Update

2022-03-10 08:43:14 +01:00 · 2022-03-10 08:43:14 +01:00 · 63ca436110
parent 00d973b85b
commit 63ca436110
124 changed files with 3585 additions and 2432 deletions
--- a/actors/APT-C-01/README.md
+++ b/actors/APT-C-01/README.md
@ -30,7 +30,7 @@ There are 4 more IOC items available. Please use our online service to access th

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT-C-01. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT-C-01_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/APT-C-07/README.md
+++ b/actors/APT-C-07/README.md
@ -1,32 +1,32 @@
 # APT-C-07 - Cyber Threat Intelligence

-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT-C-07](https://vuldb.com/?actor.apt-c-07). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT-C-07](https://vuldb.com/?actor.apt-c-07). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt-c-07](https://vuldb.com/?actor.apt-c-07)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt-c-07](https://vuldb.com/?actor.apt-c-07)

 ## Campaigns

-The following campaigns are known and can be associated with APT-C-07:
+The following _campaigns_ are known and can be associated with APT-C-07:

 * Mermaid

 ## Countries

-These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT-C-07:
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT-C-07:

-* US
+* [US](https://vuldb.com/?country.us)

 ## IOC - Indicator of Compromise

-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT-C-07.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT-C-07.

-ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
-1 | 69.195.129.72 | - | High
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [69.195.129.72](https://vuldb.com/?ip.69.195.129.72) | - | Mermaid | High

 ## IOA - Indicator of Attack

-These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT-C-07. This data is unique as it uses our predictive model for actor profiling.
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT-C-07. This data is unique as it uses our predictive model for actor profiling.

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
@ -34,13 +34,13 @@ ID | Type | Indicator | Confidence

 ## References

-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:

 * https://www.threatminer.org/report.php?q=Operation_Mermaid_360cn.pdf&y=2016

 ## Literature

-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:

 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
--- a/actors/APT-C-36/README.md
+++ b/actors/APT-C-36/README.md
@ -1,6 +1,6 @@
 # APT-C-36 - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT-C-36](https://vuldb.com/?actor.apt-c-36). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT-C-36](https://vuldb.com/?actor.apt-c-36). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt-c-36](https://vuldb.com/?actor.apt-c-36)

@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT-C-36:

-* US
-* CN
-* DE
+* [US](https://vuldb.com/?country.us)
+* [CN](https://vuldb.com/?country.cn)
+* [DE](https://vuldb.com/?country.de)
 * ...

 There are 20 more country items available. Please use our online service to access the data.
@ -21,16 +21,16 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 128.90.106.22 | undefined.hostname.localhost | - | High
-2 | 128.90.107.21 | undefined.hostname.localhost | - | High
-3 | 128.90.107.189 | undefined.hostname.localhost | - | High
+1 | [128.90.106.22](https://vuldb.com/?ip.128.90.106.22) | undefined.hostname.localhost | - | High
+2 | [128.90.107.21](https://vuldb.com/?ip.128.90.107.21) | undefined.hostname.localhost | - | High
+3 | [128.90.107.189](https://vuldb.com/?ip.128.90.107.189) | undefined.hostname.localhost | - | High
 4 | ... | ... | ... | ...

 There are 5 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT-C-36. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT-C-36_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -39,7 +39,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 8 more TTP items available. Please use our online service to access the data.
+There are 7 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -53,29 +53,29 @@ ID | Type | Indicator | Confidence
 4 | File | `/assets/ctx` | Medium
 5 | File | `/concat?/%2557EB-INF/web.xml` | High
 6 | File | `/config/getuser` | High
-7 | File | `/ext/phar/phar_object.c` | High
-8 | File | `/filemanager/php/connector.php` | High
-9 | File | `/get_getnetworkconf.cgi` | High
-10 | File | `/HNAP1` | Low
-11 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
-12 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
-13 | File | `/modx/manager/index.php` | High
-14 | File | `/osm/REGISTER.cmd` | High
-15 | File | `/product_list.php` | High
-16 | File | `/replication` | Medium
-17 | File | `/see_more_details.php` | High
-18 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
-19 | File | `/supervisor/procesa_carga.php` | High
-20 | File | `/type.php` | Medium
-21 | File | `/uncpath/` | Medium
-22 | File | `/usr/bin/pkexec` | High
-23 | File | `/zm/index.php` | High
-24 | File | `4.2.0.CP09` | Medium
-25 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
-26 | File | `802dot1xclientcert.cgi` | High
-27 | File | `add.exe` | Low
-28 | File | `addentry.php` | Medium
-29 | File | `add_edit_user.asp` | High
+7 | File | `/debug/pprof` | Medium
+8 | File | `/ext/phar/phar_object.c` | High
+9 | File | `/filemanager/php/connector.php` | High
+10 | File | `/get_getnetworkconf.cgi` | High
+11 | File | `/HNAP1` | Low
+12 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
+13 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
+14 | File | `/modx/manager/index.php` | High
+15 | File | `/osm/REGISTER.cmd` | High
+16 | File | `/product_list.php` | High
+17 | File | `/replication` | Medium
+18 | File | `/see_more_details.php` | High
+19 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
+20 | File | `/supervisor/procesa_carga.php` | High
+21 | File | `/type.php` | Medium
+22 | File | `/uncpath/` | Medium
+23 | File | `/usr/bin/pkexec` | High
+24 | File | `/zm/index.php` | High
+25 | File | `4.2.0.CP09` | Medium
+26 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
+27 | File | `802dot1xclientcert.cgi` | High
+28 | File | `add.exe` | Low
+29 | File | `addentry.php` | Medium
 30 | File | `admin-ajax.php` | High
 31 | File | `admin.color.php` | High
 32 | File | `admin.cropcanvas.php` | High
@ -107,10 +107,9 @@ ID | Type | Indicator | Confidence
 58 | File | `books.php` | Medium
 59 | File | `C:\Python27` | Medium
 60 | File | `C:\Windows\System32\config\SAM` | High
-61 | File | `categorie.php3` | High
-62 | ... | ... | ...
+61 | ... | ... | ...

-There are 541 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 530 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/APT10/README.md
+++ b/actors/APT10/README.md
@ -59,7 +59,7 @@ There are 98 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT10. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT10_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -68,7 +68,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 3 more TTP items available. Please use our online service to access the data.
+There are 4 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

--- a/actors/APT15/README.md
+++ b/actors/APT15/README.md
@ -1,6 +1,6 @@
 # APT15 - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT15](https://vuldb.com/?actor.apt15). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT15](https://vuldb.com/?actor.apt15). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt15](https://vuldb.com/?actor.apt15)

--- a/actors/APT17/README.md
+++ b/actors/APT17/README.md
@ -1,6 +1,6 @@
 # APT17 - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT17](https://vuldb.com/?actor.apt17). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT17](https://vuldb.com/?actor.apt17). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt17](https://vuldb.com/?actor.apt17)

@ -14,12 +14,12 @@ The following _campaigns_ are known and can be associated with APT17:

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT17:

-* DE
-* US
-* JP
+* [DE](https://vuldb.com/?country.de)
+* [US](https://vuldb.com/?country.us)
+* [CN](https://vuldb.com/?country.cn)
 * ...

-There are 2 more country items available. Please use our online service to access the data.
+There are 4 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

@ -27,20 +27,21 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 1.234.52.111 | - | - | High
-2 | 69.80.72.165 | - | - | High
-3 | 103.250.72.39 | sv01growth.bulks.jp | - | High
-4 | ... | ... | ... | ...
+1 | [1.234.52.111](https://vuldb.com/?ip.1.234.52.111) | - | - | High
+2 | [8.9.11.130](https://vuldb.com/?ip.8.9.11.130) | 8.9.11.130.vultr.com | - | Medium
+3 | [45.76.6.149](https://vuldb.com/?ip.45.76.6.149) | 45.76.6.149.vultr.com | - | Medium
+4 | [45.76.31.159](https://vuldb.com/?ip.45.76.31.159) | 45.76.31.159.vultr.com | - | Medium
+5 | ... | ... | ... | ...

-There are 9 more IOC items available. Please use our online service to access the data.
+There are 17 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT17. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT17_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
-1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
 2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
 3 | T1211 | CWE-254 | 7PK Security Features | High
 4 | ... | ... | ... | ...
@ -54,16 +55,19 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
 1 | File | `.htaccess` | Medium
-2 | File | `/wbg/core/_includes/authorization.inc.php` | High
-3 | File | `data/gbconfiguration.dat` | High
-4 | ... | ... | ...
+2 | File | `/api/DownloadUrlResponse.ashx` | High
+3 | File | `/wbg/core/_includes/authorization.inc.php` | High
+4 | File | `addentry.php` | Medium
+5 | File | `data/gbconfiguration.dat` | High
+6 | ... | ... | ...

-There are 10 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 34 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

 The following list contains _external sources_ which discuss the actor and the associated activities:

+* https://github.com/eset/malware-ioc/tree/master/quarterly_reports/2020_Q2
 * https://github.com/fireeye/iocs/blob/master/APT17/7b9e87c5-b619-4a13-b862-0145614d359a.ioc
 * https://www.threatminer.org/report.php?q=EvidenceAuroraOperationStillActive_SupplyChainAttackThroughCCleaner-Intezer.pdf&y=2017

--- a/actors/APT28/README.md
+++ b/actors/APT28/README.md
@ -84,7 +84,7 @@ There are 184 more IOC items available. Please use our online service to access

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT28. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT28_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -93,7 +93,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 7 more TTP items available. Please use our online service to access the data.
+There are 6 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -107,36 +107,36 @@ ID | Type | Indicator | Confidence
 4 | File | `/admin/config.php?display=disa&view=form` | High
 5 | File | `/category_view.php` | High
 6 | File | `/dev/kmem` | Medium
-7 | File | `/filemanager/upload.php` | High
-8 | File | `/medical/inventories.php` | High
-9 | File | `/monitoring` | Medium
-10 | File | `/NAGErrors` | Medium
-11 | File | `/plugins/servlet/audit/resource` | High
-12 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
-13 | File | `/proc/ioports` | High
-14 | File | `/replication` | Medium
-15 | File | `/reports/rwservlet` | High
-16 | File | `/RestAPI` | Medium
-17 | File | `/tmp` | Low
-18 | File | `/tmp/speedtest_urls.xml` | High
-19 | File | `/uncpath/` | Medium
-20 | File | `/var/log/nginx` | High
-21 | File | `/wp-admin/admin.php` | High
-22 | File | `/wp-json/wc/v3/webhooks` | High
-23 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
-24 | File | `admin/app/mediamanager` | High
-25 | File | `admin/index.php` | High
-26 | File | `admin\model\catalog\download.php` | High
-27 | File | `afr.php` | Low
-28 | File | `apcupsd.pid` | Medium
-29 | File | `api/it-recht-kanzlei/api-it-recht-kanzlei.php` | High
-30 | File | `api/sms/send-sms` | High
-31 | File | `api/v1/alarms` | High
-32 | File | `application/controller/InstallerController.php` | High
-33 | File | `arch/powerpc/kvm/book3s_rtas.c` | High
+7 | File | `/file?action=download&file` | High
+8 | File | `/filemanager/upload.php` | High
+9 | File | `/medical/inventories.php` | High
+10 | File | `/monitoring` | Medium
+11 | File | `/NAGErrors` | Medium
+12 | File | `/plugins/servlet/audit/resource` | High
+13 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
+14 | File | `/proc/ioports` | High
+15 | File | `/replication` | Medium
+16 | File | `/reports/rwservlet` | High
+17 | File | `/RestAPI` | Medium
+18 | File | `/tmp` | Low
+19 | File | `/tmp/speedtest_urls.xml` | High
+20 | File | `/uncpath/` | Medium
+21 | File | `/var/log/nginx` | High
+22 | File | `/wp-admin/admin.php` | High
+23 | File | `/wp-json/wc/v3/webhooks` | High
+24 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
+25 | File | `admin/app/mediamanager` | High
+26 | File | `admin/index.php` | High
+27 | File | `admin\model\catalog\download.php` | High
+28 | File | `afr.php` | Low
+29 | File | `apcupsd.pid` | Medium
+30 | File | `api/it-recht-kanzlei/api-it-recht-kanzlei.php` | High
+31 | File | `api/sms/send-sms` | High
+32 | File | `api/v1/alarms` | High
+33 | File | `application/controller/InstallerController.php` | High
 34 | ... | ... | ...

-There are 292 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 291 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/APT31/README.md
+++ b/actors/APT31/README.md
@ -26,7 +26,7 @@ There are 13 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT31. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT31_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/APT33/README.md
+++ b/actors/APT33/README.md
@ -50,7 +50,7 @@ There are 60 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT33. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT33_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -59,7 +59,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 9 more TTP items available. Please use our online service to access the data.
+There are 8 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -68,32 +68,31 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
 1 | File | `/admin.add` | Medium
-2 | File | `/admin/admin.php?module=admin_access_group_edit&aagID` | High
-3 | File | `/admin/customers.php?page=1&cID` | High
-4 | File | `/admin/edit_user.php` | High
-5 | File | `/administrator/components/menu/` | High
-6 | File | `/administrator/components/table_manager/` | High
-7 | File | `/api/ZRMesh/set_ZRMesh` | High
-8 | File | `/damicms-master/admin.php?s=/Article/doedit` | High
-9 | File | `/Hospital-Management-System-master/contact.php` | High
-10 | File | `/Hospital-Management-System-master/func.php` | High
-11 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
-12 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
-13 | File | `/jerry-core/jmem/jmem-heap.c` | High
-14 | File | `/ms/cms/content/list.do` | High
-15 | File | `/orms/` | Low
-16 | File | `/parser/js/js-parser-expr.c` | High
-17 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
-18 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
-19 | File | `/transmission/web/` | High
-20 | File | `/uploads/exam_question/` | High
-21 | File | `/usr/bin/pkexec` | High
-22 | File | `/usr/local/bin/mjs` | High
-23 | File | `1.2.2.pl4` | Medium
-24 | File | `AccessPoint.java` | High
-25 | ... | ... | ...
+2 | File | `/admin/?page=user/manage_user` | High
+3 | File | `/admin/admin.php?module=admin_access_group_edit&aagID` | High
+4 | File | `/admin/customers.php?page=1&cID` | High
+5 | File | `/admin/edit_user.php` | High
+6 | File | `/admin/files` | Medium
+7 | File | `/administrator/components/menu/` | High
+8 | File | `/administrator/components/table_manager/` | High
+9 | File | `/api/ZRMesh/set_ZRMesh` | High
+10 | File | `/damicms-master/admin.php?s=/Article/doedit` | High
+11 | File | `/Hospital-Management-System-master/contact.php` | High
+12 | File | `/Hospital-Management-System-master/func.php` | High
+13 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
+14 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
+15 | File | `/jerry-core/jmem/jmem-heap.c` | High
+16 | File | `/ms/cms/content/list.do` | High
+17 | File | `/orms/` | Low
+18 | File | `/parser/js/js-parser-expr.c` | High
+19 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
+20 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
+21 | File | `/transmission/web/` | High
+22 | File | `/uploads/exam_question/` | High
+23 | File | `/usr/bin/pkexec` | High
+24 | ... | ... | ...

-There are 206 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 200 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/APT34/README.md
+++ b/actors/APT34/README.md
@ -41,7 +41,7 @@ There are 58 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT34. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT34_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -63,35 +63,35 @@ ID | Type | Indicator | Confidence
 3 | File | `/admin.php` | Medium
 4 | File | `/bdswebui/assignusers/` | High
 5 | File | `/etc/fstab` | Medium
-6 | File | `/includes/rrdtool.inc.php` | High
-7 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
-8 | File | `/medical/inventories.php` | High
-9 | File | `/monitoring` | Medium
-10 | File | `/NAGErrors` | Medium
-11 | File | `/plugins/servlet/audit/resource` | High
-12 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
-13 | File | `/replication` | Medium
-14 | File | `/RestAPI` | Medium
-15 | File | `/SASWebReportStudio/logonAndRender.do` | High
-16 | File | `/tmp` | Low
-17 | File | `/tmp/speedtest_urls.xml` | High
-18 | File | `/uncpath/` | Medium
-19 | File | `/var/log/nginx` | High
-20 | File | `/wp-content/plugins/updraftplus/admin.php` | High
-21 | File | `actions.hsp` | Medium
-22 | File | `addentry.php` | Medium
-23 | File | `add_edit_user.asp` | High
-24 | File | `add_to_cart.php` | High
-25 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
-26 | File | `admin/config/confmgr.php` | High
-27 | File | `admin/system_manage/save.html` | High
-28 | File | `admin\model\catalog\download.php` | High
-29 | File | `ajax.php` | Medium
-30 | File | `apcupsd.pid` | Medium
-31 | File | `api/sms/send-sms` | High
+6 | File | `/file?action=download&file` | High
+7 | File | `/includes/rrdtool.inc.php` | High
+8 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
+9 | File | `/medical/inventories.php` | High
+10 | File | `/monitoring` | Medium
+11 | File | `/NAGErrors` | Medium
+12 | File | `/plugins/servlet/audit/resource` | High
+13 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
+14 | File | `/replication` | Medium
+15 | File | `/RestAPI` | Medium
+16 | File | `/SASWebReportStudio/logonAndRender.do` | High
+17 | File | `/tmp` | Low
+18 | File | `/tmp/speedtest_urls.xml` | High
+19 | File | `/uncpath/` | Medium
+20 | File | `/var/log/nginx` | High
+21 | File | `/wp-content/plugins/updraftplus/admin.php` | High
+22 | File | `actions.hsp` | Medium
+23 | File | `addentry.php` | Medium
+24 | File | `add_edit_user.asp` | High
+25 | File | `add_to_cart.php` | High
+26 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
+27 | File | `admin/config/confmgr.php` | High
+28 | File | `admin/system_manage/save.html` | High
+29 | File | `admin\model\catalog\download.php` | High
+30 | File | `ajax.php` | Medium
+31 | File | `apcupsd.pid` | Medium
 32 | ... | ... | ...

-There are 277 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 276 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/APT38/README.md
+++ b/actors/APT38/README.md
@ -1,44 +1,44 @@
 # APT38 - Cyber Threat Intelligence

-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT38](https://vuldb.com/?actor.apt38). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT38](https://vuldb.com/?actor.apt38). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt38](https://vuldb.com/?actor.apt38)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt38](https://vuldb.com/?actor.apt38)

 ## Countries

-These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT38:
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT38:

-* US
-* KR
-* CN
+* [US](https://vuldb.com/?country.us)
+* [KR](https://vuldb.com/?country.kr)
+* [CN](https://vuldb.com/?country.cn)
 * ...

 There are 1 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT38.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT38.

-ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
-1 | 175.45.176. | - | High
-2 | 175.45.177. | - | High
-3 | 175.45.178. | - | High
-4 | ... | ... | ...
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [175.45.176.](https://vuldb.com/?ip.175.45.176.) | - | - | High
+2 | [175.45.177.](https://vuldb.com/?ip.175.45.177.) | - | - | High
+3 | [175.45.178.](https://vuldb.com/?ip.175.45.178.) | - | - | High
+4 | ... | ... | ... | ...

 There are 2 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT38. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT38_. This data is unique as it uses our predictive model for actor profiling.

-ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
-1 | T1068 | Execution with Unnecessary Privileges | High
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High

 ## IOA - Indicator of Attack

-These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT38. This data is unique as it uses our predictive model for actor profiling.
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT38. This data is unique as it uses our predictive model for actor profiling.

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
@ -47,17 +47,17 @@ ID | Type | Indicator | Confidence
 3 | File | `\\.\pipe\WPSCloudSvr\WpsCloudSvr` | High
 4 | ... | ... | ...

-There are 12 more IOA items available. Please use our online service to access the data.
+There are 12 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:

 * https://content.fireeye.com/apt/rpt-apt38

 ## Literature

-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:

 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
--- a/actors/APT39/README.md
+++ b/actors/APT39/README.md
@ -1,55 +1,55 @@
 # APT39 - Cyber Threat Intelligence

-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT39](https://vuldb.com/?actor.apt39). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT39](https://vuldb.com/?actor.apt39). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt39](https://vuldb.com/?actor.apt39)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.apt39](https://vuldb.com/?actor.apt39)

 ## Campaigns

-The following campaigns are known and can be associated with APT39:
+The following _campaigns_ are known and can be associated with APT39:

 * Chafer

 ## Countries

-These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT39:
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT39:

-* US
-* RU
-* GB
+* [US](https://vuldb.com/?country.us)
+* [RU](https://vuldb.com/?country.ru)
+* [GB](https://vuldb.com/?country.gb)
 * ...

 There are 18 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT39.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of APT39.

-ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
-1 | 83.142.230.113 | - | High
-2 | 86.105.227.224 | - | High
-3 | 87.117.204.113 | - | High
-4 | ... | ... | ...
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [83.142.230.113](https://vuldb.com/?ip.83.142.230.113) | - | - | High
+2 | [86.105.227.224](https://vuldb.com/?ip.86.105.227.224) | - | - | High
+3 | [87.117.204.113](https://vuldb.com/?ip.87.117.204.113) | - | - | High
+4 | ... | ... | ... | ...

 There are 14 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT39. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT39_. This data is unique as it uses our predictive model for actor profiling.

-ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
-1 | T1059.007 | Cross Site Scripting | High
-2 | T1068 | Execution with Unnecessary Privileges | High
-3 | T1211 | 7PK Security Features | High
-4 | ... | ... | ...
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1211 | CWE-254 | 7PK Security Features | High
+4 | ... | ... | ... | ...

-There are 3 more TTP items available. Please use our online service to access the data.
+There are 2 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

-These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT39. This data is unique as it uses our predictive model for actor profiling.
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT39. This data is unique as it uses our predictive model for actor profiling.

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
@ -62,11 +62,11 @@ ID | Type | Indicator | Confidence
 7 | File | `/uncpath/` | Medium
 8 | ... | ... | ...

-There are 56 more IOA items available. Please use our online service to access the data.
+There are 56 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:

 * https://securelist.com/chafer-used-remexi-malware/89538/
 * https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions
@ -74,7 +74,7 @@ The following list contains external sources which discuss the actor and the ass

 ## Literature

-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:

 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
--- a/actors/APT41/README.md
+++ b/actors/APT41/README.md
@ -20,7 +20,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [RU](https://vuldb.com/?country.ru)
 * ...

-There are 13 more country items available. Please use our online service to access the data.
+There are 14 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

@ -49,7 +49,7 @@ There are 60 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT41. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT41_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -58,7 +58,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 7 more TTP items available. Please use our online service to access the data.
+There are 6 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -91,9 +91,10 @@ ID | Type | Indicator | Confidence
 23 | File | `/usr/bin/pkexec` | High
 24 | File | `/WEB-INF/web.xml` | High
 25 | File | `/wp-admin/admin-ajax.php` | High
-26 | ... | ... | ...
+26 | File | `/_next` | Low
+27 | ... | ... | ...

-There are 221 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 226 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Abcbot/README.md
+++ b/actors/Abcbot/README.md
@ -1,6 +1,6 @@
 # Abcbot - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Abcbot](https://vuldb.com/?actor.abcbot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Abcbot](https://vuldb.com/?actor.abcbot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.abcbot](https://vuldb.com/?actor.abcbot)

@ -8,7 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Abcbot:

-* CN
+* [CN](https://vuldb.com/?country.cn)

 ## IOC - Indicator of Compromise

@ -16,11 +16,11 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 103.209.103.16 | - | - | High
+1 | [103.209.103.16](https://vuldb.com/?ip.103.209.103.16) | - | - | High

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Abcbot. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Abcbot_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/ActionRAT/README.md
+++ b/actors/ActionRAT/README.md
@ -27,7 +27,7 @@ There are 1 more IOC items available. Please use our online service to access th

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by ActionRAT. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _ActionRAT_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/Agrius/README.md
+++ b/actors/Agrius/README.md
@ -1,6 +1,6 @@
 # Agrius - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Agrius](https://vuldb.com/?actor.agrius). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Agrius](https://vuldb.com/?actor.agrius). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.agrius](https://vuldb.com/?actor.agrius)

@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Agrius:

-* US
-* RU
-* IR
+* [US](https://vuldb.com/?country.us)
+* [RU](https://vuldb.com/?country.ru)
+* [IR](https://vuldb.com/?country.ir)
 * ...

 There are 9 more country items available. Please use our online service to access the data.
@ -21,16 +21,16 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 5.2.67.85 | mail.astrilll.com | - | High
-2 | 5.2.73.67 | - | - | High
-3 | 37.59.236.232 | 37.59.236.232.rdns.hasaserver.com | - | High
+1 | [5.2.67.85](https://vuldb.com/?ip.5.2.67.85) | mail.astrilll.com | - | High
+2 | [5.2.73.67](https://vuldb.com/?ip.5.2.73.67) | - | - | High
+3 | [37.59.236.232](https://vuldb.com/?ip.37.59.236.232) | 37.59.236.232.rdns.hasaserver.com | - | High
 4 | ... | ... | ... | ...

 There are 9 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Agrius. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Agrius_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -39,7 +39,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1211 | CWE-254 | 7PK Security Features | High
 4 | ... | ... | ... | ...

-There are 4 more TTP items available. Please use our online service to access the data.
+There are 3 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -59,7 +59,7 @@ ID | Type | Indicator | Confidence
 10 | File | `admin.asp` | Medium
 11 | ... | ... | ...

-There are 83 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 84 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/Viper/README.md
+++ b/Viper/README.md
@ -1,6 +1,6 @@
 # Arid Viper - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Arid Viper](https://vuldb.com/?actor.arid_viper). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Arid Viper](https://vuldb.com/?actor.arid_viper). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.arid_viper](https://vuldb.com/?actor.arid_viper)

@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Arid Viper:

-* US
-* DE
-* PL
+* [US](https://vuldb.com/?country.us)
+* [DE](https://vuldb.com/?country.de)
+* [PL](https://vuldb.com/?country.pl)
 * ...

 There are 1 more country items available. Please use our online service to access the data.
@ -21,16 +21,16 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 54.255.143.112 | ec2-54-255-143-112.ap-southeast-1.compute.amazonaws.com | - | Medium
-2 | 173.236.89.19 | 19.89.236.173.unassigned.ord.singlehop.net | - | High
-3 | 188.40.75.132 | static.132.75.40.188.clients.your-server.de | - | High
+1 | [54.255.143.112](https://vuldb.com/?ip.54.255.143.112) | ec2-54-255-143-112.ap-southeast-1.compute.amazonaws.com | - | Medium
+2 | [173.236.89.19](https://vuldb.com/?ip.173.236.89.19) | 19.89.236.173.unassigned.ord.singlehop.net | - | High
+3 | [188.40.75.132](https://vuldb.com/?ip.188.40.75.132) | static.132.75.40.188.clients.your-server.de | - | High
 4 | ... | ... | ... | ...

 There are 4 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Arid Viper. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Arid Viper_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/Babuk/README.md
+++ b/actors/Babuk/README.md
@ -1,6 +1,6 @@
 # Babuk - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Babuk](https://vuldb.com/?actor.babuk). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Babuk](https://vuldb.com/?actor.babuk). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.babuk](https://vuldb.com/?actor.babuk)

--- a/actors/Bandook/README.md
+++ b/actors/Bandook/README.md
@ -0,0 +1,68 @@
+# Bandook - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bandook](https://vuldb.com/?actor.bandook). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.bandook](https://vuldb.com/?actor.bandook)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bandook:
+
+* [US](https://vuldb.com/?country.us)
+* [CN](https://vuldb.com/?country.cn)
+* [DE](https://vuldb.com/?country.de)
+* ...
+
+There are 1 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Bandook.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [45.142.213.108](https://vuldb.com/?ip.45.142.213.108) | lv-ira.client | - | High
+2 | [45.142.214.31](https://vuldb.com/?ip.45.142.214.31) | vm341765.pq.hosting | - | High
+3 | [194.5.250.103](https://vuldb.com/?ip.194.5.250.103) | - | - | High
+4 | ... | ... | ... | ...
+
+There are 1 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Bandook_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+2 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Bandook. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `album_portal.php` | High
+2 | File | `al_initialize.php` | High
+3 | File | `command.php` | Medium
+4 | ... | ... | ...
+
+There are 11 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://github.com/eset/malware-ioc/tree/master/bandook
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
--- a/actors/Barys/README.md
+++ b/actors/Barys/README.md
@ -1,6 +1,6 @@
 # Barys - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Barys](https://vuldb.com/?actor.barys). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Barys](https://vuldb.com/?actor.barys). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.barys](https://vuldb.com/?actor.barys)

@ -8,7 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Barys:

-* US
+* [US](https://vuldb.com/?country.us)

 ## IOC - Indicator of Compromise

@ -16,20 +16,20 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 13.107.21.200 | - | - | High
-2 | 13.107.22.200 | - | - | High
-3 | 23.225.145.234 | - | - | High
-4 | 47.246.136.160 | - | - | High
-5 | 52.137.90.34 | - | - | High
-6 | 52.185.71.28 | - | - | High
-7 | 58.215.145.95 | - | - | High
+1 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
+2 | [13.107.22.200](https://vuldb.com/?ip.13.107.22.200) | - | - | High
+3 | [23.225.145.234](https://vuldb.com/?ip.23.225.145.234) | - | - | High
+4 | [47.246.136.160](https://vuldb.com/?ip.47.246.136.160) | - | - | High
+5 | [52.137.90.34](https://vuldb.com/?ip.52.137.90.34) | - | - | High
+6 | [52.185.71.28](https://vuldb.com/?ip.52.185.71.28) | - | - | High
+7 | [58.215.145.95](https://vuldb.com/?ip.58.215.145.95) | - | - | High
 8 | ... | ... | ... | ...

 There are 30 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Barys. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Barys_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -38,7 +38,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1211 | CWE-254, CWE-358 | 7PK Security Features | High
 4 | ... | ... | ... | ...

-There are 2 more TTP items available. Please use our online service to access the data.
+There are 1 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

--- a/KingDom/README.md
+++ b/KingDom/README.md
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [MX](https://vuldb.com/?country.mx)
 * ...

-There are 3 more country items available. Please use our online service to access the data.
+There are 4 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

@ -30,16 +30,16 @@ There are 1 more IOC items available. Please use our online service to access th

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Black KingDom. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Black KingDom_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
 1 | T1008 | CWE-757 | Algorithm Downgrade | High
-2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
-3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1059.007 | CWE-79 | Cross Site Scripting | High
+3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
 4 | ... | ... | ... | ...

-There are 10 more TTP items available. Please use our online service to access the data.
+There are 9 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -48,19 +48,19 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
 1 | File | `/admin-panel1.php` | High
-2 | File | `/admin/admin_manage/delete` | High
-3 | File | `/administrator/components/table_manager/` | High
-4 | File | `/adminzone/index.php?page=admin-commandr` | High
-5 | File | `/anony/mjpg.cgi` | High
-6 | File | `/api/servers` | Medium
-7 | File | `/aya/module/admin/ust_tab_e.inc.php` | High
-8 | File | `/core/admin/comment.php` | High
-9 | File | `/data-service/users/` | High
-10 | File | `/etc/wpa_supplicant.conf` | High
-11 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
-12 | File | `/js/app.js` | Medium
-13 | File | `/js/js-parser.c` | High
-14 | File | `/main?cmd=invalid_browser` | High
+2 | File | `/adminzone/index.php?page=admin-commandr` | High
+3 | File | `/api/servers` | Medium
+4 | File | `/aya/module/admin/ust_tab_e.inc.php` | High
+5 | File | `/core/admin/comment.php` | High
+6 | File | `/data-service/users/` | High
+7 | File | `/etc/passwd` | Medium
+8 | File | `/etc/wpa_supplicant.conf` | High
+9 | File | `/goform/SetPptpServerCfg` | High
+10 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
+11 | File | `/js/app.js` | Medium
+12 | File | `/js/js-parser.c` | High
+13 | File | `/main?cmd=invalid_browser` | High
+14 | File | `/mdiy/dict/listExcludeApp` | High
 15 | File | `/ms/file/uploadTemplate.do` | High
 16 | File | `/ok_jpg.c` | Medium
 17 | File | `/ok_png.c` | Medium
@ -68,12 +68,9 @@ ID | Type | Indicator | Confidence
 19 | File | `/rootfs` | Low
 20 | File | `/SASWebReportStudio/logonAndRender.do` | High
 21 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
-22 | File | `/SHARED/<username>` | High
-23 | File | `/sys/user/queryUserComponentData` | High
-24 | File | `/template/unzip.do` | High
-25 | ... | ... | ...
+22 | ... | ... | ...

-There are 213 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 178 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Bondnet/README.md
+++ b/actors/Bondnet/README.md
@ -1,6 +1,6 @@
 # Bondnet - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bondnet](https://vuldb.com/?actor.bondnet). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bondnet](https://vuldb.com/?actor.bondnet). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.bondnet](https://vuldb.com/?actor.bondnet)

@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bondnet:

-* CN
-* US
-* FR
+* [CN](https://vuldb.com/?country.cn)
+* [US](https://vuldb.com/?country.us)
+* [FR](https://vuldb.com/?country.fr)

 ## IOC - Indicator of Compromise

@ -18,18 +18,18 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 47.90.206.226 | - | - | High
-2 | 50.207.71.22 | 50-207-71-22-static.hfc.comcastbusiness.net | - | High
-3 | 59.3.127.132 | - | - | High
-4 | 69.90.114.185 | - | - | High
-5 | 72.167.201.140 | ip-72-167-201-140.ip.secureserver.net | - | High
+1 | [47.90.206.226](https://vuldb.com/?ip.47.90.206.226) | - | - | High
+2 | [50.207.71.22](https://vuldb.com/?ip.50.207.71.22) | 50-207-71-22-static.hfc.comcastbusiness.net | - | High
+3 | [59.3.127.132](https://vuldb.com/?ip.59.3.127.132) | - | - | High
+4 | [69.90.114.185](https://vuldb.com/?ip.69.90.114.185) | - | - | High
+5 | [72.167.201.140](https://vuldb.com/?ip.72.167.201.140) | ip-72-167-201-140.ip.secureserver.net | - | High
 6 | ... | ... | ... | ...

 There are 22 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Bondnet. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Bondnet_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/Brunhilda/README.md
+++ b/actors/Brunhilda/README.md
@ -1,6 +1,6 @@
 # Brunhilda - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Brunhilda](https://vuldb.com/?actor.brunhilda). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Brunhilda](https://vuldb.com/?actor.brunhilda). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.brunhilda](https://vuldb.com/?actor.brunhilda)

@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Brunhilda:

-* FR
-* US
-* DE
+* [FR](https://vuldb.com/?country.fr)
+* [US](https://vuldb.com/?country.us)
+* [DE](https://vuldb.com/?country.de)

 ## IOC - Indicator of Compromise

@ -18,16 +18,16 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 45.142.212.216 | vm324137.pq.hosting | - | High
-2 | 95.142.40.68 | vm482228.eurodir.ru | - | High
-3 | 185.177.92.213 | ip-185-177-92-213.ah-server.com | - | High
+1 | [45.142.212.216](https://vuldb.com/?ip.45.142.212.216) | vm324137.pq.hosting | - | High
+2 | [95.142.40.68](https://vuldb.com/?ip.95.142.40.68) | vm482228.eurodir.ru | - | High
+3 | [185.177.92.213](https://vuldb.com/?ip.185.177.92.213) | ip-185-177-92-213.ah-server.com | - | High
 4 | ... | ... | ... | ...

 There are 10 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Brunhilda. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Brunhilda_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/Butter/README.md
+++ b/actors/Butter/README.md
@ -1,6 +1,6 @@
 # Butter - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Butter](https://vuldb.com/?actor.butter). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Butter](https://vuldb.com/?actor.butter). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.butter](https://vuldb.com/?actor.butter)

@ -8,8 +8,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Butter:

-* CN
-* US
+* [CN](https://vuldb.com/?country.cn)
+* [US](https://vuldb.com/?country.us)

 ## IOC - Indicator of Compromise

@ -17,16 +17,16 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 37.187.154.79 | ns320600.ip-37-187-154.eu | - | High
-2 | 46.105.103.169 | ns383264.ip-46-105-103.eu | - | High
-3 | 103.51.109.217 | - | - | High
+1 | [37.187.154.79](https://vuldb.com/?ip.37.187.154.79) | ns320600.ip-37-187-154.eu | - | High
+2 | [46.105.103.169](https://vuldb.com/?ip.46.105.103.169) | ns383264.ip-46-105-103.eu | - | High
+3 | [103.51.109.217](https://vuldb.com/?ip.103.51.109.217) | - | - | High
 4 | ... | ... | ... | ...

 There are 7 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Butter. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Butter_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/Candiru/README.md
+++ b/actors/Candiru/README.md
@ -0,0 +1,107 @@
+# Candiru - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Candiru](https://vuldb.com/?actor.candiru). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.candiru](https://vuldb.com/?actor.candiru)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Candiru:
+
+* [US](https://vuldb.com/?country.us)
+* [SC](https://vuldb.com/?country.sc)
+* [TR](https://vuldb.com/?country.tr)
+* ...
+
+There are 14 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Candiru.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [5.2.67.82](https://vuldb.com/?ip.5.2.67.82) | xanthium.astrotrain.xyz | - | High
+2 | [5.2.75.217](https://vuldb.com/?ip.5.2.75.217) | mq.is | - | High
+3 | [5.206.224.54](https://vuldb.com/?ip.5.206.224.54) | - | - | High
+4 | [5.206.224.197](https://vuldb.com/?ip.5.206.224.197) | - | - | High
+5 | [5.206.224.226](https://vuldb.com/?ip.5.206.224.226) | gofast | - | High
+6 | [5.206.227.93](https://vuldb.com/?ip.5.206.227.93) | noos-proxy | - | High
+7 | ... | ... | ... | ...
+
+There are 23 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Candiru_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ... | ...
+
+There are 9 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Candiru. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `%PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10` | High
+2 | File | `/.vnc/sesman_${username}_passwd` | High
+3 | File | `/addsrv` | Low
+4 | File | `/Admin/Views/FileEditor/` | High
+5 | File | `/article/add` | Medium
+6 | File | `/cgi-bin/editBookmark` | High
+7 | File | `/computer/(agent-name)/api` | High
+8 | File | `/controller/pay.class.php` | High
+9 | File | `/dev/block/mmcblk0rpmb` | High
+10 | File | `/dev/kmem` | Medium
+11 | File | `/dev/shm` | Medium
+12 | File | `/dev/snd/seq` | Medium
+13 | File | `/device/device=140/tab=wifi/view` | High
+14 | File | `/dl/dl_print.php` | High
+15 | File | `/getcfg.php` | Medium
+16 | File | `/goform/addressNat` | High
+17 | File | `/htdocs/admin/dict.php?id=3` | High
+18 | File | `/include/menu_v.inc.php` | High
+19 | File | `/includes/rrdtool.inc.php` | High
+20 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
+21 | File | `/jerry-core/ecma/base/ecma-gc.c` | High
+22 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
+23 | File | `/login` | Low
+24 | File | `/module/module_frame/index.php` | High
+25 | File | `/notice-edit.php` | High
+26 | File | `/nova/bin/sniffer` | High
+27 | File | `/proc/pid/syscall` | High
+28 | File | `/product_list.php` | High
+29 | File | `/rest/api/2/user/picker` | High
+30 | File | `/rukovoditel_2.4.1/index.php?module=configuration/save&redirect_to=configuration/application` | High
+31 | File | `/services/details.asp` | High
+32 | File | `/src/core/controllers/cm.php` | High
+33 | File | `/storage/app/media/evil.svg` | High
+34 | File | `/transmission/web/` | High
+35 | File | `/uapi/doc` | Medium
+36 | ... | ... | ...
+
+There are 313 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://github.com/eset/malware-ioc/tree/master/swc-candiru
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
--- a/actors/Cerber/README.md
+++ b/actors/Cerber/README.md
@ -1,62 +1,63 @@
 # Cerber - Cyber Threat Intelligence

-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Cerber](https://vuldb.com/?actor.cerber). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Cerber](https://vuldb.com/?actor.cerber). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.cerber](https://vuldb.com/?actor.cerber)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.cerber](https://vuldb.com/?actor.cerber)

 ## Countries

-These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cerber:
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cerber:

-* US
-* CN
-* DE
+* [US](https://vuldb.com/?country.us)
+* [CN](https://vuldb.com/?country.cn)
+* [DE](https://vuldb.com/?country.de)
 * ...

 There are 1 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Cerber.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cerber.

-ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
-1 | 5.9.49.12 | static.12.49.9.5.clients.your-server.de | High
-2 | 5.135.183.146 | freya.stelas.de | High
-3 | 5.196.159.173 | - | High
-4 | 13.107.21.200 | - | High
-5 | 23.94.5.133 | 23-94-5-133-host.colocrossing.com | High
-6 | 23.152.0.36 | tcts-000036.techtrapes.com | High
-7 | 34.199.22.139 | ec2-34-199-22-139.compute-1.amazonaws.com | Medium
-8 | 45.32.28.232 | - | High
-9 | 45.56.79.23 | li929-23.members.linode.com | High
-10 | 45.56.117.118 | li935-118.members.linode.com | High
-11 | 45.63.25.55 | 45.63.25.55.vultr.com | Medium
-12 | 45.63.99.180 | 45.63.99.180.vultr.com | Medium
-13 | 52.2.101.52 | ec2-52-2-101-52.compute-1.amazonaws.com | Medium
-14 | 52.21.132.24 | ec2-52-21-132-24.compute-1.amazonaws.com | Medium
-15 | 54.84.252.139 | ec2-54-84-252-139.compute-1.amazonaws.com | Medium
-16 | 54.87.5.88 | ec2-54-87-5-88.compute-1.amazonaws.com | Medium
-17 | ... | ... | ...
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [5.9.49.12](https://vuldb.com/?ip.5.9.49.12) | static.12.49.9.5.clients.your-server.de | - | High
+2 | [5.135.183.146](https://vuldb.com/?ip.5.135.183.146) | freya.stelas.de | - | High
+3 | [5.196.159.173](https://vuldb.com/?ip.5.196.159.173) | - | - | High
+4 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
+5 | [23.94.5.133](https://vuldb.com/?ip.23.94.5.133) | 23-94-5-133-host.colocrossing.com | - | High
+6 | [23.152.0.36](https://vuldb.com/?ip.23.152.0.36) | tcts-000036.techtrapes.com | - | High
+7 | [34.199.22.139](https://vuldb.com/?ip.34.199.22.139) | ec2-34-199-22-139.compute-1.amazonaws.com | - | Medium
+8 | [45.32.28.232](https://vuldb.com/?ip.45.32.28.232) | - | - | High
+9 | [45.56.79.23](https://vuldb.com/?ip.45.56.79.23) | li929-23.members.linode.com | - | High
+10 | [45.56.117.118](https://vuldb.com/?ip.45.56.117.118) | li935-118.members.linode.com | - | High
+11 | [45.63.25.55](https://vuldb.com/?ip.45.63.25.55) | 45.63.25.55.vultr.com | - | Medium
+12 | [45.63.99.180](https://vuldb.com/?ip.45.63.99.180) | 45.63.99.180.vultr.com | - | Medium
+13 | [52.2.101.52](https://vuldb.com/?ip.52.2.101.52) | ec2-52-2-101-52.compute-1.amazonaws.com | - | Medium
+14 | [52.21.132.24](https://vuldb.com/?ip.52.21.132.24) | ec2-52-21-132-24.compute-1.amazonaws.com | - | Medium
+15 | [54.84.252.139](https://vuldb.com/?ip.54.84.252.139) | ec2-54-84-252-139.compute-1.amazonaws.com | - | Medium
+16 | [54.87.5.88](https://vuldb.com/?ip.54.87.5.88) | ec2-54-87-5-88.compute-1.amazonaws.com | - | Medium
+17 | [54.88.175.149](https://vuldb.com/?ip.54.88.175.149) | ec2-54-88-175-149.compute-1.amazonaws.com | - | Medium
+18 | ... | ... | ... | ...

-There are 64 more IOC items available. Please use our online service to access the data.
+There are 66 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Cerber. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Cerber_. This data is unique as it uses our predictive model for actor profiling.

-ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
-1 | T1059.007 | Cross Site Scripting | High
-2 | T1068 | Execution with Unnecessary Privileges | High
-3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
-4 | ... | ... | ...
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ... | ...

-There are 6 more TTP items available. Please use our online service to access the data.
+There are 5 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

-These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Cerber. This data is unique as it uses our predictive model for actor profiling.
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Cerber. This data is unique as it uses our predictive model for actor profiling.

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
@ -69,27 +70,26 @@ ID | Type | Indicator | Confidence
 7 | File | `/sap/public/bc/abap` | High
 8 | File | `/search.php` | Medium
 9 | File | `/shell?cmd` | Medium
-10 | File | `/tmp` | Low
-11 | File | `500page.jsp` | Medium
-12 | File | `activateuser.aspx` | High
-13 | File | `addentry.php` | Medium
-14 | File | `admin/password_forgotten.php` | High
-15 | File | `AndroidManifest.xml` | High
-16 | File | `application/admin/controller/Admin.php` | High
-17 | File | `asm/preproc.c` | High
-18 | File | `auth-gss2.c` | Medium
-19 | File | `authent.php4` | Medium
-20 | File | `authpam.c` | Medium
-21 | File | `bgp_packet.c` | Medium
-22 | File | `catalog.asp` | Medium
-23 | File | `Cgi/confirm.py` | High
-24 | ... | ... | ...
+10 | File | `activateuser.aspx` | High
+11 | File | `addentry.php` | Medium
+12 | File | `AndroidManifest.xml` | High
+13 | File | `application/admin/controller/Admin.php` | High
+14 | File | `asm/preproc.c` | High
+15 | File | `auth-gss2.c` | Medium
+16 | File | `authent.php4` | Medium
+17 | File | `bgp_packet.c` | Medium
+18 | File | `catalog.asp` | Medium
+19 | File | `Cgi/confirm.py` | High
+20 | File | `cli/caff.c` | Medium
+21 | File | `cli/dsdiff.c` | Medium
+22 | File | `content/unity-api.js` | High
+23 | ... | ... | ...

-There are 201 more IOA items available. Please use our online service to access the data.
+There are 194 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:

 * https://blog.talosintelligence.com/2021/01/threat-roundup-0122.html
 * https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
@ -100,10 +100,11 @@ The following list contains external sources which discuss the actor and the ass
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
 * https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
 * https://blog.talosintelligence.com/2021/11/threat-roundup-1029-1105.html
+* https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html

 ## Literature

-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:

 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
--- a/actors/ChaChi/README.md
+++ b/actors/ChaChi/README.md
@ -33,7 +33,7 @@ There are 26 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by ChaChi. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _ChaChi_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -80,7 +80,7 @@ ID | Type | Indicator | Confidence
 28 | File | `admin/config/confmgr.php` | High
 29 | ... | ... | ...

-There are 243 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 244 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Chthonic/README.md
+++ b/actors/Chthonic/README.md
@ -1,50 +1,50 @@
 # Chthonic - Cyber Threat Intelligence

-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Chthonic](https://vuldb.com/?actor.chthonic). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Chthonic](https://vuldb.com/?actor.chthonic). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.chthonic](https://vuldb.com/?actor.chthonic)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.chthonic](https://vuldb.com/?actor.chthonic)

 ## Countries

-These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Chthonic:
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Chthonic:

-* PL
-* DE
-* US
+* [PL](https://vuldb.com/?country.pl)
+* [DE](https://vuldb.com/?country.de)
+* [US](https://vuldb.com/?country.us)
 * ...

 There are 4 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Chthonic.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Chthonic.

-ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
-1 | 40.70.224.146 | - | High
-2 | 51.254.83.231 | pob01.mulx.net | High
-3 | 52.137.90.34 | - | High
-4 | 52.185.71.28 | - | High
-5 | ... | ... | ...
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [40.70.224.146](https://vuldb.com/?ip.40.70.224.146) | - | - | High
+2 | [51.254.83.231](https://vuldb.com/?ip.51.254.83.231) | pob01.mulx.net | - | High
+3 | [52.137.90.34](https://vuldb.com/?ip.52.137.90.34) | - | - | High
+4 | [52.185.71.28](https://vuldb.com/?ip.52.185.71.28) | - | - | High
+5 | ... | ... | ... | ...

 There are 17 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Chthonic. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Chthonic_. This data is unique as it uses our predictive model for actor profiling.

-ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
-1 | T1059.007 | Cross Site Scripting | High
-2 | T1068 | Execution with Unnecessary Privileges | High
-3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
-4 | ... | ... | ...
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ... | ...

-There are 2 more TTP items available. Please use our online service to access the data.
+There are 1 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

-These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Chthonic. This data is unique as it uses our predictive model for actor profiling.
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Chthonic. This data is unique as it uses our predictive model for actor profiling.

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
@ -54,18 +54,18 @@ ID | Type | Indicator | Confidence
 4 | File | `config.php` | Medium
 5 | ... | ... | ...

-There are 26 more IOA items available. Please use our online service to access the data.
+There are 26 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:

 * https://blog.talosintelligence.com/2021/01/threat-roundup-0122.html
 * https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html

 ## Literature

-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:

 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
--- a/Group/README.md
+++ b/Group/README.md
@ -8,8 +8,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cobalt Group:

-* [DE](https://vuldb.com/?country.de)
 * [IT](https://vuldb.com/?country.it)
+* [DE](https://vuldb.com/?country.de)
 * [ES](https://vuldb.com/?country.es)
 * ...

@ -31,7 +31,7 @@ There are 16 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Cobalt Group. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Cobalt Group_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -56,23 +56,23 @@ ID | Type | Indicator | Confidence
 6 | File | `/event-management/index.php` | High
 7 | File | `/goform/change_password_process` | High
 8 | File | `/goform/edit_opt` | High
-9 | File | `/hdf5/src/H5Fint.c` | High
-10 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
-11 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
-12 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
-13 | File | `/jerry-core/ecma/operations/ecma-objects.c` | High
-14 | File | `/secure/admin/ImporterFinishedPage.jspa` | High
-15 | File | `/src/njs_object.c` | High
-16 | File | `/template/unzip.do` | High
-17 | File | `/wp-json/wc/v3/webhooks` | High
-18 | File | `AccountManagerService.java` | High
-19 | File | `account_sponsor_page.php` | High
-20 | File | `act.php` | Low
-21 | File | `adduser.do` | Medium
-22 | File | `admin.php` | Medium
+9 | File | `/goform/SetPptpServerCfg` | High
+10 | File | `/hdf5/src/H5Fint.c` | High
+11 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
+12 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
+13 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
+14 | File | `/jerry-core/ecma/operations/ecma-objects.c` | High
+15 | File | `/secure/admin/ImporterFinishedPage.jspa` | High
+16 | File | `/src/njs_object.c` | High
+17 | File | `/template/unzip.do` | High
+18 | File | `/wp-json/wc/v3/webhooks` | High
+19 | File | `AccountManagerService.java` | High
+20 | File | `account_sponsor_page.php` | High
+21 | File | `act.php` | Low
+22 | File | `adduser.do` | Medium
 23 | ... | ... | ...

-There are 193 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 196 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Confucius/README.md
+++ b/actors/Confucius/README.md
@ -1,6 +1,6 @@
 # Confucius - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Confucius](https://vuldb.com/?actor.confucius). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Confucius](https://vuldb.com/?actor.confucius). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.confucius](https://vuldb.com/?actor.confucius)

@ -14,9 +14,9 @@ The following _campaigns_ are known and can be associated with Confucius:

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Confucius:

-* US
-* CN
-* GB
+* [US](https://vuldb.com/?country.us)
+* [CN](https://vuldb.com/?country.cn)
+* [DE](https://vuldb.com/?country.de)
 * ...

 There are 21 more country items available. Please use our online service to access the data.
@ -27,21 +27,21 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 5.39.23.192 | ip192.ip-5-39-23.eu | - | High
-2 | 5.135.85.16 | flotweb-o20.bestonthenet.fr | - | High
-3 | 46.165.207.98 | - | - | High
-4 | 46.165.207.99 | - | - | High
-5 | 46.165.207.108 | - | - | High
-6 | 46.165.207.109 | - | - | High
-7 | 46.165.207.112 | - | - | High
-8 | 46.165.207.113 | - | - | High
+1 | [5.39.23.192](https://vuldb.com/?ip.5.39.23.192) | ip192.ip-5-39-23.eu | - | High
+2 | [5.135.85.16](https://vuldb.com/?ip.5.135.85.16) | flotweb-o20.bestonthenet.fr | - | High
+3 | [46.165.207.98](https://vuldb.com/?ip.46.165.207.98) | - | - | High
+4 | [46.165.207.99](https://vuldb.com/?ip.46.165.207.99) | - | - | High
+5 | [46.165.207.108](https://vuldb.com/?ip.46.165.207.108) | - | - | High
+6 | [46.165.207.109](https://vuldb.com/?ip.46.165.207.109) | - | - | High
+7 | [46.165.207.112](https://vuldb.com/?ip.46.165.207.112) | - | - | High
+8 | [46.165.207.113](https://vuldb.com/?ip.46.165.207.113) | - | - | High
 9 | ... | ... | ... | ...

 There are 33 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Confucius. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Confucius_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -61,62 +61,66 @@ ID | Type | Indicator | Confidence
 1 | File | `$SPLUNK_HOME/etc/splunk-launch.conf` | High
 2 | File | `/+CSCOE+/logon.html` | High
 3 | File | `/admin/index.php` | High
-4 | File | `/admin/model/database.class.php` | High
-5 | File | `/ajax/ImportCertificate` | High
-6 | File | `/assets/ctx` | Medium
-7 | File | `/concat?/%2557EB-INF/web.xml` | High
-8 | File | `/config/getuser` | High
-9 | File | `/contact/update.php` | High
-10 | File | `/ext/phar/phar_object.c` | High
-11 | File | `/get_getnetworkconf.cgi` | High
-12 | File | `/HNAP1` | Low
-13 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
-14 | File | `/login` | Low
-15 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
-16 | File | `/osm/REGISTER.cmd` | High
-17 | File | `/product_list.php` | High
-18 | File | `/replication` | Medium
-19 | File | `/see_more_details.php` | High
+4 | File | `/assets/ctx` | Medium
+5 | File | `/concat?/%2557EB-INF/web.xml` | High
+6 | File | `/config/getuser` | High
+7 | File | `/debug/pprof` | Medium
+8 | File | `/ext/phar/phar_object.c` | High
+9 | File | `/filemanager/php/connector.php` | High
+10 | File | `/get_getnetworkconf.cgi` | High
+11 | File | `/HNAP1` | Low
+12 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
+13 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
+14 | File | `/modx/manager/index.php` | High
+15 | File | `/osm/REGISTER.cmd` | High
+16 | File | `/product_list.php` | High
+17 | File | `/replication` | Medium
+18 | File | `/see_more_details.php` | High
+19 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
 20 | File | `/supervisor/procesa_carga.php` | High
 21 | File | `/type.php` | Medium
 22 | File | `/uncpath/` | Medium
 23 | File | `/usr/bin/pkexec` | High
-24 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
-25 | File | `/zm/index.php` | High
-26 | File | `4.2.0.CP09` | Medium
-27 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
-28 | File | `802dot1xclientcert.cgi` | High
+24 | File | `/zm/index.php` | High
+25 | File | `4.2.0.CP09` | Medium
+26 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
+27 | File | `802dot1xclientcert.cgi` | High
+28 | File | `add.exe` | Low
 29 | File | `addentry.php` | Medium
-30 | File | `add_edit_user.asp` | High
-31 | File | `admin-ajax.php` | High
-32 | File | `admin.color.php` | High
-33 | File | `admin.cropcanvas.php` | High
-34 | File | `admin.joomlaradiov5.php` | High
-35 | File | `admin.php` | Medium
+30 | File | `admin-ajax.php` | High
+31 | File | `admin.color.php` | High
+32 | File | `admin.cropcanvas.php` | High
+33 | File | `admin.joomlaradiov5.php` | High
+34 | File | `admin.php` | Medium
+35 | File | `admin.php?m=Food&a=addsave` | High
 36 | File | `admin/category.inc.php` | High
 37 | File | `admin/conf_users_edit.php` | High
-38 | File | `admin/user.php` | High
-39 | File | `admin/write-post.php` | High
-40 | File | `administrator/components/com_media/helpers/media.php` | High
-41 | File | `admin_events.php` | High
-42 | File | `ajax_new_account.php` | High
-43 | File | `akocomments.php` | High
-44 | File | `allopass-error.php` | High
-45 | File | `announcement.php` | High
-46 | File | `api_poller.php` | High
+38 | File | `admin/index.php` | High
+39 | File | `admin/user.php` | High
+40 | File | `admin/write-post.php` | High
+41 | File | `administrator/components/com_media/helpers/media.php` | High
+42 | File | `admin_events.php` | High
+43 | File | `ajax_new_account.php` | High
+44 | File | `akocomments.php` | High
+45 | File | `allopass-error.php` | High
+46 | File | `announcement.php` | High
 47 | File | `app.php` | Low
 48 | File | `apply.cgi` | Medium
 49 | File | `archiver\index.php` | High
 50 | File | `artlinks.dispnew.php` | High
-51 | File | `authorization.do` | High
-52 | File | `awstats.pl` | Medium
-53 | File | `backoffice/login.asp` | High
-54 | File | `bb_usage_stats.php` | High
-55 | File | `binder.c` | Medium
-56 | File | `bl-kernel/ajax/upload-images.php` | High
-57 | ... | ... | ...
+51 | File | `auth.inc.php` | Medium
+52 | File | `authorization.do` | High
+53 | File | `awstats.pl` | Medium
+54 | File | `backoffice/login.asp` | High
+55 | File | `bb_usage_stats.php` | High
+56 | File | `binder.c` | Medium
+57 | File | `bl-kernel/ajax/upload-images.php` | High
+58 | File | `books.php` | Medium
+59 | File | `C:\Python27` | Medium
+60 | File | `C:\Windows\System32\config\SAM` | High
+61 | ... | ... | ...

-There are 502 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 529 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Conti/README.md
+++ b/actors/Conti/README.md
@ -19,7 +19,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [GB](https://vuldb.com/?country.gb)
 * ...

-There are 34 more country items available. Please use our online service to access the data.
+There are 33 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

@ -83,7 +83,7 @@ There are 200 more IOC items available. Please use our online service to access

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Conti. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Conti_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -115,34 +115,34 @@ ID | Type | Indicator | Confidence
 13 | File | `/public/plugins/` | High
 14 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
 15 | File | `/secure/QueryComponent!Default.jspa` | High
-16 | File | `/servlet/webacc` | High
-17 | File | `/show_news.php` | High
-18 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
-19 | File | `/tmp` | Low
-20 | File | `/uncpath/` | Medium
-21 | File | `/usr/bin/pkexec` | High
-22 | File | `/WEB-INF/web.xml` | High
-23 | File | `/wp-json/wc/v3/webhooks` | High
-24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
-25 | File | `AccountManagerService.java` | High
-26 | File | `actions/CompanyDetailsSave.php` | High
-27 | File | `ActivityManagerService.java` | High
-28 | File | `adclick.php` | Medium
-29 | File | `admin.php` | Medium
-30 | File | `admin.php?page=languages` | High
-31 | File | `admin/add-glossary.php` | High
-32 | File | `admin/admin.php` | High
-33 | File | `admin/conf_users_edit.php` | High
-34 | File | `admin/edit-comments.php` | High
-35 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
-36 | File | `admin\db\DoSql.php` | High
-37 | File | `adverts/assets/plugins/ultimate/content/downloader.php` | High
-38 | File | `advsearch.asp` | High
-39 | File | `AjaxApplication.java` | High
-40 | File | `AllowBindAppWidgetActivity.java` | High
+16 | File | `/show_news.php` | High
+17 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
+18 | File | `/tmp` | Low
+19 | File | `/uncpath/` | Medium
+20 | File | `/usr/bin/pkexec` | High
+21 | File | `/WEB-INF/web.xml` | High
+22 | File | `/wp-json/wc/v3/webhooks` | High
+23 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
+24 | File | `AccountManagerService.java` | High
+25 | File | `actions/CompanyDetailsSave.php` | High
+26 | File | `ActivityManagerService.java` | High
+27 | File | `adclick.php` | Medium
+28 | File | `admin.php` | Medium
+29 | File | `admin.php?page=languages` | High
+30 | File | `admin/add-glossary.php` | High
+31 | File | `admin/admin.php` | High
+32 | File | `admin/conf_users_edit.php` | High
+33 | File | `admin/edit-comments.php` | High
+34 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
+35 | File | `admin\db\DoSql.php` | High
+36 | File | `adverts/assets/plugins/ultimate/content/downloader.php` | High
+37 | File | `advsearch.asp` | High
+38 | File | `AjaxApplication.java` | High
+39 | File | `AllowBindAppWidgetActivity.java` | High
+40 | File | `android/webkit/SearchBoxImpl.java` | High
 41 | ... | ... | ...

-There are 355 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 349 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Cridex/README.md
+++ b/actors/Cridex/README.md
@ -1,6 +1,6 @@
 # Cridex - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Cridex](https://vuldb.com/?actor.cridex). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Cridex](https://vuldb.com/?actor.cridex). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.cridex](https://vuldb.com/?actor.cridex)

@ -8,7 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cridex:

-* US
+* [US](https://vuldb.com/?country.us)

 ## IOC - Indicator of Compromise

@ -16,9 +16,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 5.135.28.118 | - | - | High
-2 | 37.187.156.123 | ns323845.ip-37-187-156.eu | - | High
-3 | 46.165.241.0 | - | - | High
+1 | [5.135.28.118](https://vuldb.com/?ip.5.135.28.118) | - | - | High
+2 | [37.187.156.123](https://vuldb.com/?ip.37.187.156.123) | ns323845.ip-37-187-156.eu | - | High
+3 | [46.165.241.0](https://vuldb.com/?ip.46.165.241.0) | - | - | High
 4 | ... | ... | ... | ...

 There are 10 more IOC items available. Please use our online service to access the data.
--- a/Blink/README.md
+++ b/Blink/README.md
@ -9,8 +9,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cyclops Blink:

 * [FR](https://vuldb.com/?country.fr)
-* [DE](https://vuldb.com/?country.de)
 * [IT](https://vuldb.com/?country.it)
+* [DE](https://vuldb.com/?country.de)
 * ...

 There are 2 more country items available. Please use our online service to access the data.
@ -32,16 +32,16 @@ There are 20 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Cyclops Blink. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Cyclops Blink_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
 2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
-3 | T1499 | CWE-401, CWE-404, CWE-770 | Resource Consumption | High
+3 | T1548.002 | CWE-285 | Improper Authorization | High
 4 | ... | ... | ... | ...

-There are 4 more TTP items available. Please use our online service to access the data.
+There are 3 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -58,7 +58,7 @@ ID | Type | Indicator | Confidence
 7 | File | `ajax.php?type=../admin-panel/autoload&page=manage-users` | High
 8 | ... | ... | ...

-There are 56 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 59 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/DNSBirthday/README.md
+++ b/actors/DNSBirthday/README.md
@ -1,6 +1,6 @@
 # DNSBirthday - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DNSBirthday](https://vuldb.com/?actor.dnsbirthday). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DNSBirthday](https://vuldb.com/?actor.dnsbirthday). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dnsbirthday](https://vuldb.com/?actor.dnsbirthday)

@ -30,7 +30,7 @@ There are 1 more IOC items available. Please use our online service to access th

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by DNSBirthday. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _DNSBirthday_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/DPRK/README.md
+++ b/actors/DPRK/README.md
@ -1,12 +1,12 @@
 # DPRK - Cyber Threat Intelligence

-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DPRK](https://vuldb.com/?actor.dprk). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DPRK](https://vuldb.com/?actor.dprk). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dprk](https://vuldb.com/?actor.dprk)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dprk](https://vuldb.com/?actor.dprk)

 ## Campaigns

-The following campaigns are known and can be associated with DPRK:
+The following _campaigns_ are known and can be associated with DPRK:

 * AppleJeus
 * BLINDINGCAN
@ -17,47 +17,47 @@ There are 1 more campaign items available. Please use our online service to acce

 ## Countries

-These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DPRK:
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DPRK:

-* US
+* [US](https://vuldb.com/?country.us)

 ## IOC - Indicator of Compromise

-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of DPRK.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DPRK.

-ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
-1 | 5.62.56.160 | r-160-56-62-5.consumer-pool.prcdn.net | High
-2 | 5.62.56.161 | r-161-56-62-5.consumer-pool.prcdn.net | High
-3 | 5.62.56.162 | r-162-56-62-5.consumer-pool.prcdn.net | High
-4 | 5.62.56.163 | r-163-56-62-5.consumer-pool.prcdn.net | High
-5 | 5.62.61.64 | r-64-61-62-5.consumer-pool.prcdn.net | High
-6 | 5.62.61.65 | r-65-61-62-5.consumer-pool.prcdn.net | High
-7 | 5.62.61.66 | r-66-61-62-5.consumer-pool.prcdn.net | High
-8 | 5.62.61.67 | r-67-61-62-5.consumer-pool.prcdn.net | High
-9 | 21.252.107.198 | - | High
-10 | 26.165.218.44 | - | High
-11 | 45.33.2.79 | li956-79.members.linode.com | High
-12 | 45.33.23.183 | li977-183.members.linode.com | High
-13 | 45.42.151.11 | - | High
-14 | 45.42.151.12 | - | High
-15 | 45.42.151.13 | - | High
-16 | 45.42.151.14 | - | High
-17 | 45.56.79.23 | li929-23.members.linode.com | High
-18 | 45.79.19.196 | li1118-196.members.linode.com | High
-19 | 45.199.63.220 | - | High
-20 | 47.206.4.145 | static-47-206-4-145.srst.fl.frontiernet.net | High
-21 | 51.68.152.96 | ns3122934.ip-51-68-152.eu | High
-22 | 54.241.91.49 | ec2-54-241-91-49.us-west-1.compute.amazonaws.com | Medium
-23 | 70.224.36.194 | adsl-70-224-36-194.dsl.sbndin.ameritech.net | High
-24 | 81.94.192.10 | 10-192-94-81.rackcentre.redstation.net.uk | High
-25 | ... | ... | ...
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [5.62.56.160](https://vuldb.com/?ip.5.62.56.160) | r-160.56.62.5.ptr.avast.com | - | High
+2 | [5.62.56.161](https://vuldb.com/?ip.5.62.56.161) | r-161.56.62.5.ptr.avast.com | - | High
+3 | [5.62.56.162](https://vuldb.com/?ip.5.62.56.162) | r-162.56.62.5.ptr.avast.com | - | High
+4 | [5.62.56.163](https://vuldb.com/?ip.5.62.56.163) | r-163.56.62.5.ptr.avast.com | - | High
+5 | [5.62.61.64](https://vuldb.com/?ip.5.62.61.64) | r-64.61.62.5.ptr.avast.com | - | High
+6 | [5.62.61.65](https://vuldb.com/?ip.5.62.61.65) | r-65.61.62.5.ptr.avast.com | - | High
+7 | [5.62.61.66](https://vuldb.com/?ip.5.62.61.66) | r-66.61.62.5.ptr.avast.com | - | High
+8 | [5.62.61.67](https://vuldb.com/?ip.5.62.61.67) | r-67.61.62.5.ptr.avast.com | - | High
+9 | [21.252.107.198](https://vuldb.com/?ip.21.252.107.198) | - | HOPLIGHT | High
+10 | [26.165.218.44](https://vuldb.com/?ip.26.165.218.44) | - | HOPLIGHT | High
+11 | [45.33.2.79](https://vuldb.com/?ip.45.33.2.79) | li956-79.members.linode.com | AppleJeus | High
+12 | [45.33.23.183](https://vuldb.com/?ip.45.33.23.183) | li977-183.members.linode.com | AppleJeus | High
+13 | [45.42.151.11](https://vuldb.com/?ip.45.42.151.11) | - | - | High
+14 | [45.42.151.12](https://vuldb.com/?ip.45.42.151.12) | - | - | High
+15 | [45.42.151.13](https://vuldb.com/?ip.45.42.151.13) | - | - | High
+16 | [45.42.151.14](https://vuldb.com/?ip.45.42.151.14) | - | - | High
+17 | [45.56.79.23](https://vuldb.com/?ip.45.56.79.23) | li929-23.members.linode.com | AppleJeus | High
+18 | [45.79.19.196](https://vuldb.com/?ip.45.79.19.196) | li1118-196.members.linode.com | AppleJeus | High
+19 | [45.199.63.220](https://vuldb.com/?ip.45.199.63.220) | - | AppleJeus | High
+20 | [47.206.4.145](https://vuldb.com/?ip.47.206.4.145) | static-47-206-4-145.srst.fl.frontiernet.net | HOPLIGHT | High
+21 | [51.68.152.96](https://vuldb.com/?ip.51.68.152.96) | ns3122934.ip-51-68-152.eu | BLINDINGCAN | High
+22 | [54.241.91.49](https://vuldb.com/?ip.54.241.91.49) | ec2-54-241-91-49.us-west-1.compute.amazonaws.com | BLINDINGCAN | Medium
+23 | [70.224.36.194](https://vuldb.com/?ip.70.224.36.194) | adsl-70-224-36-194.dsl.sbndin.ameritech.net | HOPLIGHT | High
+24 | [81.94.192.10](https://vuldb.com/?ip.81.94.192.10) | 10-192-94-81.rackcentre.redstation.net.uk | HOPLIGHT | High
+25 | ... | ... | ... | ...

 There are 96 more IOC items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

-These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by DPRK. This data is unique as it uses our predictive model for actor profiling.
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by DPRK. This data is unique as it uses our predictive model for actor profiling.

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
@ -65,7 +65,7 @@ ID | Type | Indicator | Confidence

 ## References

-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:

 * https://en.wikipedia.org/wiki/Internet_in_North_Korea#IP_address_ranges
 * https://github.com/blackorbird/APT_REPORT/tree/master/International%20Strategic/Korea
@ -79,7 +79,7 @@ The following list contains external sources which discuss the actor and the ass

 ## Literature

-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:

 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
--- a/actors/DazzleSpy/README.md
+++ b/actors/DazzleSpy/README.md
@ -0,0 +1,44 @@
+# DazzleSpy - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DazzleSpy](https://vuldb.com/?actor.dazzlespy). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dazzlespy](https://vuldb.com/?actor.dazzlespy)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DazzleSpy:
+
+* [CN](https://vuldb.com/?country.cn)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DazzleSpy.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [88.218.192.128](https://vuldb.com/?ip.88.218.192.128) | 88.218.192.128.static.xtom.com | - | High
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _DazzleSpy_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://github.com/eset/malware-ioc/tree/master/dazzlespy
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
--- a/actors/Dofoil/README.md
+++ b/actors/Dofoil/README.md
@ -1,6 +1,6 @@
 # Dofoil - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dofoil](https://vuldb.com/?actor.dofoil). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dofoil](https://vuldb.com/?actor.dofoil). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dofoil](https://vuldb.com/?actor.dofoil)

@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dofoil:

-* US
-* DE
-* IT
+* [CN](https://vuldb.com/?country.cn)
+* [US](https://vuldb.com/?country.us)
+* [DE](https://vuldb.com/?country.de)
 * ...

-There are 5 more country items available. Please use our online service to access the data.
+There are 23 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

@ -21,24 +21,32 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 13.107.21.200 | - | - | High
-2 | 23.3.13.137 | a23-3-13-137.deploy.static.akamaitechnologies.com | - | High
-3 | 23.6.24.15 | a23-6-24-15.deploy.static.akamaitechnologies.com | - | High
-4 | 23.6.65.194 | a23-6-65-194.deploy.static.akamaitechnologies.com | - | High
-5 | 23.209.185.159 | a23-209-185-159.deploy.static.akamaitechnologies.com | - | High
-6 | ... | ... | ... | ...
+1 | [5.149.253.100](https://vuldb.com/?ip.5.149.253.100) | enappiv.com | - | High
+2 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
+3 | [23.3.13.137](https://vuldb.com/?ip.23.3.13.137) | a23-3-13-137.deploy.static.akamaitechnologies.com | - | High
+4 | [23.6.24.15](https://vuldb.com/?ip.23.6.24.15) | a23-6-24-15.deploy.static.akamaitechnologies.com | - | High
+5 | [23.6.65.194](https://vuldb.com/?ip.23.6.65.194) | a23-6-65-194.deploy.static.akamaitechnologies.com | - | High
+6 | [23.209.185.159](https://vuldb.com/?ip.23.209.185.159) | a23-209-185-159.deploy.static.akamaitechnologies.com | - | High
+7 | [27.100.36.191](https://vuldb.com/?ip.27.100.36.191) | - | - | High
+8 | [37.230.112.146](https://vuldb.com/?ip.37.230.112.146) | audiotop.ru | - | High
+9 | [45.63.25.55](https://vuldb.com/?ip.45.63.25.55) | 45.63.25.55.vultr.com | - | Medium
+10 | [50.3.75.246](https://vuldb.com/?ip.50.3.75.246) | web.netkolik.org | - | High
+11 | ... | ... | ... | ...

-There are 20 more IOC items available. Please use our online service to access the data.
+There are 38 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Dofoil. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Dofoil_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
-2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
-3 | T1600 | CWE-310 | Cryptographic Issues | High
+2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ... | ...
+
+There are 4 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -46,24 +54,46 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
-2 | File | `addentry.php` | Medium
-3 | File | `admin/conf_users_edit.php` | High
-4 | File | `authent.php4` | Medium
-5 | File | `AxLoader.ocx` | Medium
-6 | File | `base_maintenance.php` | High
-7 | File | `catalog.asp` | Medium
-8 | File | `dapur/index.php` | High
-9 | File | `data/gbconfiguration.dat` | High
-10 | ... | ... | ...
+1 | File | `/?module=users&section=cpanel&page=list` | High
+2 | File | `/admin/powerline` | High
+3 | File | `/admin/syslog` | High
+4 | File | `/api/upload` | Medium
+5 | File | `/cgi-bin` | Medium
+6 | File | `/config/getuser` | High
+7 | File | `/context/%2e/WEB-INF/web.xml` | High
+8 | File | `/export` | Low
+9 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
+10 | File | `/monitoring` | Medium
+11 | File | `/new` | Low
+12 | File | `/proc/<pid>/status` | High
+13 | File | `/public/plugins/` | High
+14 | File | `/scripts/killpvhost` | High
+15 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
+16 | File | `/secure/QueryComponent!Default.jspa` | High
+17 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
+18 | File | `/tmp` | Low
+19 | File | `/tmp/redis.ds` | High
+20 | File | `/uncpath/` | Medium
+21 | File | `/wp-admin` | Medium
+22 | File | `/wp-json/wc/v3/webhooks` | High
+23 | File | `AccountManagerService.java` | High
+24 | File | `actions/CompanyDetailsSave.php` | High
+25 | File | `ActiveServices.java` | High
+26 | File | `ActivityManagerService.java` | High
+27 | File | `admin.php` | Medium
+28 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
+29 | File | `admin/add-glossary.php` | High
+30 | File | `admin/conf_users_edit.php` | High
+31 | ... | ... | ...

-There are 79 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 260 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

 The following list contains _external sources_ which discuss the actor and the associated activities:

 * https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
+* https://blogs.blackberry.com/en/2018/07/threat-spotlight-resurgent-smoke-loader-malware-dissected

 ## Literature

--- a/actors/Donot/README.md
+++ b/actors/Donot/README.md
@ -1,6 +1,6 @@
 # Donot - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Donot](https://vuldb.com/?actor.donot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Donot](https://vuldb.com/?actor.donot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.donot](https://vuldb.com/?actor.donot)

@ -15,9 +15,9 @@ The following _campaigns_ are known and can be associated with Donot:

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Donot:

-* US
-* GB
-* TR
+* [US](https://vuldb.com/?country.us)
+* [GB](https://vuldb.com/?country.gb)
+* [TR](https://vuldb.com/?country.tr)
 * ...

 There are 24 more country items available. Please use our online service to access the data.
@ -28,22 +28,22 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 5.135.19.26 | - | - | High
-2 | 5.135.199.0 | - | - | High
-3 | 37.48.122.145 | - | Gedit | High
-4 | 37.120.140.211 | - | - | High
-5 | 37.120.198.208 | - | DarkMusical | High
-6 | 37.139.3.130 | - | - | High
-7 | 37.139.28.208 | - | - | High
-8 | 45.33.29.133 | li1046-133.members.linode.com | - | High
-9 | 46.101.204.168 | - | - | High
+1 | [5.135.19.26](https://vuldb.com/?ip.5.135.19.26) | - | - | High
+2 | [5.135.199.0](https://vuldb.com/?ip.5.135.199.0) | - | - | High
+3 | [37.48.122.145](https://vuldb.com/?ip.37.48.122.145) | - | Gedit | High
+4 | [37.120.140.211](https://vuldb.com/?ip.37.120.140.211) | - | - | High
+5 | [37.120.198.208](https://vuldb.com/?ip.37.120.198.208) | - | DarkMusical | High
+6 | [37.139.3.130](https://vuldb.com/?ip.37.139.3.130) | - | - | High
+7 | [37.139.28.208](https://vuldb.com/?ip.37.139.28.208) | - | - | High
+8 | [45.33.29.133](https://vuldb.com/?ip.45.33.29.133) | li1046-133.members.linode.com | - | High
+9 | [46.101.204.168](https://vuldb.com/?ip.46.101.204.168) | - | - | High
 10 | ... | ... | ... | ...

 There are 38 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Donot. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Donot_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -52,7 +52,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 6 more TTP items available. Please use our online service to access the data.
+There are 5 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -85,17 +85,18 @@ ID | Type | Indicator | Confidence
 23 | File | `adclick.php` | Medium
 24 | File | `addentry.php` | Medium
 25 | File | `add_vhost.php` | High
-26 | File | `admin/default.asp` | High
-27 | File | `admin/media/rename.php` | High
-28 | File | `admin/user.php` | High
-29 | File | `advanced_component_system/index.php` | High
-30 | File | `agent.cfg` | Medium
-31 | File | `ajax/render/widget_php` | High
-32 | File | `ampie.swf` | Medium
-33 | File | `announcements.php` | High
-34 | ... | ... | ...
+26 | File | `admin/conf_users_edit.php` | High
+27 | File | `admin/default.asp` | High
+28 | File | `admin/media/rename.php` | High
+29 | File | `admin/user.php` | High
+30 | File | `advanced_component_system/index.php` | High
+31 | File | `agent.cfg` | Medium
+32 | File | `ajax/render/widget_php` | High
+33 | File | `ampie.swf` | Medium
+34 | File | `announcements.php` | High
+35 | ... | ... | ...

-There are 293 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 295 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Dragonfly/README.md
+++ b/actors/Dragonfly/README.md
@ -1,6 +1,6 @@
 # Dragonfly - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dragonfly](https://vuldb.com/?actor.dragonfly). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dragonfly](https://vuldb.com/?actor.dragonfly). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dragonfly](https://vuldb.com/?actor.dragonfly)

@ -14,12 +14,12 @@ The following _campaigns_ are known and can be associated with Dragonfly:

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dragonfly:

-* US
-* RU
-* GB
+* [US](https://vuldb.com/?country.us)
+* [RU](https://vuldb.com/?country.ru)
+* [GB](https://vuldb.com/?country.gb)
 * ...

-There are 6 more country items available. Please use our online service to access the data.
+There are 7 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

@ -27,18 +27,18 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 5.45.119.124 | - | - | High
-2 | 5.135.104.77 | - | Karagany | High
-3 | 5.196.167.184 | ip184.ip-5-196-167.eu | - | High
-4 | 37.139.7.16 | - | - | High
-5 | 51.159.28.101 | 51-159-28-101.rev.poneytelecom.eu | - | High
+1 | [5.45.119.124](https://vuldb.com/?ip.5.45.119.124) | - | - | High
+2 | [5.135.104.77](https://vuldb.com/?ip.5.135.104.77) | - | Karagany | High
+3 | [5.196.167.184](https://vuldb.com/?ip.5.196.167.184) | ip184.ip-5-196-167.eu | - | High
+4 | [37.139.7.16](https://vuldb.com/?ip.37.139.7.16) | - | - | High
+5 | [51.159.28.101](https://vuldb.com/?ip.51.159.28.101) | 51-159-28-101.rev.poneytelecom.eu | - | High
 6 | ... | ... | ... | ...

 There are 18 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Dragonfly. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Dragonfly_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -47,7 +47,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 3 more TTP items available. Please use our online service to access the data.
+There are 2 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -67,7 +67,7 @@ ID | Type | Indicator | Confidence
 10 | File | `bull/javamelody/PayloadNameRequestWrapper.java` | High
 11 | ... | ... | ...

-There are 81 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 82 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Dukes/README.md
+++ b/actors/Dukes/README.md
@ -1,6 +1,6 @@
 # Dukes - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dukes](https://vuldb.com/?actor.dukes). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dukes](https://vuldb.com/?actor.dukes). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.dukes](https://vuldb.com/?actor.dukes)

@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dukes:

-* US
-* RU
-* ID
+* [US](https://vuldb.com/?country.us)
+* [RU](https://vuldb.com/?country.ru)
+* [ID](https://vuldb.com/?country.id)
 * ...

 There are 9 more country items available. Please use our online service to access the data.
@ -21,18 +21,18 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 5.45.66.134 | - | - | High
-2 | 46.246.120.178 | - | - | High
-3 | 50.7.192.146 | - | - | High
-4 | 64.18.143.66 | - | - | High
-5 | 66.29.115.55 | 647807.ds.nac.net | - | High
+1 | [5.45.66.134](https://vuldb.com/?ip.5.45.66.134) | - | - | High
+2 | [46.246.120.178](https://vuldb.com/?ip.46.246.120.178) | - | - | High
+3 | [50.7.192.146](https://vuldb.com/?ip.50.7.192.146) | - | - | High
+4 | [64.18.143.66](https://vuldb.com/?ip.64.18.143.66) | - | - | High
+5 | [66.29.115.55](https://vuldb.com/?ip.66.29.115.55) | 647807.ds.nac.net | - | High
 6 | ... | ... | ... | ...

 There are 22 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Dukes. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Dukes_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -41,7 +41,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1211 | CWE-254 | 7PK Security Features | High
 4 | ... | ... | ... | ...

-There are 2 more TTP items available. Please use our online service to access the data.
+There are 1 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -58,7 +58,7 @@ ID | Type | Indicator | Confidence
 7 | File | `bbcode.php` | Medium
 8 | ... | ... | ...

-There are 55 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 56 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/ESPecter/README.md
+++ b/actors/ESPecter/README.md
@ -0,0 +1,59 @@
+# ESPecter - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [ESPecter](https://vuldb.com/?actor.especter). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.especter](https://vuldb.com/?actor.especter)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with ESPecter:
+
+* [US](https://vuldb.com/?country.us)
+* [GB](https://vuldb.com/?country.gb)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of ESPecter.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [61.178.79.69](https://vuldb.com/?ip.61.178.79.69) | - | - | High
+2 | [103.212.69.175](https://vuldb.com/?ip.103.212.69.175) | - | - | High
+3 | [183.90.187.65](https://vuldb.com/?ip.183.90.187.65) | - | - | High
+4 | ... | ... | ... | ...
+
+There are 1 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _ESPecter_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by ESPecter. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `smart.cgi` | Medium
+2 | Argument | `disk` | Low
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://github.com/eset/malware-ioc/tree/master/especter
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
--- a/actors/Elknot/README.md
+++ b/actors/Elknot/README.md
@ -1,6 +1,6 @@
 # Elknot - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Elknot](https://vuldb.com/?actor.elknot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Elknot](https://vuldb.com/?actor.elknot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.elknot](https://vuldb.com/?actor.elknot)

@ -8,7 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Elknot:

-* CN
+* [CN](https://vuldb.com/?country.cn)

 ## IOC - Indicator of Compromise

@ -16,13 +16,13 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 115.231.218.64 | - | - | High
-2 | 154.82.110.5 | - | - | High
-3 | 155.94.154.170 | 155.94.154.170.static.quadranet.com | - | High
+1 | [115.231.218.64](https://vuldb.com/?ip.115.231.218.64) | - | - | High
+2 | [154.82.110.5](https://vuldb.com/?ip.154.82.110.5) | - | - | High
+3 | [155.94.154.170](https://vuldb.com/?ip.155.94.154.170) | 155.94.154.170.static.quadranet.com | - | High

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Elknot. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Elknot_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/EvilBunny/README.md
+++ b/actors/EvilBunny/README.md
@ -1,6 +1,6 @@
 # EvilBunny - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [EvilBunny](https://vuldb.com/?actor.evilbunny). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [EvilBunny](https://vuldb.com/?actor.evilbunny). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.evilbunny](https://vuldb.com/?actor.evilbunny)

@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with EvilBunny:

-* US
-* CN
-* GB
+* [US](https://vuldb.com/?country.us)
+* [GB](https://vuldb.com/?country.gb)
+* [CN](https://vuldb.com/?country.cn)
 * ...

 There are 6 more country items available. Please use our online service to access the data.
@ -21,17 +21,17 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 1.9.32.11 | - | - | High
-2 | 8.5.1.34 | - | - | High
-3 | 64.15.136.137 | - | - | High
-4 | 66.45.225.11 | - | - | High
+1 | [1.9.32.11](https://vuldb.com/?ip.1.9.32.11) | - | - | High
+2 | [8.5.1.34](https://vuldb.com/?ip.8.5.1.34) | - | - | High
+3 | [64.15.136.137](https://vuldb.com/?ip.64.15.136.137) | - | - | High
+4 | [66.45.225.11](https://vuldb.com/?ip.66.45.225.11) | - | - | High
 5 | ... | ... | ... | ...

 There are 16 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by EvilBunny. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _EvilBunny_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/Marauder/README.md
+++ b/Marauder/README.md
@ -1,55 +1,55 @@
 # Exchange Marauder - Cyber Threat Intelligence

-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Exchange Marauder](https://vuldb.com/?actor.exchange_marauder). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Exchange Marauder](https://vuldb.com/?actor.exchange_marauder). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.exchange_marauder](https://vuldb.com/?actor.exchange_marauder)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.exchange_marauder](https://vuldb.com/?actor.exchange_marauder)

 ## Campaigns

-The following campaigns are known and can be associated with Exchange Marauder:
+The following _campaigns_ are known and can be associated with Exchange Marauder:

 * Exchange Marauder

 ## Countries

-These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Exchange Marauder:
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Exchange Marauder:

-* US
-* CN
-* KR
+* [US](https://vuldb.com/?country.us)
+* [CN](https://vuldb.com/?country.cn)
+* [KR](https://vuldb.com/?country.kr)
 * ...

 There are 3 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Exchange Marauder.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Exchange Marauder.

-ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
-1 | 5.254.43.18 | - | High
-2 | 80.92.205.81 | vm302679.pq.hosting | High
-3 | 103.77.192.219 | - | High
-4 | ... | ... | ...
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [5.254.43.18](https://vuldb.com/?ip.5.254.43.18) | - | Exchange Marauder | High
+2 | [80.92.205.81](https://vuldb.com/?ip.80.92.205.81) | vm302679.pq.hosting | Exchange Marauder | High
+3 | [103.77.192.219](https://vuldb.com/?ip.103.77.192.219) | - | Exchange Marauder | High
+4 | ... | ... | ... | ...

 There are 10 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Exchange Marauder. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Exchange Marauder_. This data is unique as it uses our predictive model for actor profiling.

-ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
-1 | T1059.007 | Cross Site Scripting | High
-2 | T1068 | Execution with Unnecessary Privileges | High
-3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
-4 | ... | ... | ...
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ... | ...

-There are 2 more TTP items available. Please use our online service to access the data.
+There are 1 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

-These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Exchange Marauder. This data is unique as it uses our predictive model for actor profiling.
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Exchange Marauder. This data is unique as it uses our predictive model for actor profiling.

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
@ -61,17 +61,17 @@ ID | Type | Indicator | Confidence
 6 | File | `cmd.php?cmd=login_form` | High
 7 | ... | ... | ...

-There are 45 more IOA items available. Please use our online service to access the data.
+There are 46 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:

 * https://vxug.fakedoma.in/archive/APTs/2021/2021.03.02(1)/Operation%20Exchange%20Marauder.pdf

 ## Literature

-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:

 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
--- a/actors/FIN12/README.md
+++ b/actors/FIN12/README.md
@ -27,7 +27,7 @@ There are 2 more IOC items available. Please use our online service to access th

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by FIN12. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _FIN12_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -36,7 +36,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 5 more TTP items available. Please use our online service to access the data.
+There are 4 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -59,9 +59,10 @@ ID | Type | Indicator | Confidence
 13 | File | `addsite.php` | Medium
 14 | File | `admin/review.php` | High
 15 | File | `AdvancedBluetoothDetailsHeaderController.java` | High
-16 | ... | ... | ...
+16 | File | `ajax/profile-picture-upload.php` | High
+17 | ... | ... | ...

-There are 132 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 133 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/FIN7/README.md
+++ b/actors/FIN7/README.md
@ -77,7 +77,7 @@ There are 172 more IOC items available. Please use our online service to access

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by FIN7. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _FIN7_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -86,7 +86,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 8 more TTP items available. Please use our online service to access the data.
+There are 7 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -96,59 +96,58 @@ ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
 1 | File | `/+CSCOE+/logon.html` | High
 2 | File | `/context/%2e/WEB-INF/web.xml` | High
-3 | File | `/ext/phar/phar_object.c` | High
-4 | File | `/filemanager/php/connector.php` | High
-5 | File | `/get_getnetworkconf.cgi` | High
-6 | File | `/HNAP1` | Low
-7 | File | `/modx/manager/index.php` | High
-8 | File | `/monitoring` | Medium
-9 | File | `/new` | Low
-10 | File | `/proc/<pid>/status` | High
-11 | File | `/public/plugins/` | High
-12 | File | `/replication` | Medium
-13 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
-14 | File | `/secure/QueryComponent!Default.jspa` | High
-15 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
-16 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
-17 | File | `/tmp` | Low
-18 | File | `/type.php` | Medium
-19 | File | `/uncpath/` | Medium
-20 | File | `/usr/bin/pkexec` | High
-21 | File | `/wp-json/wc/v3/webhooks` | High
-22 | File | `4.2.0.CP09` | Medium
-23 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
-24 | File | `802dot1xclientcert.cgi` | High
-25 | File | `AccountManagerService.java` | High
-26 | File | `actions/CompanyDetailsSave.php` | High
-27 | File | `ActivityManagerService.java` | High
-28 | File | `add.exe` | Low
-29 | File | `admin.color.php` | High
-30 | File | `admin.cropcanvas.php` | High
-31 | File | `admin.joomlaradiov5.php` | High
-32 | File | `admin.php` | Medium
-33 | File | `admin.php?m=Food&a=addsave` | High
-34 | File | `admin/add-glossary.php` | High
-35 | File | `admin/conf_users_edit.php` | High
-36 | File | `admin/edit-comments.php` | High
-37 | File | `admin/index.php` | High
-38 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
-39 | File | `admin/write-post.php` | High
-40 | File | `administrator/components/com_media/helpers/media.php` | High
-41 | File | `admin_events.php` | High
-42 | File | `AjaxApplication.java` | High
-43 | File | `akocomments.php` | High
-44 | File | `allopass-error.php` | High
-45 | File | `AllowBindAppWidgetActivity.java` | High
-46 | File | `android/webkit/SearchBoxImpl.java` | High
-47 | File | `AndroidManifest.xml` | High
-48 | File | `announcement.php` | High
-49 | File | `api/settings/values` | High
-50 | File | `app/topic/action/admin/topic.php` | High
-51 | File | `apply.cgi` | Medium
-52 | File | `artlinks.dispnew.php` | High
-53 | ... | ... | ...
+3 | File | `/debug/pprof` | Medium
+4 | File | `/ext/phar/phar_object.c` | High
+5 | File | `/filemanager/php/connector.php` | High
+6 | File | `/get_getnetworkconf.cgi` | High
+7 | File | `/HNAP1` | Low
+8 | File | `/modx/manager/index.php` | High
+9 | File | `/monitoring` | Medium
+10 | File | `/new` | Low
+11 | File | `/proc/<pid>/status` | High
+12 | File | `/public/plugins/` | High
+13 | File | `/replication` | Medium
+14 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
+15 | File | `/secure/QueryComponent!Default.jspa` | High
+16 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
+17 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
+18 | File | `/tmp` | Low
+19 | File | `/type.php` | Medium
+20 | File | `/uncpath/` | Medium
+21 | File | `/usr/bin/pkexec` | High
+22 | File | `/wp-json/wc/v3/webhooks` | High
+23 | File | `4.2.0.CP09` | Medium
+24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
+25 | File | `802dot1xclientcert.cgi` | High
+26 | File | `AccountManagerService.java` | High
+27 | File | `actions/CompanyDetailsSave.php` | High
+28 | File | `ActivityManagerService.java` | High
+29 | File | `add.exe` | Low
+30 | File | `admin.color.php` | High
+31 | File | `admin.cropcanvas.php` | High
+32 | File | `admin.joomlaradiov5.php` | High
+33 | File | `admin.php` | Medium
+34 | File | `admin.php?m=Food&a=addsave` | High
+35 | File | `admin/add-glossary.php` | High
+36 | File | `admin/conf_users_edit.php` | High
+37 | File | `admin/edit-comments.php` | High
+38 | File | `admin/index.php` | High
+39 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
+40 | File | `admin/write-post.php` | High
+41 | File | `administrator/components/com_media/helpers/media.php` | High
+42 | File | `admin_events.php` | High
+43 | File | `AjaxApplication.java` | High
+44 | File | `akocomments.php` | High
+45 | File | `allopass-error.php` | High
+46 | File | `AllowBindAppWidgetActivity.java` | High
+47 | File | `android/webkit/SearchBoxImpl.java` | High
+48 | File | `AndroidManifest.xml` | High
+49 | File | `announcement.php` | High
+50 | File | `api/settings/values` | High
+51 | File | `app/topic/action/admin/topic.php` | High
+52 | ... | ... | ...

-There are 458 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 451 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/FamousSparrow/README.md
+++ b/actors/FamousSparrow/README.md
@ -22,7 +22,7 @@ ID | IP address | Hostname | Campaign | Confidence

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by FamousSparrow. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _FamousSparrow_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -31,7 +31,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 2 more TTP items available. Please use our online service to access the data.
+There are 3 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

--- a/actors/FritzFrog/README.md
+++ b/actors/FritzFrog/README.md
@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FritzFrog:

 * [VN](https://vuldb.com/?country.vn)
+* [CN](https://vuldb.com/?country.cn)
 * [ES](https://vuldb.com/?country.es)
-* [US](https://vuldb.com/?country.us)
 * ...

-There are 14 more country items available. Please use our online service to access the data.
+There are 13 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

@ -327,7 +327,7 @@ There are 1200 more IOC items available. Please use our online service to access

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by FritzFrog. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _FritzFrog_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -336,7 +336,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 5 more TTP items available. Please use our online service to access the data.
+There are 6 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -344,52 +344,54 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/CMD_ACCOUNT_ADMIN` | High
-2 | File | `/config/getuser` | High
-3 | File | `/core/admin/categories.php` | High
-4 | File | `/debug/pprof` | Medium
-5 | File | `/dev/cpu/*/msr` | High
-6 | File | `/filemanager/php/connector.php` | High
-7 | File | `/forum/away.php` | High
-8 | File | `/front/document.form.php` | High
-9 | File | `/horde/util/go.php` | High
-10 | File | `/hostapd` | Medium
-11 | File | `/include/chart_generator.php` | High
-12 | File | `/modx/manager/index.php` | High
-13 | File | `/MTFWU` | Low
-14 | File | `/my_photo_gallery/image.php` | High
-15 | File | `/public/admin.php` | High
-16 | File | `/public/login.htm` | High
-17 | File | `/public/plugins/` | High
-18 | File | `/rest/api/1.0/render` | High
-19 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
-20 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
-21 | File | `/uncpath/` | Medium
-22 | File | `/user-utils/users/md5.json` | High
-23 | File | `/userRpm/popupSiteSurveyRpm.html` | High
-24 | File | `/usr/bin/pkexec` | High
-25 | File | `/wp-json` | Medium
-26 | File | `/x_program_center/jaxrs/invoke` | High
-27 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
-28 | File | `102/tcp` | Low
-29 | File | `802dot1xclientcert.cgi` | High
-30 | File | `add.exe` | Low
-31 | File | `admin.php?m=Food&a=addsave` | High
-32 | File | `admin.remository.php` | High
-33 | File | `admin/conf_users_edit.php` | High
-34 | File | `admin/index.php` | High
-35 | File | `admin/theme-edit.php` | High
-36 | File | `adminpanel/modules/pro/inc/ajax.php` | High
-37 | File | `admin_ajax.php?action=checkrepeat` | High
-38 | File | `affich.php` | Medium
-39 | File | `ajax/kanban.php` | High
-40 | File | `ajax_calls.php` | High
-41 | File | `akocomments.php` | High
-42 | File | `api-third-party/download/extdisks../etc/config/account` | High
-43 | File | `app/topic/action/admin/topic.php` | High
-44 | ... | ... | ...
+1 | File | `%PROGRAMDATA%\ASUS\GamingCenterLib` | High
+2 | File | `/administrator/components/menu/` | High
+3 | File | `/apply_noauth.cgi` | High
+4 | File | `/cgi-bin/login` | High
+5 | File | `/CMD_ACCOUNT_ADMIN` | High
+6 | File | `/config/getuser` | High
+7 | File | `/core/admin/categories.php` | High
+8 | File | `/debug/pprof` | Medium
+9 | File | `/dev/cpu/*/msr` | High
+10 | File | `/filemanager/php/connector.php` | High
+11 | File | `/forum/away.php` | High
+12 | File | `/front/document.form.php` | High
+13 | File | `/ghost/preview` | High
+14 | File | `/horde/util/go.php` | High
+15 | File | `/include/chart_generator.php` | High
+16 | File | `/index.php` | Medium
+17 | File | `/member/index/login.html` | High
+18 | File | `/modx/manager/index.php` | High
+19 | File | `/MTFWU` | Low
+20 | File | `/my_photo_gallery/image.php` | High
+21 | File | `/products/details.asp` | High
+22 | File | `/public/admin.php` | High
+23 | File | `/public/login.htm?errormsg=&loginurl=%22%3E%3Csvg%20onload=prompt%28/XSS/%29%3E` | High
+24 | File | `/public/plugins/` | High
+25 | File | `/rest/api/1.0/render` | High
+26 | File | `/s/` | Low
+27 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
+28 | File | `/siteminderagent/pwcgi/smpwservicescgi.exe` | High
+29 | File | `/uncpath/` | Medium
+30 | File | `/user-utils/users/md5.json` | High
+31 | File | `/usr/bin/pkexec` | High
+32 | File | `/webhooks/aws` | High
+33 | File | `/x_program_center/jaxrs/invoke` | High
+34 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
+35 | File | `add.exe` | Low
+36 | File | `admin.php?m=Food&a=addsave` | High
+37 | File | `admin.remository.php` | High
+38 | File | `admin/conf_users_edit.php` | High
+39 | File | `admin/index.php` | High
+40 | File | `admin/login.asp` | High
+41 | File | `adminpanel/modules/pro/inc/ajax.php` | High
+42 | File | `admin\db\DoSql.php` | High
+43 | File | `affich.php` | Medium
+44 | File | `ajax/kanban.php` | High
+45 | File | `ajax_calls.php` | High
+46 | ... | ... | ...

-There are 381 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 399 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/GRU/README.md
+++ b/actors/GRU/README.md
@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

 * [US](https://vuldb.com/?country.us)
 * [RO](https://vuldb.com/?country.ro)
-* [FR](https://vuldb.com/?country.fr)
+* [RU](https://vuldb.com/?country.ru)
 * ...

 There are 11 more country items available. Please use our online service to access the data.
@ -30,7 +30,7 @@ There are 7 more IOC items available. Please use our online service to access th

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by GRU. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _GRU_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/Gamaredon/README.md
+++ b/actors/Gamaredon/README.md
@ -1,6 +1,6 @@
 # Gamaredon - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gamaredon](https://vuldb.com/?actor.gamaredon). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gamaredon](https://vuldb.com/?actor.gamaredon). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gamaredon](https://vuldb.com/?actor.gamaredon)

@ -77,7 +77,7 @@ There are 198 more IOC items available. Please use our online service to access

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Gamaredon. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Gamaredon_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/Gh0stRAT/README.md
+++ b/actors/Gh0stRAT/README.md
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [CN](https://vuldb.com/?country.cn)
 * ...

-There are 16 more country items available. Please use our online service to access the data.
+There are 17 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

@ -47,16 +47,16 @@ ID | IP address | Hostname | Campaign | Confidence
 24 | [58.221.47.47](https://vuldb.com/?ip.58.221.47.47) | - | - | High
 25 | ... | ... | ... | ...

-There are 94 more IOC items available. Please use our online service to access the data.
+There are 97 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Gh0stRAT. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Gh0stRAT_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
-2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
+2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
 3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

@ -76,20 +76,20 @@ ID | Type | Indicator | Confidence
 6 | File | `/car.php` | Medium
 7 | File | `/CMD_ACCOUNT_ADMIN` | High
 8 | File | `/concat?/%2557EB-INF/web.xml` | High
-9 | File | `/config/getuser` | High
-10 | File | `/core/admin/categories.php` | High
-11 | File | `/dashboards/#` | High
-12 | File | `/data/remove` | Medium
-13 | File | `/etc/controller-agent/agent.conf` | High
-14 | File | `/etc/postfix/sender_login` | High
-15 | File | `/etc/sudoers` | Medium
-16 | File | `/etc/tomcat8/Catalina/attack` | High
-17 | File | `/filemanager/php/connector.php` | High
-18 | File | `/forum/away.php` | High
-19 | File | `/fudforum/adm/hlplist.php` | High
-20 | File | `/GponForm/fsetup_Form` | High
-21 | File | `/log_download.cgi` | High
-22 | File | `/modules/profile/index.php` | High
+9 | File | `/core/admin/categories.php` | High
+10 | File | `/dashboards/#` | High
+11 | File | `/data/remove` | Medium
+12 | File | `/etc/controller-agent/agent.conf` | High
+13 | File | `/etc/postfix/sender_login` | High
+14 | File | `/etc/sudoers` | Medium
+15 | File | `/etc/tomcat8/Catalina/attack` | High
+16 | File | `/filemanager/php/connector.php` | High
+17 | File | `/forum/away.php` | High
+18 | File | `/fudforum/adm/hlplist.php` | High
+19 | File | `/GponForm/fsetup_Form` | High
+20 | File | `/log_download.cgi` | High
+21 | File | `/modules/profile/index.php` | High
+22 | File | `/MTFWU` | Low
 23 | File | `/navigate/navigate_download.php` | High
 24 | File | `/out.php` | Medium
 25 | File | `/password.html` | High
@ -106,7 +106,7 @@ ID | Type | Indicator | Confidence
 36 | File | `/tmp/kamailio_ctl` | High
 37 | ... | ... | ...

-There are 322 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 317 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

@ -130,6 +130,7 @@ The following list contains _external sources_ which discuss the actor and the a
 * https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
 * https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
 * https://blog.talosintelligence.com/2022/02/threat-roundup-0218-0225.html
+* https://blog.talosintelligence.com/2022/03/threat-roundup-0225-0304.html

 ## Literature

--- a/actors/GreyEnergy/README.md
+++ b/actors/GreyEnergy/README.md
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [RO](https://vuldb.com/?country.ro)
 * ...

-There are 28 more country items available. Please use our online service to access the data.
+There are 26 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

@ -28,20 +28,20 @@ ID | IP address | Hostname | Campaign | Confidence
 5 | [62.210.77.169](https://vuldb.com/?ip.62.210.77.169) | 62-210-77-169.rev.poneytelecom.eu | - | High
 6 | ... | ... | ... | ...

-There are 21 more IOC items available. Please use our online service to access the data.
+There are 22 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by GreyEnergy. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _GreyEnergy_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
 2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High
-3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 8 more TTP items available. Please use our online service to access the data.
+There are 6 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -57,44 +57,43 @@ ID | Type | Indicator | Confidence
 6 | File | `/cgi-bin/kerbynet` | High
 7 | File | `/context/%2e/WEB-INF/web.xml` | High
 8 | File | `/dcim/sites/add/` | High
-9 | File | `/EXCU_SHELL` | Medium
-10 | File | `/forum/away.php` | High
-11 | File | `/fudforum/adm/hlplist.php` | High
-12 | File | `/login` | Low
-13 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
-14 | File | `/monitoring` | Medium
-15 | File | `/new` | Low
-16 | File | `/proc/<pid>/status` | High
-17 | File | `/public/plugins/` | High
-18 | File | `/rom` | Low
-19 | File | `/scripts/killpvhost` | High
-20 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
-21 | File | `/secure/QueryComponent!Default.jspa` | High
-22 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
-23 | File | `/tmp` | Low
-24 | File | `/tmp/redis.ds` | High
-25 | File | `/uncpath/` | Medium
-26 | File | `/ViewUserHover.jspa` | High
-27 | File | `/wp-admin` | Medium
-28 | File | `/wp-json/wc/v3/webhooks` | High
-29 | File | `AccountManagerService.java` | High
-30 | File | `actions/CompanyDetailsSave.php` | High
-31 | File | `ActiveServices.java` | High
-32 | File | `ActivityManagerService.java` | High
-33 | File | `addlink.php` | Medium
-34 | File | `addtocart.asp` | High
-35 | File | `admin.php` | Medium
-36 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
-37 | File | `admin/add-glossary.php` | High
-38 | ... | ... | ...
+9 | File | `/fudforum/adm/hlplist.php` | High
+10 | File | `/login` | Low
+11 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
+12 | File | `/monitoring` | Medium
+13 | File | `/new` | Low
+14 | File | `/proc/<pid>/status` | High
+15 | File | `/public/plugins/` | High
+16 | File | `/rom` | Low
+17 | File | `/scripts/killpvhost` | High
+18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
+19 | File | `/secure/QueryComponent!Default.jspa` | High
+20 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
+21 | File | `/tmp` | Low
+22 | File | `/tmp/redis.ds` | High
+23 | File | `/uncpath/` | Medium
+24 | File | `/wp-admin` | Medium
+25 | File | `/wp-json/wc/v3/webhooks` | High
+26 | File | `AccountManagerService.java` | High
+27 | File | `actions/CompanyDetailsSave.php` | High
+28 | File | `ActiveServices.java` | High
+29 | File | `ActivityManagerService.java` | High
+30 | File | `admin.php` | Medium
+31 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
+32 | File | `admin/add-glossary.php` | High
+33 | File | `admin/conf_users_edit.php` | High
+34 | File | `admin/dashboard.php` | High
+35 | File | `admin/edit-comments.php` | High
+36 | ... | ... | ...

-There are 324 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 306 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

 The following list contains _external sources_ which discuss the actor and the associated activities:

 * https://github.com/eset/malware-ioc/tree/master/greyenergy
+* https://github.com/eset/malware-ioc/tree/master/quarterly_reports/2020_Q3

 ## Literature

--- a/actors/Inception/README.md
+++ b/actors/Inception/README.md
@ -14,9 +14,9 @@ The following _campaigns_ are known and can be associated with Inception:

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Inception:

-* [SV](https://vuldb.com/?country.sv)
 * [ES](https://vuldb.com/?country.es)
-* [PL](https://vuldb.com/?country.pl)
+* [SV](https://vuldb.com/?country.sv)
+* [DE](https://vuldb.com/?country.de)
 * ...

 There are 4 more country items available. Please use our online service to access the data.
@ -36,7 +36,7 @@ There are 7 more IOC items available. Please use our online service to access th

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Inception. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Inception_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -56,29 +56,28 @@ ID | Type | Indicator | Confidence
 1 | File | `/admin/page_edit/3` | High
 2 | File | `/api/notify.php` | High
 3 | File | `/domain/service/.ewell-known/caldav` | High
-4 | File | `/etc/passwd` | Medium
-5 | File | `/formAdvFirewall` | High
-6 | File | `/master/article.php` | High
-7 | File | `/mobile/SelectUsers.jsp` | High
-8 | File | `/ProteinArraySignificanceTest.json` | High
-9 | File | `/usr/local/bin/mjs` | High
-10 | File | `/web` | Low
-11 | File | `admin/bad.php` | High
-12 | File | `admin/dl_sendmail.php` | High
-13 | File | `admin/pages/useredit.php` | High
-14 | File | `AdminBaseController.class.php` | High
-15 | File | `AlertReceiver.java` | High
-16 | File | `AndroidFuture.java` | High
-17 | File | `AndroidManifest.xml` | High
-18 | File | `api/info.php` | Medium
-19 | File | `attach.c` | Medium
-20 | File | `box_code_apple.c` | High
-21 | File | `bugs.aspx` | Medium
-22 | File | `bug_actiongroup.php` | High
-23 | File | `bug_report_page.php` | High
-24 | ... | ... | ...
+4 | File | `/formAdvFirewall` | High
+5 | File | `/mobile/SelectUsers.jsp` | High
+6 | File | `/ProteinArraySignificanceTest.json` | High
+7 | File | `/usr/local/bin/mjs` | High
+8 | File | `/web` | Low
+9 | File | `admin/bad.php` | High
+10 | File | `admin/dl_sendmail.php` | High
+11 | File | `admin/pages/useredit.php` | High
+12 | File | `AdminBaseController.class.php` | High
+13 | File | `AlertReceiver.java` | High
+14 | File | `alfresco/s/admin/admin-nodebrowser` | High
+15 | File | `AndroidFuture.java` | High
+16 | File | `AndroidManifest.xml` | High
+17 | File | `api/info.php` | Medium
+18 | File | `attach.c` | Medium
+19 | File | `box_code_apple.c` | High
+20 | File | `bug_actiongroup.php` | High
+21 | File | `bug_report_page.php` | High
+22 | File | `cavsdec.c` | Medium
+23 | ... | ... | ...

-There are 196 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 192 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Indexsinas/README.md
+++ b/actors/Indexsinas/README.md
@ -9,8 +9,8 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Indexsinas:

 * [VN](https://vuldb.com/?country.vn)
+* [NZ](https://vuldb.com/?country.nz)
 * [US](https://vuldb.com/?country.us)
-* [MX](https://vuldb.com/?country.mx)
 * ...

 There are 2 more country items available. Please use our online service to access the data.
@ -283,16 +283,16 @@ There are 1024 more IOC items available. Please use our online service to access

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Indexsinas. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Indexsinas_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
-1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
 2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
-3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+3 | T1110.001 | CWE-307 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 5 more TTP items available. Please use our online service to access the data.
+There are 6 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -300,18 +300,16 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/members/view_member.php` | High
-2 | File | `/rest/api/1.0/render` | High
-3 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
-4 | File | `/tmp` | Low
-5 | File | `/usr/bin/pkexec` | High
+1 | File | `/config/getuser` | High
+2 | File | `/etc/passwd` | Medium
+3 | File | `/mdiy/dict/listExcludeApp` | High
+4 | File | `/public/login.htm` | High
+5 | File | `/web/MCmsAction.java` | High
 6 | File | `admin.php` | Medium
-7 | File | `bash_completion` | High
-8 | File | `coders/tiff.c` | High
-9 | File | `default_validator.cc` | High
-10 | ... | ... | ...
+7 | File | `admin/cgi-bin/listdir.pl` | High
+8 | ... | ... | ...

-There are 72 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 59 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Kimsuky/README.md
+++ b/actors/Kimsuky/README.md
@ -1,55 +1,55 @@
 # Kimsuky - Cyber Threat Intelligence

-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Kimsuky](https://vuldb.com/?actor.kimsuky). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Kimsuky](https://vuldb.com/?actor.kimsuky). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.kimsuky](https://vuldb.com/?actor.kimsuky)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.kimsuky](https://vuldb.com/?actor.kimsuky)

 ## Campaigns

-The following campaigns are known and can be associated with Kimsuky:
+The following _campaigns_ are known and can be associated with Kimsuky:

 * AppleSeed

 ## Countries

-These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Kimsuky:
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Kimsuky:

-* CN
-* US
-* JP
+* [CN](https://vuldb.com/?country.cn)
+* [US](https://vuldb.com/?country.us)
+* [JP](https://vuldb.com/?country.jp)
 * ...

 There are 1 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Kimsuky.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Kimsuky.

-ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
-1 | 27.102.107.63 | - | High
-2 | 27.102.114.89 | - | High
-3 | 45.13.135.103 | - | High
-4 | ... | ... | ...
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [27.102.107.63](https://vuldb.com/?ip.27.102.107.63) | - | AppleSeed | High
+2 | [27.102.114.89](https://vuldb.com/?ip.27.102.114.89) | - | AppleSeed | High
+3 | [45.13.135.103](https://vuldb.com/?ip.45.13.135.103) | - | AppleSeed | High
+4 | ... | ... | ... | ...

 There are 6 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Kimsuky. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Kimsuky_. This data is unique as it uses our predictive model for actor profiling.

-ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
-1 | T1059.007 | Cross Site Scripting | High
-2 | T1068 | Execution with Unnecessary Privileges | High
-3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
-4 | ... | ... | ...
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ... | ...

-There are 5 more TTP items available. Please use our online service to access the data.
+There are 4 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

-These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Kimsuky. This data is unique as it uses our predictive model for actor profiling.
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Kimsuky. This data is unique as it uses our predictive model for actor profiling.

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
@ -61,18 +61,18 @@ ID | Type | Indicator | Confidence
 6 | File | `/upload` | Low
 7 | ... | ... | ...

-There are 50 more IOA items available. Please use our online service to access the data.
+There are 51 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:

 * https://blog.alyac.co.kr/2234
 * https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

 ## Literature

-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:

 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
--- a/actors/Kinsing/README.md
+++ b/actors/Kinsing/README.md
@ -1,84 +1,116 @@
 # Kinsing - Cyber Threat Intelligence

-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Kinsing](https://vuldb.com/?actor.kinsing). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Kinsing](https://vuldb.com/?actor.kinsing). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.kinsing](https://vuldb.com/?actor.kinsing)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.kinsing](https://vuldb.com/?actor.kinsing)

 ## Campaigns

-The following campaigns are known and can be associated with Kinsing:
+The following _campaigns_ are known and can be associated with Kinsing:

 * Log4Shell

 ## Countries

-These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Kinsing:
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Kinsing:

-* US
-* RU
-* CN
+* [US](https://vuldb.com/?country.us)
+* [RU](https://vuldb.com/?country.ru)
+* [CN](https://vuldb.com/?country.cn)
 * ...

-There are 4 more country items available. Please use our online service to access the data.
+There are 13 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Kinsing.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Kinsing.

-ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
-1 | 3.215.110.66 | ec2-3-215-110-66.compute-1.amazonaws.com | Medium
-2 | 31.210.20.181 | - | High
-3 | 34.81.218.76 | 76.218.81.34.bc.googleusercontent.com | Medium
-4 | 42.112.28.216 | midp.highlatrol.com | High
-5 | 45.129.2.107 | - | High
-6 | 45.137.151.106 | - | High
-7 | ... | ... | ...
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [3.215.110.66](https://vuldb.com/?ip.3.215.110.66) | ec2-3-215-110-66.compute-1.amazonaws.com | Log4Shell | Medium
+2 | [5.34.183.14](https://vuldb.com/?ip.5.34.183.14) | vds-904894.hosted-by-itldc.com | - | High
+3 | [5.34.183.145](https://vuldb.com/?ip.5.34.183.145) | a.sadeghi | - | High
+4 | [31.210.20.181](https://vuldb.com/?ip.31.210.20.181) | - | Log4Shell | High
+5 | [34.81.218.76](https://vuldb.com/?ip.34.81.218.76) | 76.218.81.34.bc.googleusercontent.com | Log4Shell | Medium
+6 | [42.112.28.216](https://vuldb.com/?ip.42.112.28.216) | midp.highlatrol.com | Log4Shell | High
+7 | [45.10.88.124](https://vuldb.com/?ip.45.10.88.124) | - | - | High
+8 | [45.67.230.68](https://vuldb.com/?ip.45.67.230.68) | vm330138.pq.hosting | - | High
+9 | [45.129.2.107](https://vuldb.com/?ip.45.129.2.107) | - | Log4Shell | High
+10 | [45.137.151.106](https://vuldb.com/?ip.45.137.151.106) | - | Log4Shell | High
+11 | ... | ... | ... | ...

-There are 26 more IOC items available. Please use our online service to access the data.
+There are 42 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Kinsing. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Kinsing_. This data is unique as it uses our predictive model for actor profiling.

-ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
-1 | T1059.007 | Cross Site Scripting | High
-2 | T1068 | Execution with Unnecessary Privileges | High
-3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
-4 | ... | ... | ...
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ... | ...

-There are 4 more TTP items available. Please use our online service to access the data.
+There are 7 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

-These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Kinsing. This data is unique as it uses our predictive model for actor profiling.
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Kinsing. This data is unique as it uses our predictive model for actor profiling.

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/filemanager/upload.php` | High
-2 | File | `/includes/event-management/index.php` | High
-3 | File | `/Main_AdmStatus_Content.asp` | High
-4 | File | `/member/picture/album` | High
-5 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
-6 | File | `actions.php` | Medium
-7 | File | `admin.php` | Medium
-8 | File | `admin\controller\uploadfile.php` | High
-9 | File | `album_portal.php` | High
-10 | ... | ... | ...
+1 | File | `/api/files/` | Medium
+2 | File | `/api/trackedEntityInstances` | High
+3 | File | `/app/Http/Controllers/Admin/NEditorController.php` | High
+4 | File | `/de/cgi/dfs_guest/` | High
+5 | File | `/filemanager/upload.php` | High
+6 | File | `/include/makecvs.php` | High
+7 | File | `/includes/event-management/index.php` | High
+8 | File | `/Main_AdmStatus_Content.asp` | High
+9 | File | `/member/picture/album` | High
+10 | File | `/mifs/c/i/reg/reg.html` | High
+11 | File | `/modules/profile/index.php` | High
+12 | File | `/products/details.asp` | High
+13 | File | `/services/details.asp` | High
+14 | File | `/uncpath/` | Medium
+15 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
+16 | File | `/usr/syno/etc/mount.conf` | High
+17 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
+18 | File | `/xAdmin/html/cm_doclist_view_uc.jsp` | High
+19 | File | `a-b-membres.php` | High
+20 | File | `actions.php` | Medium
+21 | File | `adclick.php` | Medium
+22 | File | `add.php` | Low
+23 | File | `add_2_basket.asp` | High
+24 | File | `add_comment.php` | High
+25 | File | `admin.php` | Medium
+26 | File | `admin.php/comments/batchdel/` | High
+27 | File | `admin/aboutus.php` | High
+28 | File | `admin\controller\uploadfile.php` | High
+29 | File | `album_portal.php` | High
+30 | File | `al_initialize.php` | High
+31 | File | `application/modules/admin/views/ecommerce/products.php` | High
+32 | File | `ArchiveNews.aspx` | High
+33 | File | `ashnews.php/ashheadlines.php` | High
+34 | File | `blog.php` | Medium
+35 | File | `board.php` | Medium
+36 | ... | ... | ...

-There are 75 more IOA items available. Please use our online service to access the data.
+There are 310 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:

+* https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/log4j-indicators-of-compromise-to-date/
 * https://gist.github.com/Iansus/050e121170a864c37b13f979c1883ad4
 * https://twitter.com/iansus/status/1472867647410819073
+* https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-actively-exploited/IOCs-PatchNow-Log4Shell-Vulnerability.txt

 ## Literature

-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:

 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
--- a/actors/Lazarus/README.md
+++ b/actors/Lazarus/README.md
@ -20,8 +20,8 @@ There are 5 more campaign items available. Please use our online service to acce
 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lazarus:

 * [VN](https://vuldb.com/?country.vn)
+* [FR](https://vuldb.com/?country.fr)
 * [IN](https://vuldb.com/?country.in)
-* [US](https://vuldb.com/?country.us)
 * ...

 There are 3 more country items available. Please use our online service to access the data.
@ -218,13 +218,13 @@ There are 722 more IOC items available. Please use our online service to access

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Lazarus. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Lazarus_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
-1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
 2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
-3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+3 | T1110.001 | CWE-307 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

 There are 5 more TTP items available. Please use our online service to access the data.
@ -235,23 +235,16 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/admin-panel1.php` | High
-2 | File | `/admin/?page=members/view_member` | High
-3 | File | `/admin/files` | Medium
-4 | File | `/admin/options` | High
-5 | File | `/admin/page_edit/3` | High
-6 | File | `/admin_page/all-files-update-ajax.php` | High
-7 | File | `/api/servers` | Medium
-8 | File | `/aya/module/admin/ust_tab_e.inc.php` | High
-9 | File | `/members/view_member.php` | High
-10 | File | `/ok_jpg.c` | Medium
-11 | File | `/ok_png.c` | Medium
-12 | File | `/rest/jpo/1.0/hierarchyConfiguration` | High
-13 | File | `/rootfs` | Low
-14 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
-15 | ... | ... | ...
+1 | File | `/etc/passwd` | Medium
+2 | File | `/mdiy/dict/listExcludeApp` | High
+3 | File | `/uncpath/` | Medium
+4 | File | `/web/MCmsAction.java` | High
+5 | File | `admin.php` | Medium
+6 | File | `admin/cgi-bin/listdir.pl` | High
+7 | File | `admin/cgi-bin/rulemgr.pl/getfile/` | High
+8 | ... | ... | ...

-There are 119 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 58 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Leafminer/README.md
+++ b/actors/Leafminer/README.md
@ -1,29 +1,29 @@
 # Leafminer - Cyber Threat Intelligence

-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Leafminer](https://vuldb.com/?actor.leafminer). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Leafminer](https://vuldb.com/?actor.leafminer). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.leafminer](https://vuldb.com/?actor.leafminer)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.leafminer](https://vuldb.com/?actor.leafminer)

 ## IOC - Indicator of Compromise

-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Leafminer.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Leafminer.

-ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
-1 | 51.254.173.240 | ip240.ip-51-254-173.eu | High
-2 | 188.165.187.235 | - | High
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [51.254.173.240](https://vuldb.com/?ip.51.254.173.240) | ip240.ip-51-254-173.eu | - | High
+2 | [188.165.187.235](https://vuldb.com/?ip.188.165.187.235) | - | - | High

 ## TTP - Tactics, Techniques, Procedures

-Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Leafminer. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Leafminer_. This data is unique as it uses our predictive model for actor profiling.

-ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
-1 | T1059.007 | Cross Site Scripting | High
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High

 ## IOA - Indicator of Attack

-These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Leafminer. This data is unique as it uses our predictive model for actor profiling.
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Leafminer. This data is unique as it uses our predictive model for actor profiling.

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
@ -31,13 +31,13 @@ ID | Type | Indicator | Confidence

 ## References

-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:

 * https://symantec-enterprise-blogs.security.com/sites/default/files/2018-07/Leafminer_IOCs.txt

 ## Literature

-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:

 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
--- a/Duck/README.md
+++ b/Duck/README.md
@ -1,6 +1,6 @@
 # Lemon Duck - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Lemon Duck](https://vuldb.com/?actor.lemon_duck). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Lemon Duck](https://vuldb.com/?actor.lemon_duck). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.lemon_duck](https://vuldb.com/?actor.lemon_duck)

@ -8,9 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lemon Duck:

-* VN
-* CN
-* US
+* [VN](https://vuldb.com/?country.vn)
+* [CN](https://vuldb.com/?country.cn)
+* [US](https://vuldb.com/?country.us)
+* ...
+
+There are 2 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

@ -18,31 +21,31 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 1.202.15.246 | 246.15.202.1.static.bjtelecom.net | - | High
-2 | 27.195.157.70 | - | - | High
-3 | 36.48.94.254 | - | - | High
-4 | 36.110.1.222 | 222.1.110.36.static.bjtelecom.net | - | High
-5 | 40.68.42.171 | - | - | High
-6 | 42.7.4.88 | - | - | High
-7 | 42.7.31.243 | - | - | High
-8 | 42.176.133.183 | - | - | High
-9 | 49.71.208.124 | - | - | High
-10 | 49.147.72.67 | dsl.49.148.72.67.pldt.net | - | High
-11 | 51.36.170.221 | - | - | High
-12 | 58.56.135.198 | - | - | High
-13 | 58.62.125.245 | - | - | High
-14 | 58.221.24.178 | - | - | High
-15 | 58.251.2.115 | reverse.gdsz.cncnet.net | - | High
-16 | 59.111.181.116 | - | - | High
-17 | 59.175.154.97 | - | - | High
-18 | 60.10.56.169 | hebei.10.60.in-addr.arpa | - | High
+1 | [1.202.15.246](https://vuldb.com/?ip.1.202.15.246) | 246.15.202.1.static.bjtelecom.net | - | High
+2 | [27.195.157.70](https://vuldb.com/?ip.27.195.157.70) | - | - | High
+3 | [36.48.94.254](https://vuldb.com/?ip.36.48.94.254) | - | - | High
+4 | [36.110.1.222](https://vuldb.com/?ip.36.110.1.222) | 222.1.110.36.static.bjtelecom.net | - | High
+5 | [40.68.42.171](https://vuldb.com/?ip.40.68.42.171) | - | - | High
+6 | [42.7.4.88](https://vuldb.com/?ip.42.7.4.88) | - | - | High
+7 | [42.7.31.243](https://vuldb.com/?ip.42.7.31.243) | - | - | High
+8 | [42.176.133.183](https://vuldb.com/?ip.42.176.133.183) | - | - | High
+9 | [49.71.208.124](https://vuldb.com/?ip.49.71.208.124) | - | - | High
+10 | [49.147.72.67](https://vuldb.com/?ip.49.147.72.67) | dsl.49.148.72.67.pldt.net | - | High
+11 | [51.36.170.221](https://vuldb.com/?ip.51.36.170.221) | - | - | High
+12 | [58.56.135.198](https://vuldb.com/?ip.58.56.135.198) | - | - | High
+13 | [58.62.125.245](https://vuldb.com/?ip.58.62.125.245) | - | - | High
+14 | [58.221.24.178](https://vuldb.com/?ip.58.221.24.178) | - | - | High
+15 | [58.251.2.115](https://vuldb.com/?ip.58.251.2.115) | reverse.gdsz.cncnet.net | - | High
+16 | [59.111.181.116](https://vuldb.com/?ip.59.111.181.116) | - | - | High
+17 | [59.175.154.97](https://vuldb.com/?ip.59.175.154.97) | - | - | High
+18 | [60.10.56.169](https://vuldb.com/?ip.60.10.56.169) | hebei.10.60.in-addr.arpa | - | High
 19 | ... | ... | ... | ...

 There are 71 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Lemon Duck. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Lemon Duck_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -51,7 +54,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 7 more TTP items available. Please use our online service to access the data.
+There are 5 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -63,29 +66,37 @@ ID | Type | Indicator | Confidence
 2 | File | `/alumni/admin/ajax.php?action=save_settings` | High
 3 | File | `/assets/ctx` | Medium
 4 | File | `/cgi-bin/luci` | High
-5 | File | `/cimom` | Low
-6 | File | `/config/getuser` | High
-7 | File | `/export` | Low
-8 | File | `/gcp/roleset/*` | High
+5 | File | `/config/getuser` | High
+6 | File | `/forum/away.php` | High
+7 | File | `/gcp/roleset/*` | High
+8 | File | `/horde/util/go.php` | High
 9 | File | `/hostapd` | Medium
-10 | File | `/iisadmpwd` | Medium
-11 | File | `/IISADMPWD` | Medium
+10 | File | `/IISADMPWD` | Medium
+11 | File | `/iisadmpwd` | Medium
 12 | File | `/include/chart_generator.php` | High
-13 | File | `/pro/repo-create.html` | High
-14 | File | `/proc/sysvipc/sem` | High
-15 | File | `/public/login.htm` | High
-16 | File | `/public/plugins/` | High
-17 | File | `/rest/api/1.0/render` | High
-18 | File | `/rest/api/latest/user/avatar/temporary` | High
-19 | File | `/secure/admin/ConfigureBatching!default.jspa` | High
-20 | File | `/sm/api/v1/firewall/zone/services` | High
-21 | File | `/sys/attachment/uploaderServlet` | High
-22 | File | `/uncpath/` | Medium
-23 | File | `/userRpm/popupSiteSurveyRpm.html` | High
-24 | File | `/users/{id}` | Medium
-25 | ... | ... | ...
+13 | File | `/MTFWU` | Low
+14 | File | `/my_photo_gallery/image.php` | High
+15 | File | `/public/admin.php` | High
+16 | File | `/public/login.htm` | High
+17 | File | `/public/login.htm?errormsg=&loginurl=%22%3E%3Csvg%20onload=prompt%28/XSS/%29%3E` | High
+18 | File | `/public/plugins/` | High
+19 | File | `/rest/api/1.0/render` | High
+20 | File | `/rest/api/latest/user/avatar/temporary` | High
+21 | File | `/s/` | Low
+22 | File | `/secure/admin/ConfigureBatching!default.jspa` | High
+23 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
+24 | File | `/sm/api/v1/firewall/zone/services` | High
+25 | File | `/sys/attachment/uploaderServlet` | High
+26 | File | `/uncpath/` | Medium
+27 | File | `/user-utils/users/md5.json` | High
+28 | File | `/userRpm/popupSiteSurveyRpm.html` | High
+29 | File | `/users/{id}` | Medium
+30 | File | `/usr/bin/pkexec` | High
+31 | File | `/wp-admin` | Medium
+32 | File | `/wp-admin/admin-ajax.php` | High
+33 | ... | ... | ...

-There are 206 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 277 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/LightBasin/README.md
+++ b/actors/LightBasin/README.md
@ -1,6 +1,6 @@
 # LightBasin - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [LightBasin](https://vuldb.com/?actor.lightbasin). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [LightBasin](https://vuldb.com/?actor.lightbasin). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.lightbasin](https://vuldb.com/?actor.lightbasin)

@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LightBasin:

-* CN
-* US
-* IR
+* [CN](https://vuldb.com/?country.cn)
+* [US](https://vuldb.com/?country.us)
+* [IR](https://vuldb.com/?country.ir)
 * ...

 There are 1 more country items available. Please use our online service to access the data.
@ -21,16 +21,16 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 45.32.116.0 | - | - | High
-2 | 45.33.77.0 | - | - | High
-3 | 45.76.215.0 | 45.76.215.0.vultr.com | - | Medium
+1 | [45.32.116.0](https://vuldb.com/?ip.45.32.116.0) | - | - | High
+2 | [45.33.77.0](https://vuldb.com/?ip.45.33.77.0) | - | - | High
+3 | [45.76.215.0](https://vuldb.com/?ip.45.76.215.0) | 45.76.215.0.vultr.com | - | Medium
 4 | ... | ... | ... | ...

 There are 6 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by LightBasin. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _LightBasin_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/Lock360/README.md
+++ b/actors/Lock360/README.md
@ -28,7 +28,7 @@ ID | IP address | Hostname | Campaign | Confidence

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Lock360. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Lock360_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/LokiBot/README.md
+++ b/actors/LokiBot/README.md
@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [CN](https://vuldb.com/?country.cn)
 * ...

-There are 12 more country items available. Please use our online service to access the data.
+There are 13 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

@ -45,7 +45,7 @@ There are 71 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by LokiBot. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _LokiBot_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -54,7 +54,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 6 more TTP items available. Please use our online service to access the data.
+There are 5 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -67,19 +67,19 @@ ID | Type | Indicator | Confidence
 3 | File | `/car.php` | Medium
 4 | File | `/CMD_ACCOUNT_ADMIN` | High
 5 | File | `/config/getuser` | High
-6 | File | `/context/%2e/WEB-INF/web.xml` | High
-7 | File | `/core/admin/categories.php` | High
-8 | File | `/dashboards/#` | High
-9 | File | `/etc/controller-agent/agent.conf` | High
-10 | File | `/etc/postfix/sender_login` | High
-11 | File | `/etc/sudoers` | Medium
-12 | File | `/etc/tomcat8/Catalina/attack` | High
-13 | File | `/filemanager/php/connector.php` | High
-14 | File | `/forum/away.php` | High
-15 | File | `/fudforum/adm/hlplist.php` | High
-16 | File | `/GponForm/fsetup_Form` | High
-17 | File | `/log_download.cgi` | High
-18 | File | `/modules/profile/index.php` | High
+6 | File | `/core/admin/categories.php` | High
+7 | File | `/dashboards/#` | High
+8 | File | `/etc/controller-agent/agent.conf` | High
+9 | File | `/etc/postfix/sender_login` | High
+10 | File | `/etc/sudoers` | Medium
+11 | File | `/etc/tomcat8/Catalina/attack` | High
+12 | File | `/filemanager/php/connector.php` | High
+13 | File | `/forum/away.php` | High
+14 | File | `/fudforum/adm/hlplist.php` | High
+15 | File | `/GponForm/fsetup_Form` | High
+16 | File | `/log_download.cgi` | High
+17 | File | `/modules/profile/index.php` | High
+18 | File | `/MTFWU` | Low
 19 | File | `/out.php` | Medium
 20 | File | `/public/plugins/` | High
 21 | File | `/s/` | Low
@ -91,13 +91,13 @@ ID | Type | Indicator | Confidence
 27 | File | `/tmp/kamailio_fifo` | High
 28 | File | `/uncpath/` | Medium
 29 | File | `/updown/upload.cgi` | High
-30 | File | `/usr/bin/at` | Medium
-31 | File | `/usr/bin/pkexec` | High
-32 | File | `/way4acs/enroll` | High
-33 | File | `/WEB-INF/web.xml` | High
+30 | File | `/usr/bin/pkexec` | High
+31 | File | `/way4acs/enroll` | High
+32 | File | `/WEB-INF/web.xml` | High
+33 | File | `/wp-json/wc/v3/webhooks` | High
 34 | ... | ... | ...

-There are 287 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 288 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Machete/README.md
+++ b/actors/Machete/README.md
@ -1,6 +1,6 @@
 # Machete - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Machete](https://vuldb.com/?actor.machete). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Machete](https://vuldb.com/?actor.machete). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.machete](https://vuldb.com/?actor.machete)

@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Machete:

-* US
-* CA
-* FR
+* [US](https://vuldb.com/?country.us)
+* [CA](https://vuldb.com/?country.ca)
+* [FR](https://vuldb.com/?country.fr)
 * ...

 There are 1 more country items available. Please use our online service to access the data.
@ -21,25 +21,22 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 69.64.43.33 | falcon207.startdedicated.com | - | High
-2 | 109.61.164.33 | 109-61-164-33.dsl.orel.ru | - | High
-3 | 142.44.236.215 | ip215.ip-142-44-236.net | - | High
+1 | [69.64.43.33](https://vuldb.com/?ip.69.64.43.33) | falcon207.startdedicated.com | - | High
+2 | [109.61.164.33](https://vuldb.com/?ip.109.61.164.33) | 109-61-164-33.dsl.orel.ru | - | High
+3 | [142.44.236.215](https://vuldb.com/?ip.142.44.236.215) | ip215.ip-142-44-236.net | - | High
 4 | ... | ... | ... | ...

 There are 6 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Machete. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Machete_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
 2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
 3 | T1211 | CWE-254 | 7PK Security Features | High
-4 | ... | ... | ... | ...
-
-There are 1 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

--- a/actors/Magecart/README.md
+++ b/actors/Magecart/README.md
@ -34,7 +34,7 @@ There are 27 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Magecart. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Magecart_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -43,7 +43,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 7 more TTP items available. Please use our online service to access the data.
+There are 6 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -51,19 +51,19 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `/admin/delete_image.php` | High
-2 | File | `/admin/login.php` | High
-3 | File | `/administrator/components/table_manager/` | High
-4 | File | `/changePassword` | High
-5 | File | `/context/%2e/WEB-INF/web.xml` | High
-6 | File | `/data-service/users/` | High
-7 | File | `/Hospital-Management-System-master/func.php` | High
-8 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
-9 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
-10 | File | `/js/app.js` | Medium
-11 | File | `/message-bus/_diagnostics` | High
-12 | File | `/ms/cms/content/list.do` | High
-13 | File | `/new` | Low
+1 | File | `/admin-panel1.php` | High
+2 | File | `/admin/delete_image.php` | High
+3 | File | `/admin/login.php` | High
+4 | File | `/administrator/components/table_manager/` | High
+5 | File | `/changePassword` | High
+6 | File | `/context/%2e/WEB-INF/web.xml` | High
+7 | File | `/data-service/users/` | High
+8 | File | `/Hospital-Management-System-master/func.php` | High
+9 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
+10 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
+11 | File | `/js/app.js` | Medium
+12 | File | `/message-bus/_diagnostics` | High
+13 | File | `/ms/cms/content/list.do` | High
 14 | File | `/plugin/jcapture/applet.php` | High
 15 | File | `/preferences/tags` | High
 16 | File | `/proc/<pid>/status` | High
@ -71,13 +71,13 @@ ID | Type | Indicator | Confidence
 18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
 19 | File | `/secure/EditSubscription.jspa` | High
 20 | File | `/secure/QueryComponent!Default.jspa` | High
-21 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
-22 | File | `/tmp` | Low
-23 | File | `/uncpath/` | Medium
-24 | File | `1.2.2.pl4` | Medium
-25 | File | `AccountManagerService.java` | High
-26 | File | `actions/CompanyDetailsSave.php` | High
-27 | File | `ActivityManagerService.java` | High
+21 | File | `/tmp` | Low
+22 | File | `/uncpath/` | Medium
+23 | File | `1.2.2.pl4` | Medium
+24 | File | `AccountManagerService.java` | High
+25 | File | `actions/CompanyDetailsSave.php` | High
+26 | File | `ActivityManagerService.java` | High
+27 | File | `admin.php` | Medium
 28 | ... | ... | ...

 There are 234 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
--- a/actors/Metamorfo/README.md
+++ b/actors/Metamorfo/README.md
@ -1,26 +1,26 @@
 # Metamorfo - Cyber Threat Intelligence

-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Metamorfo](https://vuldb.com/?actor.metamorfo). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Metamorfo](https://vuldb.com/?actor.metamorfo). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.metamorfo](https://vuldb.com/?actor.metamorfo)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.metamorfo](https://vuldb.com/?actor.metamorfo)

 ## Countries

-These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Metamorfo:
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Metamorfo:

-* PL
+* [PL](https://vuldb.com/?country.pl)

 ## IOC - Indicator of Compromise

-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Metamorfo.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Metamorfo.

-ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
-1 | 80.211.252.12 | host12-252-211-80.static.arubacloud.pl | High
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [80.211.252.12](https://vuldb.com/?ip.80.211.252.12) | host12-252-211-80.static.arubacloud.pl | - | High

 ## IOA - Indicator of Attack

-These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Metamorfo. This data is unique as it uses our predictive model for actor profiling.
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Metamorfo. This data is unique as it uses our predictive model for actor profiling.

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
@ -29,17 +29,17 @@ ID | Type | Indicator | Confidence
 3 | Argument | `cid` | Low
 4 | ... | ... | ...

-There are 1 more IOA items available. Please use our online service to access the data.
+There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:

 * https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md

 ## Literature

-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:

 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
--- a/actors/Mirai/README.md
+++ b/actors/Mirai/README.md
@ -1,6 +1,6 @@
 # Mirai - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Mirai](https://vuldb.com/?actor.mirai). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Mirai](https://vuldb.com/?actor.mirai). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.mirai](https://vuldb.com/?actor.mirai)

@ -8,13 +8,19 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 The following _campaigns_ are known and can be associated with Mirai:

+* DDoS Ukraine
 * Log4Shell

 ## Countries

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Mirai:

-* US
+* [US](https://vuldb.com/?country.us)
+* [NL](https://vuldb.com/?country.nl)
+* [CN](https://vuldb.com/?country.cn)
+* ...
+
+There are 6 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

@ -22,20 +28,65 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 2.56.56.78 | - | - | High
-2 | 34.80.131.135 | 135.131.80.34.bc.googleusercontent.com | - | Medium
-3 | 45.88.181.46 | pelko.incifios.org.uk | - | High
+1 | [2.56.56.78](https://vuldb.com/?ip.2.56.56.78) | - | - | High
+2 | [5.182.211.5](https://vuldb.com/?ip.5.182.211.5) | - | - | High
+3 | [34.80.131.135](https://vuldb.com/?ip.34.80.131.135) | 135.131.80.34.bc.googleusercontent.com | - | Medium
+4 | [45.61.136.130](https://vuldb.com/?ip.45.61.136.130) | - | DDoS Ukraine | High
+5 | [45.61.186.13](https://vuldb.com/?ip.45.61.186.13) | - | DDoS Ukraine | High
+6 | ... | ... | ... | ...
+
+There are 22 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Mirai_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-274, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 6 more IOC items available. Please use our online service to access the data.
+There are 7 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Mirai. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/etc/skel` | Medium
+2 | File | `/formSetPortTr` | High
+3 | File | `/forum/away.php` | High
+4 | File | `/guest/s/default/` | High
+5 | File | `/jeecg-boot/sys/common/upload` | High
+6 | File | `/public/plugins/` | High
+7 | File | `/question/ask` | High
+8 | File | `/rest/api/2/search` | High
+9 | File | `/rom-0` | Low
+10 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
+11 | File | `/uncpath/` | Medium
+12 | File | `/usr/sbin/httpd` | High
+13 | File | `adclick.php` | Medium
+14 | File | `admin.php` | Medium
+15 | File | `admin/scripts/FileUploader/php.php` | High
+16 | ... | ... | ...
+
+There are 129 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

 The following list contains _external sources_ which discuss the actor and the associated activities:

+* https://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickly-on-port-23-and-2323-en/
 * https://blog.netlab.360.com/emptiness-a-new-evolving-botnet/
+* https://blog.netlab.360.com/gpon-exploit-in-the-wild-iii-mettle-hajime-mirai-omni-imgay/
+* https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/
 * https://blog.netlab.360.com/wei-xie-kuai-xun-log4jlou-dong-yi-jing-bei-yong-lai-zu-jian-botnet-zhen-dui-linuxshe-bei/
+* https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/
 * https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/log4j-indicators-of-compromise-to-date/
+* https://urlhaus.abuse.ch/host/185.243.56.167/

 ## Literature

--- a/actors/Mofang/README.md
+++ b/actors/Mofang/README.md
@ -1,6 +1,6 @@
 # Mofang - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Mofang](https://vuldb.com/?actor.mofang). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Mofang](https://vuldb.com/?actor.mofang). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.mofang](https://vuldb.com/?actor.mofang)

@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Mofang:

-* US
-* CN
-* AT
+* [US](https://vuldb.com/?country.us)
+* [CN](https://vuldb.com/?country.cn)
+* [AT](https://vuldb.com/?country.at)
 * ...

 There are 6 more country items available. Please use our online service to access the data.
@ -21,18 +21,18 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 22.2.0.31 | - | - | High
-2 | 23.89.200.128 | - | - | High
-3 | 23.89.201.173 | - | - | High
-4 | 38.109.190.55 | lauras-creative-catering.com | - | High
-5 | 49.213.18.15 | - | - | High
+1 | [22.2.0.31](https://vuldb.com/?ip.22.2.0.31) | - | - | High
+2 | [23.89.200.128](https://vuldb.com/?ip.23.89.200.128) | - | - | High
+3 | [23.89.201.173](https://vuldb.com/?ip.23.89.201.173) | - | - | High
+4 | [38.109.190.55](https://vuldb.com/?ip.38.109.190.55) | lauras-creative-catering.com | - | High
+5 | [49.213.18.15](https://vuldb.com/?ip.49.213.18.15) | - | - | High
 6 | ... | ... | ... | ...

 There are 20 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Mofang. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Mofang_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -41,7 +41,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 4 more TTP items available. Please use our online service to access the data.
+There are 3 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -60,7 +60,7 @@ ID | Type | Indicator | Confidence
 9 | File | `blog.php` | Medium
 10 | ... | ... | ...

-There are 75 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 76 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Molerats/README.md
+++ b/actors/Molerats/README.md
@ -42,7 +42,7 @@ There are 17 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Molerats. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Molerats_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -51,7 +51,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 7 more TTP items available. Please use our online service to access the data.
+There are 6 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -87,9 +87,10 @@ ID | Type | Indicator | Confidence
 26 | File | `agents.php` | Medium
 27 | File | `api_poller.php` | High
 28 | File | `app/View/Helper/CommandHelper.php` | High
-29 | ... | ... | ...
+29 | File | `apport/hookutils.py` | High
+30 | ... | ... | ...

-There are 249 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 250 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/MuddyWater/README.md
+++ b/actors/MuddyWater/README.md
@ -21,7 +21,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

 * [JP](https://vuldb.com/?country.jp)
 * [US](https://vuldb.com/?country.us)
-* [GB](https://vuldb.com/?country.gb)
+* [FR](https://vuldb.com/?country.fr)
 * ...

 There are 13 more country items available. Please use our online service to access the data.
@ -51,7 +51,7 @@ There are 50 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by MuddyWater. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _MuddyWater_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -60,7 +60,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 9 more TTP items available. Please use our online service to access the data.
+There are 7 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -76,28 +76,27 @@ ID | Type | Indicator | Confidence
 6 | File | `/css/..%2f` | Medium
 7 | File | `/etc/tomcat8/Catalina/attack` | High
 8 | File | `/etc/wpa_supplicant.conf` | High
-9 | File | `/files/$username/Myfolder/Mysubfolder/shared.txt` | High
-10 | File | `/formSetPortTr` | High
-11 | File | `/forum/away.php` | High
-12 | File | `/getcfg.php` | Medium
-13 | File | `/GetCopiedFile` | High
-14 | File | `/hdf5/src/H5T.c` | High
-15 | File | `/include/chart_generator.php` | High
-16 | File | `/jerry-core/parser/js/js-scanner-util.c` | High
-17 | File | `/modules/profile/index.php` | High
-18 | File | `/music/ajax.php` | High
-19 | File | `/opensis/functions/GetStuListFnc.php` | High
-20 | File | `/owa/auth/logon.aspx` | High
-21 | File | `/post/editing` | High
-22 | File | `/product.php` | Medium
-23 | File | `/product_list.php` | High
-24 | File | `/public/plugins/` | High
-25 | File | `/RestAPI` | Medium
-26 | File | `/rsms/` | Low
-27 | File | `/secure/admin/AssociatedProjectsForCustomField.jspa` | High
-28 | ... | ... | ...
+9 | File | `/formSetPortTr` | High
+10 | File | `/forum/away.php` | High
+11 | File | `/GetCopiedFile` | High
+12 | File | `/hdf5/src/H5T.c` | High
+13 | File | `/include/chart_generator.php` | High
+14 | File | `/jerry-core/parser/js/js-scanner-util.c` | High
+15 | File | `/modules/profile/index.php` | High
+16 | File | `/music/ajax.php` | High
+17 | File | `/opensis/functions/GetStuListFnc.php` | High
+18 | File | `/owa/auth/logon.aspx` | High
+19 | File | `/post/editing` | High
+20 | File | `/product.php` | Medium
+21 | File | `/product_list.php` | High
+22 | File | `/public/plugins/` | High
+23 | File | `/RestAPI` | Medium
+24 | File | `/rsms/` | Low
+25 | File | `/secure/admin/ViewInstrumentation.jspa` | High
+26 | File | `/userRpm/PingIframeRpm.htm` | High
+27 | ... | ... | ...

-There are 234 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 223 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/Panda/README.md
+++ b/Panda/README.md
@ -1,6 +1,6 @@
 # Mustang Panda - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Mustang Panda](https://vuldb.com/?actor.mustang_panda). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Mustang Panda](https://vuldb.com/?actor.mustang_panda). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.mustang_panda](https://vuldb.com/?actor.mustang_panda)

@ -8,15 +8,15 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 The following _campaigns_ are known and can be associated with Mustang Panda:

-* Operation Diànxùn
+* Diànxùn

 ## Countries

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Mustang Panda:

-* DE
-* US
-* CN
+* [DE](https://vuldb.com/?country.de)
+* [US](https://vuldb.com/?country.us)
+* [CN](https://vuldb.com/?country.cn)

 ## IOC - Indicator of Compromise

@ -24,18 +24,18 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 43.254.217.67 | - | - | High
-2 | 45.32.50.150 | 45.32.50.150.vultr.com | - | Medium
-3 | 45.77.184.12 | comm.phiu.pw | - | High
-4 | 45.248.87.14 | - | - | High
-5 | 91.195.240.117 | - | - | High
+1 | [42.99.117.95](https://vuldb.com/?ip.42.99.117.95) | - | - | High
+2 | [43.254.217.67](https://vuldb.com/?ip.43.254.217.67) | - | - | High
+3 | [45.32.50.150](https://vuldb.com/?ip.45.32.50.150) | 45.32.50.150.vultr.com | - | Medium
+4 | [45.77.184.12](https://vuldb.com/?ip.45.77.184.12) | comm.phiu.pw | - | High
+5 | [45.248.87.14](https://vuldb.com/?ip.45.248.87.14) | - | - | High
 6 | ... | ... | ... | ...

-There are 21 more IOC items available. Please use our online service to access the data.
+There are 22 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Mustang Panda. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Mustang Panda_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -44,7 +44,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 8 more TTP items available. Please use our online service to access the data.
+There are 7 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -71,6 +71,7 @@ There are 89 more IOA items available (file, library, argument, input value, pat

 The following list contains _external sources_ which discuss the actor and the associated activities:

+* https://github.com/eset/malware-ioc/tree/master/quarterly_reports/2020_Q2
 * https://twitter.com/ESETresearch/status/1400165861973966854
 * https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
 * https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf
--- a/Group/README.md
+++ b/Group/README.md
@ -1,6 +1,6 @@
 # NSO Group - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [NSO Group](https://vuldb.com/?actor.nso_group). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [NSO Group](https://vuldb.com/?actor.nso_group). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.nso_group](https://vuldb.com/?actor.nso_group)

@ -16,9 +16,9 @@ The following _campaigns_ are known and can be associated with NSO Group:

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with NSO Group:

-* DE
-* US
-* CN
+* [DE](https://vuldb.com/?country.de)
+* [US](https://vuldb.com/?country.us)
+* [CN](https://vuldb.com/?country.cn)
 * ...

 There are 11 more country items available. Please use our online service to access the data.
@ -29,21 +29,21 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 3.13.132.96 | ec2-3-13-132-96.us-east-2.compute.amazonaws.com | Pegasus | Medium
-2 | 3.16.75.157 | ec2-3-16-75-157.us-east-2.compute.amazonaws.com | Pegasus | Medium
-3 | 13.58.85.100 | ec2-13-58-85-100.us-east-2.compute.amazonaws.com | Pegasus | Medium
-4 | 13.59.79.240 | ec2-13-59-79-240.us-east-2.compute.amazonaws.com | Pegasus | Medium
-5 | 18.191.63.125 | ec2-18-191-63-125.us-east-2.compute.amazonaws.com | Pegasus | Medium
-6 | 18.217.13.50 | ec2-18-217-13-50.us-east-2.compute.amazonaws.com | Pegasus | Medium
-7 | 18.225.12.72 | ec2-18-225-12-72.us-east-2.compute.amazonaws.com | Pegasus | Medium
-8 | 23.239.16.143 | li685-143.members.linode.com | Pegasus | High
+1 | [3.13.132.96](https://vuldb.com/?ip.3.13.132.96) | ec2-3-13-132-96.us-east-2.compute.amazonaws.com | Pegasus | Medium
+2 | [3.16.75.157](https://vuldb.com/?ip.3.16.75.157) | ec2-3-16-75-157.us-east-2.compute.amazonaws.com | Pegasus | Medium
+3 | [13.58.85.100](https://vuldb.com/?ip.13.58.85.100) | ec2-13-58-85-100.us-east-2.compute.amazonaws.com | Pegasus | Medium
+4 | [13.59.79.240](https://vuldb.com/?ip.13.59.79.240) | ec2-13-59-79-240.us-east-2.compute.amazonaws.com | Pegasus | Medium
+5 | [18.191.63.125](https://vuldb.com/?ip.18.191.63.125) | ec2-18-191-63-125.us-east-2.compute.amazonaws.com | Pegasus | Medium
+6 | [18.217.13.50](https://vuldb.com/?ip.18.217.13.50) | ec2-18-217-13-50.us-east-2.compute.amazonaws.com | Pegasus | Medium
+7 | [18.225.12.72](https://vuldb.com/?ip.18.225.12.72) | ec2-18-225-12-72.us-east-2.compute.amazonaws.com | Pegasus | Medium
+8 | [23.239.16.143](https://vuldb.com/?ip.23.239.16.143) | li685-143.members.linode.com | Pegasus | High
 9 | ... | ... | ... | ...

 There are 31 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by NSO Group. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _NSO Group_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -52,7 +52,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
 4 | ... | ... | ... | ...

-There are 8 more TTP items available. Please use our online service to access the data.
+There are 7 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -80,7 +80,7 @@ ID | Type | Indicator | Confidence
 18 | File | `admin.php` | Medium
 19 | ... | ... | ...

-There are 152 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 154 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Numando/README.md
+++ b/actors/Numando/README.md
@ -0,0 +1,38 @@
+# Numando - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Numando](https://vuldb.com/?actor.numando). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.numando](https://vuldb.com/?actor.numando)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Numando:
+
+* [US](https://vuldb.com/?country.us)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Numando.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [20.195.196.231](https://vuldb.com/?ip.20.195.196.231) | - | - | High
+2 | [20.197.228.40](https://vuldb.com/?ip.20.197.228.40) | - | - | High
+3 | [138.91.168.205](https://vuldb.com/?ip.138.91.168.205) | - | - | High
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://github.com/eset/malware-ioc/tree/master/numando
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
--- a/actors/Nymaim/README.md
+++ b/actors/Nymaim/README.md
@ -33,7 +33,7 @@ There are 22 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Nymaim. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Nymaim_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/OilRig/README.md
+++ b/actors/OilRig/README.md
@ -1,6 +1,6 @@
 # OilRig - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [OilRig](https://vuldb.com/?actor.oilrig). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [OilRig](https://vuldb.com/?actor.oilrig). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.oilrig](https://vuldb.com/?actor.oilrig)

@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with OilRig:

-* US
-* IR
-* CN
+* [US](https://vuldb.com/?country.us)
+* [IR](https://vuldb.com/?country.ir)
+* [CN](https://vuldb.com/?country.cn)
 * ...

 There are 3 more country items available. Please use our online service to access the data.
@ -21,17 +21,17 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 11.24.237.110 | - | - | High
-2 | 24.125.0.1 | - | - | High
-3 | 31.3.225.55 | h31-3-225-55.host.redstation.co.uk | - | High
-4 | 33.33.94.94 | - | - | High
+1 | [11.24.237.110](https://vuldb.com/?ip.11.24.237.110) | - | - | High
+2 | [24.125.0.1](https://vuldb.com/?ip.24.125.0.1) | - | - | High
+3 | [31.3.225.55](https://vuldb.com/?ip.31.3.225.55) | h31-3-225-55.host.redstation.co.uk | - | High
+4 | [33.33.94.94](https://vuldb.com/?ip.33.33.94.94) | - | - | High
 5 | ... | ... | ... | ...

 There are 14 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by OilRig. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _OilRig_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -40,7 +40,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 6 more TTP items available. Please use our online service to access the data.
+There are 5 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

--- a/Gonderici/README.md
+++ b/Gonderici/README.md
@ -30,7 +30,7 @@ There are 1 more IOC items available. Please use our online service to access th

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Oto Gonderici. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Oto Gonderici_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/Patchwork/README.md
+++ b/actors/Patchwork/README.md
@ -103,7 +103,7 @@ There are 274 more IOC items available. Please use our online service to access

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Patchwork. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Patchwork_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -145,37 +145,37 @@ ID | Type | Indicator | Confidence
 23 | File | `/rest/api/2/search` | High
 24 | File | `/s/` | Low
 25 | File | `/scripts/cpan_config` | High
-26 | File | `/services/system/setup.json` | High
-27 | File | `/uncpath/` | Medium
-28 | File | `/videotalk` | Medium
-29 | File | `/webconsole/APIController` | High
-30 | File | `/websocket/exec` | High
-31 | File | `/wp-admin/admin-ajax.php` | High
-32 | File | `/wp-json/oembed/1.0/embed?url` | High
-33 | File | `/_next` | Low
-34 | File | `4.edu.php\conn\function.php` | High
-35 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
-36 | File | `about.php` | Medium
-37 | File | `acl.c` | Low
-38 | File | `activity_log.php` | High
-39 | File | `adclick.php` | Medium
-40 | File | `addentry.php` | Medium
-41 | File | `add_vhost.php` | High
-42 | File | `adm/systools.asp` | High
-43 | File | `admin/admin_admin.php?nav=list_admin_user&admin_p_nav=user` | High
-44 | File | `admin/category.inc.php` | High
-45 | File | `admin/conf_users_edit.php` | High
-46 | File | `admin/default.asp` | High
-47 | File | `admin/dl_sendmail.php` | High
-48 | File | `admin/getparam.cgi` | High
-49 | File | `admin/index.php` | High
-50 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
-51 | File | `admin/media/rename.php` | High
-52 | File | `admin/password_forgotten.php` | High
-53 | File | `admin/versions.html` | High
+26 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
+27 | File | `/services/system/setup.json` | High
+28 | File | `/uncpath/` | Medium
+29 | File | `/videotalk` | Medium
+30 | File | `/web/MCmsAction.java` | High
+31 | File | `/webconsole/APIController` | High
+32 | File | `/websocket/exec` | High
+33 | File | `/wp-admin/admin-ajax.php` | High
+34 | File | `/wp-json/oembed/1.0/embed?url` | High
+35 | File | `/_next` | Low
+36 | File | `4.edu.php\conn\function.php` | High
+37 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
+38 | File | `about.php` | Medium
+39 | File | `acl.c` | Low
+40 | File | `activity_log.php` | High
+41 | File | `adclick.php` | Medium
+42 | File | `addentry.php` | Medium
+43 | File | `add_vhost.php` | High
+44 | File | `adm/systools.asp` | High
+45 | File | `admin/admin_admin.php?nav=list_admin_user&admin_p_nav=user` | High
+46 | File | `admin/category.inc.php` | High
+47 | File | `admin/conf_users_edit.php` | High
+48 | File | `admin/default.asp` | High
+49 | File | `admin/dl_sendmail.php` | High
+50 | File | `admin/getparam.cgi` | High
+51 | File | `admin/index.php` | High
+52 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
+53 | File | `admin/media/rename.php` | High
 54 | ... | ... | ...

-There are 475 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 472 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/PcShare/README.md
+++ b/actors/PcShare/README.md
@ -0,0 +1,50 @@
+# PcShare - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [PcShare](https://vuldb.com/?actor.pcshare). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.pcshare](https://vuldb.com/?actor.pcshare)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PcShare:
+
+* [US](https://vuldb.com/?country.us)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of PcShare.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [45.32.181.48](https://vuldb.com/?ip.45.32.181.48) | 45.32.181.48.vultr.com | - | Medium
+2 | [142.4.124.124](https://vuldb.com/?ip.142.4.124.124) | - | - | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by PcShare. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `data/gbconfiguration.dat` | High
+2 | File | `email.php` | Medium
+3 | File | `info.php4` | Medium
+4 | ... | ... | ...
+
+There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://blogs.blackberry.com/en/2019/09/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
--- a/actors/Platinum/README.md
+++ b/actors/Platinum/README.md
@ -1,6 +1,6 @@
 # Platinum - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Platinum](https://vuldb.com/?actor.platinum). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Platinum](https://vuldb.com/?actor.platinum). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.platinum](https://vuldb.com/?actor.platinum)

@ -8,7 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Platinum:

-* ES
+* [ES](https://vuldb.com/?country.es)

 ## IOC - Indicator of Compromise

@ -16,9 +16,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 61.31.203.98 | - | - | High
-2 | 70.39.115.196 | - | - | High
-3 | 190.96.47.9 | - | - | High
+1 | [61.31.203.98](https://vuldb.com/?ip.61.31.203.98) | - | - | High
+2 | [70.39.115.196](https://vuldb.com/?ip.70.39.115.196) | - | - | High
+3 | [190.96.47.9](https://vuldb.com/?ip.190.96.47.9) | - | - | High
 4 | ... | ... | ... | ...

 There are 3 more IOC items available. Please use our online service to access the data.
--- a/Spider/README.md
+++ b/Spider/README.md
@ -16,10 +16,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

 * [US](https://vuldb.com/?country.us)
 * [SC](https://vuldb.com/?country.sc)
-* [MX](https://vuldb.com/?country.mx)
+* [FR](https://vuldb.com/?country.fr)
 * ...

-There are 6 more country items available. Please use our online service to access the data.
+There are 7 more country items available. Please use our online service to access the data.

 ## IOC - Indicator of Compromise

@ -42,7 +42,7 @@ There are 35 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Prophet Spider. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Prophet Spider_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -51,7 +51,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
 4 | ... | ... | ... | ...

-There are 7 more TTP items available. Please use our online service to access the data.
+There are 8 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -66,24 +66,24 @@ ID | Type | Indicator | Confidence
 5 | File | `/admin_page/all-files-update-ajax.php` | High
 6 | File | `/api/servers` | Medium
 7 | File | `/aya/module/admin/ust_tab_e.inc.php` | High
-8 | File | `/core/admin/comment.php` | High
-9 | File | `/etc/cobbler` | Medium
+8 | File | `/etc/cobbler` | Medium
+9 | File | `/etc/passwd` | Medium
 10 | File | `/etc/wpa_supplicant.conf` | High
-11 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
-12 | File | `/js/js-parser.c` | High
-13 | File | `/languages/index.php` | High
-14 | File | `/main?cmd=invalid_browser` | High
-15 | File | `/members/view_member.php` | High
-16 | File | `/ms/file/uploadTemplate.do` | High
-17 | File | `/northstar/Admin/changePassword.jsp` | High
-18 | File | `/ok_png.c` | Medium
-19 | File | `/ping.html` | Medium
-20 | File | `/projeqtor/tool/saveAttachment.php` | High
-21 | File | `/rest/jpo/1.0/hierarchyConfiguration` | High
-22 | File | `/rootfs` | Low
+11 | File | `/goform/SetPptpServerCfg` | High
+12 | File | `/jeecg-boot/sys/user/queryUserByDepId` | High
+13 | File | `/js/js-parser.c` | High
+14 | File | `/languages/index.php` | High
+15 | File | `/mdiy/dict/listExcludeApp` | High
+16 | File | `/members/view_member.php` | High
+17 | File | `/ms/file/uploadTemplate.do` | High
+18 | File | `/northstar/Admin/changePassword.jsp` | High
+19 | File | `/ok_jpg.c` | Medium
+20 | File | `/ok_png.c` | Medium
+21 | File | `/ping.html` | Medium
+22 | File | `/rest/jpo/1.0/hierarchyConfiguration` | High
 23 | ... | ... | ...

-There are 193 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 194 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Qakbot/README.md
+++ b/actors/Qakbot/README.md
@ -104,7 +104,7 @@ There are 306 more IOC items available. Please use our online service to access

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Qakbot. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Qakbot_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -113,7 +113,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 9 more TTP items available. Please use our online service to access the data.
+There are 8 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

@ -122,32 +122,32 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
 1 | File | `%PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10` | High
-2 | File | `/(((a\2)|(a*)\g&lt/-1&gt/))*/` | High
-3 | File | `/+CSCOE+/logon.html` | High
-4 | File | `/alumni/admin/ajax.php?action=save_settings` | High
-5 | File | `/auth/session` | High
-6 | File | `/cfg` | Low
-7 | File | `/cgi-bin/webproc` | High
-8 | File | `/config/getuser` | High
-9 | File | `/etc/passwd` | Medium
-10 | File | `/exponent_constants.php` | High
-11 | File | `/front/document.form.php` | High
-12 | File | `/ibi_apps/WFServlet.cfg` | High
+2 | File | `/+CSCOE+/logon.html` | High
+3 | File | `/alumni/admin/ajax.php?action=save_settings` | High
+4 | File | `/auth/session` | High
+5 | File | `/cfg` | Low
+6 | File | `/cgi-bin/webproc` | High
+7 | File | `/config/getuser` | High
+8 | File | `/etc/passwd` | Medium
+9 | File | `/exponent_constants.php` | High
+10 | File | `/front/document.form.php` | High
+11 | File | `/ibi_apps/WFServlet.cfg` | High
+12 | File | `/include/chart_generator.php` | High
 13 | File | `/log_download.cgi` | High
 14 | File | `/proc/sysvipc/sem` | High
 15 | File | `/replication` | Medium
 16 | File | `/rest/collectors/1.0/template/custom` | High
 17 | File | `/RestAPI` | Medium
 18 | File | `/search.php` | Medium
-19 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
-20 | File | `/tmp` | Low
-21 | File | `/trigger` | Medium
-22 | File | `/uncpath/` | Medium
-23 | File | `/user/login/oauth` | High
-24 | File | `/usr/bin/pkexec` | High
-25 | File | `/usr/doc` | Medium
-26 | File | `/WEB-INF/web.xml` | High
-27 | File | `/webpages/data` | High
+19 | File | `/tmp` | Low
+20 | File | `/trigger` | Medium
+21 | File | `/uncpath/` | Medium
+22 | File | `/user/login/oauth` | High
+23 | File | `/usr/bin/pkexec` | High
+24 | File | `/usr/doc` | Medium
+25 | File | `/WEB-INF/web.xml` | High
+26 | File | `/webpages/data` | High
+27 | File | `/wp-admin/admin-ajax.php` | High
 28 | ... | ... | ...

 There are 238 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
--- a/actors/RagnarLocker/README.md
+++ b/actors/RagnarLocker/README.md
@ -0,0 +1,91 @@
+# RagnarLocker - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [RagnarLocker](https://vuldb.com/?actor.ragnarlocker). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.ragnarlocker](https://vuldb.com/?actor.ragnarlocker)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with RagnarLocker:
+
+* [US](https://vuldb.com/?country.us)
+* [DE](https://vuldb.com/?country.de)
+* [CN](https://vuldb.com/?country.cn)
+* ...
+
+There are 7 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of RagnarLocker.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [5.45.65.52](https://vuldb.com/?ip.5.45.65.52) | - | - | High
+2 | [23.106.122.192](https://vuldb.com/?ip.23.106.122.192) | - | - | High
+3 | [23.227.202.72](https://vuldb.com/?ip.23.227.202.72) | 23-227-202-72.static.hvvc.us | - | High
+4 | [37.120.238.107](https://vuldb.com/?ip.37.120.238.107) | - | - | High
+5 | [45.63.89.250](https://vuldb.com/?ip.45.63.89.250) | 45.63.89.250.vultr.com | - | Medium
+6 | [45.90.59.131](https://vuldb.com/?ip.45.90.59.131) | unallocated.layer6.net | - | High
+7 | ... | ... | ... | ...
+
+There are 26 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _RagnarLocker_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1211 | CWE-254 | 7PK Security Features | High
+4 | ... | ... | ... | ...
+
+There are 4 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by RagnarLocker. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/adminlogin.asp` | High
+2 | File | `/category_view.php` | High
+3 | File | `/forum/away.php` | High
+4 | File | `/HNAP1` | Low
+5 | File | `/mc-admin/post.php?state=delete&delete` | High
+6 | File | `/public/login.htm` | High
+7 | File | `/usr/ucb/mail` | High
+8 | File | `/wp-content/plugins/updraftplus/admin.php` | High
+9 | File | `adclick.php` | Medium
+10 | File | `addmember.php` | High
+11 | File | `addtocart.asp` | High
+12 | File | `addtomylist.asp` | High
+13 | File | `admin.x-shop.php` | High
+14 | File | `admin/auth.php` | High
+15 | File | `admin/import/class-import-settings.php` | High
+16 | File | `admin/sqlpatch.php` | High
+17 | File | `admincp/auth/checklogin.php` | High
+18 | File | `adminlogin.asp` | High
+19 | File | `aj.html` | Low
+20 | ... | ... | ...
+
+There are 165 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://www.ic3.gov/Media/News/2022/220307.pdf
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
--- a/actors/Ratsnif/README.md
+++ b/actors/Ratsnif/README.md
@ -0,0 +1,46 @@
+# Ratsnif - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Ratsnif](https://vuldb.com/?actor.ratsnif). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.ratsnif](https://vuldb.com/?actor.ratsnif)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Ratsnif:
+
+* [BR](https://vuldb.com/?country.br)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Ratsnif.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [66.85.185.126](https://vuldb.com/?ip.66.85.185.126) | ess.amosbusiness.info | - | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Ratsnif. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `shop.php` | Medium
+2 | Library | `unrarlib.c` | Medium
+3 | Argument | `id` | Low
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://blogs.blackberry.com/en/2019/07/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
--- a/actors/Retefe/README.md
+++ b/actors/Retefe/README.md
@ -1,6 +1,6 @@
 # Retefe - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Retefe](https://vuldb.com/?actor.retefe). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Retefe](https://vuldb.com/?actor.retefe). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.retefe](https://vuldb.com/?actor.retefe)

@ -30,13 +30,12 @@ There are 12 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Retefe. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Retefe_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
 2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
-3 | T1499 | CWE-400, CWE-404 | Resource Consumption | High

 ## IOA - Indicator of Attack

--- a/actors/Ryuk/README.md
+++ b/actors/Ryuk/README.md
@ -1,26 +1,26 @@
 # Ryuk - Cyber Threat Intelligence

-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Ryuk](https://vuldb.com/?actor.ryuk). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Ryuk](https://vuldb.com/?actor.ryuk). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.ryuk](https://vuldb.com/?actor.ryuk)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.ryuk](https://vuldb.com/?actor.ryuk)

 ## IOC - Indicator of Compromise

-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Ryuk.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Ryuk.

-ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
-1 | 104.248.83.13 | - | High
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [104.248.83.13](https://vuldb.com/?ip.104.248.83.13) | - | - | High

 ## References

-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:

 * https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Ryuk.csv

 ## Literature

-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:

 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
--- a/actors/Sandworm
+++ b/actors/Sandworm
@ -40,7 +40,7 @@ There are 26 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Sandworm Team. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Sandworm Team_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -90,11 +90,11 @@ ID | Type | Indicator | Confidence
 31 | File | `/tmp/redis.ds` | High
 32 | File | `/uncpath/` | Medium
 33 | File | `/usr/bin/pkexec` | High
-34 | File | `/ViewUserHover.jspa` | High
-35 | File | `/wp-admin` | Medium
+34 | File | `/wp-admin` | Medium
+35 | File | `/wp-json/wc/v3/webhooks` | High
 36 | ... | ... | ...

-There are 310 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 308 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/actors/Satana/README.md
+++ b/actors/Satana/README.md
@ -0,0 +1,53 @@
+# Satana - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Satana](https://vuldb.com/?actor.satana). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.satana](https://vuldb.com/?actor.satana)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Satana:
+
+* [US](https://vuldb.com/?country.us)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Satana.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [185.127.26.186](https://vuldb.com/?ip.185.127.26.186) | post.contell.ru | - | High
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Satana_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Satana. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `sl-xml.php` | Medium
+2 | Argument | `sl_custom_field` | High
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://blogs.blackberry.com/en/2016/08/satana-ransomware-devil-in-a-black-screen-of-death
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
--- a/actors/Sednit/README.md
+++ b/actors/Sednit/README.md
@ -0,0 +1,44 @@
+# Sednit - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Sednit](https://vuldb.com/?actor.sednit). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.sednit](https://vuldb.com/?actor.sednit)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Sednit:
+
+* [US](https://vuldb.com/?country.us)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Sednit.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [31.7.62.103](https://vuldb.com/?ip.31.7.62.103) | - | - | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Sednit. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `admin/admin.shtml` | High
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://github.com/eset/malware-ioc/tree/master/quarterly_reports/2020_Q3
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
--- a/actors/ShadowPad/README.md
+++ b/actors/ShadowPad/README.md
@ -27,7 +27,7 @@ ID | IP address | Hostname | Campaign | Confidence

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by ShadowPad. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _ShadowPad_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/Shadowcrew/README.md
+++ b/actors/Shadowcrew/README.md
--- a/actors/Silence/README.md
+++ b/actors/Silence/README.md
@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce

 * [US](https://vuldb.com/?country.us)
 * [CN](https://vuldb.com/?country.cn)
-* [FR](https://vuldb.com/?country.fr)
+* [ES](https://vuldb.com/?country.es)
 * ...

 There are 26 more country items available. Please use our online service to access the data.
@ -52,7 +52,7 @@ There are 101 more IOC items available. Please use our online service to access

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Silence. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Silence_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -106,7 +106,7 @@ ID | Type | Indicator | Confidence
 35 | File | `ActiveServices.java` | High
 36 | ... | ... | ...

-There are 312 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 309 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/Unknown/README.md
+++ b/Unknown/README.md
@ -1,6 +1,6 @@
 # South Asia Unknown - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [South Asia Unknown](https://vuldb.com/?actor.south_asia_unknown). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [South Asia Unknown](https://vuldb.com/?actor.south_asia_unknown). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.south_asia_unknown](https://vuldb.com/?actor.south_asia_unknown)

@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with South Asia Unknown:

-* US
-* RU
-* IR
+* [US](https://vuldb.com/?country.us)
+* [RU](https://vuldb.com/?country.ru)
+* [IR](https://vuldb.com/?country.ir)
 * ...

 There are 3 more country items available. Please use our online service to access the data.
@ -21,16 +21,16 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 91.92.136.239 | osca.gotdns.ch | - | High
-2 | 139.28.38.231 | 139.28.38.231.deltahost-ptr | - | High
-3 | 139.28.38.236 | 139.28.38.236.deltahost-ptr | - | High
+1 | [91.92.136.239](https://vuldb.com/?ip.91.92.136.239) | osca.gotdns.ch | - | High
+2 | [139.28.38.231](https://vuldb.com/?ip.139.28.38.231) | 139.28.38.231.deltahost-ptr | - | High
+3 | [139.28.38.236](https://vuldb.com/?ip.139.28.38.236) | 139.28.38.236.deltahost-ptr | - | High
 4 | ... | ... | ... | ...

 There are 5 more IOC items available. Please use our online service to access the data.

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by South Asia Unknown. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _South Asia Unknown_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -39,7 +39,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1211 | CWE-254 | 7PK Security Features | High
 4 | ... | ... | ... | ...

-There are 2 more TTP items available. Please use our online service to access the data.
+There are 1 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

--- a/actors/SparklingGoblin/README.md
+++ b/actors/SparklingGoblin/README.md
@ -0,0 +1,69 @@
+# SparklingGoblin - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SparklingGoblin](https://vuldb.com/?actor.sparklinggoblin). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.sparklinggoblin](https://vuldb.com/?actor.sparklinggoblin)
+
+## Campaigns
+
+The following _campaigns_ are known and can be associated with SparklingGoblin:
+
+* SideWalk
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with SparklingGoblin:
+
+* [US](https://vuldb.com/?country.us)
+* [RU](https://vuldb.com/?country.ru)
+* [NL](https://vuldb.com/?country.nl)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of SparklingGoblin.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [80.85.155.80](https://vuldb.com/?ip.80.85.155.80) | svr4.pcloud.ru.g.kwwwy.com | SideWalk | High
+2 | [104.21.49.220](https://vuldb.com/?ip.104.21.49.220) | - | SideWalk | High
+3 | [193.38.54.110](https://vuldb.com/?ip.193.38.54.110) | 4ser-1637423172.4server.su | SideWalk | High
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _SparklingGoblin_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
+3 | T1211 | CWE-254 | 7PK Security Features | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by SparklingGoblin. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `FileDownload.jsp` | High
+2 | File | `gallery.php` | Medium
+3 | File | `Illuminate/Validation/Concerns/ValidatesAttributes.php` | High
+4 | ... | ... | ...
+
+There are 3 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://github.com/eset/malware-ioc/tree/master/sparklinggoblin
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
--- a/actors/Sugar/README.md
+++ b/actors/Sugar/README.md
@ -1,6 +1,6 @@
 # Sugar - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Sugar](https://vuldb.com/?actor.sugar). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Sugar](https://vuldb.com/?actor.sugar). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.sugar](https://vuldb.com/?actor.sugar)

@ -8,9 +8,9 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Sugar:

-* US
-* ES
-* AR
+* [US](https://vuldb.com/?country.us)
+* [ES](https://vuldb.com/?country.es)
+* [AR](https://vuldb.com/?country.ar)
 * ...

 There are 3 more country items available. Please use our online service to access the data.
@ -21,12 +21,12 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 82.146.53.237 | docker-05.yarperspektiva.ru | - | High
-2 | 179.43.160.195 | - | - | High
+1 | [82.146.53.237](https://vuldb.com/?ip.82.146.53.237) | docker-05.yarperspektiva.ru | - | High
+2 | [179.43.160.195](https://vuldb.com/?ip.179.43.160.195) | - | - | High

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Sugar. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Sugar_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -35,7 +35,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...

-There are 8 more TTP items available. Please use our online service to access the data.
+There are 7 more TTP items available. Please use our online service to access the data.

 ## IOA - Indicator of Attack

--- a/actors/SunSeed/README.md
+++ b/actors/SunSeed/README.md
@ -0,0 +1,54 @@
+# SunSeed - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SunSeed](https://vuldb.com/?actor.sunseed). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.sunseed](https://vuldb.com/?actor.sunseed)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with SunSeed:
+
+* [US](https://vuldb.com/?country.us)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of SunSeed.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [84.32.188.96](https://vuldb.com/?ip.84.32.188.96) | - | - | High
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _SunSeed_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-80 | Cross Site Scripting | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by SunSeed. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `search.php` | Medium
+2 | Argument | `find_str` | Medium
+3 | Argument | `project[name]` | High
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
--- a/actors/TA505/README.md
+++ b/actors/TA505/README.md
@ -10,10 +10,10 @@ The following _campaigns_ are known and can be associated with TA505:

 * Ammyy
 * SDBbot
-* SDBbot RAT
+* servhelper
 * ...

-There are 2 more campaign items available. Please use our online service to access the data.
+There are 1 more campaign items available. Please use our online service to access the data.

 ## Countries

@ -49,7 +49,7 @@ There are 42 more IOC items available. Please use our online service to access t

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by TA505. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _TA505_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@ -108,7 +108,7 @@ ID | Type | Indicator | Confidence
 40 | File | `axspawn.c` | Medium
 41 | ... | ... | ...

-There are 354 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 353 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

--- a/Reservoir/README.md
+++ b/Reservoir/README.md
@ -1,37 +1,37 @@
 # Thamar Reservoir - Cyber Threat Intelligence

-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Thamar Reservoir](https://vuldb.com/?actor.thamar_reservoir). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Thamar Reservoir](https://vuldb.com/?actor.thamar_reservoir). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.thamar_reservoir](https://vuldb.com/?actor.thamar_reservoir)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.thamar_reservoir](https://vuldb.com/?actor.thamar_reservoir)

 ## Countries

-These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Thamar Reservoir:
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Thamar Reservoir:

-* US
-* PL
+* [US](https://vuldb.com/?country.us)
+* [PL](https://vuldb.com/?country.pl)

 ## IOC - Indicator of Compromise

-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Thamar Reservoir.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Thamar Reservoir.

-ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
-1 | 5.39.223.227 | - | High
-2 | 31.192.105.10 | muatypecast.com | High
-3 | 107.6.172.51 | hd-europe2124.banahosting.com | High
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [5.39.223.227](https://vuldb.com/?ip.5.39.223.227) | - | - | High
+2 | [31.192.105.10](https://vuldb.com/?ip.31.192.105.10) | - | - | High
+3 | [107.6.172.51](https://vuldb.com/?ip.107.6.172.51) | hd-europe2124.banahosting.com | - | High

 ## TTP - Tactics, Techniques, Procedures

-Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Thamar Reservoir. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Thamar Reservoir_. This data is unique as it uses our predictive model for actor profiling.

-ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
-1 | T1059.007 | Cross Site Scripting | High
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High

 ## IOA - Indicator of Attack

-These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Thamar Reservoir. This data is unique as it uses our predictive model for actor profiling.
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Thamar Reservoir. This data is unique as it uses our predictive model for actor profiling.

 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
@ -40,17 +40,17 @@ ID | Type | Indicator | Confidence
 3 | Argument | `form` | Low
 4 | ... | ... | ...

-There are 1 more IOA items available. Please use our online service to access the data.
+There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

 ## References

-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:

 * https://www.threatminer.org/report.php?q=Thamar-Reservoir.pdf&y=2015

 ## Literature

-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:

 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
--- a/actors/Tinba/README.md
+++ b/actors/Tinba/README.md
@ -1,31 +1,32 @@
 # Tinba - Cyber Threat Intelligence

-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Tinba](https://vuldb.com/?actor.tinba). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Tinba](https://vuldb.com/?actor.tinba). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.tinba](https://vuldb.com/?actor.tinba)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.tinba](https://vuldb.com/?actor.tinba)

 ## IOC - Indicator of Compromise

-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Tinba.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Tinba.

-ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
-1 | 198.54.117.197 | - | High
-2 | 198.54.117.198 | - | High
-3 | 198.54.117.199 | - | High
-4 | ... | ... | ...
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [198.54.117.197](https://vuldb.com/?ip.198.54.117.197) | - | - | High
+2 | [198.54.117.198](https://vuldb.com/?ip.198.54.117.198) | - | - | High
+3 | [198.54.117.199](https://vuldb.com/?ip.198.54.117.199) | - | - | High
+4 | ... | ... | ... | ...

-There are 1 more IOC items available. Please use our online service to access the data.
+There are 2 more IOC items available. Please use our online service to access the data.

 ## References

-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:

+* https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan
 * https://github.com/firehol/blocklist-ipsets/blob/master/bambenek_tinba.ipset

 ## Literature

-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:

 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
--- a/actors/Tortilla/README.md
+++ b/actors/Tortilla/README.md
@ -1,40 +1,40 @@
 # Tortilla - Cyber Threat Intelligence

-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Tortilla](https://vuldb.com/?actor.tortilla). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Tortilla](https://vuldb.com/?actor.tortilla). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.tortilla](https://vuldb.com/?actor.tortilla)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.tortilla](https://vuldb.com/?actor.tortilla)

 ## Campaigns

-The following campaigns are known and can be associated with Tortilla:
+The following _campaigns_ are known and can be associated with Tortilla:

 * Microsoft Exchange

 ## Countries

-These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Tortilla:
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Tortilla:

-* IT
+* [IT](https://vuldb.com/?country.it)

 ## IOC - Indicator of Compromise

-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Tortilla.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Tortilla.

-ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
-1 | 54.221.65.242 | ec2-54-221-65-242.compute-1.amazonaws.com | Medium
-2 | 168.119.93.163 | dupa.tk | High
-3 | 185.219.52.229 | - | High
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [54.221.65.242](https://vuldb.com/?ip.54.221.65.242) | ec2-54-221-65-242.compute-1.amazonaws.com | Microsoft Exchange | Medium
+2 | [168.119.93.163](https://vuldb.com/?ip.168.119.93.163) | dupa.tk | Microsoft Exchange | High
+3 | [185.219.52.229](https://vuldb.com/?ip.185.219.52.229) | - | Microsoft Exchange | High

 ## References

-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:

 * https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html

 ## Literature

-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:

 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
--- a/actors/Tortoiseshell/README.md
+++ b/actors/Tortoiseshell/README.md
@ -1,6 +1,6 @@
 # Tortoiseshell - Cyber Threat Intelligence

-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Tortoiseshell](https://vuldb.com/?actor.tortoiseshell). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Tortoiseshell](https://vuldb.com/?actor.tortoiseshell). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.

 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.tortoiseshell](https://vuldb.com/?actor.tortoiseshell)

@ -8,7 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com

 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Tortoiseshell:

-* US
+* [US](https://vuldb.com/?country.us)

 ## IOC - Indicator of Compromise

@ -16,12 +16,12 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi

 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 64.235.39.45 | lasvegas-nv-datacenter.serverpoint.com | - | High
-2 | 64.235.60.123 | lasvegas-nv-datacenter.serverpoint.com | - | High
+1 | [64.235.39.45](https://vuldb.com/?ip.64.235.39.45) | lasvegas-nv-datacenter.serverpoint.com | - | High
+2 | [64.235.60.123](https://vuldb.com/?ip.64.235.60.123) | lasvegas-nv-datacenter.serverpoint.com | - | High

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Tortoiseshell. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Tortoiseshell_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/actors/Unrecom/README.md
+++ b/actors/Unrecom/README.md
@ -27,7 +27,7 @@ There are 1 more IOC items available. Please use our online service to access th

 ## TTP - Tactics, Techniques, Procedures

-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Unrecom. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Unrecom_. This data is unique as it uses our predictive model for actor profiling.

 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
--- a/Show More
+++ b/Show More