The malware is known as Elsa and has to be installed using separate CIA exploits, according to the manual which was released on Wednesday. It runs on either 32-bit or 64-bit Windows 7.
It then scans visible Wi-Fi access points and periodically records the name of the connection, the MAC address and the signal strength.
The manual dates back to September 2013. It says: "Elsa provides pattern of life geolocation information by recording the details of Wi-Fi access points near the target machine and transmitting that metadata to third-party databases for resolution into latitude, longitude and an accuracy measure.
The target machine does not need to be connected to an access point for the exploit to work; it only needs to be on and have its Wi-Fi device enabled.
When connected to the Internet, the malware stores geolocation data, collected from publicly available Microsoft and Google databases, along with timestamps.
Any collected data needs to be exfiltrated by an operator using other CIA exploits.
The first Vault 7 dump was on 7 March and it is claimed to be the biggest leak of CIA documents so far.