Update

APT41/README.md

@@ -1,6 +1,6 @@
 # APT41 - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT41](https://vuldb.com/?actor.apt41). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT41](https://vuldb.com/?actor.apt41). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt41](https://vuldb.com/?actor.apt41)
 
@@ -31,7 +31,7 @@ ID | IP address | Hostname | Confidence
 2 | 43.255.191.255 | - | High
 3 | 45.76.6.149 | 45.76.6.149.vultr.com | Medium
 4 | 45.76.75.219 | 45.76.75.219.vultr.com | Medium
-5 | 45.138.157.78 | vpnru07.12.21.example.com | High
+5 | 45.138.157.78 | vm303301.pq.hosting | High
 6 | 61.78.62.21 | - | High
 7 | 61.195.98.245 | h61-195-98-245.ablenetvps.ne.jp | High
 8 | 66.42.48.186 | 66.42.48.186.vultr.com | Medium
@@ -44,8 +44,8 @@ ID | IP address | Hostname | Confidence
 15 | 67.198.161.252 | 67.198.161.252.CUSTOMER.KRYPT.COM | High
 16 | 74.82.201.8 | 74.82.201.8.16clouds.com | High
 17 | 91.208.184.78 | wk-azure.biz | High
-18 | 103.19.3.21 | - | High
-19 | 103.19.3.109 | - | High
+18 | 103.19.3.21 | 103.19.3.21.static.xtom.com | High
+19 | 103.19.3.109 | 103.19.3.109.static.xtom.com | High
 20 | ... | ... | ...
 
 There are 38 more IOC items available. Please use our online service to access the data.
@@ -61,7 +61,7 @@ ID | Technique | Description | Confidence
 3 | T1211 | 7PK Security Features | High
 4 | ... | ... | ...
 
-There are 5 more TTP items available. Please use our online service to access the data.
+There are 6 more TTP items available. Please use our online service to access the data.
 
 ## IOA - Indicator of Attack
 
@@ -69,19 +69,19 @@ These indicators of attack list the potential fragments used for technical activ
 
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/etc/config/rpcd` | High
-2 | File | `/forum/away.php` | High
-3 | File | `/get_getnetworkconf.cgi` | High
-4 | File | `/lists/admin/` | High
-5 | File | `/login.cgi?logout=1` | High
-6 | File | `/public/login.htm` | High
-7 | File | `/tmp/app/.env` | High
-8 | File | `/wp-admin/admin-ajax.php` | High
-9 | File | `/_next` | Low
-10 | File | `addentry.php` | Medium
+1 | File | `/api/blade-log/api/list` | High
+2 | File | `/category_view.php` | High
+3 | File | `/cgi-bin/system_mgr.cgi` | High
+4 | File | `/debug/pprof` | Medium
+5 | File | `/etc/config/rpcd` | High
+6 | File | `/forum/away.php` | High
+7 | File | `/get_getnetworkconf.cgi` | High
+8 | File | `/lists/admin/` | High
+9 | File | `/login.cgi?logout=1` | High
+10 | File | `/public/login.htm` | High
 11 | ... | ... | ...
 
-There are 109 more IOA items available. Please use our online service to access the data.
+There are 126 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -103,9 +103,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Armor Piercer/README.md

@@ -1,6 +1,6 @@
 # Armor Piercer - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Armor Piercer](https://vuldb.com/?actor.armor_piercer). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Armor Piercer](https://vuldb.com/?actor.armor_piercer). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.armor_piercer](https://vuldb.com/?actor.armor_piercer)
 
@@ -40,14 +40,15 @@ These indicators of attack list the potential fragments used for technical activ
 
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `category.cfm` | Medium
-2 | File | `itemlookup.asp` | High
-3 | File | `mat5.c` | Low
-4 | File | `phddns.lua` | Medium
-5 | File | `register.php` | Medium
-6 | Argument | `cat` | Low
-7 | Argument | `new-interface` | High
-8 | Argument | `PATH_INFO` | Medium
+1 | File | `app\admin\controller\sys\Uploads.php` | High
+2 | File | `category.cfm` | Medium
+3 | File | `itemlookup.asp` | High
+4 | File | `mat5.c` | Low
+5 | File | `phddns.lua` | Medium
+6 | File | `register.php` | Medium
+7 | Argument | `cat` | Low
+8 | Argument | `new-interface` | High
+9 | Argument | `PATH_INFO` | Medium
 
 ## References
 
@@ -59,9 +60,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Bunse/README.md

@@ -0,0 +1,54 @@
+# Bunse - Cyber Threat Intelligence
+
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bunse](https://vuldb.com/?actor.bunse). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+
+Live data and more analysis capabilities are available at [https://vuldb.com/?actor.bunse](https://vuldb.com/?actor.bunse)
+
+## Campaigns
+
+The following campaigns are known and can be associated with Bunse:
+
+* Afghanistan and India
+
+## Countries
+
+These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bunse:
+
+* ES
+* US
+
+## IOC - Indicator of Compromise
+
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Bunse.
+
+ID | IP address | Hostname | Confidence
+-- | ---------- | -------- | ----------
+1 | 62.171.157.185 | vmi479022.contaboserver.net | High
+2 | 95.111.241.233 | vmi698587.contaboserver.net | High
+
+## IOA - Indicator of Attack
+
+These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Bunse. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `data/gbconfiguration.dat` | High
+2 | File | `detail.asp` | Medium
+3 | Argument | `iType` | Low
+
+## References
+
+The following list contains external sources which discuss the actor and the associated activities:
+
+* https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
+
+## Literature
+
+The following articles explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Cerber/README.md

@@ -1,6 +1,6 @@
 # Cerber - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Cerber](https://vuldb.com/?actor.cerber). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Cerber](https://vuldb.com/?actor.cerber). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.cerber](https://vuldb.com/?actor.cerber)
 
@@ -9,11 +9,11 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
 These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cerber:
 
 * US
-* IR
 * CN
+* DE
 * ...
 
-There are 3 more country items available. Please use our online service to access the data.
+There are 6 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -21,29 +21,29 @@ These indicators of compromise indicate associated network ressources which are
 
 ID | IP address | Hostname | Confidence
 -- | ---------- | -------- | ----------
-1 | 5.196.159.173 | - | High
-2 | 23.152.0.36 | tcts-000036.techtrapes.com | High
-3 | 34.199.22.139 | ec2-34-199-22-139.compute-1.amazonaws.com | Medium
-4 | 45.56.79.23 | li929-23.members.linode.com | High
-5 | 52.2.101.52 | ec2-52-2-101-52.compute-1.amazonaws.com | Medium
-6 | 52.21.132.24 | ec2-52-21-132-24.compute-1.amazonaws.com | Medium
-7 | 54.84.252.139 | ec2-54-84-252-139.compute-1.amazonaws.com | Medium
-8 | 54.87.5.88 | ec2-54-87-5-88.compute-1.amazonaws.com | Medium
-9 | 54.88.175.149 | ec2-54-88-175-149.compute-1.amazonaws.com | Medium
-10 | 54.152.181.87 | ec2-54-152-181-87.compute-1.amazonaws.com | Medium
-11 | 78.128.92.96 | - | High
-12 | 85.93.0.0 | - | High
-13 | 87.96.148.0 | h87-96-148-0.cust.a3fiber.se | High
-14 | 87.97.148.0 | - | High
-15 | 87.98.148.0 | sbg5-mail-137.bouncer.cloud | High
-16 | 87.106.18.141 | - | High
-17 | 91.119.56.0 | 91-119-56-0.dsl.dynamic.surfer.at | High
-18 | 91.119.216.0 | 91-119-216-0.dsl.dynamic.surfer.at | High
-19 | 91.120.56.0 | - | High
-20 | 91.120.216.0 | - | High
+1 | 5.9.49.12 | static.12.49.9.5.clients.your-server.de | High
+2 | 5.135.183.146 | freya.stelas.de | High
+3 | 5.196.159.173 | - | High
+4 | 13.107.21.200 | - | High
+5 | 23.94.5.133 | 23-94-5-133-host.colocrossing.com | High
+6 | 23.152.0.36 | tcts-000036.techtrapes.com | High
+7 | 34.199.22.139 | ec2-34-199-22-139.compute-1.amazonaws.com | Medium
+8 | 45.32.28.232 | - | High
+9 | 45.56.79.23 | li929-23.members.linode.com | High
+10 | 45.56.117.118 | li935-118.members.linode.com | High
+11 | 45.63.25.55 | 45.63.25.55.vultr.com | Medium
+12 | 45.63.99.180 | 45.63.99.180.uk003.ys.com | High
+13 | 52.2.101.52 | ec2-52-2-101-52.compute-1.amazonaws.com | Medium
+14 | 52.21.132.24 | ec2-52-21-132-24.compute-1.amazonaws.com | Medium
+15 | 54.84.252.139 | ec2-54-84-252-139.compute-1.amazonaws.com | Medium
+16 | 54.87.5.88 | ec2-54-87-5-88.compute-1.amazonaws.com | Medium
+17 | 54.88.175.149 | ec2-54-88-175-149.compute-1.amazonaws.com | Medium
+18 | 54.152.181.87 | ec2-54-152-181-87.compute-1.amazonaws.com | Medium
+19 | 78.128.92.96 | - | High
+20 | 84.201.32.108 | - | High
 21 | ... | ... | ...
 
-There are 41 more IOC items available. Please use our online service to access the data.
+There are 60 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -66,18 +66,18 @@ These indicators of attack list the potential fragments used for technical activ
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
 1 | File | `+CSCO` | Low
-2 | File | `/cgi-bin/login_action.cgi` | High
-3 | File | `/cns/` | Low
-4 | File | `/DbXmlInfo.xml` | High
-5 | File | `/etc/auditlog-keeper.conf` | High
-6 | File | `/forms/web_importTFTP` | High
-7 | File | `/OA_HTML/cabo/jsps/a.jsp` | High
-8 | File | `/plugin/extended-choice-parameter/js/` | High
-9 | File | `/rest/api/1.0/render` | High
-10 | File | `/shell?cmd` | Medium
+2 | File | `.htaccess` | Medium
+3 | File | `/cgi-bin/login_action.cgi` | High
+4 | File | `/cns/` | Low
+5 | File | `/DbXmlInfo.xml` | High
+6 | File | `/etc/auditlog-keeper.conf` | High
+7 | File | `/forms/web_importTFTP` | High
+8 | File | `/OA_HTML/cabo/jsps/a.jsp` | High
+9 | File | `/plugin/extended-choice-parameter/js/` | High
+10 | File | `/rest/api/1.0/render` | High
 11 | ... | ... | ...
 
-There are 521 more IOA items available. Please use our online service to access the data.
+There are 634 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -91,14 +91,15 @@ The following list contains external sources which discuss the actor and the ass
 * https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
 * https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1029-1105.html
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Cryptbot/README.md

@@ -0,0 +1,38 @@
+# Cryptbot - Cyber Threat Intelligence
+
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Cryptbot](https://vuldb.com/?actor.cryptbot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+
+Live data and more analysis capabilities are available at [https://vuldb.com/?actor.cryptbot](https://vuldb.com/?actor.cryptbot)
+
+## IOC - Indicator of Compromise
+
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Cryptbot.
+
+ID | IP address | Hostname | Confidence
+-- | ---------- | -------- | ----------
+1 | 8.248.153.254 | - | High
+2 | 8.248.163.254 | - | High
+3 | 8.248.167.254 | - | High
+4 | 8.249.223.254 | - | High
+5 | 8.249.233.254 | - | High
+6 | 8.253.45.239 | - | High
+7 | ... | ... | ...
+
+There are 10 more IOC items available. Please use our online service to access the data.
+
+## References
+
+The following list contains external sources which discuss the actor and the associated activities:
+
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1008-1015.html
+
+## Literature
+
+The following articles explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

DEV-0322/README.md

@@ -1,6 +1,6 @@
 # DEV-0322 - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [DEV-0322](https://vuldb.com/?actor.dev-0322). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DEV-0322](https://vuldb.com/?actor.dev-0322). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dev-0322](https://vuldb.com/?actor.dev-0322)
 
@@ -9,11 +9,13 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
 The following campaigns are known and can be associated with DEV-0322:
 
 * CVE-2021-35211
+* ManageEngine ADSelfService Plus
 
 ## Countries
 
 These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DEV-0322:
 
+* US
 * CN
 
 ## IOC - Indicator of Compromise
@@ -22,12 +24,27 @@ These indicators of compromise indicate associated network ressources which are
 
 ID | IP address | Hostname | Confidence
 -- | ---------- | -------- | ----------
-1 | 68.235.178.32 | huntres-cgo-cm1-68-235-178-32.vianet.ca | High
-2 | 97.77.97.58 | rrcs-97-77-97-58.sw.biz.rr.com | High
-3 | 98.176.196.89 | ip98-176-196-89.sd.sd.cox.net | High
+1 | 24.64.36.238 | mail.target-realty.com | High
+2 | 45.63.62.109 | 45.63.62.109.vultr.com | Medium
+3 | 45.76.173.103 | 45.76.173.103.vultr.com | Medium
+4 | 45.77.121.232 | 45.77.121.232.vultr.com | Medium
+5 | 66.42.98.156 | 66.42.98.156.vultr.com | Medium
+6 | ... | ... | ...
+
+There are 9 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by DEV-0322. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Description | Confidence
+-- | --------- | ----------- | ----------
+1 | T1059.007 | Cross Site Scripting | High
+2 | T1068 | Execution with Unnecessary Privileges | High
+3 | T1499 | Resource Consumption | High
 4 | ... | ... | ...
 
-There are 2 more IOC items available. Please use our online service to access the data.
+There are 2 more TTP items available. Please use our online service to access the data.
 
 ## IOA - Indicator of Attack
 
@@ -35,23 +52,34 @@ These indicators of attack list the potential fragments used for technical activ
 
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `flow.php` | Medium
-2 | Argument | `--config/--debugger` | High
-3 | Argument | `goods_number` | Medium
+1 | File | `admin/conf_users_edit.php` | High
+2 | File | `data/gbconfiguration.dat` | High
+3 | File | `flow.php` | Medium
+4 | File | `goform/setUsbUnload` | High
+5 | File | `HTTPServerILServlet.java` | High
+6 | File | `login_meeting.cgi` | High
+7 | File | `manager.c` | Medium
+8 | File | `options.cpp` | Medium
+9 | File | `redir.php` | Medium
+10 | File | `register.php` | Medium
+11 | ... | ... | ...
+
+There are 21 more IOA items available. Please use our online service to access the data.
 
 ## References
 
 The following list contains external sources which discuss the actor and the associated activities:
 
+* https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
 * https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Darkkomet/README.md

@@ -0,0 +1,30 @@
+# Darkkomet - Cyber Threat Intelligence
+
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Darkkomet](https://vuldb.com/?actor.darkkomet). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+
+Live data and more analysis capabilities are available at [https://vuldb.com/?actor.darkkomet](https://vuldb.com/?actor.darkkomet)
+
+## IOC - Indicator of Compromise
+
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Darkkomet.
+
+ID | IP address | Hostname | Confidence
+-- | ---------- | -------- | ----------
+1 | 209.99.40.222 | 209-99-40-222.fwd.datafoundry.com | High
+
+## References
+
+The following list contains external sources which discuss the actor and the associated activities:
+
+* https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
+
+## Literature
+
+The following articles explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Darkode/README.md

@@ -0,0 +1,54 @@
+# Darkode - Cyber Threat Intelligence
+
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Darkode](https://vuldb.com/?actor.darkode). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+
+Live data and more analysis capabilities are available at [https://vuldb.com/?actor.darkode](https://vuldb.com/?actor.darkode)
+
+## Countries
+
+These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Darkode:
+
+* DE
+* US
+
+## IOC - Indicator of Compromise
+
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Darkode.
+
+ID | IP address | Hostname | Confidence
+-- | ---------- | -------- | ----------
+1 | 80.82.66.204 | no-reverse-dns-configured.com | High
+
+## TTP - Tactics, Techniques, Procedures
+
+Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Darkode. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Description | Confidence
+-- | --------- | ----------- | ----------
+1 | T1059.007 | Cross Site Scripting | High
+2 | T1068 | Execution with Unnecessary Privileges | High
+
+## IOA - Indicator of Attack
+
+These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Darkode. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `data/gbconfiguration.dat` | High
+
+## References
+
+The following list contains external sources which discuss the actor and the associated activities:
+
+* https://ddanchev.blogspot.com/2021/10/exposing-darkode-forum-bust-and.html
+
+## Literature
+
+The following articles explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Dridex/README.md

@@ -1,6 +1,6 @@
 # Dridex - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Dridex](https://vuldb.com/?actor.dridex). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dridex](https://vuldb.com/?actor.dridex). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dridex](https://vuldb.com/?actor.dridex)
 
@@ -78,7 +78,7 @@ ID | Type | Indicator | Confidence
 10 | File | `/admin/index.php?c=database` | High
 11 | ... | ... | ...
 
-There are 1351 more IOA items available. Please use our online service to access the data.
+There are 1365 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -113,9 +113,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Emotet/README.md

@@ -1,6 +1,6 @@
 # Emotet - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Emotet](https://vuldb.com/?actor.emotet). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Emotet](https://vuldb.com/?actor.emotet). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.emotet](https://vuldb.com/?actor.emotet)
 
@@ -10,10 +10,10 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
 
 * US
 * CN
-* VN
+* ES
 * ...
 
-There are 33 more country items available. Please use our online service to access the data.
+There are 40 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -35,15 +35,15 @@ ID | IP address | Hostname | Confidence
 12 | 5.89.33.136 | net-5-89-33-136.cust.vodafonedsl.it | High
 13 | 5.196.35.138 | vps10.open-techno.net | High
 14 | 5.230.193.41 | casagarcia-web.sys.netzfabrik.eu | High
-15 | 8.4.9.137 | host-8-4-9-137.onlinehorizons.net | High
+15 | 8.4.9.137 | onlinehorizons.net | High
 16 | 12.162.84.2 | - | High
 17 | 12.163.208.58 | - | High
 18 | 12.184.217.101 | - | High
-19 | 24.43.99.75 | rrcs-24-43-99-75.west.biz.rr.com | High
-20 | 24.101.229.82 | dynamic-acs-24-101-229-82.zoominternet.net | High
+19 | 23.6.65.194 | a23-6-65-194.deploy.static.akamaitechnologies.com | High
+20 | 23.36.85.183 | a23-36-85-183.deploy.static.akamaitechnologies.com | High
 21 | ... | ... | ...
 
-There are 379 more IOC items available. Please use our online service to access the data.
+There are 425 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -55,9 +55,10 @@ ID | Technique | Description | Confidence
 2 | T1068 | Execution with Unnecessary Privileges | High
 3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
 4 | T1211 | 7PK Security Features | High
-5 | ... | ... | ...
+5 | T1222 | Permission Issues | High
+6 | ... | ... | ...
 
-There are 7 more TTP items available. Please use our online service to access the data.
+There are 9 more TTP items available. Please use our online service to access the data.
 
 ## IOA - Indicator of Attack
 
@@ -65,19 +66,19 @@ These indicators of attack list the potential fragments used for technical activ
 
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/.ssh/authorized_keys` | High
-2 | File | `/accounts/password_change/` | High
-3 | File | `/anony/mjpg.cgi` | High
-4 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
-5 | File | `/core/kernels/ctc_decoder_ops.cc` | High
-6 | File | `/HNAP1` | Low
-7 | File | `/out.php` | Medium
-8 | File | `/PreviewHandler.ashx` | High
-9 | File | `/rukovoditel_2.4.1/index.php?module=configuration/save&redirect_to=configuration/application` | High
-10 | File | `/shared/view_source.php` | High
+1 | File | `..\WWWRoot\CustomPages\aspshell.asp` | High
+2 | File | `/.env` | Low
+3 | File | `/.ssh/authorized_keys` | High
+4 | File | `/accounts/password_change/` | High
+5 | File | `/admin/` | Low
+6 | File | `/admin/account/changepassword` | High
+7 | File | `/admin/account/changeprofileimage` | High
+8 | File | `/admin/account/clearcache` | High
+9 | File | `/admin/cms.php` | High
+10 | File | `/admin/communitymanagement.php` | High
 11 | ... | ... | ...
 
-There are 275 more IOA items available. Please use our online service to access the data.
+There are 736 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -89,6 +90,9 @@ The following list contains external sources which discuss the actor and the ass
 * https://blog.talosintelligence.com/2021/06/threat-roundup-0617-0624.html
 * https://blog.talosintelligence.com/2021/07/threat-roundup-0723-0730.html
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1022-1029.html
+* https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
 * https://community.blueliv.com/#!/s/5fb2ee2482df413eaf344b29
 * https://unit42.paloaltonetworks.com/emotet-command-and-control/
 
@@ -96,9 +100,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

FIN12/README.md

@@ -1,6 +1,6 @@
 # FIN12 - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [FIN12](https://vuldb.com/?actor.fin12). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN12](https://vuldb.com/?actor.fin12). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fin12](https://vuldb.com/?actor.fin12)
 
@@ -33,10 +33,10 @@ ID | Technique | Description | Confidence
 -- | --------- | ----------- | ----------
 1 | T1059.007 | Cross Site Scripting | High
 2 | T1068 | Execution with Unnecessary Privileges | High
-3 | T1499 | Resource Consumption | High
+3 | T1222 | Permission Issues | High
 4 | ... | ... | ...
 
-There are 1 more TTP items available. Please use our online service to access the data.
+There are 2 more TTP items available. Please use our online service to access the data.
 
 ## IOA - Indicator of Attack
 
@@ -52,11 +52,11 @@ ID | Type | Indicator | Confidence
 6 | File | `/modules/projects/vw_files.php` | High
 7 | File | `/modules/public/calendar.php` | High
 8 | File | `/services/details.asp` | High
-9 | File | `/_core/profile/` | High
-10 | File | `adclick.php` | Medium
+9 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
+10 | File | `/_core/profile/` | High
 11 | ... | ... | ...
 
-There are 112 more IOA items available. Please use our online service to access the data.
+There are 122 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -68,9 +68,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

FamousSparrow/README.md

@@ -1,6 +1,6 @@
 # FamousSparrow - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [FamousSparrow](https://vuldb.com/?actor.famoussparrow). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FamousSparrow](https://vuldb.com/?actor.famoussparrow). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.famoussparrow](https://vuldb.com/?actor.famoussparrow)
 
@@ -28,10 +28,10 @@ ID | Technique | Description | Confidence
 -- | --------- | ----------- | ----------
 1 | T1059.007 | Cross Site Scripting | High
 2 | T1068 | Execution with Unnecessary Privileges | High
-3 | T1211 | 7PK Security Features | High
+3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ...
 
-There are 1 more TTP items available. Please use our online service to access the data.
+There are 2 more TTP items available. Please use our online service to access the data.
 
 ## IOA - Indicator of Attack
 
@@ -63,9 +63,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Fareit/README.md

@@ -1,6 +1,6 @@
 # Fareit - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Fareit](https://vuldb.com/?actor.fareit). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Fareit](https://vuldb.com/?actor.fareit). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fareit](https://vuldb.com/?actor.fareit)
 
@@ -8,12 +8,12 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
 
 These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Fareit:
 
-* US
 * GB
-* FR
+* US
+* CA
 * ...
 
-There are 1 more country items available. Please use our online service to access the data.
+There are 4 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -23,11 +23,24 @@ ID | IP address | Hostname | Confidence
 -- | ---------- | -------- | ----------
 1 | 23.21.126.66 | ec2-23-21-126-66.compute-1.amazonaws.com | Medium
 2 | 23.21.252.4 | ec2-23-21-252-4.compute-1.amazonaws.com | Medium
-3 | 79.134.225.53 | - | High
-4 | 91.195.240.117 | - | High
-5 | ... | ... | ...
+3 | 34.117.168.233 | 233.168.117.34.bc.googleusercontent.com | Medium
+4 | 50.87.236.238 | 50-87-236-238.unifiedlayer.com | High
+5 | 63.141.242.46 | - | High
+6 | 64.219.114.114 | adsl-64-219-114-114.dsl.bumttx.swbell.net | High
+7 | 66.228.61.192 | li318-192.members.linode.com | High
+8 | 68.171.208.119 | penandpixel.com | High
+9 | 71.42.56.253 | rrcs-71-42-56-253.se.biz.rr.com | High
+10 | 74.125.192.138 | qn-in-f138.1e100.net | High
+11 | 75.98.175.114 | a2ss23.a2hosting.com | High
+12 | 79.134.225.53 | - | High
+13 | 81.17.18.194 | - | High
+14 | 81.17.29.146 | - | High
+15 | 81.169.145.70 | w06.rzone.de | High
+16 | 81.169.145.164 | wa4.rzone.de | High
+17 | 82.145.53.14 | table1555.cfd | High
+18 | ... | ... | ...
 
-There are 7 more IOC items available. Please use our online service to access the data.
+There are 32 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -37,10 +50,11 @@ ID | Technique | Description | Confidence
 -- | --------- | ----------- | ----------
 1 | T1059.007 | Cross Site Scripting | High
 2 | T1068 | Execution with Unnecessary Privileges | High
-3 | T1211 | 7PK Security Features | High
-4 | ... | ... | ...
+3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
+4 | T1211 | 7PK Security Features | High
+5 | ... | ... | ...
 
-There are 1 more TTP items available. Please use our online service to access the data.
+There are 6 more TTP items available. Please use our online service to access the data.
 
 ## IOA - Indicator of Attack
 
@@ -48,33 +62,36 @@ These indicators of attack list the potential fragments used for technical activ
 
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/uncpath/` | Medium
-2 | File | `cat.php` | Low
-3 | File | `detail.php` | Medium
-4 | File | `filemanager/model.php` | High
-5 | File | `gallery.php` | Medium
-6 | File | `libbb/lineedit.c` | High
-7 | File | `PDF.js` | Low
-8 | File | `reports_mta_queue_status.html` | High
-9 | File | `send_reminders.php` | High
-10 | File | `shop_display_products.php` | High
+1 | File | `/admin/download_frame.php` | High
+2 | File | `/backups/` | Medium
+3 | File | `/etc/sudoers` | Medium
+4 | File | `/index.php?controller=system&action=admin_edit_act` | High
+5 | File | `/uncpath/` | Medium
+6 | File | `bits.c` | Low
+7 | File | `cat.php` | Low
+8 | File | `Cgi/admindb.py` | High
+9 | File | `core/kernels/count_ops.cc` | High
+10 | File | `data/gbconfiguration.dat` | High
 11 | ... | ... | ...
 
-There are 12 more IOA items available. Please use our online service to access the data.
+There are 53 more IOA items available. Please use our online service to access the data.
 
 ## References
 
 The following list contains external sources which discuss the actor and the associated activities:
 
 * https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1008-1015.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

FontOnLake/README.md

@@ -1,6 +1,6 @@
 # FontOnLake - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [FontOnLake](https://vuldb.com/?actor.fontonlake). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FontOnLake](https://vuldb.com/?actor.fontonlake). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fontonlake](https://vuldb.com/?actor.fontonlake)
 
@@ -62,9 +62,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Formbook/README.md

@@ -1,6 +1,6 @@
 # Formbook - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Formbook](https://vuldb.com/?actor.formbook). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Formbook](https://vuldb.com/?actor.formbook). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.formbook](https://vuldb.com/?actor.formbook)
 
@@ -8,12 +8,12 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
 
 These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Formbook:
 
+* GB
 * US
 * CN
-* DE
 * ...
 
-There are 5 more country items available. Please use our online service to access the data.
+There are 8 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -26,24 +26,24 @@ ID | IP address | Hostname | Confidence
 3 | 5.134.13.72 | i51.gds.guru.net.uk | High
 4 | 13.59.53.244 | ec2-13-59-53-244.us-east-2.compute.amazonaws.com | Medium
 5 | 13.107.42.12 | 1drv.ms | High
-6 | 20.36.253.92 | - | High
-7 | 23.6.69.99 | a23-6-69-99.deploy.static.akamaitechnologies.com | High
-8 | 23.227.38.74 | - | High
-9 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
-10 | 34.214.40.214 | ec2-34-214-40-214.us-west-2.compute.amazonaws.com | Medium
-11 | 34.216.47.14 | ec2-34-216-47-14.us-west-2.compute.amazonaws.com | Medium
-12 | 34.242.63.192 | ec2-34-242-63-192.eu-west-1.compute.amazonaws.com | Medium
-13 | 34.243.160.251 | ec2-34-243-160-251.eu-west-1.compute.amazonaws.com | Medium
-14 | 34.255.61.59 | ec2-34-255-61-59.eu-west-1.compute.amazonaws.com | Medium
-15 | 35.178.125.63 | ec2-35-178-125-63.eu-west-2.compute.amazonaws.com | Medium
-16 | 40.77.18.167 | - | High
-17 | 40.126.26.134 | - | High
-18 | 44.230.27.49 | ec2-44-230-27-49.us-west-2.compute.amazonaws.com | Medium
-19 | 45.135.229.212 | iad.scarletshark.net | High
-20 | 47.75.37.155 | - | High
+6 | 13.248.216.40 | afdda383cf24ec8c3.awsglobalaccelerator.com | High
+7 | 20.36.253.92 | - | High
+8 | 23.6.69.99 | a23-6-69-99.deploy.static.akamaitechnologies.com | High
+9 | 23.227.38.74 | - | High
+10 | 34.98.99.30 | 30.99.98.34.bc.googleusercontent.com | Medium
+11 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
+12 | 34.214.40.214 | ec2-34-214-40-214.us-west-2.compute.amazonaws.com | Medium
+13 | 34.216.47.14 | ec2-34-216-47-14.us-west-2.compute.amazonaws.com | Medium
+14 | 34.242.63.192 | ec2-34-242-63-192.eu-west-1.compute.amazonaws.com | Medium
+15 | 34.243.160.251 | ec2-34-243-160-251.eu-west-1.compute.amazonaws.com | Medium
+16 | 34.255.61.59 | ec2-34-255-61-59.eu-west-1.compute.amazonaws.com | Medium
+17 | 35.178.125.63 | ec2-35-178-125-63.eu-west-2.compute.amazonaws.com | Medium
+18 | 40.77.18.167 | - | High
+19 | 40.126.26.134 | - | High
+20 | 44.227.65.245 | ec2-44-227-65-245.us-west-2.compute.amazonaws.com | Medium
 21 | ... | ... | ...
 
-There are 73 more IOC items available. Please use our online service to access the data.
+There are 87 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -78,7 +78,7 @@ ID | Type | Indicator | Confidence
 10 | File | `/admin/admintools/tool.php` | High
 11 | ... | ... | ...
 
-There are 2013 more IOA items available. Please use our online service to access the data.
+There are 2064 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -89,14 +89,15 @@ The following list contains external sources which discuss the actor and the ass
 * https://blog.talosintelligence.com/2021/07/threat-roundup-0723-0730.html
 * https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
 * https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1029-1105.html
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Fqnx/README.md

@@ -0,0 +1,31 @@
+# Fqnx - Cyber Threat Intelligence
+
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Fqnx](https://vuldb.com/?actor.fqnx). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+
+Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fqnx](https://vuldb.com/?actor.fqnx)
+
+## IOC - Indicator of Compromise
+
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Fqnx.
+
+ID | IP address | Hostname | Confidence
+-- | ---------- | -------- | ----------
+1 | 192.168.0.41 | - | High
+2 | 192.168.1.255 | - | High
+
+## References
+
+The following list contains external sources which discuss the actor and the associated activities:
+
+* https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
+
+## Literature
+
+The following articles explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

GandCrab/README.md

@@ -1,6 +1,6 @@
 # Gandcrab - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Gandcrab](https://vuldb.com/?actor.gandcrab). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gandcrab](https://vuldb.com/?actor.gandcrab). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.gandcrab](https://vuldb.com/?actor.gandcrab)
 
@@ -9,11 +9,11 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
 These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gandcrab:
 
 * US
+* ES
 * CA
-* CN
 * ...
 
-There are 3 more country items available. Please use our online service to access the data.
+There are 15 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -21,20 +21,26 @@ These indicators of compromise indicate associated network ressources which are
 
 ID | IP address | Hostname | Confidence
 -- | ---------- | -------- | ----------
-1 | 5.39.221.60 | - | High
-2 | 13.76.158.123 | - | High
-3 | 20.50.64.11 | - | High
-4 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
-5 | 35.205.61.67 | 67.61.205.35.bc.googleusercontent.com | Medium
-6 | 39.107.34.197 | - | High
-7 | 45.118.145.96 | - | High
-8 | 52.116.175.70 | hs20.name.tools | High
-9 | 54.36.194.90 | ip90.ip-54-36-194.eu | High
-10 | 66.96.147.103 | 103.147.96.66.static.eigbox.net | High
-11 | 66.171.248.178 | api1.whatismyipaddress.com | High
-12 | ... | ... | ...
+1 | 3.64.163.50 | ec2-3-64-163-50.eu-central-1.compute.amazonaws.com | Medium
+2 | 5.39.221.60 | - | High
+3 | 5.135.183.146 | freya.stelas.de | High
+4 | 13.76.158.123 | - | High
+5 | 20.50.64.11 | - | High
+6 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
+7 | 35.205.61.67 | 67.61.205.35.bc.googleusercontent.com | Medium
+8 | 39.107.34.197 | - | High
+9 | 45.118.145.96 | - | High
+10 | 51.254.25.115 | ip115.ip-51-254-25.eu | High
+11 | 51.255.48.78 | vps-ede152ed.vps.ovh.net | High
+12 | 52.116.175.70 | hs20.name.tools | High
+13 | 54.36.194.90 | ip90.ip-54-36-194.eu | High
+14 | 66.96.147.103 | 103.147.96.66.static.eigbox.net | High
+15 | 66.171.248.178 | api1.whatismyipaddress.com | High
+16 | 69.163.193.127 | ps608110.dreamhostps.com | High
+17 | 87.236.16.107 | ssl.spectre.beget.com | High
+18 | ... | ... | ...
 
-There are 22 more IOC items available. Please use our online service to access the data.
+There are 33 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -42,9 +48,14 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
 
 ID | Technique | Description | Confidence
 -- | --------- | ----------- | ----------
-1 | T1068 | Execution with Unnecessary Privileges | High
-2 | T1587.003 | Improper Certificate Validation | High
-3 | T1600 | Cryptographic Issues | High
+1 | T1008 | Algorithm Downgrade | High
+2 | T1040 | Authentication Bypass by Capture-replay | High
+3 | T1059.007 | Cross Site Scripting | High
+4 | T1068 | Execution with Unnecessary Privileges | High
+5 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
+6 | ... | ... | ...
+
+There are 11 more TTP items available. Please use our online service to access the data.
 
 ## IOA - Indicator of Attack
 
@@ -52,19 +63,19 @@ These indicators of attack list the potential fragments used for technical activ
 
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/cgi-bin/editBookmark` | High
-2 | File | `/getcfg.php` | Medium
-3 | File | `AccessPoint.aspx` | High
-4 | File | `announcement.php` | High
-5 | File | `archive.php` | Medium
-6 | File | `cgi-bin/mainfunction.cgi` | High
-7 | File | `data/gbconfiguration.dat` | High
-8 | File | `fciv.exe` | Medium
-9 | File | `fs/inode.c` | Medium
-10 | File | `my.activation.php3` | High
+1 | File | `%PROGRAMDATA%\checkmk\agent\local` | High
+2 | File | `..\WWWRoot\CustomPages\aspshell.asp` | High
+3 | File | `.htaccess` | Medium
+4 | File | `/+CSCOE+/logon.html` | High
+5 | File | `/admin-ajax.php?action=eps_redirect_save` | High
+6 | File | `/admin.php` | Medium
+7 | File | `/admin/` | Low
+8 | File | `/admin/admin_login.php` | High
+9 | File | `/admin/comment.php` | High
+10 | File | `/AdminDir` | Medium
 11 | ... | ... | ...
 
-There are 17 more IOA items available. Please use our online service to access the data.
+There are 1147 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -72,6 +83,7 @@ The following list contains external sources which discuss the actor and the ass
 
 * https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
 * https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
 * https://community.blueliv.com/#!/s/5afd59bd82df413e376682f2
 * https://precisionsec.com/threat-intelligence-feeds/gandcrab/
 
@@ -79,9 +91,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Gh0stRAT/README.md

@@ -1,6 +1,6 @@
 # Gh0stRAT - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Gh0stRAT](https://vuldb.com/?actor.gh0strat). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gh0stRAT](https://vuldb.com/?actor.gh0strat). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.gh0strat](https://vuldb.com/?actor.gh0strat)
 
@@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
 * FR
 * ...
 
-There are 3 more country items available. Please use our online service to access the data.
+There are 5 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -68,16 +68,16 @@ ID | Type | Indicator | Confidence
 1 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
 2 | File | `/router_info.xml` | High
 3 | File | `add_comment.php` | High
-4 | File | `ajax_crons.php` | High
-5 | File | `ajax_migration_cpanel.php` | High
-6 | File | `banner_add_edit.asp` | High
-7 | File | `cng.sys` | Low
-8 | File | `comment_add.asp` | High
-9 | File | `config-variables.jelly` | High
-10 | File | `config.xml` | Medium
+4 | File | `admin/viewtheatre.php` | High
+5 | File | `ajax_crons.php` | High
+6 | File | `ajax_migration_cpanel.php` | High
+7 | File | `banner_add_edit.asp` | High
+8 | File | `cff/cffparse.c` | High
+9 | File | `cfgexpand.c` | Medium
+10 | File | `cng.sys` | Low
 11 | ... | ... | ...
 
-There are 64 more IOA items available. Please use our online service to access the data.
+There are 75 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -100,9 +100,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Iran Unknown/README.md

@@ -0,0 +1,76 @@
+# Iran Unknown - Cyber Threat Intelligence
+
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Iran Unknown](https://vuldb.com/?actor.iran_unknown). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+
+Live data and more analysis capabilities are available at [https://vuldb.com/?actor.iran_unknown](https://vuldb.com/?actor.iran_unknown)
+
+## Countries
+
+These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Iran Unknown:
+
+* US
+* RU
+* CH
+* ...
+
+There are 1 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Iran Unknown.
+
+ID | IP address | Hostname | Confidence
+-- | ---------- | -------- | ----------
+1 | 91.214.124.143 | - | High
+2 | 154.16.192.70 | - | High
+3 | 162.55.137.20 | static.20.137.55.162.clients.your-server.de | High
+
+## TTP - Tactics, Techniques, Procedures
+
+Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Iran Unknown. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Description | Confidence
+-- | --------- | ----------- | ----------
+1 | T1059.007 | Cross Site Scripting | High
+2 | T1211 | 7PK Security Features | High
+3 | T1499 | Resource Consumption | High
+4 | ... | ... | ...
+
+There are 1 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Iran Unknown. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/administration/theme.php` | High
+2 | File | `/cgi-bin/webproc` | High
+3 | File | `basic/unit-name.c` | High
+4 | File | `fileman.php` | Medium
+5 | File | `login_up.php3` | High
+6 | File | `wp-admin/options-general.php` | High
+7 | Argument | `babInstallPath` | High
+8 | Argument | `edit` | Low
+9 | Argument | `getpage` | Low
+10 | Argument | `Manage Theme` | Medium
+11 | ... | ... | ...
+
+There are 1 more IOA items available. Please use our online service to access the data.
+
+## References
+
+The following list contains external sources which discuss the actor and the associated activities:
+
+* https://us-cert.cisa.gov/ncas/alerts/aa21-321a
+
+## Literature
+
+The following articles explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Kuluoz/README.md

@@ -1,6 +1,6 @@
 # Kuluoz - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Kuluoz](https://vuldb.com/?actor.kuluoz). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Kuluoz](https://vuldb.com/?actor.kuluoz). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.kuluoz](https://vuldb.com/?actor.kuluoz)
 
@@ -56,9 +56,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

LightBasin/README.md

@@ -0,0 +1,75 @@
+# LightBasin - Cyber Threat Intelligence
+
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [LightBasin](https://vuldb.com/?actor.lightbasin). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+
+Live data and more analysis capabilities are available at [https://vuldb.com/?actor.lightbasin](https://vuldb.com/?actor.lightbasin)
+
+## Countries
+
+These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LightBasin:
+
+* CN
+* US
+* IR
+* ...
+
+There are 1 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of LightBasin.
+
+ID | IP address | Hostname | Confidence
+-- | ---------- | -------- | ----------
+1 | 45.32.116.0 | - | High
+2 | 45.33.77.0 | - | High
+3 | 45.76.215.0 | 45.76.215.0.vultr.com | Medium
+4 | ... | ... | ...
+
+There are 6 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by LightBasin. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Description | Confidence
+-- | --------- | ----------- | ----------
+1 | T1059.007 | Cross Site Scripting | High
+2 | T1068 | Execution with Unnecessary Privileges | High
+
+## IOA - Indicator of Attack
+
+These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by LightBasin. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/DbXmlInfo.xml` | High
+2 | File | `/deviceIP` | Medium
+3 | File | `/inc/HTTPClient.php` | High
+4 | File | `BACnOPCServer.exe` | High
+5 | File | `base/ErrorHandler.php` | High
+6 | File | `bvlc.c` | Low
+7 | File | `csv` | Low
+8 | File | `data/gbconfiguration.dat` | High
+9 | File | `get/vcs.go` | Medium
+10 | File | `Illuminate/Encryption/Encrypter.php` | High
+11 | ... | ... | ...
+
+There are 8 more IOA items available. Please use our online service to access the data.
+
+## References
+
+The following list contains external sources which discuss the actor and the associated activities:
+
+* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/
+
+## Literature
+
+The following articles explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Lokibot/README.md

@@ -1,53 +1,53 @@
-# Lokibot - Cyber Threat Intelligence
+# LokiBot - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Lokibot](https://vuldb.com/?actor.lokibot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [LokiBot](https://vuldb.com/?actor.lokibot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.lokibot](https://vuldb.com/?actor.lokibot)
 
 ## Countries
 
-These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lokibot:
+These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LokiBot:
 
 * ES
 * US
 * CN
 * ...
 
-There are 10 more country items available. Please use our online service to access the data.
+There are 12 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Lokibot.
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of LokiBot.
 
 ID | IP address | Hostname | Confidence
 -- | ---------- | -------- | ----------
-1 | 23.21.173.155 | ec2-23-21-173-155.compute-1.amazonaws.com | Medium
-2 | 23.21.211.162 | ec2-23-21-211-162.compute-1.amazonaws.com | Medium
-3 | 23.95.132.48 | 23-95-132-48-host.colocrossing.com | High
-4 | 35.247.234.230 | 230.234.247.35.bc.googleusercontent.com | Medium
-5 | 37.235.1.174 | resolver1.freedns.zone.powered.by.virtexxa.com | High
-6 | 37.235.1.177 | resolver2.freedns.zone.powered.by.virtexxa.com | High
-7 | 45.33.83.75 | li1029-75.members.linode.com | High
-8 | 45.147.229.85 | - | High
-9 | 50.16.216.118 | ec2-50-16-216-118.compute-1.amazonaws.com | Medium
-10 | 50.19.92.227 | ec2-50-19-92-227.compute-1.amazonaws.com | Medium
-11 | 54.225.78.40 | ec2-54-225-78-40.compute-1.amazonaws.com | Medium
-12 | 54.225.165.85 | ec2-54-225-165-85.compute-1.amazonaws.com | Medium
-13 | 54.225.245.108 | ec2-54-225-245-108.compute-1.amazonaws.com | Medium
-14 | 54.235.88.121 | ec2-54-235-88-121.compute-1.amazonaws.com | Medium
-15 | 63.251.106.25 | - | High
-16 | 65.254.254.55 | mail.yourhostingaccount.com | High
-17 | 70.32.1.32 | ip-70.32.1.32.hosted.by.gigenet.com | High
-18 | 78.128.92.142 | venom8.steeldns.com | High
-19 | 79.134.225.70 | - | High
-20 | 91.195.240.46 | - | High
+1 | 15.197.142.173 | a4ec4c6ea1c92e2e6.awsglobalaccelerator.com | High
+2 | 23.21.173.155 | ec2-23-21-173-155.compute-1.amazonaws.com | Medium
+3 | 23.21.211.162 | ec2-23-21-211-162.compute-1.amazonaws.com | Medium
+4 | 23.95.132.48 | 23-95-132-48-host.colocrossing.com | High
+5 | 31.220.52.219 | workshop.piguno.com | High
+6 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
+7 | 35.247.234.230 | 230.234.247.35.bc.googleusercontent.com | Medium
+8 | 37.235.1.174 | resolver1.freedns.zone.powered.by.virtexxa.com | High
+9 | 37.235.1.177 | resolver2.freedns.zone.powered.by.virtexxa.com | High
+10 | 45.33.83.75 | li1029-75.members.linode.com | High
+11 | 45.147.229.85 | - | High
+12 | 50.16.216.118 | ec2-50-16-216-118.compute-1.amazonaws.com | Medium
+13 | 50.19.92.227 | ec2-50-19-92-227.compute-1.amazonaws.com | Medium
+14 | 52.60.87.163 | ec2-52-60-87-163.ca-central-1.compute.amazonaws.com | Medium
+15 | 54.225.78.40 | ec2-54-225-78-40.compute-1.amazonaws.com | Medium
+16 | 54.225.165.85 | ec2-54-225-165-85.compute-1.amazonaws.com | Medium
+17 | 54.225.245.108 | ec2-54-225-245-108.compute-1.amazonaws.com | Medium
+18 | 54.235.88.121 | ec2-54-235-88-121.compute-1.amazonaws.com | Medium
+19 | 63.141.228.141 | mxrotation8.rotationmarketingssl.com.br | High
+20 | 63.250.40.204 | house-including.quarantine-pnap-vlan51.web-hosting.com | High
 21 | ... | ... | ...
 
-There are 40 more IOC items available. Please use our online service to access the data.
+There are 65 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
-Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Lokibot. This data is unique as it uses our predictive model for actor profiling.
+Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by LokiBot. This data is unique as it uses our predictive model for actor profiling.
 
 ID | Technique | Description | Confidence
 -- | --------- | ----------- | ----------
@@ -61,7 +61,7 @@ There are 8 more TTP items available. Please use our online service to access th
 
 ## IOA - Indicator of Attack
 
-These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Lokibot. This data is unique as it uses our predictive model for actor profiling.
+These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by LokiBot. This data is unique as it uses our predictive model for actor profiling.
 
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
@@ -77,7 +77,7 @@ ID | Type | Indicator | Confidence
 10 | File | `/admin/loginc.php` | High
 11 | ... | ... | ...
 
-There are 1121 more IOA items available. Please use our online service to access the data.
+There are 1133 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -90,15 +90,17 @@ The following list contains external sources which discuss the actor and the ass
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
 * https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1029-1105.html
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
 * https://vxug.fakedoma.in/archive/APTs/2021/2021.01.06(1)/LokiBot%20Infection%20Chain.pdf
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

MalKamak/README.md

@@ -1,6 +1,6 @@
 # MalKamak - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [MalKamak](https://vuldb.com/?actor.malkamak). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [MalKamak](https://vuldb.com/?actor.malkamak). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.malkamak](https://vuldb.com/?actor.malkamak)
 
@@ -64,9 +64,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Moses Staff/README.md

@@ -0,0 +1,31 @@
+# Moses Staff - Cyber Threat Intelligence
+
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Moses Staff](https://vuldb.com/?actor.moses_staff). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+
+Live data and more analysis capabilities are available at [https://vuldb.com/?actor.moses_staff](https://vuldb.com/?actor.moses_staff)
+
+## IOC - Indicator of Compromise
+
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Moses Staff.
+
+ID | IP address | Hostname | Confidence
+-- | ---------- | -------- | ----------
+1 | 95.169.196.52 | - | High
+2 | 185.206.180.138 | 25.http-proxy2.cloudns.net | High
+
+## References
+
+The following list contains external sources which discuss the actor and the associated activities:
+
+* https://ddanchev.blogspot.com/2021/10/exposing-moses-staff-data-leaks-gang.html
+
+## Literature
+
+The following articles explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

NSA/README.md

@@ -1,6 +1,6 @@
 # NSA - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [NSA](https://vuldb.com/?actor.nsa). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [NSA](https://vuldb.com/?actor.nsa). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.nsa](https://vuldb.com/?actor.nsa)
 
@@ -19,7 +19,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
 * IR
 * ...
 
-There are 10 more country items available. Please use our online service to access the data.
+There are 11 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -73,7 +73,7 @@ ID | Type | Indicator | Confidence
 10 | File | `administrator/components/com_media/helpers/media.php` | High
 11 | ... | ... | ...
 
-There are 117 more IOA items available. Please use our online service to access the data.
+There are 118 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -85,9 +85,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Nanocore/README.md

@@ -1,6 +1,6 @@
 # Nanocore - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Nanocore](https://vuldb.com/?actor.nanocore). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Nanocore](https://vuldb.com/?actor.nanocore). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.nanocore](https://vuldb.com/?actor.nanocore)
 
@@ -19,7 +19,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
 * GB
 * ...
 
-There are 5 more country items available. Please use our online service to access the data.
+There are 6 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -27,12 +27,15 @@ These indicators of compromise indicate associated network ressources which are
 
 ID | IP address | Hostname | Confidence
 -- | ---------- | -------- | ----------
-1 | 23.235.221.158 | vps53141.inmotionhosting.com | High
-2 | 79.134.225.101 | - | High
-3 | 87.120.37.96 | server8.leanitpm.com | High
-4 | ... | ... | ...
+1 | 8.8.8.8 | dns.google | High
+2 | 20.42.65.92 | - | High
+3 | 23.235.221.158 | vps53141.inmotionhosting.com | High
+4 | 79.134.225.101 | - | High
+5 | 87.120.37.96 | - | High
+6 | 104.208.16.94 | - | High
+7 | ... | ... | ...
 
-There are 6 more IOC items available. Please use our online service to access the data.
+There are 11 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -72,15 +75,16 @@ There are 37 more IOA items available. Please use our online service to access t
 The following list contains external sources which discuss the actor and the associated activities:
 
 * https://blog.talosintelligence.com/2021/07/threat-roundup-0716-0723.html
+* https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
 * https://unit42.paloaltonetworks.com/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

NetWire/README.md

@@ -1,6 +1,6 @@
 # NetWire - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [NetWire](https://vuldb.com/?actor.netwire). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [NetWire](https://vuldb.com/?actor.netwire). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.netwire](https://vuldb.com/?actor.netwire)
 
@@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
 * CN
 * ...
 
-There are 9 more country items available. Please use our online service to access the data.
+There are 12 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -22,18 +22,19 @@ These indicators of compromise indicate associated network ressources which are
 ID | IP address | Hostname | Confidence
 -- | ---------- | -------- | ----------
 1 | 23.254.202.192 | hwsrv-738718.hostwindsdns.com | High
-2 | 37.139.64.106 | - | High
-3 | 89.249.74.213 | - | High
-4 | 94.103.80.254 | v702647.hosted-by-vdsina.ru | High
-5 | 103.150.8.54 | - | High
-6 | 104.21.70.22 | - | High
-7 | 142.44.252.19 | ip19.ip-142-44-252.net | High
-8 | 155.94.198.169 | 155.94.198.169.static.quadranet.com | High
-9 | 162.159.129.233 | - | High
-10 | 162.159.130.233 | - | High
-11 | ... | ... | ...
+2 | 37.0.11.206 | - | High
+3 | 37.139.64.106 | - | High
+4 | 45.144.225.219 | - | High
+5 | 89.249.74.213 | - | High
+6 | 94.103.80.254 | v702647.hosted-by-vdsina.ru | High
+7 | 103.150.8.54 | - | High
+8 | 104.21.70.22 | - | High
+9 | 142.44.252.19 | ip19.ip-142-44-252.net | High
+10 | 155.94.198.169 | 155.94.198.169.static.quadranet.com | High
+11 | 162.159.129.233 | - | High
+12 | ... | ... | ...
 
-There are 18 more IOC items available. Please use our online service to access the data.
+There are 20 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -46,7 +47,7 @@ ID | Technique | Description | Confidence
 3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ...
 
-There are 5 more TTP items available. Please use our online service to access the data.
+There are 6 more TTP items available. Please use our online service to access the data.
 
 ## IOA - Indicator of Attack
 
@@ -56,17 +57,17 @@ ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
 1 | File | `..\WWWRoot\CustomPages\aspshell.asp` | High
 2 | File | `.htaccess` | Medium
-3 | File | `/cgi/loginDefaultUser` | High
-4 | File | `/cms/print.php` | High
-5 | File | `/netflow/jspui/linkdownalertConfig.jsp` | High
-6 | File | `/products/details.asp` | High
-7 | File | `/uncpath/` | Medium
-8 | File | `123flashchat.php` | High
-9 | File | `ActionsAndOperations` | High
-10 | File | `adclick.php` | Medium
+3 | File | `/admin/web_config.php` | High
+4 | File | `/cgi/loginDefaultUser` | High
+5 | File | `/cms/print.php` | High
+6 | File | `/DataHandler/AM/AM_Handler.ashx` | High
+7 | File | `/export` | Low
+8 | File | `/netflow/jspui/linkdownalertConfig.jsp` | High
+9 | File | `/product.php` | Medium
+10 | File | `/products/details.asp` | High
 11 | ... | ... | ...
 
-There are 151 more IOA items available. Please use our online service to access the data.
+There are 183 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -79,14 +80,15 @@ The following list contains external sources which discuss the actor and the ass
 * https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1022-1029.html
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Noon/README.md

@@ -0,0 +1,72 @@
+# Noon - Cyber Threat Intelligence
+
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Noon](https://vuldb.com/?actor.noon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+
+Live data and more analysis capabilities are available at [https://vuldb.com/?actor.noon](https://vuldb.com/?actor.noon)
+
+## Countries
+
+These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Noon:
+
+* IT
+* JP
+* SV
+* ...
+
+There are 1 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Noon.
+
+ID | IP address | Hostname | Confidence
+-- | ---------- | -------- | ----------
+1 | 5.45.84.69 | - | High
+2 | 192.0.78.25 | - | High
+3 | 198.54.117.210 | parkingpage.namecheap.com | High
+
+## TTP - Tactics, Techniques, Procedures
+
+Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Noon. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Description | Confidence
+-- | --------- | ----------- | ----------
+1 | T1059.007 | Cross Site Scripting | High
+2 | T1068 | Execution with Unnecessary Privileges | High
+
+## IOA - Indicator of Attack
+
+These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Noon. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `add_comment.php` | High
+2 | File | `add_quiz.php` | Medium
+3 | File | `admin.jcomments.php` | High
+4 | File | `admin.php` | Medium
+5 | File | `ajax/render/widget_tabbedcontainer_tab_panel` | High
+6 | File | `bbs/move_update.php` | High
+7 | File | `calendar/submit/` | High
+8 | File | `guestbook.php` | High
+9 | File | `index.php` | Medium
+10 | File | `show_archives.php` | High
+11 | ... | ... | ...
+
+There are 15 more IOA items available. Please use our online service to access the data.
+
+## References
+
+The following list contains external sources which discuss the actor and the associated activities:
+
+* https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
+
+## Literature
+
+The following articles explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

OMIGOD/README.md

@@ -1,6 +1,6 @@
 # OMIGOD - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [OMIGOD](https://vuldb.com/?actor.omigod). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [OMIGOD](https://vuldb.com/?actor.omigod). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.omigod](https://vuldb.com/?actor.omigod)
 
@@ -22,9 +22,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Passwordstealera/README.md

@@ -0,0 +1,83 @@
+# Passwordstealera - Cyber Threat Intelligence
+
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Passwordstealera](https://vuldb.com/?actor.passwordstealera). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+
+Live data and more analysis capabilities are available at [https://vuldb.com/?actor.passwordstealera](https://vuldb.com/?actor.passwordstealera)
+
+## Countries
+
+These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Passwordstealera:
+
+* US
+* DE
+* ES
+* ...
+
+There are 1 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Passwordstealera.
+
+ID | IP address | Hostname | Confidence
+-- | ---------- | -------- | ----------
+1 | 80.253.246.41 | tesla.isimkaydet.com | High
+2 | 89.252.182.52 | 52skem7x.guzel.net.tr | High
+3 | 104.21.19.200 | - | High
+4 | 107.180.56.180 | ip-107-180-56-180.ip.secureserver.net | High
+5 | 131.186.113.70 | checkip.dyndns.com | High
+6 | 132.226.8.169 | - | High
+7 | 132.226.247.73 | - | High
+8 | ... | ... | ...
+
+There are 13 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Passwordstealera. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Description | Confidence
+-- | --------- | ----------- | ----------
+1 | T1059.007 | Cross Site Scripting | High
+2 | T1068 | Execution with Unnecessary Privileges | High
+3 | T1211 | 7PK Security Features | High
+4 | ... | ... | ...
+
+There are 4 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Passwordstealera. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/cgi-bin/kerbynet` | High
+2 | File | `/cgi-bin/supervisor/CloudSetup.cgi` | High
+3 | File | `/domain/add` | Medium
+4 | File | `/etc/sudoers` | Medium
+5 | File | `/index.php/weblinks-categories` | High
+6 | File | `/plain` | Low
+7 | File | `/show_group_members.php` | High
+8 | File | `/web/google_analytics.php` | High
+9 | File | `archive_endian.h` | High
+10 | File | `bmp.c` | Low
+11 | ... | ... | ...
+
+There are 122 more IOA items available. Please use our online service to access the data.
+
+## References
+
+The following list contains external sources which discuss the actor and the associated activities:
+
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1008-1015.html
+
+## Literature
+
+The following articles explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Ponystealer/README.md

@@ -0,0 +1,31 @@
+# Ponystealer - Cyber Threat Intelligence
+
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Ponystealer](https://vuldb.com/?actor.ponystealer). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+
+Live data and more analysis capabilities are available at [https://vuldb.com/?actor.ponystealer](https://vuldb.com/?actor.ponystealer)
+
+## IOC - Indicator of Compromise
+
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Ponystealer.
+
+ID | IP address | Hostname | Confidence
+-- | ---------- | -------- | ----------
+1 | 20.42.73.29 | - | High
+2 | 52.182.143.212 | - | High
+
+## References
+
+The following list contains external sources which discuss the actor and the associated activities:
+
+* https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
+
+## Literature
+
+The following articles explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Raccoon/README.md

@@ -1,6 +1,6 @@
 # Raccoon - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Raccoon](https://vuldb.com/?actor.raccoon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Raccoon](https://vuldb.com/?actor.raccoon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.raccoon](https://vuldb.com/?actor.raccoon)
 
@@ -9,6 +9,8 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
 These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Raccoon:
 
 * US
+* RU
+* DE
 
 ## IOC - Indicator of Compromise
 
@@ -16,14 +18,21 @@ These indicators of compromise indicate associated network ressources which are
 
 ID | IP address | Hostname | Confidence
 -- | ---------- | -------- | ----------
-1 | 8.248.161.254 | - | High
-2 | 8.249.225.254 | - | High
-3 | 8.249.245.254 | - | High
-4 | 8.253.132.120 | - | High
-5 | 8.253.156.120 | - | High
-6 | ... | ... | ...
+1 | 3.232.242.170 | ec2-3-232-242-170.compute-1.amazonaws.com | Medium
+2 | 8.248.161.254 | - | High
+3 | 8.249.225.254 | - | High
+4 | 8.249.241.254 | - | High
+5 | 8.249.245.254 | - | High
+6 | 8.253.132.120 | - | High
+7 | 8.253.156.120 | - | High
+8 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | High
+9 | 23.3.13.154 | a23-3-13-154.deploy.static.akamaitechnologies.com | High
+10 | 23.46.238.194 | a23-46-238-194.deploy.static.akamaitechnologies.com | High
+11 | 34.76.8.115 | 115.8.76.34.bc.googleusercontent.com | Medium
+12 | 34.88.52.57 | 57.52.88.34.bc.googleusercontent.com | Medium
+13 | ... | ... | ...
 
-There are 9 more IOC items available. Please use our online service to access the data.
+There are 22 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -56,21 +65,22 @@ ID | Type | Indicator | Confidence
 10 | File | `/plain` | Low
 11 | ... | ... | ...
 
-There are 189 more IOA items available. Please use our online service to access the data.
+There are 192 more IOA items available. Please use our online service to access the data.
 
 ## References
 
 The following list contains external sources which discuss the actor and the associated activities:
 
 * https://blog.talosintelligence.com/2021/07/threat-roundup-0716-0723.html
+* https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Ramnit/README.md

@@ -1,6 +1,6 @@
 # Ramnit - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Ramnit](https://vuldb.com/?actor.ramnit). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Ramnit](https://vuldb.com/?actor.ramnit). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.ramnit](https://vuldb.com/?actor.ramnit)
 
@@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
 * US
 * ...
 
-There are 13 more country items available. Please use our online service to access the data.
+There are 16 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -21,29 +21,29 @@ These indicators of compromise indicate associated network ressources which are
 
 ID | IP address | Hostname | Confidence
 -- | ---------- | -------- | ----------
-1 | 5.101.159.26 | - | High
-2 | 5.180.102.147 | 377961.msk-kvm.ru | High
-3 | 13.90.196.81 | - | High
-4 | 13.107.21.200 | - | High
-5 | 18.213.250.117 | ec2-18-213-250-117.compute-1.amazonaws.com | Medium
-6 | 18.215.128.143 | ec2-18-215-128-143.compute-1.amazonaws.com | Medium
-7 | 23.5.233.23 | a23-5-233-23.deploy.static.akamaitechnologies.com | High
-8 | 23.46.56.194 | a23-46-56-194.deploy.static.akamaitechnologies.com | High
-9 | 23.46.57.84 | a23-46-57-84.deploy.static.akamaitechnologies.com | High
-10 | 23.46.57.232 | a23-46-57-232.deploy.static.akamaitechnologies.com | High
-11 | 23.46.57.251 | a23-46-57-251.deploy.static.akamaitechnologies.com | High
-12 | 23.64.109.30 | a23-64-109-30.deploy.static.akamaitechnologies.com | High
-13 | 23.196.65.196 | a23-196-65-196.deploy.static.akamaitechnologies.com | High
-14 | 23.218.130.41 | a23-218-130-41.deploy.static.akamaitechnologies.com | High
-15 | 34.98.99.30 | 30.99.98.34.bc.googleusercontent.com | Medium
-16 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
-17 | 34.197.76.50 | ec2-34-197-76-50.compute-1.amazonaws.com | Medium
-18 | 34.225.182.233 | ec2-34-225-182-233.compute-1.amazonaws.com | Medium
-19 | 35.188.161.42 | 42.161.188.35.bc.googleusercontent.com | Medium
-20 | 35.224.11.86 | 86.11.224.35.bc.googleusercontent.com | Medium
+1 | 3.64.163.50 | ec2-3-64-163-50.eu-central-1.compute.amazonaws.com | Medium
+2 | 5.45.82.108 | - | High
+3 | 5.45.118.216 | - | High
+4 | 5.45.120.46 | s052d782e.fastvps-server.com | High
+5 | 5.45.124.183 | sfc6c0e42.fastvps-server.com | High
+6 | 5.45.147.152 | - | High
+7 | 5.101.159.26 | - | High
+8 | 5.180.102.147 | 377961.msk-kvm.ru | High
+9 | 13.90.196.81 | - | High
+10 | 13.107.21.200 | - | High
+11 | 18.213.250.117 | ec2-18-213-250-117.compute-1.amazonaws.com | Medium
+12 | 18.215.128.143 | ec2-18-215-128-143.compute-1.amazonaws.com | Medium
+13 | 23.5.233.23 | a23-5-233-23.deploy.static.akamaitechnologies.com | High
+14 | 23.46.56.194 | a23-46-56-194.deploy.static.akamaitechnologies.com | High
+15 | 23.46.57.84 | a23-46-57-84.deploy.static.akamaitechnologies.com | High
+16 | 23.46.57.232 | a23-46-57-232.deploy.static.akamaitechnologies.com | High
+17 | 23.46.57.251 | a23-46-57-251.deploy.static.akamaitechnologies.com | High
+18 | 23.64.109.30 | a23-64-109-30.deploy.static.akamaitechnologies.com | High
+19 | 23.196.65.196 | a23-196-65-196.deploy.static.akamaitechnologies.com | High
+20 | 23.218.130.41 | a23-218-130-41.deploy.static.akamaitechnologies.com | High
 21 | ... | ... | ...
 
-There are 134 more IOC items available. Please use our online service to access the data.
+There are 158 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -78,7 +78,7 @@ ID | Type | Indicator | Confidence
 10 | File | `/about-us/locations/index` | High
 11 | ... | ... | ...
 
-There are 3550 more IOA items available. Please use our online service to access the data.
+There are 3581 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -89,15 +89,17 @@ The following list contains external sources which discuss the actor and the ass
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
 * https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1022-1029.html
 * https://github.com/firehol/blocklist-ipsets/blob/master/bambenek_ramnit.ipset
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Remcos/README.md

@@ -1,6 +1,6 @@
 # Remcos - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Remcos](https://vuldb.com/?actor.remcos). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Remcos](https://vuldb.com/?actor.remcos). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.remcos](https://vuldb.com/?actor.remcos)
 
@@ -9,11 +9,11 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
 These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Remcos:
 
 * US
-* TK
+* KE
 * SE
 * ...
 
-There are 12 more country items available. Please use our online service to access the data.
+There are 19 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -22,28 +22,28 @@ These indicators of compromise indicate associated network ressources which are
 ID | IP address | Hostname | Confidence
 -- | ---------- | -------- | ----------
 1 | 5.61.37.41 | - | High
-2 | 8.253.139.120 | - | High
-3 | 13.107.42.12 | 1drv.ms | High
-4 | 20.36.253.92 | - | High
-5 | 20.42.73.27 | - | High
-6 | 20.190.151.7 | - | High
-7 | 20.190.151.8 | - | High
-8 | 20.190.151.70 | - | High
-9 | 20.190.151.131 | - | High
-10 | 20.190.151.132 | - | High
-11 | 20.190.151.133 | - | High
-12 | 20.190.152.21 | - | High
-13 | 23.38.131.139 | a23-38-131-139.deploy.static.akamaitechnologies.com | High
-14 | 23.78.173.83 | a23-78-173-83.deploy.static.akamaitechnologies.com | High
-15 | 23.227.38.74 | - | High
-16 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
-17 | 35.214.144.124 | 124.144.214.35.bc.googleusercontent.com | Medium
-18 | 37.1.206.16 | free.ispiria.net | High
-19 | 37.139.64.106 | - | High
-20 | 37.230.130.153 | - | High
+2 | 5.181.234.139 | - | High
+3 | 5.181.234.145 | - | High
+4 | 8.253.139.120 | - | High
+5 | 13.107.42.12 | 1drv.ms | High
+6 | 13.250.255.10 | ec2-13-250-255-10.ap-southeast-1.compute.amazonaws.com | Medium
+7 | 20.36.253.92 | - | High
+8 | 20.42.73.27 | - | High
+9 | 20.190.151.7 | - | High
+10 | 20.190.151.8 | - | High
+11 | 20.190.151.70 | - | High
+12 | 20.190.151.131 | - | High
+13 | 20.190.151.132 | - | High
+14 | 20.190.151.133 | - | High
+15 | 20.190.152.21 | - | High
+16 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | High
+17 | 23.21.27.29 | ec2-23-21-27-29.compute-1.amazonaws.com | Medium
+18 | 23.21.205.229 | ec2-23-21-205-229.compute-1.amazonaws.com | Medium
+19 | 23.38.131.139 | a23-38-131-139.deploy.static.akamaitechnologies.com | High
+20 | 23.78.173.83 | a23-78-173-83.deploy.static.akamaitechnologies.com | High
 21 | ... | ... | ...
 
-There are 64 more IOC items available. Please use our online service to access the data.
+There are 103 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -54,7 +54,8 @@ ID | Technique | Description | Confidence
 1 | T1059.007 | Cross Site Scripting | High
 2 | T1068 | Execution with Unnecessary Privileges | High
 3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
-4 | ... | ... | ...
+4 | T1211 | 7PK Security Features | High
+5 | ... | ... | ...
 
 There are 6 more TTP items available. Please use our online service to access the data.
 
@@ -64,19 +65,19 @@ These indicators of attack list the potential fragments used for technical activ
 
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/admin/submit-articles` | High
-2 | File | `/admin/syslog` | High
-3 | File | `/category_view.php` | High
-4 | File | `/cgi-bin/wapopen` | High
-5 | File | `/etc/passwd` | Medium
-6 | File | `/out.php` | Medium
-7 | File | `/product_list.php` | High
-8 | File | `/rom-0` | Low
-9 | File | `/see_more_details.php` | High
-10 | File | `/tmp` | Low
+1 | File | `.htaccess` | Medium
+2 | File | `/accounts/password_change/` | High
+3 | File | `/admin/submit-articles` | High
+4 | File | `/admin/syslog` | High
+5 | File | `/category_view.php` | High
+6 | File | `/cgi-bin/hi3510/param.cgi` | High
+7 | File | `/cgi-bin/wapopen` | High
+8 | File | `/config/getuser` | High
+9 | File | `/etc/gsissh/sshd_config` | High
+10 | File | `/etc/passwd` | Medium
 11 | ... | ... | ...
 
-There are 170 more IOA items available. Please use our online service to access the data.
+There are 304 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -91,14 +92,18 @@ The following list contains external sources which discuss the actor and the ass
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
 * https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1008-1015.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1022-1029.html
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Retefe/README.md

@@ -0,0 +1,77 @@
+# Retefe - Cyber Threat Intelligence
+
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Retefe](https://vuldb.com/?actor.retefe). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+
+Live data and more analysis capabilities are available at [https://vuldb.com/?actor.retefe](https://vuldb.com/?actor.retefe)
+
+## Countries
+
+These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Retefe:
+
+* RU
+* US
+* CA
+* ...
+
+There are 3 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Retefe.
+
+ID | IP address | Hostname | Confidence
+-- | ---------- | -------- | ----------
+1 | 5.45.68.98 | - | High
+2 | 5.45.70.63 | - | High
+3 | 5.196.200.228 | a228.porelune.com | High
+4 | 5.196.200.238 | e238.ducorali.com | High
+5 | 50.7.143.68 | desk68.sibtown.com | High
+6 | ... | ... | ...
+
+There are 10 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Retefe. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Description | Confidence
+-- | --------- | ----------- | ----------
+1 | T1059.007 | Cross Site Scripting | High
+2 | T1068 | Execution with Unnecessary Privileges | High
+
+## IOA - Indicator of Attack
+
+These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Retefe. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/admin/config.php?display=disa&view=form` | High
+2 | File | `/uncpath/` | Medium
+3 | File | `adclick.php` | Medium
+4 | File | `admin/modules/master_file/rda_cmc.php?keywords` | High
+5 | File | `clsowa.cls` | Medium
+6 | File | `data/gbconfiguration.dat` | High
+7 | File | `db.php` | Low
+8 | File | `drivers/media/platform/vivid` | High
+9 | File | `emumail.cgi` | Medium
+10 | File | `goto.php` | Medium
+11 | ... | ... | ...
+
+There are 24 more IOA items available. Please use our online service to access the data.
+
+## References
+
+The following list contains external sources which discuss the actor and the associated activities:
+
+* https://www.govcert.ch/blog/the-retefe-saga/
+
+## Literature
+
+The following articles explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Sarwent/README.md

@@ -1,6 +1,6 @@
 # Sarwent - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Sarwent](https://vuldb.com/?actor.sarwent). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Sarwent](https://vuldb.com/?actor.sarwent). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.sarwent](https://vuldb.com/?actor.sarwent)
 
@@ -16,7 +16,7 @@ These indicators of compromise indicate associated network ressources which are
 
 ID | IP address | Hostname | Confidence
 -- | ---------- | -------- | ----------
-1 | 87.249.53.124 | 677515-co39933.tmweb.ru | High
+1 | 87.249.53.124 | 713697-cj66716.tmweb.ru | High
 2 | 185.215.113.67 | - | High
 3 | 194.9.71.129 | free.gmhost.hosting | High
 
@@ -30,9 +30,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Shiz/README.md

@@ -0,0 +1,84 @@
+# Shiz - Cyber Threat Intelligence
+
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Shiz](https://vuldb.com/?actor.shiz). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+
+Live data and more analysis capabilities are available at [https://vuldb.com/?actor.shiz](https://vuldb.com/?actor.shiz)
+
+## Countries
+
+These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Shiz:
+
+* DE
+* US
+* CN
+* ...
+
+There are 4 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Shiz.
+
+ID | IP address | Hostname | Confidence
+-- | ---------- | -------- | ----------
+1 | 13.107.21.200 | - | High
+2 | 13.107.22.200 | - | High
+3 | 23.56.9.181 | a23-56-9-181.deploy.static.akamaitechnologies.com | High
+4 | 23.253.126.58 | - | High
+5 | 35.231.151.7 | 7.151.231.35.bc.googleusercontent.com | Medium
+6 | 45.33.2.79 | li956-79.members.linode.com | High
+7 | 45.33.18.44 | li972-44.members.linode.com | High
+8 | 45.33.20.235 | li974-235.members.linode.com | High
+9 | ... | ... | ...
+
+There are 15 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Shiz. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Description | Confidence
+-- | --------- | ----------- | ----------
+1 | T1059.007 | Cross Site Scripting | High
+2 | T1068 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ...
+
+There are 6 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Shiz. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/.htpasswd` | Medium
+2 | File | `/cgi-bin/nasset.cgi` | High
+3 | File | `/index.php/weblinks-categories` | High
+4 | File | `/MIME/INBOX-MM-1/` | High
+5 | File | `c:\infected.exe` | High
+6 | File | `index.php?m=activity` | High
+7 | File | `mnt_ping.cgi` | Medium
+8 | File | `rfc1035.c` | Medium
+9 | File | `signup_page.php` | High
+10 | File | `users.php` | Medium
+11 | ... | ... | ...
+
+There are 15 more IOA items available. Please use our online service to access the data.
+
+## References
+
+The following list contains external sources which discuss the actor and the associated activities:
+
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1029-1105.html
+
+## Literature
+
+The following articles explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

SideCopy/README.md

@@ -1,6 +1,6 @@
 # SideCopy - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [SideCopy](https://vuldb.com/?actor.sidecopy). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SideCopy](https://vuldb.com/?actor.sidecopy). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.sidecopy](https://vuldb.com/?actor.sidecopy)
 
@@ -24,11 +24,11 @@ ID | IP address | Hostname | Confidence
 1 | 109.236.85.152 | customer.worldstream.nl | High
 2 | 144.91.65.100 | vmi652772.contaboserver.net | High
 3 | 144.91.91.236 | vmi512038.contaboserver.net | High
-4 | 149.248.52.61 | 149.248.52.61.vultr.com | Medium
-5 | 161.97.90.175 | vmi669652.contaboserver.net | High
+4 | 144.126.141.41 | vmi627176.contaboserver.net | High
+5 | 149.248.52.61 | 149.248.52.61.vultr.com | Medium
 6 | ... | ... | ...
 
-There are 8 more IOC items available. Please use our online service to access the data.
+There are 9 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -67,15 +67,16 @@ There are 39 more IOA items available. Please use our online service to access t
 
 The following list contains external sources which discuss the actor and the associated activities:
 
+* https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/
 * https://blog.talosintelligence.com/2021/07/sidecopy.html
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Swisyn/README.md

@@ -1,6 +1,6 @@
 # Swisyn - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Swisyn](https://vuldb.com/?actor.swisyn). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Swisyn](https://vuldb.com/?actor.swisyn). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.swisyn](https://vuldb.com/?actor.swisyn)
 
@@ -22,23 +22,24 @@ These indicators of compromise indicate associated network ressources which are
 ID | IP address | Hostname | Confidence
 -- | ---------- | -------- | ----------
 1 | 5.39.72.2 | ns3065363.ip-5-39-72.eu | High
-2 | 51.91.73.194 | ns3164589.ip-51-91-73.eu | High
-3 | 51.254.45.43 | ip-51-254-45-43.ddhosts.net | High
-4 | 58.221.32.3 | - | High
-5 | 58.221.33.111 | - | High
-6 | 58.221.35.121 | - | High
-7 | 59.42.71.178 | - | High
-8 | 59.188.239.165 | - | High
-9 | 64.32.28.254 | curtir.gicscorple.com | High
-10 | 82.149.227.236 | - | High
-11 | 85.25.185.17 | tor-exit-1.kerneloops.de | High
-12 | 85.208.144.164 | - | High
-13 | 89.163.128.26 | srv31933.dus6.fastwebserver.de | High
-14 | 89.163.128.28 | srv31933.dus6.fastwebserver.de | High
-15 | 95.214.54.163 | - | High
-16 | ... | ... | ...
+2 | 20.42.65.92 | - | High
+3 | 51.91.73.194 | ns3164589.ip-51-91-73.eu | High
+4 | 51.254.45.43 | ip-51-254-45-43.ddhosts.net | High
+5 | 58.221.32.3 | - | High
+6 | 58.221.33.111 | - | High
+7 | 58.221.35.121 | - | High
+8 | 59.42.71.178 | - | High
+9 | 59.188.239.165 | - | High
+10 | 64.32.28.254 | curtir.gicscorple.com | High
+11 | 82.149.227.236 | - | High
+12 | 85.25.185.17 | tor-exit-1.kerneloops.de | High
+13 | 85.208.144.164 | - | High
+14 | 89.163.128.26 | srv31933.dus6.fastwebserver.de | High
+15 | 89.163.128.28 | srv31933.dus6.fastwebserver.de | High
+16 | 95.214.54.163 | - | High
+17 | ... | ... | ...
 
-There are 29 more IOC items available. Please use our online service to access the data.
+There are 31 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -63,12 +64,12 @@ ID | Type | Indicator | Confidence
 5 | File | `/sitecore/client/Applications/List Manager/Taskpages/Contact list` | High
 6 | File | `admin.php` | Medium
 7 | File | `admin/plugin.php` | High
-8 | File | `data/gbconfiguration.dat` | High
-9 | File | `day.php` | Low
-10 | File | `Default.aspx` | Medium
+8 | File | `btu_hcif.cc` | Medium
+9 | File | `data/gbconfiguration.dat` | High
+10 | File | `day.php` | Low
 11 | ... | ... | ...
 
-There are 28 more IOA items available. Please use our online service to access the data.
+There are 31 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -76,14 +77,15 @@ The following list contains external sources which discuss the actor and the ass
 
 * https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
 * https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

TA406/README.md

@@ -0,0 +1,67 @@
+# TA406 - Cyber Threat Intelligence
+
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [TA406](https://vuldb.com/?actor.ta406). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+
+Live data and more analysis capabilities are available at [https://vuldb.com/?actor.ta406](https://vuldb.com/?actor.ta406)
+
+## Countries
+
+These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TA406:
+
+* US
+* GB
+* RU
+* ...
+
+There are 2 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of TA406.
+
+ID | IP address | Hostname | Confidence
+-- | ---------- | -------- | ----------
+1 | 108.62.12.11 | - | High
+2 | 108.177.235.226 | - | High
+3 | 192.109.119.6 | hosted-by.microglollc.net | High
+4 | ... | ... | ...
+
+There are 2 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by TA406. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Description | Confidence
+-- | --------- | ----------- | ----------
+1 | T1068 | Execution with Unnecessary Privileges | High
+
+## IOA - Indicator of Attack
+
+These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by TA406. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/s/` | Low
+2 | File | `inc/config.php` | High
+3 | File | `read.php` | Medium
+4 | Argument | `basePath` | Medium
+5 | Argument | `TID` | Low
+6 | Network Port | `tcp/32764` | Medium
+
+## References
+
+The following list contains external sources which discuss the actor and the associated activities:
+
+* https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals
+
+## Literature
+
+The following articles explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

TA551/README.md

@@ -1,6 +1,6 @@
 # TA551 - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [TA551](https://vuldb.com/?actor.ta551). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [TA551](https://vuldb.com/?actor.ta551). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.ta551](https://vuldb.com/?actor.ta551)
 
@@ -14,12 +14,12 @@ The following campaigns are known and can be associated with TA551:
 
 These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TA551:
 
+* CF
 * US
 * FR
-* CN
 * ...
 
-There are 2 more country items available. Please use our online service to access the data.
+There are 6 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -35,12 +35,13 @@ ID | IP address | Hostname | Confidence
 6 | 43.129.239.78 | - | High
 7 | 43.133.160.144 | - | High
 8 | 45.95.11.151 | vm220095.pq.hosting | High
-9 | 45.95.11.153 | vm222417.pq.hosting | High
-10 | 45.95.11.154 | pqhost.slovak.com | High
-11 | 45.95.11.155 | vm224541.pq.hosting | High
-12 | ... | ... | ...
+9 | 45.95.11.153 | vm284420.pq.hosting | High
+10 | 45.95.11.154 | l-universe.com | High
+11 | 45.95.11.155 | kuhtin.com | High
+12 | 45.95.11.157 | mail.hottiesforums.com | High
+13 | ... | ... | ...
 
-There are 21 more IOC items available. Please use our online service to access the data.
+There are 24 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -48,9 +49,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
 
 ID | Technique | Description | Confidence
 -- | --------- | ----------- | ----------
-1 | T1059.007 | Cross Site Scripting | High
-2 | T1068 | Execution with Unnecessary Privileges | High
-3 | T1499 | Resource Consumption | High
+1 | T1040 | Authentication Bypass by Capture-replay | High
+2 | T1059.007 | Cross Site Scripting | High
+3 | T1068 | Execution with Unnecessary Privileges | High
+4 | ... | ... | ...
+
+There are 6 more TTP items available. Please use our online service to access the data.
 
 ## IOA - Indicator of Attack
 
@@ -58,24 +62,25 @@ These indicators of attack list the potential fragments used for technical activ
 
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/find_v2/_click` | High
-2 | File | `/forum/away.php` | High
-3 | File | `adclick.php` | Medium
-4 | File | `coders/bmp.c` | Medium
-5 | File | `data/gbconfiguration.dat` | High
-6 | File | `edit-post.php` | High
-7 | File | `Editor.java` | Medium
-8 | File | `imgbmp.cxx` | Medium
-9 | File | `inc/config.php` | High
-10 | File | `register/check/username?username` | High
+1 | File | `/etc/postfix/sender_login` | High
+2 | File | `/find_v2/_click` | High
+3 | File | `/forum/away.php` | High
+4 | File | `/goform/openSchedWifi` | High
+5 | File | `/includes/lib/tree.php` | High
+6 | File | `/objects/getImage.php` | High
+7 | File | `/uncpath/` | Medium
+8 | File | `adclick.php` | Medium
+9 | File | `admin/getparam.cgi` | High
+10 | File | `admin/infoclass_update.php` | High
 11 | ... | ... | ...
 
-There are 8 more IOA items available. Please use our online service to access the data.
+There are 71 more IOA items available. Please use our online service to access the data.
 
 ## References
 
 The following list contains external sources which discuss the actor and the associated activities:
 
+* https://isc.sans.edu/diary/28092
 * https://isc.sans.edu/diary/rss/27738
 * https://www.malware-traffic-analysis.net/2021/09/14/index.html
 
@@ -83,9 +88,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

TeslaCrypt/README.md

@@ -1,6 +1,6 @@
 # TeslaCrypt - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [TeslaCrypt](https://vuldb.com/?actor.teslacrypt). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [TeslaCrypt](https://vuldb.com/?actor.teslacrypt). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.teslacrypt](https://vuldb.com/?actor.teslacrypt)
 
@@ -27,14 +27,17 @@ ID | IP address | Hostname | Confidence
 4 | 23.63.245.19 | a23-63-245-19.deploy.static.akamaitechnologies.com | High
 5 | 23.63.245.50 | a23-63-245-50.deploy.static.akamaitechnologies.com | High
 6 | 23.196.73.160 | a23-196-73-160.deploy.static.akamaitechnologies.com | High
-7 | 35.205.61.67 | 67.61.205.35.bc.googleusercontent.com | Medium
-8 | 35.209.43.160 | 160.43.209.35.bc.googleusercontent.com | Medium
-9 | 52.216.22.34 | s3-website-us-east-1.amazonaws.com | Medium
-10 | 52.216.128.178 | s3-website-us-east-1.amazonaws.com | Medium
-11 | 52.216.142.11 | s3-website-us-east-1.amazonaws.com | Medium
-12 | ... | ... | ...
+7 | 23.199.63.11 | a23-199-63-11.deploy.static.akamaitechnologies.com | High
+8 | 23.199.63.83 | a23-199-63-83.deploy.static.akamaitechnologies.com | High
+9 | 35.205.61.67 | 67.61.205.35.bc.googleusercontent.com | Medium
+10 | 35.209.43.160 | 160.43.209.35.bc.googleusercontent.com | Medium
+11 | 52.216.22.34 | s3-website-us-east-1.amazonaws.com | Medium
+12 | 52.216.128.178 | s3-website-us-east-1.amazonaws.com | Medium
+13 | 52.216.142.11 | s3-website-us-east-1.amazonaws.com | Medium
+14 | 52.216.166.34 | s3-website-us-east-1.amazonaws.com | Medium
+15 | ... | ... | ...
 
-There are 22 more IOC items available. Please use our online service to access the data.
+There are 27 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -75,14 +78,15 @@ The following list contains external sources which discuss the actor and the ass
 
 * https://blog.talosintelligence.com/2021/03/threat-roundup-0226-0305.html
 * https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1008-1015.html
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Tofsee/README.md

@@ -1,6 +1,6 @@
 # Tofsee - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Tofsee](https://vuldb.com/?actor.tofsee). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Tofsee](https://vuldb.com/?actor.tofsee). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.tofsee](https://vuldb.com/?actor.tofsee)
 
@@ -8,12 +8,12 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
 
 These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Tofsee:
 
-* JP
 * US
+* JP
 * RU
 * ...
 
-There are 14 more country items available. Please use our online service to access the data.
+There are 20 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -26,24 +26,24 @@ ID | IP address | Hostname | Confidence
 3 | 5.61.37.41 | - | High
 4 | 12.167.151.116 | - | High
 5 | 13.107.21.200 | - | High
-6 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | High
-7 | 23.3.112.125 | a23-3-112-125.deploy.static.akamaitechnologies.com | High
-8 | 23.5.227.69 | a23-5-227-69.deploy.static.akamaitechnologies.com | High
-9 | 23.5.238.94 | a23-5-238-94.deploy.static.akamaitechnologies.com | High
-10 | 23.10.92.253 | a23-10-92-253.deploy.static.akamaitechnologies.com | High
-11 | 23.10.134.216 | a23-10-134-216.deploy.static.akamaitechnologies.com | High
-12 | 23.64.99.87 | a23-64-99-87.deploy.static.akamaitechnologies.com | High
-13 | 23.64.110.75 | a23-64-110-75.deploy.static.akamaitechnologies.com | High
-14 | 23.78.210.51 | a23-78-210-51.deploy.static.akamaitechnologies.com | High
-15 | 23.90.4.6 | dementia.virtual-dope.com | High
-16 | 23.216.244.163 | a23-216-244-163.deploy.static.akamaitechnologies.com | High
-17 | 31.13.65.52 | instagram-p3-shv-01-atl3.fbcdn.net | High
-18 | 31.13.65.174 | instagram-p42-shv-01-atl3.fbcdn.net | High
-19 | 37.1.217.172 | - | High
-20 | 40.76.4.15 | - | High
+6 | 18.237.235.220 | ec2-18-237-235-220.us-west-2.compute.amazonaws.com | Medium
+7 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | High
+8 | 23.3.112.125 | a23-3-112-125.deploy.static.akamaitechnologies.com | High
+9 | 23.5.227.69 | a23-5-227-69.deploy.static.akamaitechnologies.com | High
+10 | 23.5.238.94 | a23-5-238-94.deploy.static.akamaitechnologies.com | High
+11 | 23.10.92.253 | a23-10-92-253.deploy.static.akamaitechnologies.com | High
+12 | 23.10.134.216 | a23-10-134-216.deploy.static.akamaitechnologies.com | High
+13 | 23.64.99.87 | a23-64-99-87.deploy.static.akamaitechnologies.com | High
+14 | 23.64.110.75 | a23-64-110-75.deploy.static.akamaitechnologies.com | High
+15 | 23.78.210.51 | a23-78-210-51.deploy.static.akamaitechnologies.com | High
+16 | 23.90.4.6 | dementia.virtual-dope.com | High
+17 | 23.216.244.163 | a23-216-244-163.deploy.static.akamaitechnologies.com | High
+18 | 31.13.65.52 | instagram-p3-shv-01-atl3.fbcdn.net | High
+19 | 31.13.65.174 | instagram-p42-shv-01-atl3.fbcdn.net | High
+20 | 34.223.6.127 | ec2-34-223-6-127.us-west-2.compute.amazonaws.com | Medium
 21 | ... | ... | ...
 
-There are 187 more IOC items available. Please use our online service to access the data.
+There are 214 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -53,11 +53,12 @@ ID | Technique | Description | Confidence
 -- | --------- | ----------- | ----------
 1 | T1059.007 | Cross Site Scripting | High
 2 | T1068 | Execution with Unnecessary Privileges | High
-3 | T1211 | 7PK Security Features | High
-4 | T1222 | Permission Issues | High
-5 | ... | ... | ...
+3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
+4 | T1211 | 7PK Security Features | High
+5 | T1222 | Permission Issues | High
+6 | ... | ... | ...
 
-There are 6 more TTP items available. Please use our online service to access the data.
+There are 8 more TTP items available. Please use our online service to access the data.
 
 ## IOA - Indicator of Attack
 
@@ -65,19 +66,19 @@ These indicators of attack list the potential fragments used for technical activ
 
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/+CSCOE+/logon.html` | High
-2 | File | `/admin/blocks/blocks/edit/8` | High
-3 | File | `/admin/login/login_check.php` | High
-4 | File | `/admin/menus/menus/edit/3` | High
-5 | File | `/admin/nodes/nodes/add/blog` | High
-6 | File | `/admin/taxonomy/vocabularies` | High
-7 | File | `/bin/goahead` | Medium
-8 | File | `/cgi/networkDiag.cgi` | High
-9 | File | `/exponent_constants.php` | High
-10 | File | `/forum/away.php` | High
+1 | File | `.nautilus-metafile.xml` | High
+2 | File | `/+CSCOE+/logon.html` | High
+3 | File | `/admin/blocks/blocks/edit/8` | High
+4 | File | `/admin/conferences/get-all-status/` | High
+5 | File | `/admin/login/login_check.php` | High
+6 | File | `/admin/menus/menus/edit/3` | High
+7 | File | `/admin/nodes/nodes/add/blog` | High
+8 | File | `/admin/taxonomy/vocabularies` | High
+9 | File | `/bin/goahead` | Medium
+10 | File | `/cgi/networkDiag.cgi` | High
 11 | ... | ... | ...
 
-There are 189 more IOA items available. Please use our online service to access the data.
+There are 270 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -108,14 +109,20 @@ The following list contains external sources which discuss the actor and the ass
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
 * https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1008-1015.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1022-1029.html
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1029-1105.html
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Tomiris/README.md

@@ -1,6 +1,6 @@
 # Tomiris - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Tomiris](https://vuldb.com/?actor.tomiris). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Tomiris](https://vuldb.com/?actor.tomiris). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.tomiris](https://vuldb.com/?actor.tomiris)
 
@@ -45,8 +45,11 @@ ID | Type | Indicator | Confidence
 6 | File | `owa/redir.aspx` | High
 7 | File | `phpinfo.php` | Medium
 8 | File | `string.c` | Medium
-9 | Argument | `include_dir` | Medium
-10 | Argument | `URL` | Low
+9 | File | `ui/artifact/upload` | High
+10 | Argument | `include_dir` | Medium
+11 | ... | ... | ...
+
+There are 1 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -58,9 +61,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Tortilla/README.md

@@ -0,0 +1,44 @@
+# Tortilla - Cyber Threat Intelligence
+
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Tortilla](https://vuldb.com/?actor.tortilla). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+
+Live data and more analysis capabilities are available at [https://vuldb.com/?actor.tortilla](https://vuldb.com/?actor.tortilla)
+
+## Campaigns
+
+The following campaigns are known and can be associated with Tortilla:
+
+* Microsoft Exchange
+
+## Countries
+
+These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Tortilla:
+
+* IT
+
+## IOC - Indicator of Compromise
+
+These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Tortilla.
+
+ID | IP address | Hostname | Confidence
+-- | ---------- | -------- | ----------
+1 | 54.221.65.242 | ec2-54-221-65-242.compute-1.amazonaws.com | Medium
+2 | 168.119.93.163 | dupa.tk | High
+3 | 185.219.52.229 | - | High
+
+## References
+
+The following list contains external sources which discuss the actor and the associated activities:
+
+* https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html
+
+## Literature
+
+The following articles explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

TrickBot/README.md

@@ -1,6 +1,6 @@
 # TrickBot - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [TrickBot](https://vuldb.com/?actor.trickbot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [TrickBot](https://vuldb.com/?actor.trickbot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.trickbot](https://vuldb.com/?actor.trickbot)
 
@@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
 * ES
 * ...
 
-There are 35 more country items available. Please use our online service to access the data.
+There are 38 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -40,10 +40,10 @@ ID | IP address | Hostname | Confidence
 17 | 23.21.27.29 | ec2-23-21-27-29.compute-1.amazonaws.com | Medium
 18 | 23.21.48.44 | ec2-23-21-48-44.compute-1.amazonaws.com | Medium
 19 | 23.21.252.4 | ec2-23-21-252-4.compute-1.amazonaws.com | Medium
-20 | 23.96.30.229 | - | High
+20 | 23.94.233.210 | 23-94-233-210-host.colocrossing.com | High
 21 | ... | ... | ...
 
-There are 257 more IOC items available. Please use our online service to access the data.
+There are 286 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -78,7 +78,7 @@ ID | Type | Indicator | Confidence
 10 | File | `/admin/config.php?display=backup` | High
 11 | ... | ... | ...
 
-There are 987 more IOA items available. Please use our online service to access the data.
+There are 1043 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -93,15 +93,18 @@ The following list contains external sources which discuss the actor and the ass
 * https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
 * https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
 * https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1029-1105.html
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
 * https://feodotracker.abuse.ch/downloads/ipblocklist.csv
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Unknown/README.md

@@ -1,6 +1,6 @@
 # Unknown - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Unknown](https://vuldb.com/?actor.unknown). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Unknown](https://vuldb.com/?actor.unknown). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.unknown](https://vuldb.com/?actor.unknown)
 
@@ -13,18 +13,18 @@ The following campaigns are known and can be associated with Unknown:
 * Cybersquatting
 * ...
 
-There are 4 more campaign items available. Please use our online service to access the data.
+There are 6 more campaign items available. Please use our online service to access the data.
 
 ## Countries
 
 These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Unknown:
 
 * US
-* DE
 * CN
+* DE
 * ...
 
-There are 23 more country items available. Please use our online service to access the data.
+There are 26 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -34,27 +34,27 @@ ID | IP address | Hostname | Confidence
 -- | ---------- | -------- | ----------
 1 | 5.23.48.207 | vds-cf95067.timeweb.ru | High
 2 | 5.101.122.228 | - | High
-3 | 27.254.41.7 | - | High
-4 | 41.237.156.15 | host-41.237.156.15.tedata.net | High
-5 | 45.77.140.214 | 45.77.140.214.vultr.com | Medium
-6 | 45.135.229.179 | ipcore3.example.com | High
-7 | 54.68.121.73 | ec2-54-68-121-73.us-west-2.compute.amazonaws.com | Medium
-8 | 54.68.194.154 | ec2-54-68-194-154.us-west-2.compute.amazonaws.com | Medium
-9 | 54.69.90.62 | ec2-54-69-90-62.us-west-2.compute.amazonaws.com | Medium
-10 | 54.191.142.124 | ec2-54-191-142-124.us-west-2.compute.amazonaws.com | Medium
-11 | 58.64.129.149 | - | High
-12 | 58.64.172.177 | - | High
-13 | 58.64.193.228 | - | High
-14 | 59.188.5.19 | - | High
-15 | 60.170.255.85 | - | High
-16 | 61.128.110.37 | - | High
-17 | 61.128.122.147 | - | High
-18 | 61.132.74.68 | - | High
-19 | 61.132.74.113 | - | High
-20 | 61.178.77.96 | - | High
+3 | 18.228.7.109 | ec2-18-228-7-109.sa-east-1.compute.amazonaws.com | Medium
+4 | 23.251.102.74 | zl-dal-us-gp3-wk109.internet-census.org | High
+5 | 27.254.41.7 | - | High
+6 | 31.220.58.29 | - | High
+7 | 41.237.156.15 | host-41.237.156.15.tedata.net | High
+8 | 45.77.140.214 | 45.77.140.214.vultr.com | Medium
+9 | 45.83.193.150 | - | High
+10 | 45.135.229.179 | ipcore3.example.com | High
+11 | 45.146.164.110 | - | High
+12 | 46.101.59.235 | - | High
+13 | 52.220.244.242 | ec2-52-220-244-242.ap-southeast-1.compute.amazonaws.com | Medium
+14 | 54.68.121.73 | ec2-54-68-121-73.us-west-2.compute.amazonaws.com | Medium
+15 | 54.68.194.154 | ec2-54-68-194-154.us-west-2.compute.amazonaws.com | Medium
+16 | 54.69.90.62 | ec2-54-69-90-62.us-west-2.compute.amazonaws.com | Medium
+17 | 54.191.142.124 | ec2-54-191-142-124.us-west-2.compute.amazonaws.com | Medium
+18 | 58.64.129.149 | - | High
+19 | 58.64.172.177 | - | High
+20 | 58.64.193.228 | - | High
 21 | ... | ... | ...
 
-There are 69 more IOC items available. Please use our online service to access the data.
+There are 87 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -79,21 +79,23 @@ ID | Type | Indicator | Confidence
 1 | File | `.FBCIndex` | Medium
 2 | File | `.htaccess` | Medium
 3 | File | `/+CSCOE+/logon.html` | High
-4 | File | `/anony/mjpg.cgi` | High
-5 | File | `/appLms/ajax.server.php` | High
-6 | File | `/authenticate.php` | High
-7 | File | `/cameras/XXXX/clips` | High
-8 | File | `/category.php` | High
-9 | File | `/cgi-bin` | Medium
-10 | File | `/cgi-bin/wapopen` | High
+4 | File | `/adminlogin.asp` | High
+5 | File | `/anony/mjpg.cgi` | High
+6 | File | `/appLms/ajax.server.php` | High
+7 | File | `/authenticate.php` | High
+8 | File | `/cameras/XXXX/clips` | High
+9 | File | `/category.php` | High
+10 | File | `/cgi-bin` | Medium
 11 | ... | ... | ...
 
-There are 336 more IOA items available. Please use our online service to access the data.
+There are 416 more IOA items available. Please use our online service to access the data.
 
 ## References
 
 The following list contains external sources which discuss the actor and the associated activities:
 
+* https://isc.sans.edu/forums/diary/Apache+is+Actively+Scan+for+CVE202141773+CVE202142013/27940/
+* https://isc.sans.edu/forums/diary/Log4Shell+exploited+to+implant+coin+miners/28124/
 * https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
 * https://unit42.paloaltonetworks.com/cybersquatting/
 * https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/
@@ -110,9 +112,9 @@ The following list contains external sources which discuss the actor and the ass
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Upatre/README.md

@@ -1,6 +1,6 @@
 # Upatre - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Upatre](https://vuldb.com/?actor.upatre). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Upatre](https://vuldb.com/?actor.upatre). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.upatre](https://vuldb.com/?actor.upatre)
 
@@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
 * DE
 * ...
 
-There are 13 more country items available. Please use our online service to access the data.
+There are 15 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -28,22 +28,22 @@ ID | IP address | Hostname | Confidence
 5 | 8.253.132.120 | - | High
 6 | 23.46.238.194 | a23-46-238-194.deploy.static.akamaitechnologies.com | High
 7 | 23.46.238.232 | a23-46-238-232.deploy.static.akamaitechnologies.com | High
-8 | 24.240.107.12 | 024-240-107-012.res.spectrum.com | High
-9 | 31.31.196.102 | server139.hosting.reg.ru | High
-10 | 34.97.69.225 | 225.69.97.34.bc.googleusercontent.com | Medium
-11 | 34.117.59.81 | 81.59.117.34.bc.googleusercontent.com | Medium
-12 | 37.0.8.235 | - | High
-13 | 37.0.10.214 | - | High
-14 | 37.0.10.236 | - | High
-15 | 37.0.11.8 | - | High
-16 | 37.57.144.177 | 177.144.57.37.triolan.net | High
-17 | 50.116.50.55 | li422-55.members.linode.com | High
-18 | 64.182.208.184 | - | High
-19 | 66.199.229.251 | 66-199-229-251.reverse.ezzi.net | High
-20 | 69.9.204.114 | 69-9-204-114-static.midco.net | High
+8 | 24.19.25.40 | c-24-19-25-40.hsd1.wa.comcast.net | High
+9 | 24.148.217.188 | - | High
+10 | 24.220.92.193 | 24-220-92-193-dynamic.midco.net | High
+11 | 24.240.107.12 | 024-240-107-012.res.spectrum.com | High
+12 | 31.31.196.102 | server139.hosting.reg.ru | High
+13 | 34.97.69.225 | 225.69.97.34.bc.googleusercontent.com | Medium
+14 | 34.117.59.81 | 81.59.117.34.bc.googleusercontent.com | Medium
+15 | 37.0.8.235 | - | High
+16 | 37.0.10.214 | - | High
+17 | 37.0.10.236 | - | High
+18 | 37.0.11.8 | - | High
+19 | 37.57.144.177 | 177.144.57.37.triolan.net | High
+20 | 50.116.50.55 | 50-116-50-55.ip.linodeusercontent.com | High
 21 | ... | ... | ...
 
-There are 46 more IOC items available. Please use our online service to access the data.
+There are 65 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -64,19 +64,19 @@ These indicators of attack list the potential fragments used for technical activ
 
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
-2 | File | `/Core/Ap4Stz2Atom.cpp` | High
-3 | File | `/etc/fstab` | Medium
-4 | File | `/getcfg.php` | Medium
-5 | File | `/goform/form2userconfig.cgi` | High
-6 | File | `/mc` | Low
-7 | File | `/menu.html` | Medium
-8 | File | `/product.php` | Medium
-9 | File | `admin.php` | Medium
-10 | File | `admin/backupstart.php` | High
+1 | File | `/bin/boa` | Medium
+2 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
+3 | File | `/Core/Ap4Stz2Atom.cpp` | High
+4 | File | `/etc/fstab` | Medium
+5 | File | `/getcfg.php` | Medium
+6 | File | `/goform/form2userconfig.cgi` | High
+7 | File | `/mc` | Low
+8 | File | `/menu.html` | Medium
+9 | File | `/product.php` | Medium
+10 | File | `admin.php` | Medium
 11 | ... | ... | ...
 
-There are 88 more IOA items available. Please use our online service to access the data.
+There are 91 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -88,14 +88,15 @@ The following list contains external sources which discuss the actor and the ass
 * https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
 * https://blog.talosintelligence.com/2021/08/threat-roundup-0820-0827.html
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Ursu/README.md

@@ -1,6 +1,6 @@
 # Ursu - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Ursu](https://vuldb.com/?actor.ursu). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Ursu](https://vuldb.com/?actor.ursu). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.ursu](https://vuldb.com/?actor.ursu)
 
@@ -9,6 +9,7 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
 These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Ursu:
 
 * CN
+* US
 * JP
 
 ## IOC - Indicator of Compromise
@@ -23,9 +24,19 @@ ID | IP address | Hostname | Confidence
 4 | 15.11.35.18 | - | High
 5 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | High
 6 | 34.117.237.239 | 239.237.117.34.bc.googleusercontent.com | Medium
-7 | ... | ... | ...
+7 | 35.162.37.28 | ec2-35-162-37-28.us-west-2.compute.amazonaws.com | Medium
+8 | 44.230.33.128 | ec2-44-230-33-128.us-west-2.compute.amazonaws.com | Medium
+9 | ... | ... | ...
 
-There are 12 more IOC items available. Please use our online service to access the data.
+There are 14 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Ursu. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Description | Confidence
+-- | --------- | ----------- | ----------
+1 | T1068 | Execution with Unnecessary Privileges | High
 
 ## IOA - Indicator of Attack
 
@@ -33,7 +44,11 @@ These indicators of attack list the potential fragments used for technical activ
 
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | Argument | `adminUsername/adminPassword` | High
+1 | File | `$SPLUNK_HOME/etc/splunk-launch.conf` | High
+2 | File | `Layout.java` | Medium
+3 | Argument | `adminUsername/adminPassword` | High
+4 | Input Value | `xxx.php[space]` | High
+5 | Pattern | `|0a|If|3a|` | Medium
 
 ## References
 
@@ -43,14 +58,15 @@ The following list contains external sources which discuss the actor and the ass
 * https://blog.talosintelligence.com/2021/03/threat-roundup-0319-0326.html
 * https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
 * https://blog.talosintelligence.com/2021/08/threat-roundup-0820-0827.html
+* https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Xpiro/README.md

@@ -1,30 +1,72 @@
 # Xpiro - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Xpiro](https://vuldb.com/?actor.xpiro). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Xpiro](https://vuldb.com/?actor.xpiro). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.xpiro](https://vuldb.com/?actor.xpiro)
 
+## Countries
+
+These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Xpiro:
+
+* US
+* FR
+* KR
+
 ## IOC - Indicator of Compromise
 
 These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Xpiro.
 
 ID | IP address | Hostname | Confidence
 -- | ---------- | -------- | ----------
-1 | 13.107.42.23 | - | High
+1 | 3.223.115.185 | ec2-3-223-115-185.compute-1.amazonaws.com | Medium
+2 | 13.107.42.23 | - | High
+3 | 37.48.65.152 | - | High
+4 | ... | ... | ...
+
+There are 3 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Xpiro. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Description | Confidence
+-- | --------- | ----------- | ----------
+1 | T1059.007 | Cross Site Scripting | High
+2 | T1068 | Execution with Unnecessary Privileges | High
+3 | T1499 | Resource Consumption | High
+
+## IOA - Indicator of Attack
+
+These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Xpiro. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/LoginAdmin` | Medium
+2 | File | `drivers/spi/spi-gpio.c` | High
+3 | File | `owa/redir.aspx` | High
+4 | File | `search-exclude.php` | High
+5 | File | `startup.jsp` | Medium
+6 | File | `wolfcrypt/src/asn.c` | High
+7 | Argument | `NoJs` | Low
+8 | Argument | `URL` | Low
+9 | Input Value | `::$Index_Allocation` | High
+10 | Network Port | `Web Server Port` | High
 
 ## References
 
 The following list contains external sources which discuss the actor and the associated activities:
 
 * https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1029-1105.html
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Zbot/README.md

@@ -1,6 +1,6 @@
 # Zbot - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Zbot](https://vuldb.com/?actor.zbot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Zbot](https://vuldb.com/?actor.zbot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.zbot](https://vuldb.com/?actor.zbot)
 
@@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
 * IT
 * ...
 
-There are 12 more country items available. Please use our online service to access the data.
+There are 15 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -29,21 +29,21 @@ ID | IP address | Hostname | Confidence
 6 | 23.96.30.229 | - | High
 7 | 23.193.42.12 | a23-193-42-12.deploy.static.akamaitechnologies.com | High
 8 | 23.227.38.32 | myshopify.com | High
-9 | 24.120.165.58 | wsip-24-120-165-58.lv.lv.cox.net | High
-10 | 32.178.143.61 | mobile-32-178-143-61.mycingular.net | High
-11 | 34.72.197.182 | 182.197.72.34.bc.googleusercontent.com | Medium
-12 | 35.177.71.77 | ns1.symbiant.net | High
-13 | 41.168.5.140 | - | High
-14 | 45.60.77.201 | - | High
-15 | 49.212.235.209 | www3469.sakura.ne.jp | High
-16 | 50.72.177.24 | S01069050ca30b943.wp.shawcable.net | High
-17 | 50.116.43.143 | li480-143.members.linode.com | High
-18 | 51.178.156.9 | ip9.ip-51-178-156.eu | High
-19 | 52.85.132.44 | server-52-85-132-44.iad50.r.cloudfront.net | High
-20 | 52.137.90.34 | - | High
+9 | 24.115.94.180 | 24.115.94.180.res-cmts.ovr.ptd.net | High
+10 | 24.120.165.58 | wsip-24-120-165-58.lv.lv.cox.net | High
+11 | 27.54.110.77 | 77.110.54.27.dhcp.mct.ne.jp | High
+12 | 32.178.143.61 | mobile-32-178-143-61.mycingular.net | High
+13 | 34.72.197.182 | 182.197.72.34.bc.googleusercontent.com | Medium
+14 | 35.177.71.77 | ns1.symbiant.net | High
+15 | 36.2.242.186 | 36-2-242-186.aichi.otk.vectant.ne.jp | High
+16 | 39.116.90.10 | - | High
+17 | 41.168.5.140 | - | High
+18 | 45.60.77.201 | - | High
+19 | 49.212.235.209 | www3469.sakura.ne.jp | High
+20 | 50.72.177.24 | S01069050ca30b943.wp.shawcable.net | High
 21 | ... | ... | ...
 
-There are 145 more IOC items available. Please use our online service to access the data.
+There are 186 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -71,12 +71,12 @@ ID | Type | Indicator | Confidence
 5 | File | `/principals` | Medium
 6 | File | `/uncpath/` | Medium
 7 | File | `/var/log/nginx` | High
-8 | File | `4.2.0.CP03` | Medium
-9 | File | `CGIProxy.fcgi?cmd=setTelnetSwitch` | High
-10 | File | `CMSPages/GetDocLink.ashx` | High
+8 | File | `/wp-admin/admin-ajax.php` | High
+9 | File | `4.2.0.CP03` | Medium
+10 | File | `CGIProxy.fcgi?cmd=setTelnetSwitch` | High
 11 | ... | ... | ...
 
-There are 67 more IOA items available. Please use our online service to access the data.
+There are 89 more IOA items available. Please use our online service to access the data.
 
 ## References
 
@@ -95,14 +95,17 @@ The following list contains external sources which discuss the actor and the ass
 * https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
 * https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
 * https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1008-1015.html
+* https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
+* https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

Zegost/README.md

@@ -1,6 +1,6 @@
 # Zegost - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Zegost](https://vuldb.com/?actor.zegost). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Zegost](https://vuldb.com/?actor.zegost). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
 
 Live data and more analysis capabilities are available at [https://vuldb.com/?actor.zegost](https://vuldb.com/?actor.zegost)
 
@@ -40,7 +40,7 @@ ID | IP address | Hostname | Confidence
 20 | 59.42.71.178 | - | High
 21 | ... | ... | ...
 
-There are 64 more IOC items available. Please use our online service to access the data.
+There are 65 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
@@ -86,14 +86,15 @@ The following list contains external sources which discuss the actor and the ass
 * https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
 * https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
 * https://blog.talosintelligence.com/2021/07/threat-roundup-0716-0723.html
+* https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
 
 ## Literature
 
 The following articles explain our unique predictive cyber threat intelligence:
 
-* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
 
 ## License
 
-(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
+(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!