Equation
G002014 reportsaliases · Equation
14
Reports
12
Techniques
8
Tactics
4
Countries
48%
Hunt coverage
1
Aliases
Analyst assessment — key judgments
- Signature techniques: T1588.006 (Vulnerabilities), T1589.001 (Credentials), AML.T0016.002 (Generative AI).
- Primary targeting: US, IN, TW, DE.
- Steady activity: 4 report(s) in last 30d vs 4 prior (+0%).
- Recent movement: 2 new technique(s), 48 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 48% of 21 observed techniques (11 gap(s)).
- Assessment confidence: medium (62).
Activity & trend
SteadyLast 30d: 4 vs 4 prior (+0%)· first reported 2026-03-24 · last 2026-07-13
2
7d
4
30d
13
90d
14
All
1.0
Rpts/wk
Reporting timeline · 12 months
Movement — last 30 days
New techniques
T1689AML.T0069.002Targeting gained
INTWTargeting lost
DENew infrastructure
https://dodcio.defense.gov/Portals/0/Dochttps://dodcio.defense.gov/Portals/0/Doc8c4a30f1f7d1ba896a8593f0331202ae6f66e88912078fa347d7e4f80e9bd3d0https://scottaaronson.blog/?p=9718https://csrc.nist.gov/projects/pqc-dig-shttps://falcon-sign.info/https://educatedguesswork.org/posts/pq-ehttps://thomwiggers.nl/https://pqshield.github.io/nist-sigs-zoohttps://eprint.iacr.org/2022/975.pdfhttps://nvlpubs.nist.gov/nistpubs/ir/202Vulnerabilities in this actor's reporting · 5
- CVE-2017-0199KEV1 rpt
- CVE-2017-11882KEV1 rpt
- CVE-2018-0802KEV1 rpt
- CVE-2023-36884KEV1 rpt
- CVE-2026-21513KEV1 rpt
Overview
Analyst triage
Intelligence summary
Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. (Citation: Kaspersky Equation QA)
Top co-occurring indicators
Aliases & naming
Targeting · countries
Targeting · named victims
ATT&CK technique matrix
Coverage vs hunt library:
—
Hunt-coverage gaps — prioritized
Top techniques by observation
- T1588.006 · Vulnerabilitiesconf 757
- T1589.001 · Credentialsconf 754
- AML.T0016.002 · Generative AIconf 653
- T1684.001 · Impersonationconf 652
- AML.T0073 · Impersonationconf 652
- T1021.007 · Cloud Servicesconf 652
- T1588.007 · Artificial Intelligenceconf 601
- T1689 · Downgrade Attackconf 601
- T1027.015 · Compressionconf 601
- T1213.002 · Sharepointconf 601
- T1213.001 · Confluenceconf 601
- T1219 · Remote Access Toolsconf 601evidence: A tale of two eras
Threat catalogue · engineering roadmap
Flagged detection-engineering queue
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
IOC type mix
Tooling / malware families
Relationships
Activity
30-day mention timeline
Recent reporting
| Title | Source | Severity | Collected |
|---|