DoublePulsar
DoublePulsar is a kernel-mode SMB backdoor/implant attributed to the Equation Group and exposed publicly in the April 2017 Shadow Brokers leak. It is installed after a successful exploit of a Windows SMB vulnerability, most often via EternalBlue/EternalSynergy-class exploit chains, and gives the operator a fileless foothold for executing further code on the compromised host. Sources differ on whether to call it "persistent": it does keep a backdoor open for as long as the host stays up, but it lives only in kernel memory, writes nothing to disk, and is gone after a reboot unless the attacker re-exploits the host and reinstalls it.
Operationally, DoublePulsar hooks the SMB server's Transaction2 request handling in kernel memory (srv.sys) and answers on the normal SMB port, TCP/445, so a backdoored host responds distinctively to specially crafted traffic and can be fingerprinted remotely. The covert channel is the SMB header's Multiplex ID (MID) field: a Trans2 SESSION_SETUP request sent with MID 0x41 is answered with MID 0x51 by an implanted host, whereas a clean host echoes back the MID it was sent. Reported capabilities include loading DLLs or shellcode directly into memory via reflective image loading, and a command set of Ping, RunDLL, RunShellcode, OutputInstall, and Uninstall; in practice it is the stage that injects payload DLLs into a remote system after EternalBlue has opened the door.
DoublePulsar has repeatedly served as an enabling component in large malware campaigns. WannaCry first probed each target for an existing DoublePulsar implant; if one was present it used it directly to load its ransomware payload, otherwise it exploited the MS17-010 SMBv1 flaw with EternalBlue, installed DoublePulsar, and then used the implant to execute the payload. The same EternalBlue-plus-DoublePulsar propagation was described for Satan ransomware and for a staged Blackmoon/KRBanker campaign, where it provided lateral movement and backdoor installation across networks, and NotPetya is also reported to have reused the EternalBlue and DoublePulsar tooling.
The implant has also surfaced in state-linked operations and tool-reuse cases. BackdoorDiplomacy is reported to have obtained and used leaked tooling including DoublePulsar. Symantec reported that Buckeye (also tracked as APT3, Gothic Panda, UPS Team, and TG-0110) used a variant of the NSA-developed DoublePulsar backdoor from as early as March 2016, more than a year before the public Shadow Brokers dump, against research organizations, educational institutions, and telecommunications networks in Europe and Asia, and against at least one U.S. ally. More recent reporting cites Sandworm relying on these older exploit chains (EternalBlue, DoublePulsar, and WannaCry-era tooling) in intrusions that reached industrial and OT environments.
High-confidence indicators and behaviors: SMB traffic on TCP/445 from unexpected sources, distinctive SMB responses to crafted probes, the MID 0x41 probe / MID 0x51 reply signaling, fileless in-memory operation with no on-disk artifacts, loss of the implant on reboot (a host reported infected that later scans clean may simply have been restarted), and co-occurrence with EternalBlue/MS17-010 exploitation. Historical internet-wide scans put the number of exposed Windows machines carrying the implant anywhere from tens of thousands to over 100,000, and tools were released that could remotely detect and uninstall it.
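The MID 0x41/0x51 exchange described above, as an added example written for this page (it is not tooling from the original page or from any of the cited scanners). It builds the Trans2 SESSION_SETUP probe frame that carries MID 0x41 and classifies a reply by the Multiplex ID it comes back with. Assumptions: the SMB negotiate, anonymous session setup, and IPC$ tree connect have already happened and supplied the `tid`/`uid`; the Trans2 Timeout field is left at zero; the two sample replies are constructed, not captured, and the STATUS_NOT_IMPLEMENTED status in them is an assumption about what a stock server returns for this subcommand.

```python
"""Build the DoublePulsar SMB1 'ping' probe (MID 0x41) and classify the reply
by its Multiplex ID. Added illustration; sample replies are constructed."""
import struct
from typing import Optional

SMB_COM_TRANSACTION2 = 0x32          # SMB1 command whose handling the implant hooks
TRANS2_SESSION_SETUP = 0x000E        # Trans2 subcommand used by the probe
PROBE_MID = 0x41                     # Multiplex ID the detector sends
IMPLANT_MID = 0x51                   # Multiplex ID an implanted host answers with
STATUS_NOT_IMPLEMENTED = 0xC0000002  # assumed NTSTATUS in the reply


def smb1_header(command, tid, pid, uid, mid, status=0, flags=0x18, flags2=0xC007):
    """32-byte SMB1 header (little-endian): Protocol, Command, Status, Flags,
    Flags2, PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, status, flags, flags2,
                       (pid >> 16) & 0xFFFF, b"\x00" * 8, 0, tid, pid & 0xFFFF, uid, mid)


def trans2_session_setup_body(timeout: int = 0) -> bytes:
    """Trans2 request block: WordCount 15 = fourteen parameter words plus one
    setup word carrying the subcommand, then a zero ByteCount. Counts and
    offsets are zero because the probe carries no parameters or data."""
    words = struct.pack("<HHHHBBHIHHHHHBBH",
                        0, 0, 0, 0,           # Total/Max Parameter and Data counts
                        0, 0,                 # MaxSetupCount, Reserved
                        0,                    # Flags
                        timeout,              # Timeout
                        0,                    # Reserved2
                        0, 0, 0, 0,           # ParameterCount/Offset, DataCount/Offset
                        1, 0,                 # SetupCount, Reserved3
                        TRANS2_SESSION_SETUP) # Setup[0]
    return bytes([15]) + words + struct.pack("<H", 0)


def netbios_frame(smb: bytes) -> bytes:
    """Direct-hosted SMB on TCP/445: 1 type byte (0x00) + 24-bit big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_ping_probe(tid: int, uid: int, pid: int = 0xFEFF) -> bytes:
    """Probe to send on an already negotiated anonymous session; tid/uid come
    from the preceding TREE_CONNECT to IPC$ and SESSION_SETUP (assumed done)."""
    header = smb1_header(SMB_COM_TRANSACTION2, tid, pid, uid, PROBE_MID)
    return netbios_frame(header + trans2_session_setup_body())


def response_mid(frame: bytes) -> Optional[int]:
    """Pull the MID (header offset 30) out of a NetBIOS-framed SMB1 reply."""
    if len(frame) < 36 or frame[0] != 0x00 or frame[4:8] != b"\xffSMB":
        return None
    return struct.unpack_from("<H", frame, 4 + 30)[0]


def classify(frame: bytes) -> str:
    """0x51 is the implant's tell; an echoed 0x41 is what a stock server does."""
    mid = response_mid(frame)
    if mid is None:
        return "not-smb1"
    if mid == IMPLANT_MID:
        return "doublepulsar-present"
    if mid == PROBE_MID:
        return "clean-echo"
    return "unexpected-mid-0x%02x" % mid


def _sample_reply(mid: int) -> bytes:
    """Constructed reply (not a capture): Trans2 error response, WordCount 0,
    ByteCount 0, reply bit set in Flags; only the MID differs between samples."""
    header = smb1_header(SMB_COM_TRANSACTION2, 0x0800, 0xFEFF, 0x0800, mid,
                         status=STATUS_NOT_IMPLEMENTED, flags=0x98)
    return netbios_frame(header + b"\x00" + b"\x00\x00")


SAMPLE_IMPLANTED = _sample_reply(IMPLANT_MID)
SAMPLE_CLEAN = _sample_reply(PROBE_MID)

if __name__ == "__main__":
    print("probe:", build_ping_probe(tid=0x0800, uid=0x0800).hex())
    for name, reply in (("implanted", SAMPLE_IMPLANTED), ("clean", SAMPLE_CLEAN)):
        print(name, "->", classify(reply))
```

Against a live host you would send `build_ping_probe(...)` on the session socket after the usual negotiate/session-setup/tree-connect and hand the reply to `classify`. A MID 0x51 answer is the high-confidence indicator; anything else only means this probe was not answered by the hook (for instance because SMBv1 is disabled), not that the host is clean.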
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010. The worm specifically scans for the existence of the DoublePulsar backdoor on compromised systems. If the DoublePulsar backdoor does not exist, then the SMB worm attempts to compromise the target using the EternalBlue SMBv1 exploit.
Groups observed using it
5 distinct threat actors attributed by public researchers.
BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.
The worm specifically scans for the existence of the DoublePulsar backdoor on compromised systems.
Symantec discovered that as early as March 2016, the Chinese hackers were using tweaked versions of two N.S.A. tools, called Eternal Synergy and Double Pulsar, in their attacks.
Symantec reported that two of those advanced hacking tools were used against a host of targets starting in March 2016... an advanced persistent threat hacking group... somehow got access to a variant of the NSA-developed “DoublePulsar” backdoor and one of the Windows exploits the NSA used to remotely install it on targeted computers.
The exploit chains in play included EternalBlue, DoublePulsar, and WannaCry, all tools that have been publicly known and patchable for years.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
Initial Access (2 techniques)
Execution (4 techniques)
The fake HandlerFunction is executed, but this function is the shellcode.
The infection of other machines on the network will be achieved with the following command: cmd /c cd /D C:\Users\Alluse~1\&blue.exe ...
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (3 techniques)
As Ars reported last week, the ultra-stealthy DoublePulsar writes no files to the hard drives of computers it infects, a feature that causes it to be removed as soon as the computer restarts.
Lateral Movement (3 techniques)
Researcher Kevin Beaumont told Ars that detecting DoublePulsar involves sending a series of SMB—short for server message block—queries to Internet-facing computers.
In essence, the transport code scanned the network for vulnerable computers, then used the EternalBlue exploit to access them by sending crafted packets from attackers, allowing them to execute arbitrary code remotely.
The references include WannaCry-related material such as "CVE-2017-0143," "DoublePulsar Explained," and "SMB Exploited: WannaCry Use of 'EternalBlue.'"
Recent activity
22 sources tracked across advisories, community write-ups, and news.
Backdoor implant referenced as part of exploit chains used in pre-compromised environments that Sandworm later leveraged to move deeper into industrial networks.
Backdoor component appearing in exploit chains that Sandworm capitalized on in already-compromised environments.
Referenced as an example of a real-world implant used alongside exploitation techniques.
Fileless kernel-mode SMB backdoor used by WannaCry to verify compromise and inject/run payloads on infected systems during automated spreading.