I've finished reading all of the leak now (except the Broadcom manual that was included for some reason?), and at least to me, the most interesting piece is the manual for DerStarke [0].

It's a diskless, EFI-persistent implant for Mac OS X 10.8 and 10.9 that does most of its network communications through a browser process. The manual explicitly calls out that this is done to make it difficult to detect the implant using tools like Little Snitch.

This is in contrast to a lot of the tools referenced in the previous leak, which went to great efforts to keep their disk / memory footprint low, but didn't otherwise get into much of the details about how they cloaked their network comms.

Overall, the leak didn't include any capabilities that I was surprised to see. Things like using adapters to install an implant on boot (Sonic Screwdriver [1] in this dump) are super cool, but they aren't anything we haven't seen done before. See Thunderstrike [2] for a really great lecture on this type of attack.

Also, obligatory warning about WikiLeaks dumps: it's usually worth just reading the leaked documents themselves, and avoiding the editorializing that WikiLeaks always does. They tend to make unsubstantiated claims that end up getting the brunt of the media's focus.

[0] https://wikileaks.org/vault7/darkmatter/document/DerStarke_v1_4_DOC/
[1] https://wikileaks.org/vault7/darkmatter/document/SonicScrewdriver_1p0
[2] https://events.ccc.de/congress/2014/Fahrplan/events/6128.html