If you don’t know what this is, stop here.

This repository contains malware samples and research materials for academic, reverse engineering, and forensics purposes only.

Do NOT run anything outside of isolated environments (e.g., air-gapped VMs).

• Related to Brutal_Kangaroo
• Connected to nls_933w.dll
• Infects via USB using CVE-2010-2568
• Shares DNA with Stuxnet and Flame, gauss and duqu respectievely

• modules LNK 1 RAPID7 fanny_bmp_check - By Me
• vulnerabilities LNK 2 RAPID7 fanny_bmp_check - By Me
• metasploit-framework LNK 3 SRC of fanny_bmp_check - By Me

✔️ Demonstrates that the rootkit hides .lnk and keyword-matching files even from system UI dialogs. Which demonstrates it's not just a simple file hider, it's a generalized rootkit that hides dirs(verify this claim)/files[x]/even strings[x]

A full report was written, but will be rewritten soon for clarity and accuracy. The update will focus on:

• Technical deep dives
• Relationship to Equation Group tools
• Ethical simulation techniques

Fanny detection added to:

• Rapid7 Metasploit
• Metasploit Module: fanny_bmp_check
• POC Video

Name:         Fanny.BMP (aka DementiaWheel)
Type:         USB-propagating Worm
Exploits:     CVE-2010-2568 (LNK exploit)
Targets:      Windows XP → Windows 10
Payloads:     Explorer rootkit, USB storage exfiltration, persistence via ACM driver

CVE:          CVE-2010-2568
Reference:    https://securelist.com/a-fanny-equation-i-am-your-father-stuxnet/68787/

You can detect Fanny infections using the fanny_bmp_check module in Metasploit:

meterpreter > run post/windows/gather/forensics/fanny_bmp_check

Expected output:

[+] HKEY_LOCAL_MACHINE\SYSTEM\...\ECELP4\Driver found
[+] HKEY_LOCAL_MACHINE\SYSTEM\...\ECELP4\filter2 found
...

• Rootkit behavior demo
• Crash test from hiding corrupted .lnk files

Creating .lnk files named __e__.lnk under XP with shelldoc.dll active may crash Explorer.

✔️ This has been captured and documented in video + screenshots.

• Improved USB C2 bridge w/ Metasploit
• C+Lua tooling for USB backdoor command & control
• Fully structured academic writeup
• Screenshots and annotated source

• Stuxnet Source
• Agent.BTZ Sample
• DUQU
• Gauss-Src
• flame-sourcecode V2
• MINI-FLAME-Skywiper

To help defenders, researchers, and detection engineers. These files are hard to find. Collecting + analyzing them helps strengthen infosec.

• Securelist: Equation Group
• Rapid7 Blog
• Fanny Detection Module

Branch of interest:

• 🔗 only_malware branch (live payloads)

Thanks to

• Fyyre - for your DrvMon
• Hfiref0x - for your KDU
• GPT(O3-PRO) For helping me check the formulation of this repo, like MarkDown, etc.
• FSU's 2 Students Alejandro Ugas and McDougall for their Research