Vault 7 Leaks: CIA Hacking Tools “BothanSpy” and “Gyrfalcon” Steal SSH Credentials From Windows and Linux Computers – WikiLeaks

WikiLeaks has revealed two more CIA cyber weapons, “BothanSpy” and “Gyrfalcon”, which steal SSH credentials from Windows and Linux systems. The two tools run on different operating systems and use different attack vectors.

SSH (Secure Shell) is a protocol for accessing network services securely over an unsecured channel, most commonly for remote login. The standard TCP port 22 is assigned for contacting SSH servers.

The BothanSpy implant targets the Windows SSH client program Xshell and steals user credentials for all active SSH sessions on the Windows PC.

The stolen credentials are either the username and password for password-authenticated SSH sessions, or the username, SSH key filename and key password if public key authentication is used.

BothanSpy then either exfiltrates the stolen credentials to a CIA-controlled server or saves them in an encrypted file for later exfiltration to the CIA-controlled server.

The Gyrfalcon implant targets the OpenSSH client on Linux platforms (CentOS, Debian, RHEL, SUSE, Ubuntu).

This tool has more advanced functions: it can not only steal user credentials of active SSH sessions but is also capable of collecting full or partial OpenSSH session traffic.

BothanSpy – Steals SSH Credentials from Windows

BothanSpy targets only the Windows platform and steals user credentials for all active SSH sessions of the SSH client program Xshell.

According to the CIA document, BothanSpy exfiltrates the stolen credentials through the Fire and Collect (F&C) channel and out to disk on the attacker side.

When BothanSpy uses the F&C channel, it never touches the disk; when it does write stolen credentials to disk, they are encrypted with AES.

BothanSpy.dll requires no configuration before it can be used. To set up the attack box to use F&C, copy the ice_handler.py script to the attack machine, and open a shell at this location.

Xshell must be running on the target Windows machine with active sessions for BothanSpy to succeed; otherwise, Xshell is not storing credential information in the location BothanSpy will search.

To steal credentials from all running Xshell processes that have active SSH sessions, the CIA used the following command:

>BothanSpy BothanSpy.dll> Forget
folder on target>\<base file name> <passphrase>

BothanSpy is sensitive to the Xshell version, and it failed to steal credentials from some versions (Xshell version 2 build 0910).

An important consideration is that BothanSpy does not perform version checking at any stage.

Gyrfalcon – Steals SSH Credentials from Linux

According to the CIA document, Gyrfalcon is an SSH session “sharing” tool that operates on outbound OpenSSH sessions from the target host and is capable of logging SSH sessions, including login credentials.

By executing the command, a legitimate user on the remote host is able to access the logged credentials.

“It is configured in advance, executed on the remote host and left running. Sometime later, the operator returns and commands gyrfalcon to flush all of its collection to disk. The operator retrieves the collection file, decrypts it, and analyzes the collected data”

Configured with a list of target IP address/netmask combinations, the tool can track multiple outbound SSH sessions.

To start the process, the operator issues the “a” command and is prompted for the following information:

  • Specify an IPv4 or IPv6 address/netmask.
  • Specify the collection behavior.
  • Specify the path to the executable file.

The document indicates that Gyrfalcon writes to a collection file in its working directory; the filename is specified in the config file. Gyrfalcon continues to stream data to this file during the course of its normal operation.

The operator must signal gyrfalcon to flush its collection buffers before the data can be collected.

All collected information is stored in an encrypted file for later exfiltration. Gyrfalcon is installed and configured on the target machine by using a CIA-developed rootkit (JQC/KitV).
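For incident response, the practical consequence of the description above is that credentials used in outbound SSH sessions from a suspect Linux host should be treated as exposed. The following added example (not from the article or the leaked documents) parses a constructed `ss -tnp` listing and groups outbound OpenSSH client destinations, IPv4 and IPv6, by defender-chosen address ranges to prioritise rotation. The range names, sample lines and function names are assumptions, and because a rootkit is involved the listing is assumed to come from a trusted capture rather than from tools run on the live host.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `ss -tnp` output from a suspect host (not real data).
SAMPLE_SS = """\
ESTAB 0 0 10.0.0.5:51234 192.168.1.10:22 users:(("ssh",pid=1234,fd=3))
ESTAB 0 0 10.0.0.5:51240 192.168.1.77:2222 users:(("ssh",pid=1301,fd=3))
ESTAB 0 0 10.0.0.5:44321 203.0.113.9:443 users:(("curl",pid=1400,fd=5))
ESTAB 0 0 [2001:db8::5]:40000 [2001:db8:aa::10]:22 users:(("ssh",pid=1502,fd=3))
ESTAB 0 0 10.0.0.5:22 10.0.0.99:60022 users:(("sshd",pid=900,fd=4))
ESTAB 0 0 10.0.0.5:51300 198.51.100.4:22 users:(("ssh",pid=1610,fd=3))
"""

# Hypothetical defender-chosen ranges used to prioritise rotation (assumption).
SENSITIVE = {"prod-v4": "192.168.1.0/24", "prod-v6": "2001:db8:aa::/48"}
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def outbound_ssh_sessions(ss_text):
    """Return (peer_ip, peer_port, pid) for sessions owned by the ssh client."""
    sessions = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue
        match = PROC_RE.search(fields[5])
        if not match or match.group(1) != "ssh":  # sshd means inbound: skip
            continue
        addr, port = split_endpoint(fields[4])
        sessions.append((addr, port, int(match.group(2))))
    return sessions

def rotation_scope(ss_text, sensitive=SENSITIVE):
    """Group outbound SSH destinations by the sensitive range they fall in."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sensitive.items()}
    scope = defaultdict(list)
    for addr, port, _pid in outbound_ssh_sessions(ss_text):
        label = next((name for name, net in nets.items()
                      if net.version == addr.version and addr in net), "other")
        host = f"[{addr}]" if addr.version == 6 else str(addr)
        scope[label].append(f"{host}:{port}")
    return dict(scope)

if __name__ == "__main__":
    for label, peers in rotation_scope(SAMPLE_SS).items():
        print(label, peers)
```

Destinations under "other" still need their credentials rotated; the grouping only orders the work.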

Previous CIA Leaked Tools by WikiLeaks

OutlawCountry – Vault 7 Leaks: CIA Malware “OutlawCountry” Controls Linux Machine and Redirect the Victims Traffic into CIA Controlled Machine – WikiLeaks

ELSA – Vault 7 Leaks: CIA Malware “ELSA” Tracking Geo-Location of WiFi Enabled Windows Computers – WikiLeaks

Brutal Kangaroo – CIA Hacking Tool “Brutal Kangaroo” Revealed to Hack Air-Gapped Networks by using USB Thumb Drives – WikiLeaks

CherryBlossom – Wikileaks Revealed New CIA Wireless Hacking Tool “Cherry Blossom” Compromise Your Wireless Network Devices using MITM Attack

Pandemic – New CIA Cyberweapon Malware “Pandemic” installed in Victims Machine and Replaced Target files where remote users use SMB to Download

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
