On Good Friday and ahead of the Easter holiday, the Shadow Brokers have dumped a new collection of files, containing what appear to be exploits and hacking tools targeting Microsoft's Windows OS, along with evidence that the Equation Group had gained access to servers at several banks around the world and had targeted their SWIFT connectivity.

The tools were dumped via the Shadow Brokers Twitter account and were accompanied by a blog post, as the group did in the past.

Called "Lost in Translation," the blog post contains the usual indecipherable ramblings the Shadow Brokers have published in the past, and a link to a Yandex Disk file storage repo.

Shadow Brokers dump

The password for these files is "Reeeeeeeeeeeeeee", and they've already been unzipped and hosted on GitHub by security researchers.


Last year, the Shadow Brokers claimed to have stolen these files from a cyber-espionage group known as the Equation Group, which many security firms link to the NSA. They put the tools up for auction, but nobody was interested in paying the hefty price of 1 million Bitcoin (around $570 million at the time).

Equation Group had backdoors inside many banks around the world

Last week, the Shadow Brokers dumped the password for the files they had put up for auction last summer. Missing from last week's dump were the Windows files they put up for individual auctions over the winter.

This dump contains three folders named Windows, Swift, and OddJob. The Windows folder contains several Windows hacking tools, though these are not the same tools that were put up for sale last December. The OddJob folder contains an implant of the same name that can be delivered to Windows systems. Details on this implant are scarce at the moment.

The folder claiming to hold SWIFT data contains SQL scripts that search for SWIFT-specific data inside databases, and text and Excel files indicating the Equation Group had gained access to several banks across the world, mainly in Middle Eastern countries such as Palestine, UAE, Kuwait, Qatar, and Yemen.

Shadow Brokers Excel file containing a list of compromised bank servers

This folder is by far the most interesting of the three, as it implies the Equation Group (NSA) had been infiltrating banks and secretly keeping an eye on SWIFT transactions. The files included in the dump indicate the Equation Group had targeted and successfully infiltrated EastNets, a SWIFT service bureau for the Middle East, one of the third-party providers that connects banks in the region to the SWIFT network and processes their transactions.

In a statement posted on its website, EastNets denied it had ever been compromised, even though the Shadow Brokers dump includes a file listing the Bureau's compromised administrator accounts, some of which correspond to real-world employees.

Summary of leaked data

As the tools were dumped two hours before this article's publication, we have very little information about their purpose beyond tweets from security researchers who have managed to figure out the role of some of these hacking tools:

EASYBEE appears to be an MDaemon email server vulnerability [source, source, source]
EASYPI is an IBM Lotus Notes exploit [source, source] that gets detected as Stuxnet [source]
EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 to 7.0.2 [source, source]
EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor [source, source]
ETERNALROMANCE is a SMBv1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges [source, source]
EDUCATEDSCHOLAR is a SMB exploit [source, source]
EMERALDTHREAD is a SMB exploit for Windows XP and Server 2003 [source, source]
EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino [source, source]
ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users [source, source]
ERRATICGOPHER is a SMBv1 exploit targeting Windows XP and Server 2003 [source, source]
ETERNALSYNERGY is a SMBv3 remote code execution flaw for Windows 8 and Server 2012 [source, source, source]
ETERNALBLUE is a SMBv1 exploit [source]
ETERNALCHAMPION is a SMBv1 exploit [source]
ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers [source, source]
ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003 [source, source]
ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later [source, source]
EXPANDINGPULLEY is another Windows implant [source]
GROK is a keylogger for Windows, also known about since Snowden [source]
ETRE is an exploit for IMail 8.10 to 8.22 [source]
FUZZBUNCH is an exploit framework, similar to Metasploit [source, source], which was also part of the December-January "Windows Tools" Shadow Brokers auction [source]
DOUBLEPULSAR is a ring-0, multi-version kernel-mode payload [source]
PASSFREELY is a tool that bypasses authentication for Oracle servers [source]
Equation Group had scripts that could scrape Oracle databases for SWIFT data [source, source]
ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later [source, source], also not detected by any AV vendors [source]
Metadata [possibly faked, possibly real] links NSA to Equation Group [source]
NSA used TrueCrypt for storing operation notes [source]
Some of the Windows exploits released today were undetectable on VirusTotal [source]
Some Equation Group humor in the ODDJOB instruction manual [source, source]
JEEPFLEA_MARKET appears to be an operation for collecting data from several banks around the world [source], previously linked to the NSA by Snowden [source, source]
The Equation Group targeted EastNets, a SWIFT connectivity provider [source, source, source, source, source]
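
A practical check for the exposure the list above keeps returning to: ETERNALBLUE, ETERNALROMANCE, ETERNALCHAMPION, ERRATICGOPHER, EMERALDTHREAD and EDUCATEDSCHOLAR all ride SMB over TCP port 445, and most of them need SMBv1 to be negotiated. The script below reports whether a Windows host still offers SMBv1 and listens on 445, and optionally turns it off. It is an added example written for this page, not code from the leak or from any of the researchers cited; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (where the SmbShare module exists), falls back to the registry for older hosts, and the function names Get-Smb1Exposure and Disable-Smb1Surface are chosen here, not taken from any tool.

```powershell
# Added example for this page, not part of the leaked toolkit or the article.
# Assumes an elevated session. Function and rule names are this example's own.

function Get-Smb1Exposure {
    # Reports the SMBv1 attack surface used by the ETERNAL* exploits:
    # is SMB1 enabled in the server stack, is the component installed,
    # is anything listening on TCP 445, and is 445 blocked inbound?
    $result = [ordered]@{}

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Server-side switch: when false, lanmanserver refuses the SMB1 dialect
        # even if the SMB1 component is still installed.
        $result.Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / 2008 R2 and older have no SmbShare module; the same
        # switch lives in the registry (missing value means SMB1 is on).
        $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
        $result.Smb1ServerEnabled = ($null -eq $p.SMB1) -or ($p.SMB1 -ne 0)
    }

    # Component install state: optional feature on client SKUs, role feature on servers.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) {
        $result.Smb1ComponentState = [string]$feature.State
    } elseif (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $result.Smb1ComponentState = [string](Get-WindowsFeature -Name FS-SMB1).InstallState
    } else {
        $result.Smb1ComponentState = 'Unknown'
    }

    # Is the port the SMB exploits target actually open on this host?
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Port445Listening = [bool]$listen

    # Any enabled inbound block rule covering TCP 445?
    $block = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '445' -or $_.LocalPort -eq 'Any') }
    $result.Port445BlockedInbound = [bool]$block

    # Exposed = SMB1 negotiable AND reachable on 445 with no block rule.
    $result.ExposedToSmb1Exploits = $result.Smb1ServerEnabled -and $result.Port445Listening -and -not $result.Port445BlockedInbound
    [pscustomobject]$result
}

function Disable-Smb1Surface {
    # Turns SMB1 off in the server stack (effective immediately), audits any
    # lingering SMB1 clients where supported, removes the component, and
    # optionally blocks inbound 445 on the Public profile.
    param([switch]$BlockPort445)

    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # AuditSmb1Access exists on Windows 10 / Server 2016 and later only;
        # it logs event 3000 in Microsoft-Windows-SMBServer/Audit for each SMB1 client.
        try { Set-SmbServerConfiguration -AuditSmb1Access $true -Force } catch { }
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }

    # Remove the component so a single config flip cannot bring SMB1 back.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null

    if ($BlockPort445) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - Public' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

# Usage: inspect first, then remediate on hosts that report ExposedToSmb1Exploits = True.
Get-Smb1Exposure
# Disable-Smb1Surface -BlockPort445
```

Disabling SMBv1 removes the dialect these exploits negotiate; it does not patch the underlying bugs, so it is a stopgap for hosts that cannot be patched or retired. Hosts that report Smb1ServerEnabled but still need SMB1 for legacy clients should at least get the port blocked from untrusted networks until those clients are gone.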

This post will most likely be updated with new information as it becomes available.
