DoublePulsar Global Implants: On the rise?
This research documents the rising prevalence of DoublePulsar, a backdoor implant that emerged following The Shadow Brokers’ leak of NSA Equation Group tools.
The Leak
In April 2017, the Shadow Brokers released NSA hacking tools via their “Lost in Translation” leak, including FUZZBUNCH - a framework for executing exploits against Windows systems.
DoublePulsar Details
DoublePulsar functioned as a kernel-level backdoor implant; the leaked toolkit delivered it by exploiting vulnerabilities in Microsoft's Remote Desktop Protocol (RDP) and Server Message Block (SMB) services.
Research Methodology
Below0Day ran internet-wide masscan sweeps for hosts with TCP port 445 (SMB) open, then ran Countercept's DoublePulsar detection script against those hosts to identify infected systems and mapped the results geographically.
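Countercept's check works by sending an SMB Trans2 SESSION_SETUP request with Multiplex ID 0x41 and reading the Multiplex ID the host echoes back: a clean host returns 0x41, while a host running the DoublePulsar implant answers with 0x51. The Python below, an added example written for this page and not Countercept's or Below0Day's own code, parses a captured Trans2 response, classifies it, and tallies infections across a scan; the packets are constructed inline for testing and the function names are my own.

```python
import struct

SMB_TRANS2 = 0x32          # SMB1 command byte for Trans2
MID_CLEAN = 0x41           # Multiplex ID the probe sends; a clean host echoes it
MID_DOUBLEPULSAR = 0x51    # Multiplex ID the DoublePulsar implant replies with


def build_trans2_response(mid, status=0xC0000002):
    """Construct a minimal NetBIOS + SMB1 Trans2 response (test data only).

    The default status is STATUS_NOT_IMPLEMENTED, which an unpatched but
    clean host returns for the Trans2 SESSION_SETUP probe.
    """
    smb = b"\xffSMB"
    smb += struct.pack("<B", SMB_TRANS2)              # command
    smb += struct.pack("<I", status)                  # NT status
    smb += struct.pack("<B", 0x98)                    # flags
    smb += struct.pack("<H", 0xC007)                  # flags2
    smb += struct.pack("<H", 0)                       # PID high
    smb += b"\x00" * 8                                # security signature
    smb += struct.pack("<H", 0)                       # reserved
    smb += struct.pack("<HHHH", 0, 0xFEFF, 0, mid)    # TID, PID, UID, MID
    smb += b"\x00\x00\x00"                            # WordCount=0, ByteCount=0
    return struct.pack(">I", len(smb)) + smb          # NetBIOS session header


def classify_trans2_response(pkt):
    """Classify a raw response to the Trans2 SESSION_SETUP probe."""
    if len(pkt) < 36 or pkt[4:8] != b"\xffSMB":
        return "not-smb"
    command = pkt[8]
    mid, = struct.unpack_from("<H", pkt, 34)          # MID at SMB header offset 30
    if command != SMB_TRANS2:
        return "unexpected-command"
    if mid == MID_DOUBLEPULSAR:
        return "infected"
    if mid == MID_CLEAN:
        return "clean"
    return "unknown"


def count_infected(responses):
    """Count implanted hosts given a mapping of host -> raw response bytes."""
    return sum(1 for pkt in responses.values()
               if classify_trans2_response(pkt) == "infected")


if __name__ == "__main__":
    # Constructed sample scan: two clean hosts, one implanted host.
    sample = {
        "198.51.100.10": build_trans2_response(MID_CLEAN),
        "198.51.100.11": build_trans2_response(MID_DOUBLEPULSAR),
        "198.51.100.12": build_trans2_response(MID_CLEAN),
    }
    print("infected hosts:", count_infected(sample))
```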
Infection Statistics
| Date | Infected Hosts | Total Hosts Scanned (Port 445) |
|---|---|---|
| April 18 | 30,626 | 5.5M |
| April 21 | 56,586 | 5.2M |
| April 26 | 344,000+ | n/a (figure from BinaryEdge, not a Below0Day scan) |
Findings
- April 18 scan: Detected approximately 30,626 infected hosts among 5.5 million with port 445 open
- April 21 scan: Found roughly 56,586 infected hosts among 5.2 million scanned systems
Methodology
Researchers used:
- masscan for reconnaissance
- Countercept’s detection script for identification
- PyGeoIpMap for geographic visualization
Conclusion
The research indicated “these numbers might only be increasing,” suggesting growing global infection rates. Below0Day offered detection and remediation services, noting that as of April 26, 2017, independent researchers documented “344,000+” infections worldwide.
Recommendations
- Apply MS17-010 patches immediately
- Disable SMBv1 on all systems
- Scan for indicators of compromise
- Re-image confirmed infections
- Segment networks to limit exposure
The spread of DoublePulsar demonstrates the rapid weaponization of leaked tools by threat actors globally. Organizations must assume breach and actively hunt for indicators of compromise.