cia-malware
A team of hackers at the CIA, the Central Intelligence Agency, allegedly used a Windows hacking tool against its targets to gain persistent remote access.

As part of its Vault 7 leaks, WikiLeaks today revealed details about a new implant developed by the CIA, dubbed AngelFire, to target computers running Windows operating system.

AngelFire framework implants a persistent backdoor on the target Windows computers by modifying their partition boot sector.

AngelFire framework consists five following components:

1. Solartime — it modifies the partition boot sector to load and execute the Wolfcreek (kernel code) every time the system boots up.

2. Wolfcreek — a self-loading driver (kernel code that Solartime executes) that loads other drivers and user-mode applications

3. Keystone — a component that utilizes DLL injection technique to execute the malicious user applications directly into system memory without dropping them into the file system.

4. BadMFS — a covert file system that attempts to install itself in non-partitioned space available on the targeted computer and stores all drivers and implants that Wolfcreek starts.

5. Windows Transitory File system — a new method of installing AngelFire, which allows the CIA operator to create transitory files for specific tasks like adding and removing files to AngelFire, rather than laying independent components on disk.

According to a user manual leaked by WikiLeaks, AngelFire requires administrative privileges on a target computer for successful installation.

The 32-bit version of implant works against Windows XP and Windows 7, while the 64-bit implant can target Server 2008 R2, Windows 7.

Previous Vault 7 CIA Leaks


Last week, WikiLeaks published another CIA project, dubbed ExpressLane, which detailed about the spying software that the CIA agents used to spy on their intelligence partners around the world, including FBI, DHS and the NSA.

Since March, WikiLeaks has published 22 batches of "Vault 7" series, which includes the latest and last week leaks, along with the following batches:


  • CouchPotato — A CIA project that revealed its ability to spy on video streams remotely in real-time.
  • Dumbo — A CIA project that disclosed its ability to hijack and manipulate webcams and microphones to corrupt or delete recordings.
  • Imperial — A CIA project that revealed details of 3 CIA-developed hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux OS.
  • UCL/Raytheon — An alleged CIA contractor that analysed in-the-wild advanced malware and submitted at least five reports to the agency for help it develops its malware.
  • Highrise — An alleged CIA project that allowed the US agency to stealthy collect and forward stolen data from compromised smartphones to its server via SMS messages.
  • BothanSpy and Gyrfalcon — Two alleged CIA implants that allowed the spy agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux computers using different attack vectors.
  • OutlawCountry — An alleged CIA project that allowed the agency to hack and remotely spy on computers running Linux operating systems.
  • ELSA — Alleged CIA malware that tracks geo-location of targeted laptops and computers running the Microsoft Windows OS.
  • Brutal Kangaroo — A tool suite for Microsoft Windows OS used by the CIA agents to target closed networks or air-gap computers within an organisation or enterprise without requiring any direct access.
  • Cherry Blossom — A framework employed by the agency to monitor the Internet activity of the targeted systems by exploiting flaws in Wi-Fi devices.
  • Pandemic — A CIA's project that allowed the spying agency to turn Windows file servers into covert attack machines that can silently infect other PCs of interest inside the same network.
  • Athena — A spyware framework that the agency designed to take full control over the infected Windows systems remotely and works against every version of Windows OS–from Windows XP to Windows 10.
  • AfterMidnight and Assassin — 2 alleged CIA malware frameworks for the Microsoft Windows platform that's meant to monitor and report back actions on the infected remote host PC and execute malicious actions.
  • Archimedes — Man-in-the-middle (MitM) attack tool allegedly developed by the agency to target computers inside a Local Area Network (LAN).
  • Scribbles — Software allegedly designed to embed 'web beacons' into confidential documents, allowing the CIA agents to track insiders and whistleblowers.
  • Grasshopper — A framework which allowed the spying agency to easily create custom malware for breaking into Microsoft's Windows OS and bypassing antivirus protection.
  • Marble — Source code of a secret anti-forensic framework used by the agency to hide the actual source of its malware.
  • Dark Matter — Hacking exploits the spying agency designed to target iPhones and Macs.
  • Weeping Angel — Spying tool used by the CIA agents to infiltrate smart TV's, transforming them into covert microphones.
  • Year Zero — CIA hacking exploits for popular hardware and software.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.