FEINTCLOUD

In the Equation Group dump, many of the implants can announce themselves with beacons, especially the BIOS implants. These beacons are disguised as normal network packets, likely directed at fake hosts, to be intercepted by intermediate infrastructure. The list in the BLATSTING beacon listening post module gives a possible list of disguises:


BLATSTING FUNKSPIEL

I’ve done a bit of reverse-engineering on the BLATSTING “modular rootkit” implant which was part of the recent Equation Group leak. I find it interesting as it injects into the Linux kernel, intercepts network traffic, and even injects packets so as to redirect browser users to a site with pre-packaged exploits.


Dazed and confused, but trying to continue

I’m happy with the job I’m doing, happy to work with a few very smart people on an extremely interesting project, involving various entirely new challenges, that could have enormous impact. But on the other hand Bitcoin infrastructure development must be one of the most hostile and crazy working environments in existence, at least in software development.
