of Chinese hackers *
LEGION RUBY - A group of Chinese hackers *
LEGION YANKEE - Chinese hacking operation against the Pentagon and defense contractors (2011) *
LIFESAVER - Technique which images the hard drive of computers *
LOUDAUTO - An ANGRYNEIGHBOR radar retro-reflector, microphone captures room audio by pulse position modulation of square wave
LUTEUSICARUS - TAO computer hacking project *
LUTEUSOBSTOS - Codeword found in the source code used by the Equation hacking group *

M
781MADBISHOP - Hard drive implant *
782MAESTRO-II - Mini digital core implant, standard TAO implant architecture
783MAGICBEAN - Man-in-the-middle WiFi attack tool *
784MAGICJACK - Alleged NSA implant, offered for sale by Shadow Brokers *
785MAGICSQUIRREL - Man-in-the-middle WiFi attack tool *
786MAGNETIC - Technique of sensor collection of magnetic emanations *
787MAGNUMOPUS - TAO computer hacking project *
788MAKERSMARK - Major cyber threat category countered by the TUTELAGE system * identified in 2007 *
789MAVERICK CHURCH - Major cyber threat category countered by the TUTELAGE system, formerly BISHOP * part of BYZANTINE HADES *
790MIDDLEMAN - TAO covert network
791MINERALIZE - Technique for close access collection through LAN implants *
792MIRROR - Automated survey system that can for example identify the presence of a VPN; interface to the ROADBED system *
793MISTYVEAL (MV) - Another version of VALIDATOR for installation on a target's computer *
794MOCCASIN - A hardware implant, permanently connected to a USB keyboard *
795MONKEYCALENDAR - Software implant on GSM SIM cards that exfiltrates user geolocation data
796MOUSETRAP - Sandia implant for EFI *
797MURPHYSLAW - TAO computer hacking project *
798
799N
800NATIVE DANCER - Major cyber threat category countered by the TUTELAGE system *
801NEBULA - Base station router similar to CYCLONE Hx9
802NIGHTWATCH - Portable computer in shielded case for recreating target monitor from progressive-scan non-interlaced VAGRANT signals
803NIGHTSTAND (NS) - Plug-in for the wireless survey and exploitation system BLINDDATE, which injects a packet that forces a client to access a monitored listening post *
804NIGHTTRAIN - Major intrusion set effort *
805NITESTAND - See NIGHTSTAND
806NITRO ZEUS - Umbrella program for hacking operations against Iranian critical civilian and military infrastructure *
807NOPEN - A RAT or post-exploitation shell consisting of a client and a server that encrypts data using RC6, offered for sale by Shadow Brokers *
808
809O
810ODDJOB - An HTTP command and control implant for installation on compromised Windows hosts, published by the Shadow Brokers *
811OLYMPIC - First word of nicknames for programs involving defense against Chinese cyber-warfare and US offensive cyber-warfare *
812OLYMPIC GAMES - Joint US and Israel operation against the Iranian nuclear program (aka Stuxnet)*
813OLYMPUS - Software component of VALIDATOR/SOMBERKNAVE used to communicate via wireless LAN 802.11 hardware *
814OPTICPINCH - Internal mission network for TAO/ROC hacking operations, connected to FIGBUILD through ROOTKNOT (2009) *
815ORANGUTAN - Implant, tool or exploit presumably used by TAO's Equation Group *
816ORLEANSTRIDE - Alleged NSA implant, offered for sale by Shadow Brokers *
817
818P
819PACKETWRENCH - Computer exploit delivered by the FERRETCANON system *
820PANDAROCK - A tool for connecting to a POLARPAWS implant *
821PANDORAS MAYHEM - Part of QUANTUM operations involving TUTELAGE *
822PARCHDUSK (PD) - Productions Operation of NSA's TAO division *
823PASSIONATEPOLKA - TAO tool for remotely bricking network cards *
824PASTEPIG - NetApp on the TAONet/NSANet DMZ *
825PATCHICILLIN - Implant, tool or exploit presumably used by TAO's Equation Group *
826PCLEAN - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
827PEDDLECHEAP - Computer exploit delivered by the FERRETCANON system *
828PERFECT CITIZEN - Research and engineering program to counter cyberattacks, in cooperation with Raytheon *
829PHOENIX Exploit Kit - Major cyber threat category countered by the TUTELAGE system *
830PHOTOANGLO - A continuous wave generator and receiver. The bugs on the other end are ANGRYNEIGHBOR class
831PITIEDFOOL - A suite of CNA tools for use against file systems. Overwrites data to the point it is irrecoverable.
832PLAIDDIANA - Major intrusion set effort *
833PLUCKHAGEN - An IRATEMONK implantation for ARM-based Fujitsu drives *
834POLARBREEZE - NSA technique to tap into nearby computers *
835POLARPAWS - An implant for a firewall from an unknown vendor *
836POLARSNEEZE - An implant for a firewall from an unknown vendor *
837POLARSTARKEY - Network Defense data source *
838POLITERAIN - CNA team or operation from the ATO unit of TAO *
839POPROCKS - Chinese cyber attacks against video conference providers, 2009 Navy Router Incident, part of BYZANTINE HADES *
840POPQUIZ - Project of NSA's Research Directorate to collect network metadata on high-bandwidth protocols such as HTTP, SMTP and DNS (2008) * or analytic tool for cyber attacks *
841PORK - Alleged NSA implant, offered for sale by Shadow Brokers *
842POTBED - TAO computer hacking project *
843PROTOSS - Local computer handling radio frequency signals from implants
844PUZZLECUBE - TAO tasking database * *
845
846Q
847QFIRE - A consolidated QUANTUMTHEORY platform to reduce latencies by co-locating passive sensors with local decisioning and traffic injection (under development in 2011)
848QUANTUM - Secret servers placed by NSA at key places on the internet backbone; part of the TURMOIL program *
849QUANTUMBISCUIT - Enhancement of QUANTUMINSERT for targets which are behind large proxies *
850QUANTUMBOT - Method for taking control of idle IRC bots and botnets *
851QUANTUMBOT2 - Combination of Q-BOT and Q-BISCUIT for web-based botnets *
852QUANTUMCOOKIE - Method to force cookies onto target computers
853QUANTUMCOPPER - Method for corrupting file uploads and downloads *
854QUANTUMDIRK - Replacement for the QUANTUMINSERT hacking toolset that injects malicious content into chat services provided by websites such as Facebook and Yahoo *
855QUANTUMDNS - DNS injection/redirection based off of A record queries *
856QUANTUMHAND - Man-on-the-side technique using a fake Facebook server *
857QUANTUMINSERT (QI) - Man-on-the-side technique that redirects target internet traffic to a FOXACID server for exploitation *
858QUANTUMMUSH - Targeted spam exploitation method *
859QUANTUMNATION - Umbrella for COMMONDEER and VALIDATOR computer exploits
860QUANTUMPHANTOM - Hijacks any IP address to use as covert infrastructure *
861QUANTUMSKY - Malware used to block targets from accessing certain websites through RST packet spoofing *
862QUANTUMSMACKDOWN - Method for using packet injection to block attacks against DoD computers *
863QUANTUMSPIN - Exploitation method for instant messaging *
864QUANTUMSQUEEL - Method for injecting MySQL persistent database connections *
865QUANTUMSQUIRREL - Using any IP address as a covert infrastructure *
866QUANTUMTHEORY (QT) - Computer hacking toolbox, which dynamically injects packets into target's network session *
867QWERTY - TAO keylogger tool, probably a component of the WARRIORPRIDE malware framework *
868
869R
870RADON - Host tap that can inject Ethernet packets *
871RAGEMASTER - Part of ANGRYNEIGHBOR radar retro-reflectors, for red video graphics array cable in ferrite bead RFI chokers between video card and monitor, target for RF flooding and collection of VAGRANT video signal
872RAISEBED - Access system *
873RAPTOR JOY - Intrusion set? *
874RAPTOR ROLEX - Intrusion set? *
875RAPORT SAD - Intrusion set? *
876RATWHARF - Cyber mission *
877RECORDER - Major intrusion set effort *
878REGIN - Highly sophisticated spyware found in computer systems worldwide, supposedly used by NSA and GCHQ (discovered in 2013, codename by Microsoft) *
879REPLICANTFARM - Signature based output of the WARRIORPRIDE framework *
880RETICULUM - Implant, tool or exploit presumably used by TAO's Equation Group *
881RETURNSPRING - High-side server shown in UNITEDRAKE internet cafe monitoring graphic
882REXKWONDO - TAO project for shaping and MitM capabilities against Lebanon's internet traffic (2013) *
883ROGUESAMURAI - Test framework of TAO's persistence division for testing computer exploits *
884ROOTKNOT - One-way transfer device *
885
886S
887SADDLEBACK - Hacking tool that performs a firmware modification? *
888SCHOOLMONTANA - Software implant for Juniper J-series routers used to direct traffic between server, desktop computers, corporate network and internet
889SCREAMINGHARPY - TAO computer hacking project *
890SCREAMINGPLOW - Similar to JETPLOW *
891SEAGULLFARO - Processing system on TAONet, part of DEEPFRIEDPIG * part of OPTICPINCH in 2009 *
892SEASONEDMOTH (SMOTH) - Stage0 computer implant which dies after 30 days, deployed by the QUANTUMNATION method
893SECONDDATE - Method to influence real-time communications between client and server in order to redirect web-browsers to FOXACID malware servers, offered for sale by Shadow Brokers * component of BADDECISION *
894SEED SPHERE - Computer network "intrusion set" identified in 2007 * *
895SENTRY EAGLE (SEE) - Overarching umbrella program for ECI compartments and SAP programs of the National Initiative to protect US cyberspace
896SENTRY HAWK - ECI compartment of SENTRY EAGLE that protects information about Computer Network Exploitation *
897SENTRY FALCON - ECI compartment of SENTRY EAGLE that protects information about Computer Network Defense *
898SERUM - Bank of servers within ROC managing approvals and ticket system
899SHADOWDRAGON - Major intrusion set effort *
900SHAREDTAFFY - TAO computer hacking project *
901SHARPFOCUS (SF2) - Productions Operation of NSA's TAO division *
902SHARPSHADOW - TAO computer hacking project *
903SHELLGREY - DNT standard exfiltration metadata format *
904SHENTYSDELIGHT - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
905SHEPARD - Related to the MAKERSMARK intrusion set *
906SHORTSHEET - NSA tool for Computer Network Exploitation *
907SHOTGIANT - NSA operation for hacking and monitoring the Huawei network (since 2009)
908SHOUTPIG - FTP server on the TAONet/NSANet DMZ *
909SIDETRACK - Implant, tool or exploit presumably used by TAO's Equation Group *
910SIERRAMONTANA - Software implant for Juniper M-series routers used by enterprises and service providers
911SIFT - Alleged NSA implant, offered for sale by Shadow Brokers *
912SILLYBUNNY - Some kind of web browser tag which can be used as selector *
913SKIMCOUNTRY - Alleged NSA implant, offered for sale by Shadow Brokers *
914SKYHOOKCHOW - Codeword found in the source code used by the Equation hacking group *
915SLICKERVICAR - Used with UNITEDRAKE or STRAITBIZARRE to upload hard drive firmware to implant IRATEMONK
916SLIPSTREAM - Part of the WARRIORPRIDE framework *
917SLYHERETIC_CHECKER - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
918SNORT - Repository of computer network attack techniques/coding
919SNOWGLOBE - Hacking operations against the US that may have originated in France * *
920SODAPRESSED - Linux application persistence *
921SOMBERKNAVE - Windows XP wireless software implant providing covert internet connectivity, routing TCP traffic via an unused 802.11 network device allowing OLYMPUS or VALIDATOR to call home from air-gapped computer
922SOUFFLETROUGH - Software implant in BIOS Juniper SSG300 and SSG500 devices, permanent backdoor, modifies ScreenOS at boot, utilizes Intel's System Management Mode
923SPARROW II - Airborne wireless network detector running BLINDDATE tools via 802.11
924SPECULATION - Protocol for over-the-air communication between COTTONMOUTH computer implant devices, compatible with HOWLERMONKEY
925SPINALTAP - NSA program for combining data from active hacking operations and passive signals intelligence collection *
926SPITEFULANGEL - Hacking tool or method in or for the Python programming language *
927STEALTHFIGTHER - Codeword found in the source code used by the Equation hacking group *
928STEELFLAUTA - TAO traffic shaping program supporting SSO cable tapping collection
929STOICSURGEON - Hacking tool presumably used by TAO's Equation Group, offered for sale by Shadow Brokers *
930STORMPIG - Data cleanup tool on TAONet used for TAO botnet hacking *
931STRAITACID - Codeword found in the source code used by the Equation hacking group *
932STRAI(GH)TBIZARRE (SBZ) - TAO software implant used to communicate through covert channels * or spyware that can turn computers into disposable and non-attributable "shooter" nodes *
933STRAITSHOOTER - Codeword found in the source code used by the Equation hacking group *
934STRIFEWORLD - Alleged NSA implant, offered for sale by Shadow Brokers *
935STRIKEZONE - Device running HOWLERMONKEY personality
936STRONGMITE - Computer at remote operations center used for long range communications
937STUCCOMONTANA - Software implant for Juniper T-Series routers used in large fixed-line, mobile, video, and cloud networks, otherwise just like SCHOOLMONTANA
938STUMPCURSOR - Foreign computer accessing program of the NSA's Tailored Access Operations
939STUXNET - A computer worm that was used to destroy Iran's nuclear centrifuges (discovered in 2010)
940STYLISHCHAMP - Tool that can create a HPA on a hard drive and then provide raw reads and writes to this area *
941SUAVEEYEFUL - Alleged NSA implant, offered for sale by Shadow Brokers *
942SUBTLESNOW - Major cyber threat category countered by the TUTELAGE system *
943SUCTIONCHAR - Alleged NSA implant, offered for sale by Shadow Brokers *
944SUPERDRAKE - Cyber threat actor * related to WIDOWKEY *
945SURLEYSPAWN - Data RF retro-reflector, gathers keystrokes FSK frequency shift keyed radar retro-reflector, USB or IBM keyboards
946SURPASSPIN - Transfers commands and tasking instructions from TAO's internal to the external mission network * receives messages from the FLASHHANDLE Mission Manager *
947SURPLUSHANGAR (SH) - High-to-Low diode, used for the QUANTUM system * and botnet hacking *
948SUTURESAILOR - Printed circuit board digital core used with HOWLERMONKEY
949SWAP - Implanted software persistence by exploiting motherboard BIOS and hard drive Host Protected Area for execution before OS loads, operative on Windows, Linux, FreeBSD, Solaris
950
951T
952TEFLONDOOR - A self-destructing post-exploitation shell for executing an arbitrary file *
953TITAN RAIN - Presumably Chinese attacks on American computer systems (since 2003)
954TOAST - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
955TORNSTEAK - Exploit solution for two firewall devices from a particular vendor *
956TOTECHASER - Software implant in flash ROM Windows CE for Thuraya 2520 satellite/GSM/web/email/MMS/GPS
957TOTEGHOSTLY - Modular implant for Windows Mobile OS based on SB using CP framework, Freeflow-compliant so supported by TURBULENCE architecture
958TRANSGRESSION - TAO/CES unit providing cryptanalytic support for various missions *
959TREACLEBETA - TAO hacking against the Pakistani terrorist group Lashkar-e-Taiba *
960TRINITY - Implant digital core concealed in COTTONMOUTH-I, providing ARM9 microcontroller, FPGA Flash and SDRAM memories *
961TUNINGFORK - Sustained collection linked to SEAGULLFARO, previously NSA database or cyber threat analysis tool *
962TURBINE - Active SIGINT: centralized automated command/control system for managing a large network of active computer implants for intelligence gathering (since 2010) *
963TURBOPANDA - A tool that can be used to communicate with a HALLUXWATER implant and allows read/write to memory, execute an address or packet; joint NSA/CIA project on Huawei network equipment *
964TUTELAGE - Active defense system with detection sensors that monitor network traffic at for example the NIPRNet in order to detect malicious code and network attacks, part of the TURBULENCE program *
965TWEEZERS - Major intrusion set effort *
966TWISTEDKILT - Writes to Host Protected area on hard drive to implant Swap and its implant installer payload, which can be used with the STYLISHCHAMP tool *
967
968U
969UNCANNY - Video demodulation tool (now: BOTANICREALTY) *
970UNITEDRAKE - Computer exploit delivered by the FERRETCANON system * receiving e-mails and files *
971UnPacMan - Processing system on TAONet, part of DEEPFRIEDPIG *
972
973V
974VAGRANT - Radar retro-reflector technique on video cable to reproduce open computer screens *
975VALIANTSURF - A "major system acquisition" that enables more efficient Computer Network Operations (CNO) by the TAO division; it will integrate into the TURBULENCE architecture *
976VALIDATOR - Computer exploit delivered by the FERRETCANON system for looking whether a computer has security software, runs as user process on target OS, modified for SCHOOLMONTANA, initiates a call home, passes to SOMBERKNAVE, downloads OLYMPUS and communicates with remote operation center *
977VICTORYDANCE - Joint NSA-CIA operation to map WiFi fingerprints of nearly every major town in Yemen *
978VIEWPLATE - Processor for external monitor recreating target monitor from red video
979VINYLSEAT - E-mails collected through hacking operations *
980VIOLETSPIRIT - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
981VITALAIR - NSA tool
982VITALAIR2 - Tool or database for automated scanned IP addresses for TAO known vulnerabilities *
983VOYEUR - US monitoring operation in which an Iranian hacking operation against the US was detected * *
984
985VULCANDEATHGRIP - Repository for data collected from vPCS shaping under the STEELFLAUTA program *
986
987W
988WAGONBED - Hardware GSM controller board implant on CrossBeam or HP Proliant G5 server that communicates over I2C interface
989WAITAUTO - Network used by the Remote Operations Center of NSA's TAO division *
990WALKERBLACK - Related to the MAKERSMARK intrusion set *
991WARNVULCANO - Something residing on the WAITAUTO network used for TAO botnet hacking *
992WARRIORPRIDE (WP) - Scalable, flexible and portable unified CNE platform used throughout the Five Eyes; equivalent at GCHQ is DAREDEVIL * It was for example used to break into iPhones *
993WATCHER - Tipping tool related to SECONDDATE operations, offered for sale by Shadow Brokers *
994WAXTITAN - TAO computer hacking project *
995WEASELWAGGLE - Major cyber threat category countered by the TUTELAGE system *
996WELLSPRING - Tool that strips out facial images from e-mails and other communications, and displays those that might contain passport images *
997WIDOWKEY - Major intrusion set effort, related to SUPERDRAKE *
998WHISTLINGDUXIE - TAO computer hacking project *
999WICKEDVICAR - Hacking tool used to perform remote survey and installation *
1000WIDOWKEY - Major cyber threat category countered by the TUTELAGE system *
1001WILDCHOCOBO - TAO computer hacking project *
1002WILDCOUGAR - TAO computer hacking project *
1003WILLOWVIXEN - Method to deploy malware by sending out spam e-mails that trick targets into clicking a malicious link * *
1004WISTFULTOLL - Plug-in for UNITEDRAKE and STRAITBIZARRE used to harvest target forensics via Windows Management Instrumentation and Registry extractions, can be done through USB thumb drive *
1005WINTERLIGHT - A QUANTUM computer hacking program in which Sweden takes part
1006WOBBLYLLAMA - A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit *