After looking over that Wikileaks flow chart yesterday, I got curious about what the Automated Implants Branch could be.
They design software to Automatically Implant whatever payload the CIA requires on the target machine, to exfiltrate data and/or RAT (Remote Access Tool) the machine.
You mentioned the Grasshopper program. Look to the documentation:
https://wikileaks.org/ciav7p1/cms/space_3276805.html
https://wikileaks.org/ciav7p1/cms/page_12353656.html
https://wikileaks.org/ciav7p1/cms/page_17072532.html
C++ code too... fast, mixed with a Python build script that calls cmd.exe -quiet. RAT access is provided via XML (eXtensible Markup Language). Runs strictly in memory. Actively evades anti-virus scanners. Custom-tailors the malware payload depending on what software is already installed on the target machine.
It can also exfiltrate the build logs with error codes for the malware (payload) they load on the target machine, so the malware installation process can be adapted to bypass any build / installation errors.
This program is highly adaptable, automated as much as possible, and polymorphic. It also implements an uninstall procedure, which implies that once this program has access, implants the payload(s), and compromises the target, it can be removed to thwart forensics, or if something goes wrong during installation.
System hooks, low-level procedure calls, and running as a registered service make detection difficult during installation, and almost impossible post-installation - unless you know where to look. This is why it's always good to make a baseline log of running services and Registry Hive snapshots on a fresh windoze install. There is freeware out there that will do this and compare it to the current configuration. (Don't remember the names of the programs offhand.)
This is a nasty little piece of work, but interesting in how they decided to implement it.
This is how the program survives reboots - since it runs in RAM.
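The baseline-and-compare idea from the reply above, as an added example (not code from the thread, and not anything from the Grasshopper documents): a PowerShell script that snapshots installed services, the service definitions in the SYSTEM hive, and the common Run/RunOnce autorun keys on a clean machine, then diffs a later snapshot against that baseline. Sysinternals Autoruns covers the same ground with far more locations; this script is just the minimal, offline version of the check. The file path and the set of registry keys are my own choices, not anything the thread specifies.

```powershell
# Added example, not from the thread: baseline services and autorun registry
# keys on a fresh Windows install, then diff a later snapshot against it.
# Usage:  .\Baseline.ps1 -Mode Snapshot -Path C:\baseline\clean.json
#         .\Baseline.ps1 -Mode Compare  -Path C:\baseline\clean.json
param(
    [ValidateSet('Snapshot','Compare')][string]$Mode = 'Snapshot',
    [string]$Path = "$env:USERPROFILE\baseline.json"   # assumed default location
)

# Registry locations commonly used for persistence (an assumed, deliberately
# short list; Autoruns checks many more).
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-Snapshot {
    # Services as CIM sees them: name, start mode and image path. Get-Service
    # alone does not expose the binary path, which is what you want to diff.
    $services = Get-CimInstance Win32_Service |
        ForEach-Object { "svc|$($_.Name)|$($_.StartMode)|$($_.PathName)" }

    # Service definitions straight from the hive, so a service that is
    # registered but not currently running is still captured.
    $svcKeys = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            "svckey|$($_.PSChildName)|$($p.ImagePath)|$($p.ServiceDll)"
        }

    # Autorun values: every name/value pair under the keys listed above,
    # skipping the PS* metadata properties the provider adds.
    $autoruns = foreach ($k in $AutorunKeys) {
        $p = Get-ItemProperty $k -ErrorAction SilentlyContinue
        if ($null -eq $p) { continue }
        $p.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { "autorun|$k|$($_.Name)|$($_.Value)" }
    }

    # One sorted list of strings keeps the diff stable and readable.
    @($services) + @($svcKeys) + @($autoruns) | Sort-Object -Unique
}

switch ($Mode) {
    'Snapshot' {
        Get-Snapshot | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
        Write-Host "Baseline written to $Path"
    }
    'Compare' {
        $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
        $current  = Get-Snapshot
        # SideIndicator '=>' : present now but not in the baseline (new service
        # or autorun). '<=' : in the baseline but gone now (removed or renamed).
        Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
            Sort-Object SideIndicator, InputObject |
            Format-Table -AutoSize
    }
}
```

Run the Snapshot mode once on the clean install and store the JSON somewhere the machine itself cannot rewrite (removable media, or a hash of it kept elsewhere); a baseline that lives on the box being checked can be edited by the same implant you are looking for. Run Compare from an elevated prompt, since HKLM service keys are not fully readable otherwise.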