Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareUsed by 3 actorsExploits 2 CVEs

EternalSynergy

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

2 CVES
CVE-2017-0143Windows SMBv1 Remote Code Execution VulnerabilityExploited in the wild

CVE-2017-0143 Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit Mitigation: Update affected Microsoft products with the latest security patches | CVE-2017-0143 Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit | CVE-2017-0143 ... Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit

via cisa advisoriescisa.gov
CVE-2017-0146EternalChampion (Race Condition in SMBv1)

The three exploits are EternalChampion, EternalRomance, and EternalSynergy... CVE-2017-0143... Exploited by EternalRomance EternalSynergy; CVE-2017-0146... Exploited by EternalChampion EternalSynergy.

via bleeping computerbleepingcomputer.com
THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
BackdoorDiplomacy

BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.

via mitre attack websiteattack.mitre.org
Equation Group

Symantec discovered that as early as March 2016, the Chinese hackers were using tweaked versions of two N.S.A. tools, called Eternal Synergy and Double Pulsar, in their attacks.

via new york timesnytimes.com
APT3

Symantec discovered that as early as March 2016, the Chinese hackers were using tweaked versions of two N.S.A. tools, called Eternal Synergy and Double Pulsar, in their attacks.

via new york timesnytimes.com
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1588.001MalwareEvidence1

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.

Initial Access

1 technique
T1078Valid AccountsEvidence1

"Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain Admin/SYSTEM session," Dillon says.

Persistence

1 technique
T1078Valid AccountsEvidence1

"Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain Admin/SYSTEM session," Dillon says.

Privilege Escalation

2 techniques
T1068Exploitation for Privilege EscalationEvidence1

Sean Dillon ... modified the source code for some of these lesser-known exploits so they would be able to work and run SYSTEM-level code on a wide variety of Windows OS versions.

T1078Valid AccountsEvidence1

"Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain Admin/SYSTEM session," Dillon says.

Stealth

1 technique
T1078Valid AccountsEvidence1

"Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain Admin/SYSTEM session," Dillon says.

Lateral Movement

2 techniques
T1021.002SMB/Windows Admin SharesEvidence1

"The [Metasploit Framework] module is leaner ... and has Metasploit's psexec DCERPC implementation bolted onto it."

T1210Exploitation of Remote ServicesEvidence1

Dillon has crafted his modified exploits to take advantage of the following vulnerabilities: CVE-2017-0143 ... EternalRomance EternalSynergy; CVE-2017-0146 ... EternalChampion EternalSynergy.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
mitre attack websiteNews
Oct 31, 2024
Obtain Capabilities: Malware, Sub-technique T1588.001 - Enterprise | MITRE ATT&CK®

A leaked exploit capability used in threat actor operations.

Read more
wired com securityNews
May 7, 2019
The Strange Journey of an NSA Zero-Day-Into Multiple Enemies' Hands | WIRED

NSA SMB exploit tool referenced as part of the leaked NSA toolkit; used for compromising Windows systems via SMB.

Read more
new york timesNews
May 6, 2019
How Chinese Spies Got the N.S.A.’s Hacking Tools, and Used Them for Attacks - The New York Times

An NSA-linked exploit tool that Chinese intelligence contractors captured and modified for follow-on intrusions against organizations in multiple countries.

Read more
bleeping computerNews
Feb 5, 2018
NSA Exploits Ported to Work on All Windows Versions Released Since Windows 2000

Leaked NSA SMB exploit ported to run across many Windows versions and associated with SYSTEM-level access via SMB session structure manipulation.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities2

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.