The heart of tech is coming to the heart of the Mediterranean. Join TNW in València this March 🇪🇸

This article was published on June 22, 2017

CIA malware codenames are freaking amazing.

CIA malware codenames are freaking amazing.
Matthew Hughes
Story by

Matthew Hughes

Former TNW Reporter

Matthew Hughes is a journalist from Liverpool, England. His interests include security, startups, food, and storytelling. Follow him on Twi Matthew Hughes is a journalist from Liverpool, England. His interests include security, startups, food, and storytelling. Follow him on Twitter.

America’s Central Intelligence Agency has a bit of a bad reputation. That’s possibly because they’re digital voyeurs; high-tech Peeping Toms that almost certainly have footage of you laying a steaming cable, shot through the telephoto lens of a Predator drone.

But in this article, I want to shine a light on an often-overlooked side of the CIA. It turns out that in addition to being skilled codebreakers, mathematicians, and spooks, the CIA also contains some creative geniuses who have conceived some truly imaginative (and bonkers) names for their top-secret projects. Here are some of my favourites.

Brutal Kangaroo

Anyone else thinking of Kangaroo Jack right now? Unearthed by Wikileaks earlier today, Brutal Kangaroo is a malware program that can propagate throughout a closed, air-gapped network using infected USB flash drives. It’s very Stuxnet, in that respect. The big difference is that while Stuxnet was used to destroy nuclear centrifuges, Brutal Kangaroo exfiltrates data out of the closed network using some clever steganography tactics.

It’s all very Ronseal-esque; it does what it says in the tin. With respect to the fact that it makes a mockery of air-gapped computers, it’s brutal. Given that the malware and the stolen data ‘hops’ between systems, it’s a bit like a kangaroo.


This malware targets Samsung’s F-Series Smart TVs, allowing the CIA to record what’s going on from the device’s built-in microphone. It’s so named because that’s what happens when you watch those naughty pay-per-view channels.

Starmie and Snubble

Weirdly, the CIA has a lot of malware named after Pokemon characters. I guess there are similarities between the CIA and Ash Ketchum, with the respect that both are trying to catch ‘em all. Except in the case of the CIA, they’re talking about ISIS members, and instead of Pokeballs, they use Hellfire missiles.

Gaping hole of DOOM

Oh shit, the CIA named a Comodo AV exploit after your mom.

Creatine and RoidRage

Both of these target Android. Creatine exploits flaws in the drivers for Qualcomm’s Adreno GPU, while RoidRage is used to monitor all radio functions and steal SMS messages. The documentation for these consists of “DO YOU EVEN LIFT BRAH?” repeated ad-nauseum.

Munge Payload

This tool is used to encrypt and modify payloads so as to avoid detection by an adversary, and sounds dirtrrrrty. A bit like a Carry On euphemism for a sexually transmitted infection. If you think you might have munge payloads, speak to your physician.

Panda Sneeze

It’s not immediately obvious what this does. But either way, it’s adorable.


Similarly, this specimen targeting HP routers is just way too cute.

Honorable mention: Tempora

I’m cheating here because Tempora isn’t the CIA’s code. It’s actually from Britain’s GCHQ, and allowed them to capture and analyse network traffic from submarine cables.

I don’t even know what Tempora means, but it sounds delicious. I bet it goes well with a bit of lemon and honey sauce.

The list goes on-and-on

No matter what you think about the CIA, you have to accept that there are some bloody amazing names here. I’m eagerly anticipating the next Wikileaks release, just to see what they’ve come up with next.

If you’ve got a personal favorite, feel free to leave it in the comments below.