On April 14, 2017, a mysterious group of hackers known as the Shadow Brokers published a collection of hacking tools that ended up changing the internet forever.
Known as the “Lost in Translation” dump, this collection of files included dozens of hacking tools and exploits stolen from the US National Security Agency (NSA), exploits that many believed the US was using to hack other countries.
Today, three years later, the best-known file included in the leak is, by far, ETERNALBLUE, the exploit that was at the heart of the WannaCry and NotPetya ransomware outbreaks.
However, while ETERNALBLUE is the most recognizable name in the Shadow Brokers leak, there is one file that has haunted and fascinated the cyber-security community above any other.
Named “sigs.py,” this file is what many consider a treasure trove of cyber-espionage operations and threat intelligence.
The file is believed to be a simple malware scanner that NSA operators would deploy on hacked computers and use to search for the presence of other APTs (advanced persistent threats, a term used to describe nation-state hacking groups).
It contained 44 signatures for detecting files (hacking tools) deployed by other hacking groups, numbered from #1 to #45, with #42 missing.
The file immediately captivated security researchers. Many realized that they weren’t even close to detecting as many APTs as the NSA was listing in the sigs.py file.
To this day, three years later, 15 signatures from the sigs.py file still remain without attribution, showing how the NSA still has superior insight into foreign hacking operations compared to many cyber-security vendors today.
However, today, in a presentation at the OPCDE virtual cyber-security summit, a security researcher has uncovered a new APT — the one sitting behind signature #37.
More precisely, the researcher corrected an incorrect attribution of signature #37 to Iron Tiger, a suspected Chinese-linked cyber-espionage group.