Sale of exploit chain and infrastructure dump for Wickr Compliance Cloud (0-day exploitation chain + analytical package + extracted production binaries)

🌐 Dark WebYesterday, 14:21
For informational purposes only
Affected products: Wickr Compliance Cloud, instances in AWS GovCloud Package size: ~17 MB of main binary + 300+ MB of shared libs + accompanying analysis
The author announces the sale of a comprehensive package for compromising Wickr Compliance Cloud. According to the author, the lot consists of three blocks:
  1. Production binaries with symbols. The package includes the main executable file wickrio_compliance in unstripped form (with an open symbol table) and the declared 622 described C++ VTable structures. In fact, this is a ready-made roadmap for VTable hijacking and searching for memory corruption (which usually requires lengthy reverse engineering).
  2. Attack on FIPS 140-3 verification. A zero-day in fips.so is announced, which, according to the description, uses the feature of the RELRO configuration and allows to overwrite the GOT.PLT records of standard memory comparison and copy functions, bypassing the HMAC self-test of the cryptographic module itself. In practice, this means a potential bypass of the FIPS 140-3 integrity self-check and the possibility of interfering with the processing of keys and plaintext in RAM. According to the author, this is a direct attack on the essence of FIPS 140-3 - mandatory certification of cryptography for US government workloads.
  3. Infrastructure reconnaissance. According to the seller, the binaries contain hardcoded endpoints associated with classified American networks at the Secret and Top Secret levels, AWS account identifiers at the prod/alpha/beta/GovCloud levels, and names of S3 buckets for registration keys.
Wickr - a messenger with end-to-end encryption, acquired by AWS in June 2021. After the deal, AWS phased out the consumer segment and focused on enterprise and government clients. Wickr Compliance Cloud is an enterprise-level with archiving for audits and regulatory compliance. According to AWS, Wickr RAM has an Authority to Operate at Impact Level 5 (IL5) with DoD reciprocity and is approved for use, including by operators in SCIF rooms for communication with deployed personnel via NIPRnet. This is the only American collaboration service with full functionality that meets all NSA security criteria, accredited by the Air Force and AFSOC. In 2025, the US Army separately expanded access to the Army Enterprise Wickr deployed in the cArmy landing zone, with plans to integrate it with Army Vantage and the Army Intelligence Data Platform. In other words - this is a communication platform for the DoD, the intelligence community, and federal contractors.
Vendors
Wickr
Aws
Products
Army Enterprise Wickr
Army Intelligence Data Platform
Army Vantage
Aws Govcloud
Fips.So
Niprnet
More
Published
2026-06-17, 14:21