The WikiLeaks-hosted “Vault7” collection of documents allegedly leaked from within the CIA’s Computer Operations Group is a messy mix of jargon, incomplete info and broken (or redacted) links. The information is interesting, but it’s quite difficult to find a basic description of many of the terms used, even using the search function. So for everybody’s convenience I’ve gone through the whole pile of docs and listed as many of the tools and techniques mentioned by spook IT as I could find.

If there’s any indication of what the thing does, I’ve included it, though some of these are just educated guesses based on the devices being tested on, comments from their developers and so on. All data (such as OS versions affected) is as of the latest document I could find in the leaked files. Images are all from the leaks, as well.

I’ve included tools that seemed significant but had no real information on them at the bottom of each list. I did not include links because projects and their descriptions are often spread across multiple pages or PDFs. I also did not include commercial tools (such as Lockheed Martin’s DART software testing suite) or operation names (like JQJHAIRPIECE) that seem to merely be specific deployments of other tools.

This list is by no means comprehensive or authoritative, nor should the leaked files be considered a comprehensive account of the hacking tools created and used by the CIA. I’ll be updating it as I find more or as things are un-redacted.

Embedded Development Branch (EDB)

This branch is concerned with compromising and embedding implants in purpose-built devices like VoIP phones, workstations and smart devices like TVs. They do both hardware and software design.

Pterodactyl – A “custom hardware solution to support media copying”; it uses small single-board computers like Raspberry Pi to copy data from an asset computer

SparrowHawk – Keylogger intended for use across multiple architectures and Unix-based platforms

DerStarke – Boot-level rootkit implant for Apple computers

GyrFalcon – Tracks the client of an OpenSSH connection and collects password, username and connection data

SnowyOwl – Uses an OpenSSH session to inject code into a target asset

HarpyEagle – Hardware-specific tool to gain root access to Apple’s Airport Extreme and Time Capsule

BaldEagle – An exploit for Unix systems’ Hardware Abstraction Layer

MaddeningWhispers – Remote access to devices compromised with the Vanguard exploit

CRUCIBLE – An “automated exploit identification” tool

YarnBall – Covert USB storage for deployment of payloads and storage of exfiltrated data

GreenPacket – Router implant kit

QuarkMatter – Another boot-level rootkit implant for Apple computers

Weeping Angel – Smart TV implant kit (we wrote about it separately)

Hive – Basic implant suite for Windows and Unix setups aimed at “providing an initial foothold for the deployment of other full featured tools”

Honeycomb – Server for data coming from Swindle or Blot proxy servers

CutThroat – Virtual machine system apparently for hosting proxy servers to send asset data to

Bee Sting – iFrame injection technique for HTTP connections

Sontaran – An attempt to compromise the Siemens OpenStage VoIP phone

Secret Squirrel (SQRL) – ???

Remote Development Branch

There isn’t much data on RDB; the only tool listed is for getting at secure databases, so that’s a hint.

Umbrage – This team, among other things, seems to have collected hacker tools and techniques in use around the web, and also sorted through the Hacking Team leak for useful code and documentation — helpful for development or attribution of hacks

ShoulderSurfer – Tool used to extract data from Microsoft Exchange databases

Operational Support Branch

In addition to maintaining some useful all-purpose utilities, OSB creates custom solutions for individual operations or assets, with a focus on compromising Windows machines and apps.

Time Stomper – Used to modify timestamps on files so that they match what an operation or asset requires

Munge Payload – Tool for encrypting payloads and/or modifying them to avoid detection

Magical Mutt – Appears to be a malware-style DLL injector and process monitor

Flash Bang – Hijack that breaks out of the Internet Explorer sandboxed process and then escalates privileges on the target machine

RickyBobby – Basic Windows implant comprising DLLs and scripts that sends its info to the listening post server app Cal — yes, they’re Talladega Nights references

Fight Club – Set of infected VLC, WinRAR, TrueCrypt, Shamela and Microsoft Office Standalone installers that deployed RickyBobby instances, for placement on thumbdrives used in an operation

Melomy DriveIn – Hijack of a VLC DLL that launches a RickyBobby instance — unclear if it’s the one in Fight Club

Rain Maker – Compromised portable VLC player that covertly collects files from an air-gapped computer when launched from a user’s USB drive

Improvise – Set of interoperable tools used to collect and exfiltrate data from a Windows, Mac or Linux machine — with bar-themed names (Margarita, Dancefloor, Jukebox) corresponding to the OS

Basic Bit – Keylogger for Windows machines

Fine Dining – Not software exactly but apparently a menu that operatives can order from to get a custom tool for an operation — a fake PDF that launches on a Mac and scours the drive for all audio files, for instance

HammerDrill – CD/DVD monitoring tool that also allows files to be compromised as they’re being written to a disc

Taxman – ???

HyenasHurdle – ???

Automated Implant Branch

AIB seems to concern itself with self-running implants. Many of these are not documented or described, but have file lists that reveal a little about their purpose.

Frog Prince – Fully integrated implant system inclusive of command and control, listening post and implant software

Grasshopper – Highly configurable tool used to place various implants on Windows machines (Cricket is a relative)

Caterpillar – Tool for preparing files acquired from a system for secure transport

AntHill – Appears to be a file management component for installed implants

The Gibson – Appears to be a component of command and control servers and listening posts

Galleon – Set of nautically themed scripts and tools for securely copying files to a target computer

Assassin – ???

HercBeetle – ???

CandyMountain – ???

Hornet – ???

Cascade – ???

MagicVikings – ???

Network Devices Branch

This branch is all about routers and switches, from industrial-level gear to home devices, all of which require device or class-specific exploits and kits. The leaks largely consist of highly technical test results and developer instructions that only hint at the software’s capabilities.

Cannoli – Implant for Linksys devices

WAG200G – Implant installer for Linksys routers that works alongside Cannoli

Slasher – Appears to be a port monitor

Cinnamon – Implant for Cisco routers

Earl Grey – Another implant, possibly for Cisco routers

Aquaman – Implant for Linux-based systems, possibly routers (HGs or home gateways) in particular

Bumble – Implant for HP routers

Perseus – Appears to be an implant for routers using the PowerPC architecture

Panda Poke – A “credless” exploit (i.e. one that requires no login credentials) for Huawei router devices

Panda Flight – Covert tunneling tool for Huawei devices

Panda Sneeze – Unclear purpose, but part of the Panda suite along with PandaMitt, PandaScore and others

ChimayRed – Exploit used against MikroTik routers running RouterOS that allows payloads to be installed on the device

Felix – Appears to be a listening post for MikroTik routers

HG – Possibly HunGrrr, a general-purpose tool for accessing remote networking devices; used as a component or step in many tests and projects

BuzFuz – ???

Cytolysis – ???

Powerman – ???

Non-branch-specific Projects

These aren’t listed under any specific branch, though some refer to being under the jurisdiction of one or another, or based on a project out of EDB, NDB, etc.

AfterMidnight – Seems to be a Windows privilege escalation scheme that uses one DLL to gain access for another (a “Gremlin”)

Packrat – Tool for creating and automating listening posts with open-source and commercial software

RoidRage – Implant/exploit for Android devices up to 5.X

The.Net – Network configuration tool that imitates real-world internet and intranet conditions in a set of fictional corporations (Umbrella, Abstergo, etc.)

Philosoraptor – Unclear, but its “stated goal” is to demonstrate the business value of new tool suites and automated testing using a legitimate operational software product

Marble Framework – Obfuscation tool that modifies source files so they can’t be traced to developers or teams

Kraken – Appears to be an organizational tool for task management and project tracking

Fluxwire – Contractor-provided distributed/mesh network tool (with extensive documentation) used to organize connected assets, supporting 9 OSes and 6 architectures

Cocoon – ???

Tremor – ???

iOS-specific

Some tools seem to be only mobile-specific, but these are largely aimed at iOS devices.

Adderall – Tool to pull files and the kernel cache from iOS devices

ElderPiggy – Privilege escalation tool

NightVision – Reads and records a device’s kernel memory

Nightskies – iOS implant, installed via CrunchyLimeSkies

Mcnugget – Mission control utility for iOS implants

HAMR – Framework for “throwing” browser exploits

DRBOOM – Single-step implant installer for iOS up to 8.2

Android-specific

A number of exploits are referred to but redacted, so they’re not listed here.

AngerQuake (renamed AngerManagement) – Collection of HAMR-related plug-ins for remote exploitation of Android devices

Orion – Remote exploit for Android devices

Freedroid – Privilege escalation tool

This article will be continuously updated. Did you find more info on any of these tools? Comment below or contact the author.