WikiLeaks revealed CIA Athena Spyware, the malware that targets all Windows versions

Pierluigi Paganini May 19, 2017

Wikileaks released the documentation for the Athena Spyware, a malware that could infect and remote control almost any Windows machine.

Last Friday, Wikileaks released the documentation for AfterMidnight and Assassin malware platforms, today the organization leaked a new batch of the CIA Vault 7 dump that includes the documentation related to a spyware framework dubbed Athena /Hera.

The batch of CIA files includes a user manual of the Athena platform, an overview of the technology, and a demo on how to use the malware.

Reading the documents it is possible to discover that any Windows systems could be infected by the two spyware, Athena works for XP through Windows 10 and Hera for Windows 8 through Windows 10.

The Athena / Hera malware were used by the CIA to take remote control over the infected Windows machines remotely.

“The Athena System fulfills COG/NOD’s need for a remote beacon/loader. Table 2 shows the system components available in Athena/Hera v1.0. The target computer operating systems are Windows XP Pro SP3 32-bit (Athena only), Windows 7 32-bit/64-bit, Windows 8.1 32- bit/64-bit, Windows 2008 Enterprise Server, Windows 2012 Server, and Windows 10.” reads the system overview included in the user guide. “Ubuntu v14.04 is the validated Linux version. Apache 2.4 is the validated web server for the Listening Post.”

The Athena spyware was written in Python, is seems to be dated back August 2015, if confirmed it is worrying news because Microsoft released Windows 10 in July 2015.

Athena is the result of a joint work of CIA developers and peers at cyber security firm Siege Technologies that is specialized in offensive cyber security.

“Athena is a beacon loader developed with Siege Technologies. At the core it is a very simple implant application. It runs in user space and beacons from the srvhost process. The following diagram shows the concept of operation.” states the Athena Technology Overview.

CIA Athena spyware

The documents leaked by Wikileaks reveals that ability of the Athena spyware to modify its configuration in real time, customizing it to a specific operation.

“Once installed, the malware provides a beaconing capability (including configuration and task handling), the memory loading/unloading of malicious payloads for specific tasks and the delivery and retrieval of files to/from a specified directory on the target system,” WikiLeaks claims.

However, WikiLeaks has not provided any detail about the operations being conducted by the agency using Athena, but it is not hard to imagine how the intelligence agency would be using this program to spy on their targets.

Below the list of the mail dumps leaked by WikiLeaks:

  • The Year Zero that revealed CIA hacking exploits for hardware and software.
  • Weeping Angel spying tool to hack Samsung smart TV and use them as
  • The Dark Matter dump is containing iPhone and Mac hacking exploits.
  • The Marble batch focused on a framework used by the CIA to make hard the attribution of cyber attacks.
  • The Grasshopper batch that reveals a framework to customize malware for breaking into Microsoft’s Windows and bypassing antivirus protection.
  • The Scribbles Project for document tracking.
  • Archimedes man-in-the-middle (MitM) attack tool.
  • AfterMidnight and Assassin malware platforms.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Athena Spyware, hacking)

[adrotate banner=”13″]



you might also like

leave a comment