cyber_threat_intelligence/actors/APT18/README.md

# APT18 - Cyber Threat Intelligence

These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT18](https://vuldb.com/?actor.apt18). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt18](https://vuldb.com/?actor.apt18)

## Campaigns

The following _campaigns_ are known and can be associated with APT18:

* Wekby

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT18.

ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [23.252.166.89](https://vuldb.com/?ip.23.252.166.89) | - | Wekby | High
2 | [23.252.166.99](https://vuldb.com/?ip.23.252.166.99) | - | Wekby | High
3 | [107.180.58.70](https://vuldb.com/?ip.107.180.58.70) | ip-107-180-58-70.ip.secureserver.net | Wekby | High
4 | ... | ... | ... | ...

There are 2 more IOC items available. Please use our online service to access the data.

## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://github.com/fireeye/iocs/blob/master/APT18/0ae061d7-c624-4a84-8adf-00281b97797b.ioc
* https://unit42.paloaltonetworks.com/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00			`# APT18 - Cyber Threat Intelligence`

Update 2022-03-18 09:38:46 +00:00			These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT18](https://vuldb.com/?actor.apt18). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
Update 2022-03-18 09:38:46 +00:00			`_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt18](https://vuldb.com/?actor.apt18)`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
			`## Campaigns`

Update 2022-03-18 09:38:46 +00:00			`The following _campaigns_ are known and can be associated with APT18:`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
			`* Wekby`

			`## IOC - Indicator of Compromise`

Update 2022-03-18 09:38:46 +00:00			`These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT18.`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
Update 2022-03-18 09:38:46 +00:00			`ID \| IP address \| Hostname \| Campaign \| Confidence`
			`-- \| ---------- \| -------- \| -------- \| ----------`
			`1 \| [23.252.166.89](https://vuldb.com/?ip.23.252.166.89) \| - \| Wekby \| High`
			`2 \| [23.252.166.99](https://vuldb.com/?ip.23.252.166.99) \| - \| Wekby \| High`
			`3 \| [107.180.58.70](https://vuldb.com/?ip.107.180.58.70) \| ip-107-180-58-70.ip.secureserver.net \| Wekby \| High`
			`4 \| ... \| ... \| ... \| ...`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
			`There are 2 more IOC items available. Please use our online service to access the data.`

			`## References`

Update 2022-03-18 09:38:46 +00:00			`The following list contains _external sources_ which discuss the actor and the associated activities:`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
			`* https://github.com/fireeye/iocs/blob/master/APT18/0ae061d7-c624-4a84-8adf-00281b97797b.ioc`
			`* https://unit42.paloaltonetworks.com/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/`

			`## Literature`

Update 2022-03-18 09:38:46 +00:00			`The following _articles_ explain our unique predictive cyber threat intelligence:`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00
Update 2022-01-26 14:36:47 +00:00			`* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)`
Converted from AsciiDoc to Markdown 2021-09-30 09:58:16 +00:00			`* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)`

			`## License`

Update 2022-01-26 14:36:47 +00:00			`(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!`