WikiLeaks has released documents from the CIA's Angelfire project, a five-component utility that can load and run custom implants on Windows XP or Windows 7.
Angelfire's components are Solartime, Wolfcreek, Keystone, BadMFS and the Windows Transitory Filesystem.
The dump of documents is part of the ongoing Vault 7 leaks which began on 7 March and are claimed to be the largest leak of CIA material.
Each component has a particular role, according to the documentation released by WikiLeaks. Solartime can change the boot sector partition to make it possible for Wolfcreek to run when device drivers are loaded at boot time.
{loadposition sam08}Additional implants can be loaded but this would cause memory leaks that can be detected on infected machines, indicating that the software is not the best written.
Keystone is part of Wolfcreek and can start malicious user applications. Implants that are run do not touch the filesystem of the infected machine so it is not detected, as it disguises itself as C:\Windows\system32\svchost.exe, the name of a legitimate Windows service.
BadMFS implements a covert filesystem which is created at the end of the active partition and stores all drivers and implants that Wolfcreek runs.
The last component, Windows Transitory Filesystem, is a new method of getting Angelfire on a system. It allows an attacker to create transitory files for specific actions.