Vault 7: Projects

IOC ERB: 26
Jan 2009
7
SECRET//NOFORN
SECRET//NOFORN
IV&V Overview (cont.)
Nightskies beacons to the LP after the tool reaches its
beacon interval and then Safari or Firefox surfs to a
web page. Then it; received files, sent files, and
executed files on the target based on the Listening Post
(LP) instructions
Nightskies, it’s files, and it’s processes are hidden from
users and from root.
DarkSeaSkies removed itself automatically when
several conditions were met:
When the target had not been able to reach the LP for 180
days.
When it booted to another OS five times in a row.
If it had a kernel panic three times in a row.
If the nvram status variable was set to either a 1 or a 5.