Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Shadow Brokers Now Selling Windows, AV Exploits in New ZeroNet Marketplace

The group calling itself “Shadow Brokers” has apparently decided to start selling Windows exploits and what appear to be anti-virus bypass tools on a BitTorrent-powered ZeroNet peer to peer web platform.

The group calling itself “Shadow Brokers” has apparently decided to start selling Windows exploits and what appear to be anti-virus bypass tools on a BitTorrent-powered ZeroNet peer to peer web platform.

Last year, the mysterious group leaked a series of firewall exploits, implants and other tools that they supposedly had stolen from the NSA-linked Equation Group. In an attempt to cash in on a set of other exploits, vulnerabilities, RATs, persistence mechanisms and data collection tools, the group announced an all-pay auction, but failed to reach the targeted goal.

The group also tried to make money through crowdfunding, setting a goal at 10,000 Bitcoins (rougly $7.8 million at the time), but later decided to sell the exploits directly, for a total of only 1,000 Bitcoins (currently ~$805,000). The group also offered interested parties the option of buying individual exploits. In October, the group released a batch of files supposedly linked to the Equation Group.

Starting last month, the group began directing interested buyers to a website hosted on ZeroNet, where the stolen exploits were put up for sale priced between 1 and 100 Bitcoins (BTC) each (or 1,000 BTC for the entire batch). Files were sorted by type, and buyers were encouraged to contact a Shadow Brokers member to make a purchase.

The group is now advertising what they claim to be Windows exploits and toolkits, including a series of tools that appear to have been designed specifically for anti-virus bypass purposes, Jacob Williams has discovered. This is the first time the group has advertised the Windows exploits, with only UNIX-targeting hacking tools released before.

Screenshots the group posted on Twitter suggest the tools were split into two packages, with one of them, called FuzzBunch, containing what appear to be remote code execution (RCE) exploits for IIS servers, the RDP, RPC, and SMB (Server Message Block) protocols, along with supposedly a zero-day exploit for SMB.

The entire batch is advertised for 750 BTC (~ $600,000), while the FuzzBunch package can be bought separately for 650 BTC. The exploits can be bought for 250 BTC. The zero-day for SMB is priced at 250 BTC as well.

Additionally, the group also appears to be selling bypass tools for “Personal Security Products” from leading anti-virus vendors, including Avast, Avira, ESET, Kaspersky Lab, McAfee, Microsoft, Panda, and Symantec, among others. These, however, haven’t been confirmed as of now.

Previously, the group had released some working tools, which suggests that their claims could be true. According to a Flashpoint report released in December last year, the data was stolen in July 2013, although timestamps have been modified, most likely to hinder analysis.

The security researchers also suggested that the files have been copied from an internal system or a code repository, based on the extensive use of Markdown, a markup language commonly used in code repositories. Flashpoint said it had “medium confidence” that a rogue insider was involved in the theft.

“Insiders with access to sensitive information can cause extensive damage, as Edward Snowden proved in June 2013. While the timeline of events shows that this is not directly related to Snowden, the close proximity of events raises the question if there were multiple insiders acting independently during 2013,” Flashpoint said last month.

Related: “Shadow Brokers” Put NSA Exploits Up for Direct Sale

Related: Over 840,000 Cisco Devices Affected by NSA-Linked Flaw

Related: Industry Reactions to Shadow Brokers Leak

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.