Malware | Ransomware | Used by 5 actors | Exploits 2 CVEs

EternalBlue

EternalBlue is a leaked NSA-developed Windows SMBv1 remote code execution exploit associated with MS17-010 and CVE-2017-0144. It targets vulnerable Windows systems, particularly pre-Windows 8 and pre-Windows 10 systems, by abusing flaws in the SMBv1 implementation in srv.sys. The exploit was publicly released by The Shadow Brokers on 2017-04-14 in the "Lost in Translation" leak and is frequently described in the cited sources as a family or collection of Windows zero-day vulnerabilities. Its capabilities include unauthenticated compromise of vulnerable hosts, kernel-level code execution, lateral movement across networks, and wormable self-propagation. Technical analysis in the cited sources states that EternalBlue uses crafted SMB transactions and heap grooming to trigger a non-paged pool overflow and overwrite srvnet-related kernel structures, enabling execution of payloads such as DoublePulsar.

The exploit became widely known because it was repurposed in major destructive and ransomware outbreaks including WannaCry, NotPetya, and Bad Rabbit. In WannaCry, EternalBlue was used for initial SMB exploitation and was paired with the DoublePulsar backdoor to install and execute the ransomware payload while scanning TCP port 445 and propagating across internal and external networks. NotPetya also used EternalBlue for rapid spread, contributing to global damage after initially targeting Ukraine. The cited sources also state that EternalBlue was reportedly used to spread ransomware in Baltimore, was used by the Blackmoon/KRBanker campaign's spreader alongside DoublePulsar and EternalRomance, and has been obtained or used by actors including BackdoorDiplomacy and Buckeye/APT3. The leak and subsequent abuse of EternalBlue are repeatedly cited as examples of how stockpiled offensive cyber capabilities can escape into criminal and state-linked operations.

High-confidence indicators and associations mentioned in the cited sources include SMBv1, MS17-010, CVE-2017-0144, TCP port 445 scanning, pairing with DoublePulsar, and public exploit implementations in Metasploit. A vulnerable system may be identified as susceptible to the MS17-010 EternalBlue attack by scanners such as Nessus. Microsoft released patches for the underlying SMB vulnerabilities in March 2017 under MS17-010.
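The indicator that is easiest to act on from the summary above is the propagation pattern: one host opening TCP/445 connections to many distinct peers in a short window, including peers outside the internal address space. The script below is an added example written for this page, not code from Mallory or from any of the cited sources; it runs a sliding-window fan-out detector over a constructed, hypothetical connection-log format ("<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>") and the internal address ranges it uses are an assumption to be replaced with your own. It goes slightly beyond the text by also separating external targets, since the page notes propagation across both internal and external networks.

```python
"""Flag hosts fanning out over TCP/445, the wormable-spread pattern noted above.
Added example; not part of the Mallory page or any cited vendor source."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 space is "internal"; adjust to your environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample log (hypothetical format, not real telemetry):
# one host touching 12 internal peers plus one external peer within seconds,
# one host with ordinary file-share traffic, one non-SMB flow, one bad line.
SAMPLE_LOG = [
    f"2017-05-12T10:00:{i:02d} 10.0.0.5 10.0.0.{20 + i} 445 tcp" for i in range(12)
] + [
    "2017-05-12T10:00:13 10.0.0.5 203.0.113.7 445 tcp",   # external peer
    "2017-05-12T10:00:05 10.0.0.8 10.0.0.50 445 tcp",     # normal share access
    "2017-05-12T10:01:05 10.0.0.8 10.0.0.50 445 tcp",
    "2017-05-12T10:02:05 10.0.0.8 10.0.0.51 445 tcp",
    "2017-05-12T10:00:06 10.0.0.9 10.0.0.50 443 tcp",     # not SMB, ignored
    "garbage line",                                       # malformed, ignored
]


def is_internal(ip_str):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line; return (ts, src, dst, port, proto) or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        ip_address(parts[1])
        ip_address(parts[2])
        port = int(parts[3])
    except ValueError:
        return None
    return ts, parts[1], parts[2], port, parts[4].lower()


def find_445_fanout(lines, min_targets=10, window_seconds=60):
    """Return {src: {...}} for sources that reached >= min_targets distinct
    TCP/445 peers inside any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 445 or rec[4] != "tcp":
            continue
        events[rec[1]].append((rec[0], rec[2]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()                      # by timestamp, then dst
        in_window = defaultdict(int)    # dst -> hits inside current window
        start, best = 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Slide the window start forward past events older than the window.
            while ts - evs[start][0] > window:
                old_dst = evs[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            alerts[src] = {
                "max_distinct_targets": best,
                "external_targets": sorted({d for _, d in evs if not is_internal(d)}),
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_445_fanout(SAMPLE_LOG).items():
        print(f"{src}: {info['max_distinct_targets']} distinct TCP/445 peers "
              f"in 60s; external: {info['external_targets'] or 'none'}")
```

Tune `min_targets` and `window_seconds` against a baseline of your own file-server and backup traffic before alerting; legitimate SMB clients rarely touch more than a handful of distinct servers per minute, which is why the constructed host 10.0.0.8 stays below the threshold while 10.0.0.5 trips it.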


EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2017-0144: EternalBlue SMBv1 Remote Code Execution

By using the Nessus vulnerability scanner, a system vulnerable to the MS17-010 EternalBlue attack was discovered.

via Medium (petergombos, medium.com)
CVE-2017-0143: Windows SMBv1 Remote Code Execution Vulnerability (exploited in the wild)

CVE-2017-0143. Vulnerable products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016. Associated malware: multiple, using the EternalSynergy and EternalBlue exploit kit. Mitigation: update affected Microsoft products with the latest security patches.

via CISA advisories (cisa.gov)

THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
BackdoorDiplomacy

BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.

via MITRE ATT&CK website (attack.mitre.org)
Shadow Brokers

If the DoublePulsar backdoor does not exist, then the SMB worm attempts to compromise the target using the EternalBlue SMBv1 exploit.

via Sophos (sophos.com)
The Shadow Brokers

The EternalBlue exploitation tool was leaked by “The Shadow Brokers” group on April 14, 2017, in their fifth leak, “Lost in Translation.”

via Check Point Research blog (research.checkpoint.com)
NSA

"...the Shadow Brokers hacked and disclosed a cache of stockpiled NSA cyber capabilities, including the EternalBlue vulnerability, which was later used in the devastating WannaCry and NotPetya ransomware attacks."

via ETH Zurich news (ethz.ch)
Lazarus

"The NSA-developed Windows exploit EternalBlue was stolen and exposed in 2017, eventually enabling destructive operations like North Korea’s WannaCry attack and Russia-linked NotPetya hacks."

via Nextgov (nextgov.com)
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1588.001 Malware (evidence: 1)

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 2)

A single vulnerable and internet-exposed system was enough to wreak havoc.

Execution

2 techniques
T1203 Exploitation for Client Execution (evidence: 7)

Among the exposed tools was EternalBlue, a collection of Windows zero-day vulnerabilities that enabled attackers to infiltrate systems...

T1574 Hijack Execution Flow (evidence: 1)

Controlling the MDL lets you “write-what-where” the primitive.

Privilege Escalation

1 technique
T1068 Exploitation for Privilege Escalation (evidence: 1)

Sean Dillon ... modified the source code for some of these lesser-known exploits so they would be able to work and run SYSTEM-level code on a wide variety of Windows OS versions.

Stealth

1 technique
T1574 Hijack Execution Flow (evidence: 1)

Controlling the MDL lets you “write-what-where” the primitive.

Defense Impairment

1 technique
T1222 File and Directory Permissions Modification (evidence: 1)

A bug in the process of converting FEA (File Extended Attributes) from Os2 structure to NT structure by the Windows SMB implementation (srv.sys driver) leads to buffer overflow in the non-paged kernel pool.

Discovery

1 technique
T1046 Network Service Discovery (evidence: 3)

North Korean hackers used EternalBlue to unleash the WannaCry ransomware worm. Russian hackers later built it into NotPetya, which spiraled beyond its initial Ukrainian targets and caused an estimated $10 billion in damages globally.

Lateral Movement

4 techniques
T1021 Remote Services (evidence: 1)

Around January this year, Microsoft was tipped off ... that the NSA's EternalBlue cyber-weapon, which can compromise pre-Windows 10 systems via an SMBv1 networking bug, had been stolen and was about to leak into the public domain.

T1021.002 SMB/Windows Admin Shares (evidence: 1)

Our analysis of the artifacts and network traffic at victim networks indicate that modified versions of the EternalBlue and EternalRomance SMB exploits were used, at least in part, to spread laterally.

T1210 Exploitation of Remote Services (evidence: 26)

Among the exposed tools was EternalBlue, a collection of Windows zero-day vulnerabilities that enabled attackers to infiltrate systems, move laterally across networks, and spread malware automatically.

T1570 Lateral Tool Transfer (evidence: 4)

Among the tools released, the Shadow Brokers published EternalBlue — a family of zero-day vulnerabilities targeting Windows that allowed hackers to break into computers on a hacked network, rapidly expand their access, and deploy self-propagating worms.

Command and Control

1 technique
T1001 Data Obfuscation (evidence: 1)

Thus, it’s possible to send: SMB_COM_NT_TRANSACT followed by SMB_COM_TRANSACTION2_SECONDARY. This situation can lead to wrong data parsing, and this bug enables Bug A by treating Dword as Word.

Exfiltration

1 technique
T1537 Transfer Data to Cloud Account (evidence: 1)

The first installment centers on the Shadow Brokers — an enigmatic group that surfaced online, dumped a trove of hacking tools believed to belong to the NSA, and then vanished.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching: Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (5): Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (2): CVEs this family uses for access and lateral movement.

Detection signatures: YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (13): Every documented technique, ranked by evidence weight.

Researcher chatter: Reddit, Mastodon, and CTI community discussion around this family.