CIA’s “AngelFire” Modifies Windows’ Boot Sector to Load Malware

Wikileaks on Thursday published documents detailing AngelFire, a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to load and execute implants on Windows-based systems.

Similar to other “Vault7” tools that Wikileaks unveiled over the past several months, such as Grasshopper and AfterMidnight, AngelFire is a persistent framework targeting computers running Windows XP and Windows 7.

According to the published documents, the framework consists of five components: Solartime, Wolfcreek, Keystone (previously called MagicWand), BadMFS, and the Windows Transitory File system.

Solartime was designed to modify the partition boot sector so that the Wolfcreek implant is loaded when Windows loads boot-time device drivers. Wolfcreek is a self-loading driver that can load additional drivers and user-mode applications after execution. Loading additional implants creates memory leaks that could be detected on infected machines.

Part of the Wolfcreek implant, Keystone is responsible for starting malicious user applications. The leaked documents also reveal that the implants are loaded directly into memory and they never touch the file system. The created processes are named svchost.exe and all of their properties are consistent with a real instance of svchost.exe, including image path and parent process.

BadMFS is a covert file system created at the end of the active partition and used to store all drivers and implants launched by Wolfcreek, both encrypted and obfuscated. Some versions of the library can be detected because a reference to it is stored in a file named “zf”.
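As an added illustration (not taken from the leaked documents or the article), a defender can triage a disk image for the two on-disk artifacts described above: a changed partition boot region and data sitting at the end of the active partition. It assumes an MBR disk with 512-byte sectors, a known-good boot-region hash recorded earlier, and the usual NTFS layout in which the file system is one sector shorter than its partition; treating space past the file system as the place to look is also an assumption, and all function names and the sample image are constructed for the example.

```python
import hashlib
import struct

SECTOR = 512        # assumed logical sector size
BOOT_SECTORS = 16   # NTFS $Boot (boot sector + bootstrap code) spans 16 sectors

def active_partition(disk):
    """Return (start_lba, sector_count) of the MBR entry flagged active (0x80)."""
    if disk[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    for off in range(446, 510, 16):
        if disk[off] == 0x80:
            return struct.unpack_from("<II", disk, off + 8)
    raise ValueError("no active partition")

def boot_region_hash(disk):
    """SHA-256 of the active partition's boot region, for baselining."""
    start, _ = active_partition(disk)
    return hashlib.sha256(disk[start * SECTOR:(start + BOOT_SECTORS) * SECTOR]).hexdigest()

def triage(disk, baseline_hash):
    """Compare the boot region to a known-good hash and inspect the partition tail."""
    start, count = active_partition(disk)
    vbr = disk[start * SECTOR:(start + 1) * SECTOR]
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("active partition is not NTFS")
    total = struct.unpack_from("<Q", vbr, 0x28)[0]   # sectors the file system claims
    # Sector `total` normally holds the backup boot sector; anything after it
    # belongs to the partition but not to the file system.
    tail = disk[(start + total + 1) * SECTOR:(start + count) * SECTOR]
    used = sum(any(tail[i:i + SECTOR]) for i in range(0, len(tail), SECTOR))
    return {"boot_changed": boot_region_hash(disk) != baseline_hash,
            "tail_sectors": len(tail) // SECTOR, "tail_nonzero": used}

def build_sample(fs_sectors, part_sectors, tail_fill=b"", boot_patch=b""):
    """Constructed test image: MBR plus one active NTFS-labelled partition at LBA 8."""
    start = 8
    disk = bytearray((start + part_sectors) * SECTOR)
    disk[446] = 0x80                                  # active flag
    disk[446 + 4] = 0x07                              # partition type: NTFS/exFAT
    struct.pack_into("<II", disk, 446 + 8, start, part_sectors)
    disk[510:512] = b"\x55\xaa"
    base = start * SECTOR
    disk[base + 3:base + 11] = b"NTFS    "
    struct.pack_into("<Q", disk, base + 0x28, fs_sectors)
    disk[base + 0x54:base + 0x54 + len(boot_patch)] = boot_patch  # bootstrap code area
    disk[len(disk) - len(tail_fill):] = tail_fill
    return bytes(disk)
```

A non-zero `tail_nonzero` or a changed boot hash is a lead for further forensics, not proof of compromise: partition resizing, OS upgrades and vendor tools can produce both.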

The Windows Transitory File system was meant as a new method of installing AngelFire, allowing an operator to create transitory files (instead of laying independent components on disk) for actions such as installation, adding files to, or removing files from AngelFire. These transitory files are added to the ‘UserInstallApp’.

According to the AngelFire user guide, the tool features a small footprint and comes with two installer versions, namely an executable and a fire-and-collect .dll installer. The implant framework is compatible with 32-bit Windows XP and Windows 7, and with 64-bit Windows Server 2008 R2 and Windows 7.

The tool is also plagued with a variety of issues, the leaked documents say, including the lack of support for .dll persistence on Windows XP, an imperfect heuristic algorithm, an incorrectly configured SEH environment during driver load, and the inability to dynamically determine the path of svchost.exe, among others.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
