The Central Intelligence Agency (CIA) targets Windows users via a framework called Grasshopper that it uses to customize and execute malware, according to 27 documents published by WikiLeaks in the latest installment of its Vault7 leaks.
The agency can use custom installers tailored to the version of Windows and antivirus software a user is running. The documents also detail persistence mechanisms, the tools that malware uses to evade detection. In one mechanism, Stolen Goods, the CIA uses Carberp, financial malware that first appeared in 2013.
The documents indicate that the agency made modifications to Carberp and then used Grasshopper to tailor it to victims' computers and persist by evading AV scans and reinstalling itself.