DanderSpritz is the companion to the FuzzBunch exploitation framework. Both were leaked by The Shadow Brokers on April 14th, 2017 as part of the “Lost in Translation” leak. These tools are widely accepted as belonging to the Equation Group (NSA). It’s a modular, stealthy, and fully functional framework for post-exploitation activities on Windows and Linux hosts. DanderSpritz modules include tools to evade detection by bypassing anti-virus & security tools, disable and delete Windows event logs, establish persistence, perform local and network reconnaissance, move laterally within a network, and exfiltrate data.

Exploitation frameworks allow attackers to select, configure and deploy different malicious scripts, or modules, against one or more targets. Exploits leverage vulnerabilities in order to give an attacker access to a compromised system. Post-Exploitation frameworks are designed to deploy additional modules specific to mission objectives after the initial compromise.

Included Components

DarkSkyline Captures network traffic, performs packet filtering and parsing
DarkPulsar Legacy implant/backdoor, similar to PeddleCheap
DecibelMinute Install/uninstall tool for KillSuit (termination module)
DoubleFeature Logs & reports tools that could be deployed on the target
DoormanGauze A kernel level network driver designed to bypass the standard Windows TCP/IP stack
ExpandingPulley Listening Post developed in 2001 and abandoned in 2008, predecessor to DanderSpritz
FlewAvenue DoormanGauze component
GreaterDoctor GreaterSurgeon Parser/Processor
GangsterTheif GreaterDoctor output parser. Identifies other persistently installed malicious software
GreaterSurgeon Dumps memory from a specified process
Gui DanderSpirtz GUI
Ops An extensive set of python / dss scripts designed to perform system reconnaissance
PassFreely Bypasses authorization for oracle databases
PaperCut Performs operations on file handles opened by other processes
PeddleCheap The main implant (loaded via DoublePulsar) that executes DanderSpritz instructions
ScRe Interacts with SQL databases
Strangeland Keystroke logger
Tasking Handles DanderSpritz collection tasks
TerritorialDispute Identifies other nation state tools that may be persistently installed
UtilityBurst Persistence mechanism via driver injection
ZippyBang Custom Mimikatz-like tool use for credential harvesting


  • https://medium.com/francisck/the-equation-groups-post-exploitation-tools-danderspritz-and-more-part-1-a1a6372435cd

  • https://github.com/francisck/DanderSpritz_docs

  • https://danderspritz.com/

Products sold by OpenVault are for entertainment and educational purposes only. Customer’s are purchasing a physical copy of digital artwork (Software box).

Add To Cart