(Updated: September 28, 2023)
Below is a listing of more than 500 codewords used by or related to the NSA division Tailored Access Operations (TAO), which is responsible for computer and network hacking as well as for physical 'close access' operations to bridge an air gap.
> See also the main listing of NSA Nicknames and Codewords
Similar lists are available on this website for GCHQ, CSE and BND. See also the lists of abbreviations of SIGINT and COMSEC, and general telephony and internet terms.
Please keep in mind that a listing like this will always be a work in progress!
A
ACRIDMINI - TAO computer hacking project *
ADJUTANT VENTURE - Intrusion set? *
ALOOFNESS - Cyber threat actor *
ALTEREDCARBON - An IRATEMONK implant for Seagate drives * *
AMULETSTELLAR - Cyber threat actor sending malicious e-mails *
ANGRYNEIGHBOR - Family of radar retro-reflector tools used by NSA's TAO division *
APERTURESCIENCE - TAO computer hacking project *
ARGYLEALIEN - Method to cause a loss of data by exploiting zeroization of hard-drives *
ARKSTREAM - Implant used to reflash BIOS, installed by remote access or intercepted shipping
ARROWECLIPSE - TAO operation to monitor the Chinese hacker group BYZANTINE CANDOR * *
AZTECTOMB - Some kind of TAO project *
B
BADDECISION (BDN) - Hacking tool to redirect users of a wireless/802.11 network to NSA FOXACID servers * *
BALLOONKNOT - TAO computer hacking project *
BANANAAID - NSA hacking tool or code included in the Shadow Brokers leak *
BANANABALLOT - A BIOS module associated with an implant (likely BANANAGLEE) *
BANNANADAIQUIRI - An implant associated with SCREAMINGPLOW *
BANANAGLEE - A non-persistent firewall software implant for Cisco ASA and PIX devices that allows remote JETPLOW installation *
BANANALIAR - A tool for connecting to an unspecified implant (likely BANANAGLEE) *
BARGLEE - A software implant for a firewall of an unknown vendor *
BARICE - A tool that provides a shell for installing the BARGLEE implant *
BARNFIRE - TAO tool to erase the BIOS on a brand of servers that act as a backbone to many rival governments *
BARPUNCH - A module for BANANAGLEE and BARGLEE implants *
BEACHHEAD - Computer exploit delivered by the FERRETCANON system * *
BEECHPONY - A firewall implant that is a predecessor of BANANAGLEE *
BEIGETHICKET - Implant module related to the UNITEDRAKE framework, as revealed by the Shadow Brokers *
BENIGNCERTAIN - A tool that appears to be for sending certain types of Internet Key Exchange (IKE) packets to a remote host and parsing the response *
BERSERKR - Persistent backdoor that is implanted into the BIOS and runs from System Management Mode * *
BILLOCEAN - Retrieves the serial number of a firewall, to be recorded in operation notes *
BISHOP KNIGHT - Major cyber threat category of Chinese attacks against NASA, DoD, DoE, part of BYZANTINE HADES, countered by the TUTELAGE system * *
BLACK ENERGY Bot - Major cyber threat category countered by the TUTELAGE system *
BLATSTING - A firewall software implant that is used with EGREGIOUSBLUNDER (Fortigate) and ELIGIBLEBACHELOR (TOPSEC) *
BLINDDATE (BD) - Survey and exploitation hardware with a mobile antenna system to run BADDECISION, which allows for a SECONDDATE attack * * * *
BLIND MARKSMAN - Major cyber threat category countered by the TUTELAGE system *
BLUISHDEFER - A subsystem mentioned in the UNITEDRAKE Manual as released by the Shadow Brokers
BOOKISHMUTE - An exploit against an unknown firewall using Red Hat 6.0 *
BORGERKING - Something related to Linux exploits *
BOTANICREALTY - Video demodulation tool (formerly: UNCANNY) *
BOXINGRUMBLE - Network attack that was countered by QUANTUMDNS *
BRICKTOP - Project to learn about new malware by intercepting e-mail from several security companies (2009) *
BROKENTIGO - Tool for computer network operations
BULLDOZER - PCI bus hardware implant on intercepted shipping
BUZZDIRECTION - A firewall software implant for Fortigate firewalls *
BYZANTINE - First word of nicknames for programs involving defense against Chinese cyber-warfare and US offensive cyber-warfare *
BYZANTINE ANCHOR - Chinese cyber attacks against a broad range of US targets since 2003, part of BYZANTINE HADES * *
BYZANTINE CANDOR (BC) - Chinese cyber attacks against DoD and other US targets, part of BYZANTINE HADES, formerly TITAN RAIN III * * *
BYZANTINE FOOTHOLD (BF) - Major cyber threat category of Chinese attacks against TRANSCOM, PACOM and others, countered by the TUTELAGE system * *
BYZANTINE HADES - Chinese computer network exploitation (CNE) against the US * probably renamed to the LEGION-series *
BYZANTINE PRAIRIE - Chinese cyber attacks but inactive since 2008, part of BYZANTINE HADES *
BYZANTINE RAPTOR - Chinese cyber attacks against DoD and Congress, resurfaced 2008, part of BYZANTINE HADES * *
BYZANTINE TRACE - Chinese cyber attacks against DoD, part of BYZANTINE HADES * already identified in 2007 *
BYZANTINE VIKING - Major cyber threat category countered by the TUTELAGE system *
C
CAPTIVATEDAUDIENCE - Computer implant plug-in to take over a targeted computer’s microphone and record conversations taking place near the device
CARBON PEPTIDE - Major cyber threat category, part of BYZANTINE HADES, countered by the TUTELAGE system *
CASTLECRASHER - Primary technique for executing DNT payloads for Windows computers *
CASTLECREEK (CC) - Hacking tool *
CATFLAP - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
CENTRICDUD - Tool that can read and write bytes in the CMOS of a targeted Windows computer *
CHAOSOVERLORD - TAO computer hacking project *
CHARMS - Alleged NSA implant, offered for sale by Shadow Brokers *
CHELSEABLUE - ? *
CHIMNEYPOOL - Framework or specification of GENIE-compliance for hardware/software implants
CHOCOLATESHIP - TAO computer hacking project *
CHOCOPOP - SNOWGLOBE cyber threat process *
CLIMBINGSHIRT - Expeditionary Access Operations (EAO) in Iraq *
CLOUDSHIELD - System that terminates a client-side connection to a malicious server and blocks the server's response *
CLUCKLINE - A module for BANANAGLEE implants *
COLOSSUS - FTP mover on TAONet *
COMMON - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
COMMONDEER - Computer exploit for checking whether a computer has security software
CONFICKER - Major cyber threat category countered by the TUTELAGE system *
CONJECTURE - Network compatible with HOWLERMONKEY
CONTAINMENTGRID - A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit *
COTTONMOUTH (CM) - Computer implant devices used by NSA's TAO division
COTTONMOUTH-I (CM-I) - USB hardware implant providing wireless bridge into target network and loading of exploit software onto target PCs, formerly DEWSWEEPER
COTTONMOUTH-II (CM-II) - USB hardware host tap provides covert link over USB into target's network co-located with long haul relay; dual-stacked USB connector, consists of CM-I digital hardware plus long haul relay concealed in chassis; hub with switches is concealed in a dual stacked USB connector and hard-wired to provide intra-chassis link.
COTTONMOUTH-III (CM-III) - Radio Frequency link for commands to software implants and data infiltration/exfiltration, short range inter-chassis link within RJ45 Dual Stacked USB connector
CROSSBEAM - GSM module mating commercial Motorola cell with WagonBed controller board for collecting voice data content via GPRS (web), circuit-switched data, data over voice, and DTMF to secure facility, implanted cell tower switch
CROSSBONES - Cyber threat analysis tool * *
CROSSEYEDSLOTH - TAO computer hacking project *
CROWNPRINCE - Related to the MAKERSMARK intrusion set *
CROWNROYAL - Related to the MAKERSMARK intrusion set *
CRYPTICSENTINEL - Counter computer network exploitation (CCNE) project *
CURSES - Alleged NSA implant, offered for sale by Shadow Brokers *
CUTEBOY - Foreign (Chinese) computer network exploitation actor *
CYBERCOP - Cyber attack visualisation tool
CYBERQUEST (CQ) - Cyber threat discovery mission? (since 2008) *
D
DAMPCROWD - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
DANCING PANDA - Hacking effort by China in which private e-mails of top US officials were obtained; renamed to LEGION AMETHYST (since 2010) * *
DANDERSPRITZ - An implant for interacting with a compromised host and controlling Windows systems, published by the Shadow Brokers *
DAREDEVIL - Shooter/implant as part of the QUANTUM system *
DARKFIRE - TAO counter cyber attack project * *
DARKHELMET - Counter computer network exploitation (CCNE) project *
DARKTHUNDER - TAO traffic shaping program supporting SSO cable tapping collection *
DAYTONSUNDAY - Implant module related to the UNITEDRAKE framework, as revealed by the Shadow Brokers *
DEAD SEA - Computer network exploitation tool (?) *
DEEPFRIEDPIG - Data processing system on TAONet, including SEAGULLFARO *
DEFIANTWARRIOR - Program under which a host computer that is infected with an exploitable bot can be hijacked through a QUANTUMBOT attack and redirected to the NSA *
DEITYBOUNCE - Provides implanted software persistence on Dell PowerEdge RAID servers via motherboard BIOS using Intel's System Management Mode for periodic execution, installed via ArkStream to reflash the BIOS
DEMENTIAWHEEL (DEWH) - Hacking tool * known as "Fanny" in the security community *
DESERTWINTER - Codeword found in the source code used by the Equation hacking group *
DEWDROP - Implant presumably used by TAO's Equation Group and offered for sale by Shadow Brokers *
DEWSWEEPER - Technique to tap USB hardware hosts *
DIESEL RATTLE - Chinese cyber attacks against US ISPs, government, defense contractors and Japan, part of BYZANTINE HADES *
DIRESCALLOP - Tool that disables DeepFreeze without the need for a reboot *
DISABLEVALOR - Hacking tool *
DISCOROUTE - NAC/GCHQ repository for router configuration files from CNE and passive SIGINT, such as telnet sessions * *
DISCOVERY - Major cyber threat category countered by the TUTELAGE system *
DOCKETDICTATE - Something related to NSA's TAO division
DOGROUND - Tool that seems to hide all traces of implant installation, as revealed by the Shadow Brokers *
DOUBLEPULSAR - Payload uploaded through the FUZZBUNCH framework, published by the Shadow Brokers *
DOURMAGNUM - Cyber threat activity from the Imam Hussein University *
DRINKPARSLEY - Codeword found in the source code used by the Equation hacking group *
DROPMIRE - Passive collection of emanations (e.g. from printers or faxes) by using a radio frequency antenna
DROPOUTJEEP - STRAITBIZARRE-based software implant for iPhone, initially close access but later remotely
DUBMOAT - Alleged NSA trojan, offered for sale by Shadow Brokers *
DURABLENAPKIN - A tool for injecting packets on LANs *
E
EARLYSHOVEL - Alleged NSA exploit, offered for sale by Shadow Brokers *
EASYHOOKUP (ESH) - An exploit for the CVE-2010-2568 (MS10-046) vulnerability
EASYKRAKEN - An IRATEMONK implantation for ARM-based Samsung drives *
EBB - Alleged NSA exploit, offered for sale by Shadow Brokers *
EBBISLAND - Alleged TAO exploit for the Solaris operating system, published by the Shadow Brokers *
ECLECTICPILOT - ? *
ECLIPSEDWING - Exploit for the CVE-2008-4250 (MS08-067) vulnerability
EGGBASKET - Alleged NSA exploit, offered for sale by Shadow Brokers *
EGOTISTICALGIRAFFE (EGGI) - NSA program for exploiting the TOR network *
EGOTISTICALGOAT (EGGO) - NSA tool for exploiting the TOR network *
EGREGIOUSBLUNDER (EGBL) - A remote code execution exploit for Fortigate firewalls that exploits an HTTP cookie overflow vulnerability *
ELATEDMONKEY - Alleged NSA exploit, offered for sale by Shadow Brokers *
ELDESTMYRIAD - Alleged NSA exploit, offered for sale by Shadow Brokers *
ELECTRICSLIDE - Alleged NSA exploit, offered for sale by Shadow Brokers *
ELEGANTEAGLE - Alleged NSA exploit, offered for sale by Shadow Brokers *
ELEONORE Exploit Kit - Major cyber threat category countered by the TUTELAGE system *
ELGINGAMBLE - Alleged NSA exploit, offered for sale by Shadow Brokers *
ELIGIBLEBACHELOR (ELBA) - An exploit for TOPSEC firewalls running the TOS operating system *
ELIGIBLEBOMBSHELL (ELBO) - A remote code execution exploit for TOPSEC firewalls that exploits an HTTP cookie command injection vulnerability *
ELIGIBLECANDIDATE (ELCA) - A remote code execution exploit for TOPSEC firewalls that exploits an HTTP cookie command injection vulnerability *
ELIGIBLECONTESTANT (ELCO) - A remote code execution exploit for TOPSEC firewalls that exploits an HTTP POST parameter injection vulnerability *
EMERALDTHREAD - Exploit for the CVE-2010-2729 (MS10-061) vulnerability *
ENDLESSDONUT - Alleged NSA exploit, offered for sale by Shadow Brokers *
ENEMYRUN - Alleged NSA implant, offered for sale by Shadow Brokers *
ENGLANDBOGGY - Alleged NSA exploit, offered for sale by Shadow Brokers *
ENVISIONCOLLISION - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
ENVOYTOMATO - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
EPICBANANA (EPBA) - A privilege escalation exploit against Cisco Adaptive Security Appliance (ASA) and Cisco Private Internet eXchange (PIX) devices *
EPICHERO - Alleged NSA exploit, offered for sale by Shadow Brokers *
EQUATION Group - Nickname given by Kaspersky to a highly advanced computer hacking group, considered to be part of TAO *
ERRONEOUSINGENUITY (ERIN) - NSA tool for exploiting the TOR network *
ESCALATEPLOWMAN (ESPL) - A privilege escalation exploit against WatchGuard firewalls *
ESTOPMOONLIT - Alleged NSA exploit, offered for sale by Shadow Brokers *
ETERNALBLUE - TAO exploit for Windows XP, 2003, Vista, 7 & 2008, published by the Shadow Brokers * and included in the WannaCry ransomware worm (2017) *
ETERNALCHAMPION - Exploit for Windows XP, 2003, Vista, 7 & 2008, published by the Shadow Brokers *
ETERNALROMANCE - Exploit for Windows XP, 2003, Vista, 7 & 2008, published by the Shadow Brokers *
ETERNALSYNERGY - Exploit for Windows 8 SP0 & Windows 2012 SP0, published by the Shadow Brokers *
EVOLVINGSTRATEGY - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
EWOK - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
EWORKFRENZY - Lotus Domino 6.5.4 and 7.0.2 exploit, published by the Shadow Brokers *
EXACTCHANGE - Alleged NSA exploit, offered for sale by Shadow Brokers *
EXPLODINGCAN - Remote IIS 6.0 exploit for Windows 2003, published by the Shadow Brokers *
EXPOXYRASIN - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
EXTRABACON (EXBA) - A remote code execution exploit against Cisco Adaptive Security Appliance (ASA) devices *
EXTREMEPARR - Alleged TAO exploit for the Solaris operating system, published by the Shadow Brokers *
EXZE - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
F
FABULOUSFABLE (FABFAB) - Tool used in automated SECONDDATE tasking *
FAKEDOUBT - An IRATEMONK implantation for ARM-based Hitachi drives *
FALSEMOREL - Allows for the deduction of the "enable" password from data freely offered by an unspecified firewall *
FANNER - Cyber threat actor *
FASHIONCLEFT - TAO/DNT protocol used by implants to exfiltrate collected network packets to the Common Data Receptor (CDR)
FEEDTROUGH - A technique for persisting BANANAGLEE and ZESTYLEAK implants for Juniper NetScreen firewalls * *
FELONYCROWBAR - System used to configure the UNITEDRAKE framework
FERRETCANON - Subsystem of the FOXACID system *
FESTIVEWRAPPER - Something used for TAO botnet hacking *
FIGBUILD - External mission network for TAO/ROC hacking operations, connected to OPTICPINCH through ROOTKNOT (2009) *
FINKCOAT - ? *
FINKDIFFERENT (FIDI) - Tool used for exploiting TOR networks
FIREWALK - Bidirectional network implant, passive gigabit ethernet traffic collector and active ethernet packet injector within RJ45 Dual Stacked USB connector, digital core used with HOWLERMONKEY, formerly RADON
FLASHHANDLE Mission Management (FMM) - Database for generating and retaining crypto keys for encrypting data that have to be transferred onto internal TAO networks * provides this to SURPASSPIN *
FLATLIQUID - TAO operation against the office of the Mexican president *
FLAXENPRECEPT - Common Data Receptor interface(?) *
FLEWAVENUE - Something mentioned in the UNITEDRAKE interface, as revealed by the Shadow Brokers *
FLOCKFORWARD - A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit *
FLUXBABBITT - Hardware implant for Dell PowerEdge RAID servers using Xeon processors
FOGGYBOTTOM - Computer implant plug-in that records logs of internet browsing histories and collects login details and passwords used to access websites and email accounts
FOGGYBOTTOM2 - Hacking tool mentioned in the UNITEDRAKE interface, as revealed by the Shadow Brokers *
FOGYNULL - DNT standard exfiltration protocol *
FORKPTY - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
FORRESTPLACE - Access system *
FOSHO - A Python library for creating HTTP exploits *
FOXACID (FA) - Originally a counter-terrorism mission against Al-Qaeda, now a network of covert internet servers used to exploit a target's browser through spam e-mail * *
FOXSEARCH - Tool for monitoring a QUANTUM target which involves FOXACID servers
FREEFLOW - One-way data diodes, see HANGARSURPLUS and SURPLUSHANGAR *
FREEZEPOST - Something related to NSA's TAO division
FROZENGAZE - System related to SECONDDATE operations *
FRUGALSHOT - FOXACID servers for receiving callbacks from computers infected with NSA spying software *
FUNNELAPS - DNT standard exfiltration data format *
FUZZBUNCH - An exploit framework containing 15 exploits and advanced kernel-mode backdoors for Windows, published by the Shadow Brokers *
G
GADGET HISS - Computer network "intrusion set" already identified in 2007 *
GECKO II - System consisting of hardware implant MR RF or GSM, UNITEDRAKE software implant, IRONCHEF persistence back door
GENESIS - Modified GSM handset for covert network surveys, recording of RF spectrum use, and handset geolocation based on software defined radio
GENIE - Overall close-access program, collection by Sigads US-3136 and US-3137 * *
GHOST - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
GHOSTRECON - Related to the VOYEUR intrusion set *
GNOMEFISHER - Major cyber threat category countered by the TUTELAGE system *
GNOMEVISION - Analytic tool for cyber attacks *
GODSURGE - Runs on FLUXBABBITT circuit board to provide software persistence by exploiting JTAG debugging interface of server processors, requires interdiction and removal of motherboard of JTAG scan chain reconnection
GOLLUM - Computer implant created by a partner agency *
GOPHERRAGE - Pilot project that seeks to develop a hypervisor implant to provide implant capabilities and a back door *
GOPHERSET - Software implant on GSM SIM phase 2+ Toolkit cards that exfiltrates contact list, SMS and call log from handset via SMS to user-defined phone; malware loaded using USB smartcard reader or over-the-air.
GOSSIPGIRL - Cyber threat actor *
GOTHAM - Processor for external monitor recreating target monitor from red video
GOTHAMKNIGHT - A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit *
GOURMETTROUGH - Configurable implant for Juniper NetScreen firewalls including SSG type, minimal beaconing
GROK - Computer implant plug-in used to log keystrokes *
GUMFISH - Computer implant plug-in to take over a computer’s webcam and snap photographs
H
HALLUXWATER - Software implant as boot ROM upgrade for Huawei Eudemon firewalls, finds patch points in inbound packet processing, used in O2, Vodafone and Deutsche Telekom
HAMMERCHANT - Implant for network routers to intercept and perform exploitation attacks against data sent through a Virtual Private Network (VPN) and/or phone calls via Skype and other VoIP software *
HAMMERMILL - Insertion Tool controls HEADWATER boot ROM backdoor
HAMMERSTEIN - Implant for network routers to intercept and perform exploitation attacks against data sent through a Virtual Private Network (VPN) and/or phone calls via Skype and other VoIP software
HANGARSURPLUS - Low-to-High diode used for botnet hacking *
HAPPYFOOT - Program that intercepts traffic generated by mobile apps that send a smartphone’s location to advertising networks *
HAPPYHOUR - Plug-in for the wireless survey and exploitation system BLINDDATE *
HAWALA - ? *
HEADMOVIES - TAO computer hacking project *
HEADWATER - Permanent backdoor in boot ROM for Huawei routers stable to firmware updates, installed over internet, capture and examination of all IP packets passing through host router, controlled by Hammermill Insertion Tool
HEAVENSLEW - Subcomponent of the UNITEDRAKE system, mentioned in the manual released by the Shadow Brokers
HIDDENTEMPLE - A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit *
HIGHLANDS - Technique for close access collection from computer implants *
HOGTECH - Streaming packets collected through hacking operations *
HOWLERMONKEY (HM) - Generic radio frequency (RF) transceiver tool used for various applications *
HUFF - System like FOXACID? *
HYDROCASTLE - Tool or database with 802.11 configuration data extracted from CNE activity in specific locations *
I
ICYTWINS - Processing system for data collected from vPCS shaping under the STEELFLAUTA program *
INCAADAM - Major intrusion set effort *
INCISION - Implant presumably used by TAO's Equation Group and offered for sale by Shadow Brokers *
INFOSPYDER - Mentioned in the UNITEDRAKE interface, as revealed by the Shadow Brokers *
INTOLERANT - Data set stolen by hackers, discovered and exploited by CSEC and Menwith Hill Station since 2010 *
IRATEMONK - Hard drive firmware providing software persistence for desktops and laptops via Master Boot Record substitution, for Seagate, Maxtor and Samsung; file systems FAT, NTFS, EXT3, UFS; payload is implant installer, shown at internet cafe *
IRONAVENGER - NSA hacking operation against an ally and an adversary (2010) * *
IRONCHEF - Provides access persistence back door exploiting BIOS and SMM to communicate with a 2-way RF hardware implant
IRONPERSISTANCE - Access Technologies Operations (ATO) operation support to DIA in Afghanistan *
ITIME - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
J
JACKLADDER - Implant presumably used by TAO's Equation Group and offered for sale by Shadow Brokers *
JEEPFLEA - TAO computer hacking project *
JEEPFLEA_MARKET - NSA/CSS Texas hacking operation against the SWIFT Service Bureau EastNets, with offices in Belgium, Jordan, Egypt and UAE *
JEEPFLEA_POWDER - NSA/CSS Texas hacking operation against the SWIFT Service Bureau BCG, which serves Panama and Venezuela *
JETPLOW - A firmware persistence implant for Cisco ASA and PIX devices that persists BANANAGLEE *
JIFFYRAUL - A module loaded into Cisco PIX firewalls with BANANAGLEE *
JOLLYROGER - Tool that provides metadata that describe the networking environment of TAO-implanted Windows PCs *
JUMPDOLLAR - Tool to support various file systems *
JUNIORMINT - Implant digital core, either mini printed circuit board or ultra-mini Flip Chip Module, contains ARM9 micro-controller, FPGA Flash SDRAM and DDR2 memories
JUSTVISITING (JUVI) - Module that seems part of UNITEDRAKE, as revealed by the Shadow Brokers *
NSA codenames (not included on this page) used under the SPINALTAP program for combining data from active hacking operations and passive signals intelligence collection.
K
KILLSUIT - Mentioned in the UNITEDRAKE interface, as revealed by the Shadow Brokers *
KIRKBOMB - Windows kernel examination to detect loaded drivers and processes *
KOALAPUNCH - TAO computer hacking project *
KONGUR - Software implant restorable by GINSU after OS upgrade or reinstall
KRISPYKREME - Implant module related to the UNITEDRAKE framework, as revealed by the Shadow Brokers * *
L
LEAKYFAUCET - Flow repository of 802.11 WiFi IP addresses and clients via STUN data *
LEGION AMBER - Chinese hacking operation against a major US software company *
LEGION AMETHYST - Hacking effort by China in which private e-mails of top US officials were obtained; previously codenamed DANCING PANDA (since 2010) *
LEGION JADE - A group of Chinese hackers *
LEGION RUBY - A group of Chinese hackers *
LEGION YANKEE - Chinese hacking operation against the Pentagon and defense contractors (2011) *
LIFESAVER - Technique which images the hard drive of computers * *
LOUDAUTO - An ANGRYNEIGHBOR radar retro-reflector, microphone captures room audio by pulse position modulation of square wave
LUTEUSICARUS - TAO computer hacking project *
LUTEUSOBSTOS - Codeword found in the source code used by the Equation hacking group *
M
MADBISHOP - Hard drive implant *
MAESTRO-II - Mini digital core implant, standard TAO implant architecture
MAGICBEAN - Man-in-the-middle WiFi attack tool *
MAGICJACK - Alleged NSA implant, offered for sale by Shadow Brokers *
MAGICSQUIRREL - Man-in-the-middle WiFi attack tool *
MAGNETIC - Technique of sensor collection of magnetic emanations *
MAGNUMOPUS - TAO computer hacking project *
MAKERSMARK - Major cyber threat category countered by the TUTELAGE system * identified in 2007 * *
MAVERICK CHURCH - Major cyber threat category countered by the TUTELAGE system, formerly BISHOP * part of BYZANTINE HADES *
MIDDLEMAN - TAO covert network
MINERALIZE - Technique for close access collection through LAN implants *
MIRROR - Automated survey system that can for example identify the presence of a VPN; interface to the ROADBED system *
MISTYVEAL (MV) - Another version of VALIDATOR for installation on a target's computer *
MOCCASIN - A hardware implant, permanently connected to a USB keyboard *
MONKEYCALENDAR - Software implant on GSM SIM cards that exfiltrates user geolocation data
MOUSETRAP - Sandia implant for EFI *
MURPHYSLAW - TAO computer hacking project *
N
NATIVE DANCER - Major cyber threat category countered by the TUTELAGE system *
NEBULA - Base station router similar to CYCLONE Hx9
NETSPYDER - Implant module related to the UNITEDRAKE framework, as revealed by the Shadow Brokers *
NIGHTWATCH - Portable computer in shielded case for recreating target monitor from progressive-scan non-interlaced VAGRANT signals
NIGHTSTAND (NS) - Plug-in for the wireless survey and exploitation system BLINDDATE, which injects a packet that forces a client to access a monitored listening post *
NIGHTTRAIN - Part of a program to spy on a close US ally during operations alongside the ally against a common foe * *
NITESTAND - See NIGHTSTAND
NITRO ZEUS - Umbrella program for hacking operations against Iranian critical civilian and military infrastructure *
NOPEN - A RAT or post-exploitation shell consisting of a client and a server that encrypts data using RC6, offered for sale by Shadow Brokers *
O
ODDJOB - An HTTP command and control implant for installation on compromised Windows hosts, published by the Shadow Brokers *
OLYMPIC - First word of nicknames for programs involving defense against Chinese cyber-warfare and US offensive cyber-warfare *
OLYMPIC GAMES - Joint US and Israel operation against the Iranian nuclear program (aka Stuxnet) *
OLYMPUS - Software component of VALIDATOR/SOMBERKNAVE used to communicate via wireless LAN 802.11 hardware *
OPTICPINCH - Internal mission network for TAO/ROC hacking operations, connected to FIGBUILD through ROOTKNOT (2009) *
ORANGUTAN - Implant, tool or exploit presumably used by TAO's Equation Group *
ORLEANSTRIDE - Alleged NSA implant, offered for sale by Shadow Brokers *
P
PACKETWRENCH - Computer exploit delivered by the FERRETCANON system *
PANDAROCK - A tool for connecting to a POLARPAWS implant *
PANDORAS MAYHEM - Part of QUANTUM operations involving TUTELAGE *
PARCHDUSK (PD) - Productions Operation of NSA's TAO division *
PASSIONATEPOLKA - TAO tool for remotely bricking network cards *
PASTEPIG - NetApp on the TAONet/NSANet DMZ *
PATCHICILLIN - Implant, tool or exploit presumably used by TAO's Equation Group *
PCLEAN - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
PEDDLECHEAP - Computer exploit delivered by the FERRETCANON system *
PERFECT CITIZEN - Research and engineering program to counter cyberattacks, in cooperation with Raytheon *
PHOENIX Exploit Kit - Major cyber threat category countered by the TUTELAGE system *
PHOTOANGLO - Continuous wave generator and receiver. The bugs on the other end are ANGRYNEIGHBOR class
PITIEDFOOL - Suite of CNA tools to attack the Windows operating system, overwrites data to the point it is irrecoverable *
PLAIDDIANA - Major intrusion set effort *
PLUCKHAGEN - An IRATEMONK implantation for ARM-based Fujitsu drives *
POLARBREEZE - NSA technique to tap into nearby computers *
POLARPAWS - An implant for a firewall from an unknown vendor *
POLARSNEEZE - An implant for a firewall from an unknown vendor *
POLARSTARKEY - Network Defense data source *
POLITERAIN - Offensive CNA team from the ATO unit of TAO * *
POPROCKS - Chinese cyber attacks against video conference providers, 2009 Navy Router Incident, part of BYZANTINE HADES *
POPQUIZ - Project of NSA's Research Directorate to collect network metadata on high-bandwidth protocols such as HTTP, SMTP and DNS (2008) * or analytic tool for cyber attacks *
PORK - Alleged NSA implant, offered for sale by Shadow Brokers *
POTBED - TAO computer hacking project *
PROTOSS - Local computer handling radio frequency signals from implants
PUZZLECUBE - TAO tasking database * *
Q
QFIRE - A consolidated QUANTUMTHEORY platform to reduce latencies by co-locating passive sensors with local decisioning and traffic injection (under development in 2011)
QUANTUM - Secret servers placed by NSA at key places on the internet backbone; part of the TURMOIL program *
QUANTUMBISCUIT - Enhancement of QUANTUMINSERT for targets which are behind large proxies *
QUANTUMBOT - Method for taking control of idle IRC bots and botnets *
QUANTUMBOT2 - Combination of Q-BOT and Q-BISCUIT for web-based botnets *
QUANTUMCOOKIE - Method to force cookies onto target computers
QUANTUMCOPPER - Method for corrupting file uploads and downloads *
QUANTUMDIRK - Replacement for the QUANTUMINSERT hacking toolset that injects malicious content into chat services provided by websites such as Facebook and Yahoo *
QUANTUMDNS - DNS injection/redirection based off of A record queries *
QUANTUMHAND - Man-on-the-side technique using a fake Facebook server *
QUANTUMINSERT (QI) - Man-on-the-side technique that redirects target internet traffic to a FOXACID server for exploitation *
QUANTUMMUSH - Targeted spam exploitation method *
QUANTUMNATION - Umbrella for COMMONDEER and VALIDATOR computer exploits
QUANTUMPHANTOM - Hijacks any IP address to use as covert infrastructure *
QUANTUMSKY - Malware used to block targets from accessing certain websites through RST packet spoofing *
QUANTUMSMACKDOWN - Method for using packet injection to block attacks against DoD computers *
QUANTUMSPIN - Exploitation method for instant messaging *
QUANTUMSQUEEL - Method for injecting MySQL persistent database connections *
QUANTUMSQUIRREL - Using any IP address as a covert infrastructure *
QUANTUMTHEORY (QT) - Computer hacking toolbox, which dynamically injects packets into target's network session *
QWERTY - TAO keylogger tool, probably a component of the WARRIORPRIDE malware framework *
R
RADON - Host tap that can inject Ethernet packets *
RAGEMASTER - Part of ANGRYNEIGHBOR radar retro-reflectors, for red video graphics array cable in ferrite bead RFI chokers between video card and monitor, target for RF flooding and collection of VAGRANT video signal
RAISEBED - Access system *
RAPTOR JOY - Intrusion set? *
RAPTOR ROLEX - Intrusion set? *
RAPORT SAD - Intrusion set? *
RATWHARF - Cyber mission *
RECORDER - Major intrusion set effort *
REGIN - Highly sophisticated spyware found in computer systems worldwide, supposedly used by NSA and GCHQ (discovered in 2013, codename by Microsoft) *
REPLICANTFARM - Signature based output of the WARRIORPRIDE framework *
RETICULUM - Implant, tool or exploit presumably used by TAO's Equation Group *
RETURNSPRING - High-side server shown in UNITEDRAKE internet cafe monitoring graphic
REXKWONDO - TAO project for shaping and MitM capabilities against Lebanon's internet traffic (2013) *
ROGUESAMURAI - Test framework of TAO's persistence division for testing computer exploits *
ROOTKNOT - One-way transfer device *
S
SADDLEBACK - Hacking tool that performs a firmware modification? *
SALVAGERABBIT - Mentioned in the UNITEDRAKE interface, as revealed by the Shadow Brokers *
SCHOOLMONTANA - Software implant for Juniper J-series routers used to direct traffic between server, desktop computers, corporate network and internet
SCREAMINGHARPY - TAO computer hacking project *
SCREAMINGPLOW - Similar to JETPLOW *
SEAGULLFARO - Processing system on TAONet, part of DEEPFRIEDPIG * part of OPTICPINCH in 2009 *
SEASONEDMOTH (SMOTH) - Stage0 computer implant which dies after 30 days, deployed by the QUANTUMNATION method
SECONDDATE - Man-in-the-Middle attack method for real-time communications between client and server in order to redirect web-browsers to FOXACID malware servers, offered for sale by Shadow Brokers * * * component of BADDECISION *
SEED SPHERE - Computer network "intrusion set" identified in 2007 * *
SENTRY EAGLE (SEE) - Overarching umbrella program for ECI compartments and SAP programs of the National Initiative to protect US cyberspace
SENTRY HAWK - ECI compartment of SENTRY EAGLE that protects information about Computer Network Exploitation *
SENTRY FALCON - ECI compartment of SENTRY EAGLE that protects information about Computer Network Defense *
SERUM - Bank of servers within ROC managing approvals and ticket system
SHADOWDRAGON - Major intrusion set effort *
SHAREDTAFFY - TAO computer hacking project *
SHARPFOCUS (SF2) - Productions Operation of NSA's TAO division *
SHARPSHADOW - TAO computer hacking project *
SHELLGREY - DNT standard exfiltration metadata format *
SHENTYSDELIGHT - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
SHEPARD - Related to the MAKERSMARK intrusion set *
SHORTSHEET - NSA tool for Computer Network Exploitation *
SHOTGIANT - NSA operation for hacking and monitoring the Huawei network (since 2009)
SHOUTPIG - FTP server on the TAONet/NSANet DMZ *
SIDETRACK - Implant, tool or exploit presumably used by TAO's Equation Group *
SIERRAMONTANA - Software implant for Juniper M-series routers used by enterprises and service providers
SIFT - Alleged NSA implant, offered for sale by Shadow Brokers *
SILLYBUNNY - Some kind of web browser tag which can be used as selector *
SKIMCOUNTRY - Alleged NSA implant, offered for sale by Shadow Brokers *
SKYHOOKCHOW - Codeword found in the source code used by the Equation hacking group *
SLICKERVICAR - Used with UNITEDRAKE or STRAITBIZARRE to upload hard drive firmware to implant IRATEMONK
SLIPSTREAM - Part of the WARRIORPRIDE framework *
SLYHERETIC_CHECKER - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
SNORT - Repository of computer network attack techniques/coding
SNOWGLOBE - Hacking operations against the US that may have originated in France * *
SODAPRESSED - Linux application persistence *
SOLARTIME (SOTI) - Module that seems part of UNITEDRAKE, as revealed by the Shadow Brokers *
SOMBERKNAVE - Windows XP wireless software implant providing covert internet connectivity, routing TCP traffic via an unused 802.11 network device allowing OLYMPUS or VALIDATOR to call home from air-gapped computer
SOUFFLETROUGH - Software implant in the BIOS of Juniper SSG300 and SSG500 devices, permanent backdoor, modifies ScreenOS at boot, utilizes Intel's System Management Mode
SPARROW II - Airborne wireless network detector running BLINDDATE tools via 802.11
SPECULATION - Protocol for over-the-air communication between COTTONMOUTH computer implant devices, compatible with HOWLERMONKEY
SPINALTAP - NSA program for combining data from active hacking operations and passive signals intelligence collection *
SPITEFULANGEL - Hacking tool or method in or for the Python programming language *
SQUASHCHUNKY - Mentioned in the UNITEDRAKE interface, as revealed by the Shadow Brokers *
STEALTHFIGTHER - Codeword found in the source code used by the Equation hacking group *
STEELFLAUTA - TAO traffic shaping program supporting SSO cable tapping collection
STOICSURGEON - Hacking tool presumably used by TAO's Equation Group, offered for sale by Shadow Brokers *
STORMPIG - Data cleanup tool on TAONet used for TAO botnet hacking *
STOWAGEWINK - Implant module related to the UNITEDRAKE framework, as revealed by the Shadow Brokers *
STRAITACID - Codeword found in the source code used by the Equation hacking group *
STRAI(GH)TBIZARRE (SBZ) - TAO software implant used to communicate through covert channels * or spyware that can turn computers into disposable and non-attributable "shooter" nodes *
STRAITSHOOTER - Codeword found in the source code used by the Equation hacking group *
STRIFEWORLD - Alleged NSA implant, offered for sale by Shadow Brokers *
STRIKEZONE - Device running HOWLERMONKEY personality
STRONGMITE - Computer at remote operations center used for long range communications
STUCCOMONTANA - Software implant for Juniper T-Series routers used in large fixed-line, mobile, video, and cloud networks, otherwise just like SCHOOLMONTANA
STUMPCURSOR - Foreign computer accessing program of the NSA's Tailored Access Operations
STUXNET - A computer worm that was used to destroy Iran's nuclear centrifuges (discovered in 2010)
STYLISHCHAMP - Tool that can create a HPA on a hard drive and then provide raw reads and writes to this area *
SUAVEEYEFUL - Alleged NSA FreeBSD software implant targeting MiraPoint email appliances; offered for sale by Shadow Brokers *
SUBTLESNOW - Major cyber threat category countered by the TUTELAGE system *
SUCTIONCHAR - Alleged NSA implant, offered for sale by Shadow Brokers *
SULPHURWRITE - Implant module related to the UNITEDRAKE framework, as revealed by the Shadow Brokers *
SUPERDRAKE - Cyber threat actor * related to WIDOWKEY *
SURLEYSPAWN - Data RF retro-reflector, gathers keystrokes FSK frequency shift keyed radar retro-reflector, USB or IBM keyboards
SURPASSPIN - Transfers commands and tasking instructions from TAO's internal to the external mission network * receives messages from the FLASHHANDLE Mission Manager *
SURPLUSHANGAR (SH) - High-to-Low diode, used for the QUANTUM system * and botnet hacking *
SUTURESAILOR - Printed circuit board digital core used with HOWLERMONKEY
SWAP - Implanted software persistence by exploiting motherboard BIOS and hard drive Host Protected Area for execution before OS loads, operative on Windows, Linux, FreeBSD and Solaris
T
TEFLONDOOR - A self-destructing post-exploitation shell for executing an arbitrary file *
THERMALDIFFUSION - Mentioned in the UNITEDRAKE interface, as revealed by the Shadow Brokers *
TITAN RAIN - Presumably Chinese attacks on American computer systems (since 2003)
TOAST - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
TORNSTEAK - Exploit solution for two firewall devices from a particular vendor *
TOTECHASER - Software implant in flash ROM Windows CE for Thuraya 2520 satellite/GSM/web/email/MMS/GPS
TOTEGHOSTLY - Modular implant for Windows Mobile OS based on SB using CP framework, Freeflow-compliant so supported by TURBULENCE architecture
TRANSGRESSION - TAO/CES unit providing cryptanalytic support for various missions * *
TREACLEBETA - TAO hacking against the Pakistani terrorist group Lashkar-e-Taiba *
TRINITY - Implant digital core concealed in COTTONMOUTH-I, providing ARM9 microcontroller, FPGA Flash and SDRAM memories *
TRUANTCHILD - Helper library for parsing and validation of parameters, part of the Exploit Development Framework (EDF)
TUNINGFORK - Sustained collection linked to SEAGULLFARO, previously NSA database or cyber threat analysis tool *
TURBINE - Active SIGINT: centralized automated command/control system for managing a large network of active computer implants for intelligence gathering (since 2010) *
TURBOPANDA - A tool that can be used to communicate with a HALLUXWATER implant and allows read/write to memory, execute an address or packet; joint NSA/CIA project on Huawei network equipment *
TUTELAGE - Active defense system with detection sensors that monitor network traffic at, for example, the NIPRNet in order to detect malicious code and network attacks, part of the TURBULENCE program *
TWEEZERS - Major intrusion set effort *
TWISTEDKILT - Writes to Host Protected Area on hard drive to implant SWAP and its implant installer payload, which can be used with the STYLISHCHAMP tool *
U
UNCANNY - Video demodulation tool (now: BOTANICREALTY) *
UNITEDRAKE (UR) - Fully extensible remote collection system designed for Windows targets,* delivered by the FERRETCANON system * receiving e-mails and files *
UNPACMAN - Processing system on TAONet, part of DEEPFRIEDPIG * *
V
VAGRANT - Radar retro-reflector technique on video cable to reproduce open computer screens *
VALIANTSURF - A "major system acquisition" that enables more efficient Computer Network Operations (CNO) by the TAO division; it will integrate into the TURBULENCE architecture *
VALIDATOR - Computer exploit delivered by the FERRETCANON system for checking whether a computer has security software, runs as user process on target OS, modified for SCHOOLMONTANA, initiates a call home, passes to SOMBERKNAVE, downloads OLYMPUS and communicates with remote operation center * known as "DoubleFantasy" in the security community *
VICTORYDANCE - Joint NSA-CIA operation to map WiFi fingerprints of nearly every major town in Yemen *
VIEWPLATE - Processor for external monitor recreating target monitor from red video
VINYLSEAT - E-mails collected through hacking operations *
VIOLETSPIRIT - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
VITALAIR - NSA tool
VITALAIR2 - Tool or database for automated scanned IP addresses for TAO known vulnerabilities *
VOYEUR - US monitoring operation in which an Iranian hacking operation against the US was detected * *
VULCANDEATHGRIP - Repository for data collected from vPCS shaping under the STEELFLAUTA program * or tool that seizes encryption keys during the handshake of two devices as they establish a secure link *
VULCANMINDMELD - ? *
W
WAGONBED - Hardware GSM controller board implant on CrossBeam or HP Proliant G5 server that communicates over I2C interface
WAITAUTO - Network used by the Remote Operations Center of NSA's TAO division *
WALKERBLACK - Related to the MAKERSMARK intrusion set * *
WARNVULCANO - Something residing on the WAITAUTO network used for TAO botnet hacking *
WARRIORPRIDE (WP) - Scalable, flexible and portable unified CNE platform used throughout the Five Eyes; equivalent at GCHQ is DAREDEVIL * It was for example used to break into iPhones *
WATCHER - Tipping tool related to SECONDDATE operations, offered for sale by Shadow Brokers *
WAXTITAN - TAO computer hacking project *
WEASELWAGGLE - Major cyber threat category countered by the TUTELAGE system *
WELLSPRING - Tool that strips out facial images from e-mails and other communications, and displays those that might contain passport images *
WIDOWKEY - Major intrusion set effort, related to SUPERDRAKE *
WHISTLINGDUXIE - TAO computer hacking project *
WHITESPYDER - Mentioned in the UNITEDRAKE interface, as revealed by the Shadow Brokers *
WICKEDVICAR - Hacking tool used to perform remote survey and installation *
WIDOWKEY - Major cyber threat category countered by the TUTELAGE system *
WILDCHOCOBO - TAO computer hacking project *
WILDCOUGAR - TAO computer hacking project *
WILLOWVIXEN - Method to deploy malware by sending out spam e-mails that trick targets into clicking a malicious link * *
WISTFULTOLL - Plug-in for UNITEDRAKE and STRAITBIZARRE used to harvest target forensics via Windows Management Instrumentation and Registry extractions, can be done through USB thumb drive * *
WINTERLIGHT - A QUANTUM computer hacking program in which Sweden takes part
WOBBLYLLAMA - A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit *
X
XTRACTPLEASING - Extracts something from a file and produces a PCAP file as output *
Y
YELLOWPIN - Printed circuit board digital core used with HOWLERMONKEY
YELLOWSPIRIT - Alleged NSA hacking tool, offered for sale by Shadow Brokers *
YELLPIG - FTP server on the TAONet/NSANet DMZ *
Z
ZEBEDEE - Related to the MAKERSMARK intrusion set * *
ZESTYLEAK - A software implant for Juniper NetScreen firewalls allowing remote JETPLOW firmware installation, also listed as a module for BANANAGLEE *
ZEUS - Major cyber threat category countered by the TUTELAGE system *
ZORIPIG - Itx on the TAONet/NSANet DMZ *
Links and Sources
- Musalbas.com: Equation Group Firewall Operations Catalogue from the Shadow Brokers leak
- IC Off The Record: NSA ANT Product Catalog
NSA Cyber Weapons / Sophisticated Malware Leaked
magnet:?xt=urn:btih:40a5f1514514fb67943f137f7fde0a7b5e991f76
FULL INSTRUCTIONS:
http://archive.is/rdYpc
http://pastebin.com/NDTU5kJQ
LINKS:
https://mega.nz/#!zEAU1AQL!oWJ63n-D6lCuCQ4AY0Cv_405hX8kn7MEsa1iLH5UjKU
https://app.box.com/s/amgkpu1d9ttijyeyw2m4lso3egb4sola
https://www.dropbox.com/s/g8kvfl4xtj2vr24/EQGRP-Auction-Files.zip
https://ln.sync.com/dl/5bd1916d0#eet5ufvg-tjijei4j-vtadjk6b-imyg2qkd
https://yadi.sk/d/QY6smCgTtoNz6
http://www7.zippyshare.com/v/Ts54bb2p/file.html
https://github.com/nneonneo/eqgrp-free-file
https://codeload.github.com/nneonneo/eqgrp-free-file/zip/master
NSA Malware Scripts via WikiLeaks
https://cryptome.org/2016/08/nsa-malware-scripts.zip
Eyeballing NSA Leaks (2013 - 2016, Up To Date!)
Operation KILLCEN began archiving all the Snowden leaks (official documents, slides, screenshots and news articles) when they first started being reported. I believe the first leak exposing NSA's PRISM program.
Over the last few years, KILLCEN mirrored three archives full of collected material, and has been working on the fourth archive ever since the third archive was mirrored. Time to mirror the fourth archive:
Eyeballing_Snowden_Info_Folder_04.zip (08-22-2016)
https://mega.nz/#!2l80kDLD!_LgvwKfoEMm33eYLlOS6F142KLpFgI0jTOldApynaMU
The past three archives can be found here:
Eyeballing_Snowden_Info_Folder_03.zip (07-07-2015)
https://mega.nz/#!O4Uy3azI!rDelJUnzg5oNutAG5rvFbnllIrnKKszzxf_fZkTbNXw
Eyeballing_Snowden_Info_Folder_02.zip (01-02-2015)
https://mega.nz/#!fxlBURiZ!LuigCR1iTN2wumi4HfMVhLvz62ryoMNdI3y-vqUw5VM
Eyeballing_Snowden_Info_Folder_01.zip (01-02-2015)
https://mega.nz/#!69EnARYT!DmMPM9YceyL563EVfNph9t-OzjWZ2_Fo3xS_wxq9byQ
I consolidated ALL four archives from 2013 - 2016 and compressed them to tarball/gzip using Ark. You can download all consolidated files here:
Eyeballing_Snowden_Leaks_2013-16.tar.gz
https://mega.nz/#!GZcDTI5Y!eH6lBCGXsB5CT3SK0sG2ndn0cIgukBUg4GeTqQ0TXF8
All files were stored offline, most on DVD backups to prevent hacking or remote hijacking.
Security tip: Always open archives on an old air-gapped (offline) computer, never trust anything you download to be safe.