
Vault 7: Latest WikiLeaks Release Reveals BothanSpy, an SSH Exploit for Windows

BothanSpy intercepts and exfiltrates SSH credentials on Windows via the Xshell client, while Gyrfalcon targets the OpenSSH client on several Linux distributions. The documentation was last updated in 2015.


WikiLeaks has released further documents as part of its 'Vault 7' leaks, a collection of stolen CIA hacking tools. Three manuals reveal the existence of BothanSpy and Gyrfalcon, projects "to infiltrate and exfiltrate SSH credentials".

The two have different attack vectors. BothanSpy targets Windows through the SSH client Xshell: it hooks active SSH sessions and collects the credentials used to authenticate them. For password logins that means the username and password; for public-key logins it is the username, the key filename and the private key itself.

BothanSpy can either exfiltrate that data straight to a CIA-controlled server or write it to an AES-encrypted file on disk for collection later. The implant is deployed as a Shellterm 3.x extension. The document was updated as recently as 2015.

The name is a reference to the Star Wars trilogy, and the documents have tidbits like “Many Bothan spies will die to bring you this information, remember their sacrifice.”


Of course, the CIA has not stopped at Windows. Increasingly, users are turning to Linux, especially for web hosting and privacy-conscious activities. Gyrfalcon targets the OpenSSH client on Linux, producing much the same results.

However, with Gyrfalcon the CIA can not just steal logins but also execute commands on behalf of the user. It captures not only the credentials of active SSH sessions but "full or partial OpenSSH session traffic". It works on CentOS, RHEL, SUSE, Ubuntu and more, and is installed via a CIA-made rootkit.

Both of these tools are designed for maximum stealth. According to the documentation, BothanSpy uses a “very paranoid approach” when collecting data.

Operation of the Linux tool is a bit more complex, requiring knowledge of bash, csh and sh to operate. It requires root privileges to install, though they aren't required to execute after that.
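The leaked manuals, not this article, describe how Gyrfalcon actually hooks OpenSSH, so the following is only an added illustration of the kind of check a Linux administrator might run after reading the two paragraphs above; it is not code from the Vault 7 documents or from WinBuzzer. It assumes two generic traits of an in-process credential stealer: that it is forced into the ssh client through /etc/ld.so.preload, or that it shows up in the client's /proc/<pid>/maps as a file-backed mapping outside the system library directories. The directory allowlist, the library name libsess.so and the sample files are all constructed for the example.

```python
"""Triage check for a Linux OpenSSH client (added example, see lead-in).

Assumptions, not facts from the leaked manuals: a hook of this class would
either be forced in via /etc/ld.so.preload or appear as a file-backed mapping
in the ssh process outside normal library directories.  TRUSTED_LIB_DIRS and
the sample inputs below are constructed for the demonstration.
"""
import re
import sys
from pathlib import Path

# Directories a stock distro ssh client legitimately maps libraries from.
# Tune this before relying on it (e.g. add /opt/... for a vendored OpenSSH).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")

# One /proc/<pid>/maps line: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*)$")


def preload_entries(text: str) -> list[str]:
    """Non-empty, non-comment lines of /etc/ld.so.preload.

    Anything listed here is loaded into every dynamically linked process,
    so on an ordinary workstation the list should be empty."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def mapped_files(maps_text: str) -> set[str]:
    """Absolute paths of file-backed mappings in a /proc/<pid>/maps dump."""
    files = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(1).startswith("/"):   # skips [stack], [heap], anonymous
            files.add(m.group(1).strip())
    return files


def suspicious_mappings(maps_text: str, ssh_binary: str = "/usr/bin/ssh") -> list[str]:
    """Mappings that are neither the ssh binary nor under a trusted library
    directory, plus anything mapped from a file deleted after loading."""
    found = []
    for path in sorted(mapped_files(maps_text)):
        if path.endswith("(deleted)"):          # library unlinked once loaded
            found.append(path)
        elif path != ssh_binary and not path.startswith(TRUSTED_LIB_DIRS):
            found.append(path)
    return found


def triage(preload_text: str, maps_text: str, ssh_binary: str = "/usr/bin/ssh") -> list[str]:
    """Human-readable findings; an empty list means nothing was flagged."""
    findings = [f"/etc/ld.so.preload forces {e} into every process"
                for e in preload_entries(preload_text)]
    findings += [f"ssh maps a file outside trusted library dirs: {p}"
                 for p in suspicious_mappings(maps_text, ssh_binary)]
    return findings


# Constructed sample inputs (not real captures).
CLEAN_PRELOAD = ""
CLEAN_MAPS = """\
5581c3a00000-5581c3a1e000 r--p 00000000 fd:01 1311 /usr/bin/ssh
7f3a1c000000-7f3a1c1a4000 r-xp 00000000 fd:01 5292 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a1c400000-7f3a1c5b2000 r-xp 00000000 fd:01 4021 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c800000-7f3a1c82a000 r-xp 00000000 fd:01 4002 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7f3a1c900000-7f3a1c902000 rw-p 00000000 00:00 0
7ffd2a100000-7ffd2a121000 rw-p 00000000 00:00 0 [stack]
"""
# The same process with a hypothetical hook library forced in via ld.so.preload.
HOOKED_PRELOAD = "/var/tmp/.cache/libsess.so\n"
HOOKED_MAPS = CLEAN_MAPS + \
    "7f3a1cb00000-7f3a1cb06000 r-xp 00000000 fd:01 9017 /var/tmp/.cache/libsess.so\n"


def main(argv: list[str]) -> int:
    """With a PID argument, check that live ssh process; otherwise use the samples."""
    if len(argv) > 1:
        preload = Path("/etc/ld.so.preload")
        preload_text = preload.read_text() if preload.exists() else ""
        maps_text = Path(f"/proc/{argv[1]}/maps").read_text()
    else:
        preload_text, maps_text = HOOKED_PRELOAD, HOOKED_MAPS
    findings = triage(preload_text, maps_text)
    for f in findings:
        print("FINDING:", f)
    print("clean" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the PID of a running ssh client (`pgrep -x ssh`) to check a live process; with no argument it runs over the constructed hooked sample and reports two findings. It is deliberately narrow: a hook delivered by a rootkit, as the article says Gyrfalcon is, can hide from /proc entirely, so pair this with package verification of the client itself (`rpm -V openssh-clients` or `dpkg -V openssh-client`) and treat a clean result as absence of one indicator, not proof of a clean host.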

You can read more about these projects on the Vault 7 page on WikiLeaks, as well as in their documentation.

Ryan Maskell