Wikileaks Exposes CIA’ 3 Linux/macOS Malware- Aeris, Achilles, SeaPea

We all know what CIA is capable of but what WikiLeaks has been publishing lately under the Vault 7 leaks series is simply astonishing. According to the latest set of information provided by WikiLeaks in its ongoing Vault 7 leaks saga, the CIA developed three dangerous malware for Linux and macOS systems.

The malware were dubbed as Aeris, Achilles, and SeaPea. Aeris is an automated implant that infects Linux systems whereas Achilles and SeaPea infect macOS. The CIA developed the malware for its Imperial Project. Every one of the three hacking tools served a different purpose. Apparently, these were developed for targeting a certain set of operating systems.


Achilles is a utility specially developed for trojanizing macOS DMG installers. WikiLeaks exposed a one-page user guide as well explaining how this particular hacking tool worked. According to the user guide, this tool allowed an operator to fix an executable to a DMG file. This would be used for one-time execution only. When the DMG file is run, the original app is installed, and then the payload is installed. The payload is then removed from the DMG file.

We are not surprised to learn that the Achilles was designed as a one-time execution malware because this is a typical routine of the CIA since the agency is well-known for its preference on staying undetected on targeted computers. The malware has been tested to be compatible with Intel processors running 10.6 OS.


Aeris is the second tool exposed by WikiLeaks. This malware was named after the character called Aeris Gainsborough of the famous game Final Fantasy VII and is designed to infect POSIX systems. The implant/malware is equipped with data exfiltration utilities. These utilities can attack targeted hosts for data stealing through secure TLS-encrypted channels.

The user guide does not provide information about the way this malware collected data. We can only assume that it is part of a bigger chain of attack and that CIA was using it with other tools. The purpose of Aeris was to infect systems, download Aeris malware, locate required data and perform exfiltration of information.

The key features of Aeris include standalone support for HTTPSLS, TLS encrypted communications, configurable beacon interval, structure command, and control server and create compatibility with NOD cryptographic specification. Aeris is distributed through a set of Python utilities. The coding for this hacking tool is done in C while it affects the following systems:

Debian Linux 7 (i386), Debian Linux 7 (amd64), Debian Linux 7 (ARM), Red Hat Enterprise Linux 6 (i386), Red Hat Enterprise Linux 6 (amd64), Solaris 11 (i386), Solaris 11 (SPARC), FreeBSD 8 (i386), FreeBSD 8 (amd64), CentOS 5.3 (i386) and CentOS 5.7 (i386).


It is the third malware exposed by WikiLeaks. SeaPea is an OS X rootkit. The manual for SeaPea was released previously by WikiLeaks in another set of CIA data exposure called DarkSeaSkies. It was published in March and showcased a collection of tools, which helped in hacking iPhones and Macs. The purpose of this malware was to provide CIA with a kernel-level implant.

This implant supposedly allowed the CIA operators to distribute persisting infections on OS X systems when the system is rebooted. Furthermore, the malware can hide directories and files, initiate socket connections and launch required malicious processes.

The manual of SeaPea is dated to be created during the summer of 2011. It is listed as “tested operating systems” on two older versions of OS X called Mac OS X 10.6/Snow Leopard and Mac OS X 10.7/Lion. The malware works by assigning processes to any one of the three categories namely: Normal, Elite and Super-Elite. The commands in SeaPea are executed as Elite processes.

BothanSpy and Gyrfalcon: Steals SSH credentials from Linux & Windows devices
OutlawCountry and ElsaMalware targeting Linux devices and tracking user geolocation
Brutal Kangaroo: CIA hacking tools for hacking air-gapped PCs
Cherry Blossom: CherryBlossom & CherryBomb: Infecting WiFi routers for years
Pandemic: A malware hacking Windows devices
AfterMidnight and Assassin: CIA remote control & subversion malware hacking Windows
Dark Matter: CIA hacking tool infiltrating iPhones and MacBooks
Athena: A malware targeting Windows operating system
Archimedes: A program helping CIA to hack computers inside a Local Area Network
HIVE: CIA implants to transfer exfiltrated information from target machines
Grasshopper: A malware payloads for Microsoft Windows operating systems
Marble: A framework used to hamper antivirus companies from attributing malware
Dark Matter: A CIA project that infects Apple Mac firmware
Highrise: An Android malware spies on SMS Messages

Related Posts