DoublePulsar is a hacking tool developed by the U.S. National Security Agency (NSA). The hacking tool was stolen and leaked online by ‘The Shadow Brokers’ threat group in 2017.
DoublePulsar is a Ring-0 (kernel-mode) payload that acts as a backdoor into compromised Windows systems. This exploit kit allows an attacker to remotely execute arbitrary shellcode on the compromised systems.
Worth noting
The big picture
Since the exploit kit was leaked online, it has been widely used by attackers to compromise Windows systems.
In May 2018, a researcher claimed that DoublePulsar had compromised almost 200 Windows boxes worldwide. DoublePulsar compromised Windows boxes by delivering malware via TCP port 445 through the EternalBlue exploit kit.
Once installed, DoublePulsar waits for certain types of data to be sent over TCP port 445.
This NSA hacking tool has also been modified by an infosec researcher in order to work on the Windows IoT operating system.