Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
function can capture wireless traffic. The implant function can perform wireless firmware upgrades and incorporates the exploitation tools (for determining administrator passwords) and Wireless Upgrade Packages (for devices that don’t allow wireless firmware upgrades). Claymore can run in a mobile environment (i.e., on a laptop) or in a fixed environment with a large antenna for longer ranges. See the “Claymore User’s Manual” for more information.
• Using the Device’s Firmware Upgrade Web Page over a Wired (LAN) Link – this technique would likely be used in a supply chain operation.
(S) Once a wireless device has been implanted (i.e., it is a Flytrap), it will Beacon (over the internet according to parameters that have been built into the implant) to a command & control server referred to as the CherryTree (CT). The Beacon contains device status and security information that the CT logs to a database. In response to the Beacon, the CherryTree sends a Mission with operator-defined tasking. An operator can use CherryWeb (CW), a browser-based user interface, to view Flytrap status and security info, plan Mission tasking, view Mission-related data, and perform system administration tasks.
(S) Missions may include tasking on Targets to monitor, actions/exploits to perform on a Target, and instructions on when and how to send the next Beacon. Target types include:
• Email addresses
• Chat usernames (see CBUM for supported chat services)
• MAC addresses
• VoIP numbers (for devices that support VoIP)
(S) Target actions/exploits include:
• Copying of a Target’s network traffic
• Redirection of a Target’s browser (e.g., to Windex for browser exploitation)
• Proxying a Target’s network connections
(S) Additionally, Mission tasking can include “global actions”, i.e., actions not triggered by Target detection. Global actions include:
• Copying all network traffic
• Proxying all network connections
• Harvesting of email addresses, chat usernames, and VoIP numbers
• VPN Link wherein a VPN tunnel is established between the Flytrap and a CB-owned VPN server and gives an operator access to clients on the Flytrap’s WLAN/LAN.
• Application Execution wherein an application can be pushed to and executed on a Flytrap.
(S) Upon receipt of a Mission, a Flytrap will begin Mission execution, typically configuring the necessary implant modules on the Flytrap, running the necessary