One of the malware tools linked to the US National Security Agency (NSA), leaked early this month by the Shadow Brokers hacking group, has infected almost 200,000 Windows PCs - with the number rising by almost 80,000 alone over the weekend.
The tools, released to the open-source developer website Github, have been gratefully scooped up by malware writers of varying levels of competency and pimped via phishing emails across the internet.
And researchers at Swiss security company Binary Edge claim to have found 183,107 compromised PCs connected to the internet after conducting scans for the DoublePulsar malware. Conducted every day over the past four days, the number of infected PCs has increased dramatically with each scan, according to Binary Edge.
|DoublePulsar infections worldwide|
|Monday 24 April||183,107|
|Sunday 23 April||164,715|
|Saturday 22 April||116,074|
|Friday 21 April||106,410|
|Source: Binary Edge|
The company's scans indicate that the US, in particular, has been targeted, with almost 70,000 infections, followed by China and Hong Kong, Taiwan, Russia and the UK, where it found around 2,500 infected PCs.
Scans by other security research groups have also revealed widespread infections of PCs worldwide with the DoublePulsar malware, which is believed to have been coded by the NSA.
Binary Edge described the malware as "beautifully designed" and suggested that it could've been used for months or years by a variety of actors, and not just the NSA.
The malware has also been analysed in detail by another group of security researchers, called Countercept.
"While there is a lot of interesting content [in the Shadow Brokers tool dump], one particular component that attracted our attention initially was the DoublePulsar payload," wrote Countercept in a research posting.
It continued: "This is because it seems to be a very stealthy kernel-mode payload that is the default payload for many exploits.
"Additionally, it can then be used to inject arbitrary DLLs into user land processes. We have also identified a potentially useful memory signature to detect whether this technique has been used on hosts that have not been rebooted since."
Join Computing in London on 4 May for the Cyber Security Strategy Briefing 2017 for the Financial Sector.
Speakers include Adam Koleda, IT director of insurance firm BPL Global; Peter Agathangelou, associate director of Hamilton Fraser Insurance; and, Dr Kuan Hon, consultant lawyer at law firm Pinsent Masons.
Attendance is free to qualifying IT professionals and IT leaders - register now!
And, yep, it'll run Android rather than RiscOS
US engineering giant's cost-cutting outsourcing plan is on the rocks, according to insiders
HP Envy X2 laptop only affordable if you've got loadsamoney
Counterfeit code-signing certificates enabling hackers to hide malware being sold by cyber criminals
Certificates can be used as part of layered obfuscation to evade detection by anti-virus software