WikiLeaks has published a document detailing a tool allegedly used by the U.S. CIA to track people’s locations via their WiFi-enabled devices.
The malware code-named Elsa implements geolocation feature, it scans visible WiFi access points and records their details, such as the ESS identifier, MAC address and signal strength at regular intervals.
Wikileaks published the user manual as part of Vault 7 dump, the document is dated September 2013 and there is no other information about its improvements.
The malware also works when the Wi-Fi enabled device is offline or isn’t connected to an access point.
When the device is connected online, the malware leverages public geo-location databases from Google or Microsoft to resolve the position.
The data recorded by the ELSA malware is encrypted and logged, CIA agents can access them only manually retrieving the log by connecting to the Wi-Fi connected device.
“ELSA is a geo-location malware for WiFi-enabled devices like laptops running the Micorosoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS identifier, MAC address and signal strength at regular intervals.” reads the post published by Wikileaks. “To perform the data collection the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled WiFi device. If it is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp. The collected access point/geo-location information is stored in encrypted form on the device for later exfiltration. The malware itself does not beacon this data to a CIA back-end; instead the operator must actively retrieve the log file from the device – again using separate CIA exploits and backdoors.”
The data is encrypted and logged, and the malware’s operator can manually retrieve this log by connecting to the infected device. The ELSA malware could be customized by CIA operators in order to match the target environment and mission objectives.
“The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, maximum size of the logfile and invocation/persistence method,” continues WikiLeaks. “Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geo-location data to create a tracking profile of the target device.”
Below the list of release published by Wikileaks since March:
[adrotate banner=”9″]
(Security Affairs – Elsa malware, CIA)
[adrotate banner=”13″]
Fintech firm Figure confirmed a data breach after hackers used social engineering to trick an…
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in BeyondTrust RS and…
A new alleged Russia-linked APT group targeted Ukrainian defense, government, and energy groups, with CANFAIL…
A new threat actor, UAT-9921, uses the modular VoidLink framework to target technology and financial…
Attackers quickly targeted BeyondTrust flaw CVE-2026-1731 after a PoC was released, enabling unauthenticated remote code…
Google says nation-state actors used Gemini AI for reconnaissance and attack support in cyber operations.…
This website uses cookies.