Mirrors
/
cyber_threat_intelligence
mirror of https://github.com/vuldb/cyber_threat_intelligence
6
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update

This commit is contained in:
Marc Ruef 2022-08-04 12:18:19 +02:00
parent e8e862b297
commit a963970493
209 changed files with 6225 additions and 2686 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
actors/3LOSH/README.md Normal file
View File

@ -0,0 +1,55 @@
# 3LOSH - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [3LOSH](https://vuldb.com/?actor.3losh). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.3losh](https://vuldb.com/?actor.3losh)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with 3LOSH:
* [DE](https://vuldb.com/?country.de)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of 3LOSH.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [94.130.207.164](https://vuldb.com/?ip.94.130.207.164) | static.164.207.130.94.clients.your-server.de | - | High
2 | [141.95.89.79](https://vuldb.com/?ip.141.95.89.79) | ip79.ip-141-95-89.eu | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _3LOSH_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1592 | CWE-200 | Configuration | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by 3LOSH. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `data/gbconfiguration.dat` | High
2 | File | `redirect.php` | Medium
3 | Argument | `goto` | Low
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/272/3losh-srypter-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

16
actors/8220 Gang/README.md
View File

@ -27,7 +27,7 @@ ID | IP address | Hostname | Campaign | Confidence
3 | [146.59.198.38](https://vuldb.com/?ip.146.59.198.38) | vps-19ede15a.vps.ovh.net | CVE-2022-26134 | High
4 | ... | ... | ... | ...
There are 2 more IOC items available. Please use our online service to access the data.
There are 3 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -36,8 +36,11 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059 | CWE-94 | Cross Site Scripting | High
2 | T1505 | CWE-89 | SQL Injection | High
3 | T1592 | CWE-200 | Configuration | High
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
3 | T1068 | CWE-269 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -46,16 +49,17 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `data/gbconfiguration.dat` | High
2 | File | `inc/config.php` | High
3 | Argument | `basePath` | Medium
2 | File | `GatewaySettings.bin` | High
3 | File | `import.php` | Medium
4 | ... | ... | ...
There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 6 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/503/8220-botnet-iocs/
* https://blog.checkpoint.com/2022/06/09/crypto-miners-leveraging-atlassian-zero-day-vulnerability/
## Literature

5
actors/APT28/README.md
View File

@ -131,10 +131,9 @@ ID | Type | Indicator | Confidence
26 | File | `afr.php` | Low
27 | File | `apcupsd.pid` | Medium
28 | File | `api/it-recht-kanzlei/api-it-recht-kanzlei.php` | High
29 | File | `api/sms/send-sms` | High
30 | ... | ... | ...
29 | ... | ... | ...
There are 252 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 250 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

16
actors/APT33/README.md
View File

@ -102,13 +102,17 @@ ID | Type | Indicator | Confidence
31 | File | `/TeleoptiWFM/Administration/GetOneTenant` | High
32 | File | `/vicidial/admin.php` | High
33 | File | `/vicidial/AST_agent_time_sheet.php` | High
34 | File | `add_comment.php` | High
35 | File | `add_edit_cat.asp` | High
36 | File | `add_url.htm` | Medium
37 | File | `adm.cgi` | Low
38 | ... | ... | ...
34 | File | `addphotosform.php` | High
35 | File | `addreviewsform.php` | High
36 | File | `add_comment.php` | High
37 | File | `add_edit_cat.asp` | High
38 | File | `add_url.htm` | Medium
39 | File | `adm.cgi` | Low
40 | File | `admin/index.php` | High
41 | File | `adminAttachments.php` | High
42 | ... | ... | ...
There are 329 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 363 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

4
actors/APT34/README.md
View File

@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [IR](https://vuldb.com/?country.ir)
* ...
There are 8 more country items available. Please use our online service to access the data.
There are 9 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -89,7 +89,7 @@ ID | Type | Indicator | Confidence
27 | File | `/var/run/watchman.pid` | High
28 | ... | ... | ...
There are 236 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 240 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

2
actors/APT41/README.md
View File

@ -121,7 +121,7 @@ ID | Type | Indicator | Confidence
43 | File | `admin.php/comments/batchdel/` | High
44 | ... | ... | ...
There are 378 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 376 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

5
actors/Africa Unknown/README.md
View File

@ -101,10 +101,9 @@ ID | Type | Indicator | Confidence
36 | File | `ajax/deletePage.php` | High
37 | File | `ajouter_tva.php` | High
38 | File | `apcupsd.pid` | Medium
39 | File | `api/sms/send-sms` | High
40 | ... | ... | ...
39 | ... | ... | ...
There are 342 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 340 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

31
actors/Agent OGR/README.md Normal file
View File

@ -0,0 +1,31 @@
# Agent OGR - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Agent OGR](https://vuldb.com/?actor.agent_ogr). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.agent_ogr](https://vuldb.com/?actor.agent_ogr)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Agent OGR.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [159.69.101.96](https://vuldb.com/?ip.159.69.101.96) | static.96.101.69.159.clients.your-server.de | - | High
2 | [193.106.191.201](https://vuldb.com/?ip.193.106.191.201) | - | - | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/256/gs-004-agent-ogr-tr-pws-stealer-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

95
actors/Agent/README.md
View File

@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [RU](https://vuldb.com/?country.ru)
* ...
There are 29 more country items available. Please use our online service to access the data.
There are 31 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -54,56 +54,57 @@ ID | Type | Indicator | Confidence
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/.env` | Low
3 | File | `/.ssh/authorized_keys` | High
4 | File | `/accountancy/admin/accountmodel.php` | High
5 | File | `/admin/default.asp` | High
6 | File | `/ajax/networking/get_netcfg.php` | High
7 | File | `/app/options.py` | High
8 | File | `/assets/ctx` | Medium
9 | File | `/checkLogin.cgi` | High
10 | File | `/ci_spms/admin/category` | High
11 | File | `/ci_spms/admin/search/searching/` | High
12 | File | `/classes/Master.php?f=delete_train` | High
13 | File | `/cms/print.php` | High
14 | File | `/concat?/%2557EB-INF/web.xml` | High
15 | File | `/Content/Template/root/reverse-shell.aspx` | High
4 | File | `/admin/default.asp` | High
5 | File | `/ajax/networking/get_netcfg.php` | High
6 | File | `/app/options.py` | High
7 | File | `/assets/ctx` | Medium
8 | File | `/checkLogin.cgi` | High
9 | File | `/ci_spms/admin/category` | High
10 | File | `/ci_spms/admin/search/searching/` | High
11 | File | `/classes/Master.php?f=delete_train` | High
12 | File | `/cms/print.php` | High
13 | File | `/concat?/%2557EB-INF/web.xml` | High
14 | File | `/Content/Template/root/reverse-shell.aspx` | High
15 | File | `/dashboard/menu-list.php` | High
16 | File | `/data/remove` | Medium
17 | File | `/download` | Medium
18 | File | `/etc/passwd` | Medium
19 | File | `/goforms/rlminfo` | High
20 | File | `/login` | Low
21 | File | `/navigate/navigate_download.php` | High
22 | File | `/ocwbs/admin/?page=user/manage_user` | High
23 | File | `/ofrs/admin/?page=user/manage_user` | High
24 | File | `/owa/auth/logon.aspx` | High
25 | File | `/p` | Low
26 | File | `/password.html` | High
27 | File | `/proc/ioports` | High
28 | File | `/property-list/property_view.php` | High
29 | File | `/ptms/classes/Users.php` | High
30 | File | `/rest` | Low
31 | File | `/rest/api/2/search` | High
32 | File | `/s/` | Low
33 | File | `/scripts/cpan_config` | High
34 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
35 | File | `/services/system/setup.json` | High
36 | File | `/spip.php` | Medium
37 | File | `/uncpath/` | Medium
38 | File | `/vloggers_merch/?p=view_product` | High
39 | File | `/webconsole/APIController` | High
40 | File | `/websocket/exec` | High
41 | File | `/wp-admin/admin-ajax.php` | High
42 | File | `/wp-json` | Medium
43 | File | `/wp-json/oembed/1.0/embed?url` | High
44 | File | `/_next` | Low
45 | File | `4.edu.php\conn\function.php` | High
46 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
47 | File | `adclick.php` | Medium
48 | File | `addentry.php` | Medium
49 | File | `admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser` | High
50 | File | `admin/category.inc.php` | High
51 | ... | ... | ...
19 | File | `/ffos/classes/Master.php?f=save_category` | High
20 | File | `/goforms/rlminfo` | High
21 | File | `/Items/*/RemoteImages/Download` | High
22 | File | `/login` | Low
23 | File | `/navigate/navigate_download.php` | High
24 | File | `/ocwbs/admin/?page=user/manage_user` | High
25 | File | `/ofrs/admin/?page=user/manage_user` | High
26 | File | `/owa/auth/logon.aspx` | High
27 | File | `/p` | Low
28 | File | `/password.html` | High
29 | File | `/proc/ioports` | High
30 | File | `/property-list/property_view.php` | High
31 | File | `/ptms/classes/Users.php` | High
32 | File | `/rest` | Low
33 | File | `/rest/api/2/search` | High
34 | File | `/s/` | Low
35 | File | `/scripts/cpan_config` | High
36 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
37 | File | `/services/system/setup.json` | High
38 | File | `/spip.php` | Medium
39 | File | `/uncpath/` | Medium
40 | File | `/vloggers_merch/?p=view_product` | High
41 | File | `/webconsole/APIController` | High
42 | File | `/websocket/exec` | High
43 | File | `/wp-admin/admin-ajax.php` | High
44 | File | `/wp-json` | Medium
45 | File | `/wp-json/oembed/1.0/embed?url` | High
46 | File | `/_next` | Low
47 | File | `4.edu.php\conn\function.php` | High
48 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
49 | File | `adclick.php` | Medium
50 | File | `addentry.php` | Medium
51 | File | `admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser` | High
52 | ... | ... | ...
There are 444 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 448 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

38
actors/Amadey Bot/README.md
View File

@ -9,6 +9,15 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
The following _campaigns_ are known and can be associated with Amadey Bot:
* Azorult
* SmokeLoader
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Amadey Bot:
* [US](https://vuldb.com/?country.us)
* [IT](https://vuldb.com/?country.it)
* [DE](https://vuldb.com/?country.de)
## IOC - Indicator of Compromise
@ -17,11 +26,40 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [2.59.42.63](https://vuldb.com/?ip.2.59.42.63) | vds-cw08597.timeweb.ru | Azorult | High
2 | [185.17.0.52](https://vuldb.com/?ip.185.17.0.52) | physicalteam.aeza.network | SmokeLoader | High
3 | [185.17.0.63](https://vuldb.com/?ip.185.17.0.63) | braveteeth.aeza.network | SmokeLoader | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Amadey Bot_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1059 | CWE-94 | Cross Site Scripting | High
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
4 | ... | ... | ... | ...
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Amadey Bot. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `carbon/admin/login.jsp` | High
2 | File | `inc/config.php` | High
3 | File | `index.php` | Medium
4 | ... | ... | ...
There are 17 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://asec.ahnlab.com/en/36634/
* https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot
## Literature

68
actors/Armageddon/README.md Normal file
View File

@ -0,0 +1,68 @@
# Armageddon - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Armageddon](https://vuldb.com/?actor.armageddon). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.armageddon](https://vuldb.com/?actor.armageddon)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Armageddon:
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Armageddon.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [66.42.95.123](https://vuldb.com/?ip.66.42.95.123) | 66.42.95.123.vultrusercontent.com | - | High
2 | [92.53.116.145](https://vuldb.com/?ip.92.53.116.145) | smtpout7.timeweb.ru | - | High
3 | [194.58.121.198](https://vuldb.com/?ip.194.58.121.198) | 194-58-121-198.cloudvps.regruhosting.ru | - | High
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Armageddon_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1505 | CWE-89 | SQL Injection | High
4 | ... | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Armageddon. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `ngx_http_lua_subrequest.c` | High
2 | File | `stream.h` | Medium
3 | File | `utility.c` | Medium
4 | ... | ... | ...
There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/220/armageddon-apt-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

84
actors/AveMaria/README.md
View File

@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with AveMaria:
* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)
* [IO](https://vuldb.com/?country.io)
* [RU](https://vuldb.com/?country.ru)
* ...
There are 12 more country items available. Please use our online service to access the data.
There are 18 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -22,11 +22,11 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [5.2.68.67](https://vuldb.com/?ip.5.2.68.67) | - | - | High
2 | [185.140.53.174](https://vuldb.com/?ip.185.140.53.174) | - | - | High
3 | [185.183.98.169](https://vuldb.com/?ip.185.183.98.169) | - | - | High
2 | [31.210.20.231](https://vuldb.com/?ip.31.210.20.231) | - | - | High
3 | [169.159.91.226](https://vuldb.com/?ip.169.159.91.226) | - | - | High
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
There are 5 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -34,12 +34,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...
There are 4 more TTP items available. Please use our online service to access the data.
There are 18 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -47,22 +49,50 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/syslog` | High
2 | File | `/anony/mjpg.cgi` | High
3 | File | `/etc/shadow` | Medium
4 | File | `/plain` | Low
5 | File | `/public/login.htm` | High
6 | File | `/service/upload` | High
7 | File | `/uncpath/` | Medium
8 | File | `/upload/catalog/controller/account/password.php` | High
9 | File | `admin/admin_users.php` | High
10 | File | `admin/pageEditGroup.php` | High
11 | File | `admin/record_company.php` | High
12 | File | `admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list` | High
13 | File | `api/account/register` | High
14 | ... | ... | ...
1 | File | `$SPLUNK_HOME/etc/splunk-launch.conf` | High
2 | File | `.htaccess` | Medium
3 | File | `/.ssh/authorized_keys` | High
4 | File | `/account/details.php` | High
5 | File | `/admin/academic/studenview_left.php` | High
6 | File | `/admin/contenttemp` | High
7 | File | `/admin/payment.php` | High
8 | File | `/admin/syslog` | High
9 | File | `/anony/mjpg.cgi` | High
10 | File | `/assets/components/gallery/connector.php` | High
11 | File | `/ctcprotocol/Protocol` | High
12 | File | `/device/device=140/tab=wifi/view` | High
13 | File | `/etc/shadow` | Medium
14 | File | `/Forms/` | Low
15 | File | `/framework/modules/users/models/user.php` | High
16 | File | `/HNAP1/SetAccessPointMode` | High
17 | File | `/iisadmin` | Medium
18 | File | `/index.php` | Medium
19 | File | `/mcategory.php` | High
20 | File | `/member/picture/album` | High
21 | File | `/mysql/api/diags.php` | High
22 | File | `/phpcollab/users/edituser.php` | High
23 | File | `/plain` | Low
24 | File | `/products/details.asp` | High
25 | File | `/product_list.php` | High
26 | File | `/public/login.htm` | High
27 | File | `/replication` | Medium
28 | File | `/service/upload` | High
29 | File | `/services/details.asp` | High
30 | File | `/trx_addons/v2/get/sc_layout` | High
31 | File | `/uncpath/` | Medium
32 | File | `/upload/catalog/controller/account/password.php` | High
33 | File | `/var/log/postgresql` | High
34 | File | `/_vti_pvt/access.cnf` | High
35 | File | `4.edu.php` | Medium
36 | File | `add_ons.php` | Medium
37 | File | `add_to_cart.php` | High
38 | File | `admin.php` | Medium
39 | File | `admin/admin_users.php` | High
40 | File | `admin/index.php` | High
41 | File | `admin/mod_users/controller.php?action=edit` | High
42 | ... | ... | ...
There are 111 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 365 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -70,6 +100,10 @@ The following list contains _external sources_ which discuss the actor and the a
* https://asec.ahnlab.com/en/34102/
* https://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery
* https://github.com/executemalware/Malware-IOCs/blob/main/2021-10-11%20AveMaria%20IOCs
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-01-28%20AveMaria_Warzone%20IOCs
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-04-19%20AveMaria_Warzone%20IOCs
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-06-24%20AveMaria_Warzone%20RAT%20IOCs
## Literature

68
actors/Avos/README.md Normal file
View File

@ -0,0 +1,68 @@
# Avos - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Avos](https://vuldb.com/?actor.avos). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.avos](https://vuldb.com/?actor.avos)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Avos:
* [FR](https://vuldb.com/?country.fr)
* [RU](https://vuldb.com/?country.ru)
* [ES](https://vuldb.com/?country.es)
* ...
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Avos.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [45.136.230.191](https://vuldb.com/?ip.45.136.230.191) | - | - | High
2 | [176.113.115.107](https://vuldb.com/?ip.176.113.115.107) | - | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Avos_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | ... | ... | ... | ...
There are 4 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Avos. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/iwguestbook/admin/badwords_edit.asp` | High
2 | File | `/iwguestbook/admin/messages_edit.asp` | High
3 | File | `admin/dashboard.php` | High
4 | ... | ... | ...
There are 22 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/364/avos-apt-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

16
actors/Azorult/README.md
View File

@ -29,7 +29,7 @@ ID | IP address | Hostname | Campaign | Confidence
6 | [45.139.236.14](https://vuldb.com/?ip.45.139.236.14) | - | - | High
7 | ... | ... | ... | ...
There are 22 more IOC items available. Please use our online service to access the data.
There are 26 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -37,12 +37,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 5 more TTP items available. Please use our online service to access the data.
There are 15 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -66,7 +67,7 @@ ID | Type | Indicator | Confidence
14 | File | `actions/ChangeConfiguration.html` | High
15 | ... | ... | ...
There are 118 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 123 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -74,6 +75,7 @@ The following list contains _external sources_ which discuss the actor and the a
* https://blog.cyble.com/2021/10/26/a-deep-dive-analysis-of-azorult-stealer/
* https://blog.talosintelligence.com/2020/01/threat-roundup-0117-0124.html
* https://cert.gov.ua/article/2806
* https://isc.sans.edu/forums/diary/More+malspam+pushing+passwordprotected+Word+docs+for+AZORult+and+Hermes+Ransomware/23992/
## Literature

59
actors/B1txor20/README.md
View File

@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with B1txor20:
* [US](https://vuldb.com/?country.us)
* [GB](https://vuldb.com/?country.gb)
* [CN](https://vuldb.com/?country.cn)
* [PT](https://vuldb.com/?country.pt)
* ...
There are 13 more country items available. Please use our online service to access the data.
There are 6 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -45,14 +45,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
1 | T1006 | CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...
There are 20 more TTP items available. Please use our online service to access the data.
There are 19 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -60,30 +60,33 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.encfs6.xml` | Medium
2 | File | `.forward` | Medium
3 | File | `.python-version` | High
4 | File | `/ajax/remove_sniffer_raw_log/` | High
5 | File | `/api/sys_username_passwd.cmd` | High
6 | File | `/auth/callback` | High
7 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
8 | File | `/bmis/pages/resident/resident.php` | High
9 | File | `/cgi-bin/mesh.cgi?page=upgrade` | High
10 | File | `/cgi-bin/nightled.cgi` | High
11 | File | `/cgi-bin/nobody` | High
12 | File | `/ci_spms/admin/category` | High
13 | File | `/conf/` | Low
14 | File | `/dashboard/menu-list.php` | High
15 | File | `/dashboard/profile.php` | High
16 | File | `/dashboard/reports/logs/view` | High
17 | File | `/dashboard/table-list.php` | High
18 | File | `/dev/pts/` | Medium
19 | File | `/editbrand.php` | High
20 | File | `/etc/hosts` | Medium
21 | File | `/etc/lighttpd.d/ca.pem` | High
22 | ... | ... | ...
1 | File | `/admin` | Low
2 | File | `/api/plugin/uninstall` | High
3 | File | `/api/plugin/upload` | High
4 | File | `/artist-display.php` | High
5 | File | `/assets/partials/_handleLogin.php` | High
6 | File | `/cgi-bin/ExportAllSettings.sh` | High
7 | File | `/chart` | Low
8 | File | `/context.json` | High
9 | File | `/ecrire` | Low
10 | File | `/editbrand.php` | High
11 | File | `/edituser.php` | High
12 | File | `/login.php` | Medium
13 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
14 | File | `/movie.php` | Medium
15 | File | `/pages/activity/activity.php` | High
16 | File | `/pages/permit/permit.php` | High
17 | File | `/pay-with-paypal/{id}` | High
18 | File | `/php_action/createUser.php` | High
19 | File | `/req_password_user.php` | High
20 | File | `/show_news.php` | High
21 | File | `/sistema/flash/reboot` | High
22 | File | `/smarthome/devicecontrol` | High
23 | File | `/src/video/x11/SDL_x11yuv.c` | High
24 | File | `/wordpress-gallery-transformation/gallery.php` | High
25 | ... | ... | ...
There are 179 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 207 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

45
actors/Beastmode/README.md Normal file
View File

@ -0,0 +1,45 @@
# Beastmode - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Beastmode](https://vuldb.com/?actor.beastmode). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.beastmode](https://vuldb.com/?actor.beastmode)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Beastmode:
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Beastmode.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [136.144.41.69](https://vuldb.com/?ip.136.144.41.69) | - | - | High
2 | [195.133.18.119](https://vuldb.com/?ip.195.133.18.119) | - | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Beastmode_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/81/beastmode-botnet-ioc/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

30
actors/Black Basta/README.md Normal file
View File

@ -0,0 +1,30 @@
# Black Basta - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Black Basta](https://vuldb.com/?actor.black_basta). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.black_basta](https://vuldb.com/?actor.black_basta)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Black Basta.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [23.106.160.188](https://vuldb.com/?ip.23.106.160.188) | - | - | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/311/black-basta-apt-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

61
actors/BlackCat/README.md
View File

@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BlackCat:
* [US](https://vuldb.com/?country.us)
* [PT](https://vuldb.com/?country.pt)
* [DE](https://vuldb.com/?country.de)
* [FR](https://vuldb.com/?country.fr)
* ...
There are 5 more country items available. Please use our online service to access the data.
There are 9 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -34,7 +34,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-425 | Pathname Traversal | High
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24, CWE-425 | Pathname Traversal | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
@ -42,7 +42,7 @@ ID | Technique | Weakness | Description | Confidence
6 | T1068 | CWE-250, CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
7 | ... | ... | ... | ...
There are 24 more TTP items available. Please use our online service to access the data.
There are 22 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -61,35 +61,32 @@ ID | Type | Indicator | Confidence
9 | File | `/admin/new-content` | High
10 | File | `/admin/posts.php` | High
11 | File | `/admin/posts.php&action=delete` | High
12 | File | `/admin/run_ajax.php` | High
13 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
14 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
15 | File | `/admin/uesrs.php&action=type&userrole=Admin&userid=3` | High
16 | File | `/ajax/set_sys_time/` | High
17 | File | `/api/programs/orgUnits?programs` | High
18 | File | `/application/controllers/Users.php` | High
19 | File | `/bcms/admin/?page=reports/daily_court_rental_report` | High
20 | File | `/bcms/admin/?page=service_transactions/manage_service_transaction` | High
21 | File | `/bcms/classes/Master.php?f=delete_court_rental` | High
22 | File | `/blog/blog.php` | High
23 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
24 | File | `/cgi-bin/kerbynet` | High
25 | File | `/cgi/get_param.cgi` | High
26 | File | `/checklogin.jsp` | High
27 | File | `/ci_hms/search` | High
28 | File | `/classes/Master.php?f=delete_schedule` | High
29 | File | `/cms/classes/Master.php?f=delete_service` | High
30 | File | `/company/account/safety/trade` | High
31 | File | `/ctpms/admin/?page=individuals/view_individual` | High
32 | File | `/ctpms/classes/Master.php?f=delete_img` | High
33 | File | `/dashboard/reports/logs/view` | High
34 | File | `/dashboard/snapshot/*?orgId=0` | High
35 | File | `/etc/ajenti/config.yml` | High
36 | File | `/fuel/sitevariables/delete/4` | High
37 | File | `/goform/AdvSetLanIp` | High
38 | ... | ... | ...
12 | File | `/admin/siteoptions.php&action=displaygoal&value=1&roleid=1` | High
13 | File | `/admin/uesrs.php&&action=delete&userid=4` | High
14 | File | `/admin/uesrs.php&action=type&userrole=Admin&userid=3` | High
15 | File | `/ajax/set_sys_time/` | High
16 | File | `/api/programs/orgUnits?programs` | High
17 | File | `/application/controllers/Users.php` | High
18 | File | `/bcms/admin/?page=reports/daily_court_rental_report` | High
19 | File | `/bcms/admin/?page=service_transactions/manage_service_transaction` | High
20 | File | `/bcms/classes/Master.php?f=delete_court_rental` | High
21 | File | `/cdsms/classes/Master.php?f=delete_enrollment` | High
22 | File | `/cgi/get_param.cgi` | High
23 | File | `/checklogin.jsp` | High
24 | File | `/ci_hms/search` | High
25 | File | `/ci_spms/admin/search/searching/` | High
26 | File | `/classes/Master.php?f=delete_schedule` | High
27 | File | `/cms/classes/Master.php?f=delete_service` | High
28 | File | `/company/account/safety/trade` | High
29 | File | `/ctpms/admin/?page=individuals/view_individual` | High
30 | File | `/ctpms/classes/Master.php?f=delete_img` | High
31 | File | `/dashboard/reports/logs/view` | High
32 | File | `/dashboard/snapshot/*?orgId=0` | High
33 | File | `/dotrace.asp` | Medium
34 | File | `/fuel/sitevariables/delete/4` | High
35 | ... | ... | ...
There are 327 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 295 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

15
actors/BlackEnergy/README.md
View File

@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* ...
There are 21 more country items available. Please use our online service to access the data.
There are 19 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -69,7 +69,7 @@ ID | Type | Indicator | Confidence
16 | File | `/index/jobfairol/show/` | High
17 | File | `/librarian/bookdetails.php` | High
18 | File | `/mgmt/tm/util/bash` | High
19 | File | `/monitoring` | Medium
19 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
20 | File | `/new` | Low
21 | File | `/proc/<PID>/mem` | High
22 | File | `/proc/<pid>/status` | High
@ -77,12 +77,13 @@ ID | Type | Indicator | Confidence
24 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
25 | File | `/secure/QueryComponent!Default.jspa` | High
26 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
27 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
28 | File | `/tmp` | Low
29 | File | `/uncpath/` | Medium
30 | ... | ... | ...
27 | File | `/spip.php` | Medium
28 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
29 | File | `/tmp` | Low
30 | File | `/uncpath/` | Medium
31 | ... | ... | ...
There are 252 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 265 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

90
actors/Brute Ratel C4/README.md Normal file
View File

@ -0,0 +1,90 @@
# Brute Ratel C4 - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Brute Ratel C4](https://vuldb.com/?actor.brute_ratel_c4). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.brute_ratel_c4](https://vuldb.com/?actor.brute_ratel_c4)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Brute Ratel C4:
* [US](https://vuldb.com/?country.us)
* [IE](https://vuldb.com/?country.ie)
* [CN](https://vuldb.com/?country.cn)
* ...
There are 8 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Brute Ratel C4.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [3.110.56.219](https://vuldb.com/?ip.3.110.56.219) | ec2-3-110-56-219.ap-south-1.compute.amazonaws.com | - | Medium
2 | [3.133.7.69](https://vuldb.com/?ip.3.133.7.69) | ec2-3-133-7-69.us-east-2.compute.amazonaws.com | - | Medium
3 | [15.206.84.52](https://vuldb.com/?ip.15.206.84.52) | ec2-15-206-84-52.ap-south-1.compute.amazonaws.com | - | Medium
4 | [18.130.233.249](https://vuldb.com/?ip.18.130.233.249) | ec2-18-130-233-249.eu-west-2.compute.amazonaws.com | - | Medium
5 | [18.133.26.247](https://vuldb.com/?ip.18.133.26.247) | ec2-18-133-26-247.eu-west-2.compute.amazonaws.com | - | Medium
6 | [18.217.179.8](https://vuldb.com/?ip.18.217.179.8) | ec2-18-217-179-8.us-east-2.compute.amazonaws.com | - | Medium
7 | [18.236.92.31](https://vuldb.com/?ip.18.236.92.31) | ec2-18-236-92-31.us-west-2.compute.amazonaws.com | - | Medium
8 | [31.184.198.83](https://vuldb.com/?ip.31.184.198.83) | - | - | High
9 | [34.195.122.225](https://vuldb.com/?ip.34.195.122.225) | ec2-34-195-122-225.compute-1.amazonaws.com | - | Medium
10 | ... | ... | ... | ...
There are 35 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Brute Ratel C4_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 14 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Brute Ratel C4. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/admin/featured.php` | High
3 | File | `/admin/newsletter1.php` | High
4 | File | `/admin/renewaldue.php` | High
5 | File | `/admin/reports.php` | High
6 | File | `/admin/web_config.php` | High
7 | File | `/ajax/ImportCertificate` | High
8 | File | `/app/controller/Books.php` | High
9 | File | `/cgi-bin` | Medium
10 | File | `/config/service/host.go` | High
11 | File | `/data/sqldata` | High
12 | File | `/DataHandler/AM/AM_Handler.ashx` | High
13 | File | `/lan.asp` | Medium
14 | File | `/Pwrchute` | Medium
15 | ... | ... | ...
There are 116 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/409/brute-ratel-c4-brc4-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

165
actors/Bumblebee/README.md
View File

@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bumblebee:
* [VN](https://vuldb.com/?country.vn)
* [IT](https://vuldb.com/?country.it)
* [PL](https://vuldb.com/?country.pl)
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* ...
There are 2 more country items available. Please use our online service to access the data.
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -66,59 +66,77 @@ ID | IP address | Hostname | Campaign | Confidence
43 | [22.83.186.45](https://vuldb.com/?ip.22.83.186.45) | - | - | High
44 | [22.175.0.90](https://vuldb.com/?ip.22.175.0.90) | - | - | High
45 | [23.81.246.187](https://vuldb.com/?ip.23.81.246.187) | - | - | High
46 | [23.254.201.97](https://vuldb.com/?ip.23.254.201.97) | hwsrv-974106.hostwindsdns.com | - | High
47 | [23.254.217.222](https://vuldb.com/?ip.23.254.217.222) | hwsrv-976272.hostwindsdns.com | - | High
48 | [24.4.68.32](https://vuldb.com/?ip.24.4.68.32) | c-24-4-68-32.hsd1.ca.comcast.net | - | High
49 | [24.57.185.167](https://vuldb.com/?ip.24.57.185.167) | d24-57-185-167.home.cgocable.net | - | High
50 | [24.121.25.160](https://vuldb.com/?ip.24.121.25.160) | 24-121-25-160.sdoncmtk01.com.dyn.suddenlink.net | - | High
51 | [25.5.198.104](https://vuldb.com/?ip.25.5.198.104) | - | - | High
52 | [25.170.215.18](https://vuldb.com/?ip.25.170.215.18) | - | - | High
53 | [25.181.64.39](https://vuldb.com/?ip.25.181.64.39) | - | - | High
54 | [26.6.83.53](https://vuldb.com/?ip.26.6.83.53) | - | - | High
55 | [28.53.120.108](https://vuldb.com/?ip.28.53.120.108) | - | - | High
56 | [28.107.38.196](https://vuldb.com/?ip.28.107.38.196) | - | - | High
57 | [28.148.236.16](https://vuldb.com/?ip.28.148.236.16) | - | - | High
58 | [29.64.0.111](https://vuldb.com/?ip.29.64.0.111) | - | - | High
59 | [29.122.243.158](https://vuldb.com/?ip.29.122.243.158) | - | - | High
60 | [30.17.4.146](https://vuldb.com/?ip.30.17.4.146) | - | - | High
61 | [30.65.48.152](https://vuldb.com/?ip.30.65.48.152) | - | - | High
62 | [30.205.76.70](https://vuldb.com/?ip.30.205.76.70) | - | - | High
63 | [31.228.253.114](https://vuldb.com/?ip.31.228.253.114) | - | - | High
64 | [32.181.245.23](https://vuldb.com/?ip.32.181.245.23) | - | - | High
65 | [33.93.97.183](https://vuldb.com/?ip.33.93.97.183) | - | - | High
66 | [33.145.184.132](https://vuldb.com/?ip.33.145.184.132) | - | - | High
67 | [34.229.154.31](https://vuldb.com/?ip.34.229.154.31) | ec2-34-229-154-31.compute-1.amazonaws.com | - | Medium
68 | [35.120.155.220](https://vuldb.com/?ip.35.120.155.220) | - | - | High
69 | [36.110.58.103](https://vuldb.com/?ip.36.110.58.103) | 103.58.110.36.static.bjtelecom.net | - | High
70 | [37.64.220.2](https://vuldb.com/?ip.37.64.220.2) | 2.220.64.37.rev.sfr.net | - | High
71 | [37.72.174.23](https://vuldb.com/?ip.37.72.174.23) | 37-72-174-23.static.hvvc.us | - | High
72 | [37.120.198.248](https://vuldb.com/?ip.37.120.198.248) | - | - | High
73 | [38.12.57.131](https://vuldb.com/?ip.38.12.57.131) | - | - | High
74 | [39.57.152.217](https://vuldb.com/?ip.39.57.152.217) | - | - | High
75 | [40.72.17.141](https://vuldb.com/?ip.40.72.17.141) | - | - | High
76 | [41.28.188.77](https://vuldb.com/?ip.41.28.188.77) | vc-gp-s-41-28-188-77.umts.vodacom.co.za | - | High
77 | [41.56.181.200](https://vuldb.com/?ip.41.56.181.200) | - | - | High
78 | [45.3.236.177](https://vuldb.com/?ip.45.3.236.177) | 045-003-236-177.biz.spectrum.com | - | High
79 | [45.84.0.13](https://vuldb.com/?ip.45.84.0.13) | vm523902.stark-industries.solutions | - | High
80 | [45.138.172.246](https://vuldb.com/?ip.45.138.172.246) | - | - | High
81 | [45.142.214.120](https://vuldb.com/?ip.45.142.214.120) | vm516885.stark-industries.solutions | - | High
82 | [45.142.214.167](https://vuldb.com/?ip.45.142.214.167) | - | - | High
83 | [45.147.229.50](https://vuldb.com/?ip.45.147.229.50) | - | - | High
84 | [45.147.229.101](https://vuldb.com/?ip.45.147.229.101) | - | - | High
85 | [45.147.229.199](https://vuldb.com/?ip.45.147.229.199) | - | - | High
86 | [45.147.231.202](https://vuldb.com/?ip.45.147.231.202) | - | - | High
87 | [45.153.240.139](https://vuldb.com/?ip.45.153.240.139) | - | - | High
88 | [45.153.241.187](https://vuldb.com/?ip.45.153.241.187) | - | - | High
89 | [45.153.241.234](https://vuldb.com/?ip.45.153.241.234) | - | - | High
90 | [46.21.153.145](https://vuldb.com/?ip.46.21.153.145) | 145.153.21.46.static.swiftway.net | - | High
91 | [46.44.240.53](https://vuldb.com/?ip.46.44.240.53) | 46-44-240-53.ip.welcomeitalia.it | - | High
92 | [47.27.63.45](https://vuldb.com/?ip.47.27.63.45) | 047-027-063-045.res.spectrum.com | - | High
93 | [47.58.200.234](https://vuldb.com/?ip.47.58.200.234) | 47-58-200-234.red-acceso.airtel.net | - | High
94 | [48.165.175.199](https://vuldb.com/?ip.48.165.175.199) | - | - | High
95 | [48.209.106.172](https://vuldb.com/?ip.48.209.106.172) | - | - | High
96 | ... | ... | ... | ...
46 | [23.82.19.208](https://vuldb.com/?ip.23.82.19.208) | - | - | High
47 | [23.82.140.133](https://vuldb.com/?ip.23.82.140.133) | - | - | High
48 | [23.82.141.184](https://vuldb.com/?ip.23.82.141.184) | - | - | High
49 | [23.83.133.1](https://vuldb.com/?ip.23.83.133.1) | v327.er01.dal.ubiquity.io | - | High
50 | [23.83.133.182](https://vuldb.com/?ip.23.83.133.182) | - | - | High
51 | [23.83.133.216](https://vuldb.com/?ip.23.83.133.216) | - | - | High
52 | [23.83.134.110](https://vuldb.com/?ip.23.83.134.110) | - | - | High
53 | [23.83.134.136](https://vuldb.com/?ip.23.83.134.136) | - | - | High
54 | [23.106.160.39](https://vuldb.com/?ip.23.106.160.39) | - | - | High
55 | [23.106.160.120](https://vuldb.com/?ip.23.106.160.120) | - | - | High
56 | [23.106.215.123](https://vuldb.com/?ip.23.106.215.123) | - | - | High
57 | [23.108.57.13](https://vuldb.com/?ip.23.108.57.13) | - | - | High
58 | [23.227.198.217](https://vuldb.com/?ip.23.227.198.217) | 23-227-198-217.static.hvvc.us | - | High
59 | [23.254.201.97](https://vuldb.com/?ip.23.254.201.97) | hwsrv-974106.hostwindsdns.com | - | High
60 | [23.254.202.59](https://vuldb.com/?ip.23.254.202.59) | hwsrv-987701.hostwindsdns.com | - | High
61 | [23.254.217.20](https://vuldb.com/?ip.23.254.217.20) | hwsrv-984041.hostwindsdns.com | - | High
62 | [23.254.217.222](https://vuldb.com/?ip.23.254.217.222) | hwsrv-976272.hostwindsdns.com | - | High
63 | [23.254.227.144](https://vuldb.com/?ip.23.254.227.144) | hwsrv-982332.hostwindsdns.com | - | High
64 | [24.4.68.32](https://vuldb.com/?ip.24.4.68.32) | c-24-4-68-32.hsd1.ca.comcast.net | - | High
65 | [24.57.185.167](https://vuldb.com/?ip.24.57.185.167) | d24-57-185-167.home.cgocable.net | - | High
66 | [24.121.25.160](https://vuldb.com/?ip.24.121.25.160) | 24-121-25-160.sdoncmtk01.com.dyn.suddenlink.net | - | High
67 | [25.5.198.104](https://vuldb.com/?ip.25.5.198.104) | - | - | High
68 | [25.170.215.18](https://vuldb.com/?ip.25.170.215.18) | - | - | High
69 | [25.181.64.39](https://vuldb.com/?ip.25.181.64.39) | - | - | High
70 | [26.6.83.53](https://vuldb.com/?ip.26.6.83.53) | - | - | High
71 | [28.11.143.222](https://vuldb.com/?ip.28.11.143.222) | - | - | High
72 | [28.53.120.108](https://vuldb.com/?ip.28.53.120.108) | - | - | High
73 | [28.107.38.196](https://vuldb.com/?ip.28.107.38.196) | - | - | High
74 | [28.148.236.16](https://vuldb.com/?ip.28.148.236.16) | - | - | High
75 | [29.64.0.111](https://vuldb.com/?ip.29.64.0.111) | - | - | High
76 | [29.122.243.158](https://vuldb.com/?ip.29.122.243.158) | - | - | High
77 | [30.17.4.146](https://vuldb.com/?ip.30.17.4.146) | - | - | High
78 | [30.65.48.152](https://vuldb.com/?ip.30.65.48.152) | - | - | High
79 | [30.205.76.70](https://vuldb.com/?ip.30.205.76.70) | - | - | High
80 | [31.228.253.114](https://vuldb.com/?ip.31.228.253.114) | - | - | High
81 | [32.181.245.23](https://vuldb.com/?ip.32.181.245.23) | - | - | High
82 | [33.93.97.183](https://vuldb.com/?ip.33.93.97.183) | - | - | High
83 | [33.145.184.132](https://vuldb.com/?ip.33.145.184.132) | - | - | High
84 | [34.229.154.31](https://vuldb.com/?ip.34.229.154.31) | ec2-34-229-154-31.compute-1.amazonaws.com | - | Medium
85 | [35.120.155.220](https://vuldb.com/?ip.35.120.155.220) | - | - | High
86 | [36.110.58.103](https://vuldb.com/?ip.36.110.58.103) | 103.58.110.36.static.bjtelecom.net | - | High
87 | [37.64.220.2](https://vuldb.com/?ip.37.64.220.2) | 2.220.64.37.rev.sfr.net | - | High
88 | [37.72.174.9](https://vuldb.com/?ip.37.72.174.9) | emailmail.org.uk | - | High
89 | [37.72.174.23](https://vuldb.com/?ip.37.72.174.23) | 37-72-174-23.static.hvvc.us | - | High
90 | [37.120.198.248](https://vuldb.com/?ip.37.120.198.248) | - | - | High
91 | [38.12.57.131](https://vuldb.com/?ip.38.12.57.131) | - | - | High
92 | [39.57.152.217](https://vuldb.com/?ip.39.57.152.217) | - | - | High
93 | [40.72.17.141](https://vuldb.com/?ip.40.72.17.141) | - | - | High
94 | [41.28.188.77](https://vuldb.com/?ip.41.28.188.77) | vc-gp-s-41-28-188-77.umts.vodacom.co.za | - | High
95 | [41.56.181.200](https://vuldb.com/?ip.41.56.181.200) | - | - | High
96 | [45.3.236.177](https://vuldb.com/?ip.45.3.236.177) | 045-003-236-177.biz.spectrum.com | - | High
97 | [45.11.19.224](https://vuldb.com/?ip.45.11.19.224) | - | - | High
98 | [45.66.151.155](https://vuldb.com/?ip.45.66.151.155) | - | - | High
99 | [45.84.0.13](https://vuldb.com/?ip.45.84.0.13) | vm523902.stark-industries.solutions | - | High
100 | [45.138.172.246](https://vuldb.com/?ip.45.138.172.246) | - | - | High
101 | [45.140.146.30](https://vuldb.com/?ip.45.140.146.30) | vm542320.stark-industries.solutions | - | High
102 | [45.140.146.244](https://vuldb.com/?ip.45.140.146.244) | - | - | High
103 | [45.142.214.120](https://vuldb.com/?ip.45.142.214.120) | vm516885.stark-industries.solutions | - | High
104 | [45.142.214.167](https://vuldb.com/?ip.45.142.214.167) | - | - | High
105 | [45.147.229.23](https://vuldb.com/?ip.45.147.229.23) | - | - | High
106 | [45.147.229.50](https://vuldb.com/?ip.45.147.229.50) | - | - | High
107 | [45.147.229.101](https://vuldb.com/?ip.45.147.229.101) | - | - | High
108 | [45.147.229.177](https://vuldb.com/?ip.45.147.229.177) | - | - | High
109 | [45.147.229.199](https://vuldb.com/?ip.45.147.229.199) | - | - | High
110 | [45.147.231.107](https://vuldb.com/?ip.45.147.231.107) | - | - | High
111 | [45.147.231.202](https://vuldb.com/?ip.45.147.231.202) | - | - | High
112 | [45.153.240.139](https://vuldb.com/?ip.45.153.240.139) | - | - | High
113 | [45.153.241.187](https://vuldb.com/?ip.45.153.241.187) | - | - | High
114 | ... | ... | ... | ...
There are 382 more IOC items available. Please use our online service to access the data.
There are 450 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -127,12 +145,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 15 more TTP items available. Please use our online service to access the data.
There are 17 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -140,24 +158,29 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/app/options.py` | High
2 | File | `/auth/callback` | High
3 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
4 | File | `/dashboard/menu-list.php` | High
5 | File | `/dashboard/profile.php` | High
6 | File | `/dashboard/table-list.php` | High
7 | File | `/data/vendor/tcl` | High
8 | File | `/etc/lighttpd.d/ca.pem` | High
9 | File | `/ffos/classes/Master.php?f=save_category` | High
10 | File | `/home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf` | High
11 | ... | ... | ...
1 | File | `.procmailrc` | Medium
2 | File | `/catcompany.php` | High
3 | File | `/edituser.php` | High
4 | File | `/modules/projects/vw_files.php` | High
5 | File | `/pages/permit/permit.php` | High
6 | File | `/php_action/createUser.php` | High
7 | File | `/products/view_product.php` | High
8 | File | `/sistema/flash/reboot` | High
9 | File | `/src/video/x11/SDL_x11yuv.c` | High
10 | File | `admin.cropcanvas.php` | High
11 | File | `admin/conf_users_edit.php` | High
12 | ... | ... | ...
There are 87 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 93 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/151/bumblebee-loader-iocs/
* https://1275.ru/ioc/250/bumblebee-malware-iocs-part-3/
* https://1275.ru/ioc/287/bumblebee-malware-iocs-part-4/
* https://1275.ru/ioc/347/bumblebee-loader-iocs-part-5/
* https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
* https://github.com/pr0xylife/Bumblebee/blob/main/Bumblebee_01.06.2022.txt
* https://github.com/pr0xylife/Bumblebee/blob/main/Bumblebee_02.06.2022.txt

30
actors/Caligula/README.md Normal file
View File

@ -0,0 +1,30 @@
# Caligula - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Caligula](https://vuldb.com/?actor.caligula). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.caligula](https://vuldb.com/?actor.caligula)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Caligula.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [45.95.55.24](https://vuldb.com/?ip.45.95.55.24) | 45.95.55.24.fly-hosting.net | - | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/448/caligula-botnet-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

71
actors/Candiru/README.md
View File

@ -61,43 +61,42 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10` | High
2 | File | `/.dbus-keyrings` | High
3 | File | `/.vnc/sesman_${username}_passwd` | High
4 | File | `/acms/classes/Master.php?f=delete_cargo` | High
5 | File | `/addsrv` | Low
6 | File | `/admin.php/news/admin/topic/save` | High
7 | File | `/admin/comn/service/update.json` | High
8 | File | `/Admin/Views/FileEditor/` | High
9 | File | `/api/user/{ID}` | High
10 | File | `/article/add` | Medium
11 | File | `/cgi-bin/uploadWeiXinPic` | High
12 | File | `/controller/pay.class.php` | High
13 | File | `/ctpms/admin/?page=applications/view_application` | High
14 | File | `/dev/block/mmcblk0rpmb` | High
15 | File | `/dev/kmem` | Medium
16 | File | `/dev/shm` | Medium
17 | File | `/dev/snd/seq` | Medium
18 | File | `/device/device=140/tab=wifi/view` | High
19 | File | `/dl/dl_print.php` | High
20 | File | `/getcfg.php` | Medium
21 | File | `/goform/addressNat` | High
22 | File | `/goform/SetClientState` | High
23 | File | `/htdocs/admin/dict.php?id=3` | High
24 | File | `/include/menu_v.inc.php` | High
25 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
26 | File | `/jerry-core/ecma/base/ecma-gc.c` | High
27 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
28 | File | `/librarian/bookdetails.php` | High
29 | File | `/login` | Low
30 | File | `/mngset/authset` | High
31 | File | `/module/module_frame/index.php` | High
32 | File | `/nova/bin/sniffer` | High
33 | File | `/ofcms/company-c-47` | High
34 | File | `/proc/*/cmdline"` | High
35 | File | `/proc/pid/syscall` | High
36 | File | `/product_list.php` | High
37 | ... | ... | ...
3 | File | `/acms/classes/Master.php?f=delete_cargo` | High
4 | File | `/addsrv` | Low
5 | File | `/admin.php/news/admin/topic/save` | High
6 | File | `/admin/comn/service/update.json` | High
7 | File | `/Admin/Views/FileEditor/` | High
8 | File | `/api/user/{ID}` | High
9 | File | `/article/add` | Medium
10 | File | `/cgi-bin/uploadWeiXinPic` | High
11 | File | `/controller/pay.class.php` | High
12 | File | `/ctpms/admin/?page=applications/view_application` | High
13 | File | `/dev/block/mmcblk0rpmb` | High
14 | File | `/dev/kmem` | Medium
15 | File | `/dev/shm` | Medium
16 | File | `/dev/snd/seq` | Medium
17 | File | `/device/device=140/tab=wifi/view` | High
18 | File | `/dl/dl_print.php` | High
19 | File | `/getcfg.php` | Medium
20 | File | `/goform/addressNat` | High
21 | File | `/goform/SetClientState` | High
22 | File | `/htdocs/admin/dict.php?id=3` | High
23 | File | `/include/menu_v.inc.php` | High
24 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
25 | File | `/jerry-core/ecma/base/ecma-gc.c` | High
26 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
27 | File | `/librarian/bookdetails.php` | High
28 | File | `/login` | Low
29 | File | `/mngset/authset` | High
30 | File | `/module/module_frame/index.php` | High
31 | File | `/nova/bin/sniffer` | High
32 | File | `/ofcms/company-c-47` | High
33 | File | `/proc/*/cmdline"` | High
34 | File | `/proc/pid/syscall` | High
35 | File | `/product_list.php` | High
36 | ... | ... | ...
There are 313 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 306 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

4
actors/ChaChi/README.md
View File

@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [FR](https://vuldb.com/?country.fr)
* ...
There are 17 more country items available. Please use our online service to access the data.
There are 18 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -84,7 +84,7 @@ ID | Type | Indicator | Confidence
30 | File | `admin/article_category.php?rec=update` | High
31 | ... | ... | ...
There are 260 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 262 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

46
actors/Cobalt Mirage/README.md Normal file
View File

@ -0,0 +1,46 @@
# Cobalt Mirage - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Cobalt Mirage](https://vuldb.com/?actor.cobalt_mirage). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.cobalt_mirage](https://vuldb.com/?actor.cobalt_mirage)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cobalt Mirage:
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cobalt Mirage.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [107.173.231.114](https://vuldb.com/?ip.107.173.231.114) | 107-173-231-114-host.colocrossing.com | - | High
2 | [198.12.65.175](https://vuldb.com/?ip.198.12.65.175) | 198-12-65-175-host.colocrossing.com | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Cobalt Mirage_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1202 | CWE-78 | Command Injection | High
2 | T1505 | CWE-89 | SQL Injection | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/213/cobalt-mirage-apt-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

5
actors/Cobalt Strike/README.md
View File

@ -104,10 +104,9 @@ ID | Type | Indicator | Confidence
26 | File | `/index.php/?p=report` | High
27 | File | `/Items/*/RemoteImages/Download` | High
28 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
29 | File | `/out.php` | Medium
30 | ... | ... | ...
29 | ... | ... | ...
There are 253 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 247 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

77
actors/CoolWebSearch/README.md
View File

@ -8,12 +8,12 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CoolWebSearch:
* [ES](https://vuldb.com/?country.es)
* [US](https://vuldb.com/?country.us)
* [VN](https://vuldb.com/?country.vn)
* [CN](https://vuldb.com/?country.cn)
* ...
There are 21 more country items available. Please use our online service to access the data.
There are 13 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -154,12 +154,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 19 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -167,39 +169,36 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/.ssh/authorized_keys` | High
2 | File | `/cgi-bin/luci/api/auth` | High
3 | File | `/cgi-bin/luci/api/diagnose` | High
4 | File | `/CMD_ACCOUNT_ADMIN` | High
5 | File | `/context/%2e/WEB-INF/web.xml` | High
6 | File | `/core/admin/categories.php` | High
7 | File | `/etc/groups` | Medium
8 | File | `/etc/sudoers` | Medium
9 | File | `/filemanager/php/connector.php` | High
10 | File | `/forum/away.php` | High
11 | File | `/mgmt/tm/util/bash` | High
12 | File | `/modules/profile/index.php` | High
13 | File | `/MTFWU` | Low
14 | File | `/new` | Low
15 | File | `/php/passport/index.php` | High
16 | File | `/proc/<pid>/status` | High
17 | File | `/public/plugins/` | High
18 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
19 | File | `/secure/QueryComponent!Default.jspa` | High
20 | File | `/server-info` | Medium
21 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
22 | File | `/tmp` | Low
23 | File | `/uncpath/` | Medium
24 | File | `/updown/upload.cgi` | High
25 | File | `/usr/bin/pkexec` | High
26 | File | `4.2.0.CP09` | Medium
27 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
28 | File | `AccountManagerService.java` | High
29 | File | `actions/CompanyDetailsSave.php` | High
30 | File | `ActivityManagerService.java` | High
31 | ... | ... | ...
1 | File | `//proc/kcore` | Medium
2 | File | `/Ap4RtpAtom.cpp` | High
3 | File | `/app/options.py` | High
4 | File | `/bcms/admin/?page=user/list` | High
5 | File | `/bsms/?page=manage_account` | High
6 | File | `/cgi-bin/login.cgi` | High
7 | File | `/cgi-bin/luci/api/auth` | High
8 | File | `/cgi-bin/luci/api/diagnose` | High
9 | File | `/ci_hms/massage_room/edit/1` | High
10 | File | `/dashboard/reports/logs/view` | High
11 | File | `/debug/pprof` | Medium
12 | File | `/etc/config/image_sign` | High
13 | File | `/etc/groups` | Medium
14 | File | `/etc/hosts` | Medium
15 | File | `/forum/away.php` | High
16 | File | `/fuel/index.php/fuel/logs/items` | High
17 | File | `/fuel/sitevariables/delete/4` | High
18 | File | `/ghost/preview` | High
19 | File | `/hprms/admin/doctors/manage_doctor.php` | High
20 | File | `/index/jobfairol/show/` | High
21 | File | `/librarian/bookdetails.php` | High
22 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
23 | File | `/mgmt/tm/util/bash` | High
24 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
25 | File | `/php/passport/index.php` | High
26 | File | `/proc/<PID>/mem` | High
27 | File | `/servlet/AdapterHTTP` | High
28 | ... | ... | ...
There are 259 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 233 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

30
actors/CrateDepression/README.md Normal file
View File

@ -0,0 +1,30 @@
# CrateDepression - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CrateDepression](https://vuldb.com/?actor.cratedepression). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.cratedepression](https://vuldb.com/?actor.cratedepression)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CrateDepression.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [64.227.12.57](https://vuldb.com/?ip.64.227.12.57) | - | - | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/240/cratedepression-malware-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

30
actors/CredoMap/README.md Normal file
View File

@ -0,0 +1,30 @@
# CredoMap - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CredoMap](https://vuldb.com/?actor.credomap). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.credomap](https://vuldb.com/?actor.credomap)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CredoMap.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [69.16.243.33](https://vuldb.com/?ip.69.16.243.33) | host.tecnode.com | - | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/199/credomap_v2-stealer-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

59
actors/CrescentImp/README.md Normal file
View File

@ -0,0 +1,59 @@
# CrescentImp - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CrescentImp](https://vuldb.com/?actor.crescentimp). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.crescentimp](https://vuldb.com/?actor.crescentimp)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CrescentImp:
* [US](https://vuldb.com/?country.us)
* [IR](https://vuldb.com/?country.ir)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CrescentImp.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [87.236.161.43](https://vuldb.com/?ip.87.236.161.43) | 87-236-161-43.digiturunc.com | - | High
2 | [185.80.92.143](https://vuldb.com/?ip.185.80.92.143) | vps30215.alfahosting-vps.de | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _CrescentImp_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1505 | CWE-89 | SQL Injection | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by CrescentImp. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/category_view.php` | High
2 | File | `breadcrumbs_create.php` | High
3 | File | `shopping_cart.php` | High
4 | ... | ... | ...
There are 2 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/334/crescentimp-malware-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

53
actors/CuteBoi/README.md Normal file
View File

@ -0,0 +1,53 @@
# CuteBoi - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [CuteBoi](https://vuldb.com/?actor.cuteboi). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.cuteboi](https://vuldb.com/?actor.cuteboi)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CuteBoi:
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CuteBoi.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [130.162.52.80](https://vuldb.com/?ip.130.162.52.80) | - | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _CuteBoi_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1505 | CWE-89 | SQL Injection | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by CuteBoi. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `read.php` | Medium
2 | Argument | `TID` | Low
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/427/cuteboi-company-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

91
actors/Cyclops Blink/README.md
View File

@ -4,69 +4,58 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.cyclops_blink](https://vuldb.com/?actor.cyclops_blink)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cyclops Blink:
* [FR](https://vuldb.com/?country.fr)
* [IT](https://vuldb.com/?country.it)
* [US](https://vuldb.com/?country.us)
* ...
There are 2 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Cyclops Blink.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [2.230.110.137](https://vuldb.com/?ip.2.230.110.137) | - | - | High
2 | [24.199.247.222](https://vuldb.com/?ip.24.199.247.222) | webmail.capefearclinic.org | - | High
3 | [37.71.147.186](https://vuldb.com/?ip.37.71.147.186) | 186.147.71.37.rev.sfr.net | - | High
4 | [37.99.163.162](https://vuldb.com/?ip.37.99.163.162) | 37.99.163-162.static.go.com.sa | - | High
5 | [50.255.126.65](https://vuldb.com/?ip.50.255.126.65) | 50-255-126-65-static.hfc.comcastbusiness.net | - | High
6 | ... | ... | ... | ...
1 | [1.9.85.247](https://vuldb.com/?ip.1.9.85.247) | - | - | High
2 | [1.9.85.248](https://vuldb.com/?ip.1.9.85.248) | - | - | High
3 | [1.9.85.249](https://vuldb.com/?ip.1.9.85.249) | - | - | High
4 | [1.9.85.252](https://vuldb.com/?ip.1.9.85.252) | - | - | High
5 | [1.9.85.253](https://vuldb.com/?ip.1.9.85.253) | - | - | High
6 | [1.9.85.254](https://vuldb.com/?ip.1.9.85.254) | - | - | High
7 | [2.192.0.94](https://vuldb.com/?ip.2.192.0.94) | - | - | High
8 | [2.192.1.120](https://vuldb.com/?ip.2.192.1.120) | - | - | High
9 | [2.192.6.144](https://vuldb.com/?ip.2.192.6.144) | - | - | High
10 | [2.192.7.244](https://vuldb.com/?ip.2.192.7.244) | - | - | High
11 | [2.192.67.0](https://vuldb.com/?ip.2.192.67.0) | - | - | High
12 | [2.192.71.115](https://vuldb.com/?ip.2.192.71.115) | - | - | High
13 | [2.192.74.124](https://vuldb.com/?ip.2.192.74.124) | - | - | High
14 | [2.229.24.16](https://vuldb.com/?ip.2.229.24.16) | 2-229-24-16.ip194.fastwebnet.it | - | High
15 | [2.229.32.106](https://vuldb.com/?ip.2.229.32.106) | 2-229-32-106.ip194.fastwebnet.it | - | High
16 | [2.230.110.137](https://vuldb.com/?ip.2.230.110.137) | - | - | High
17 | [12.34.226.34](https://vuldb.com/?ip.12.34.226.34) | - | - | High
18 | [12.172.90.242](https://vuldb.com/?ip.12.172.90.242) | - | - | High
19 | [12.191.39.162](https://vuldb.com/?ip.12.191.39.162) | - | - | High
20 | [12.191.39.163](https://vuldb.com/?ip.12.191.39.163) | - | - | High
21 | [12.191.39.164](https://vuldb.com/?ip.12.191.39.164) | - | - | High
22 | [12.191.39.165](https://vuldb.com/?ip.12.191.39.165) | - | - | High
23 | [12.191.39.166](https://vuldb.com/?ip.12.191.39.166) | - | - | High
24 | [24.39.220.218](https://vuldb.com/?ip.24.39.220.218) | rrcs-24-39-220-218.nys.biz.rr.com | - | High
25 | [24.96.94.11](https://vuldb.com/?ip.24.96.94.11) | static-24-96-94-11.knology.net | - | High
26 | [24.199.247.222](https://vuldb.com/?ip.24.199.247.222) | webmail.capefearclinic.org | - | High
27 | [24.227.240.210](https://vuldb.com/?ip.24.227.240.210) | rrcs-24-227-240-210.sw.biz.rr.com | - | High
28 | [24.227.240.211](https://vuldb.com/?ip.24.227.240.211) | rrcs-24-227-240-211.sw.biz.rr.com | - | High
29 | [37.26.183.94](https://vuldb.com/?ip.37.26.183.94) | 37.26.183.94.not.updated.openip-cs.net | - | High
30 | [37.71.147.186](https://vuldb.com/?ip.37.71.147.186) | 186.147.71.37.rev.sfr.net | - | High
31 | [37.99.163.162](https://vuldb.com/?ip.37.99.163.162) | 37.99.163-162.static.go.com.sa | - | High
32 | [37.99.163.163](https://vuldb.com/?ip.37.99.163.163) | - | - | High
33 | [37.99.163.164](https://vuldb.com/?ip.37.99.163.164) | mail.ftl.com.sa | - | High
34 | [37.99.163.165](https://vuldb.com/?ip.37.99.163.165) | 37.99.163-165.static.go.com.sa | - | High
35 | [37.99.163.166](https://vuldb.com/?ip.37.99.163.166) | 37.99.163-166.static.go.com.sa | - | High
36 | [41.142.240.197](https://vuldb.com/?ip.41.142.240.197) | - | - | High
37 | [50.192.49.210](https://vuldb.com/?ip.50.192.49.210) | 50-192-49-210-static.hfc.comcastbusiness.net | - | High
38 | ... | ... | ... | ...
There are 20 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Cyclops Blink_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22, CWE-425 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 14 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Cyclops Blink. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/doorgets/app/views/ajax/commentView.php` | High
2 | File | `/etc/passwd` | Medium
3 | File | `/tmp` | Low
4 | File | `AbstractController.php` | High
5 | File | `ActBar.ocx` | Medium
6 | File | `add_ons.php` | Medium
7 | File | `admin.comms.php` | High
8 | File | `admin.php` | Medium
9 | File | `admin/bad.php` | High
10 | ... | ... | ...
There are 71 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 150 more IOC items available. Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/45/cyclops-blink-botnet-ioc/
* https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
## Literature

77
actors/DarkCrystalRAT/README.md Normal file
View File

@ -0,0 +1,77 @@
# DarkCrystalRAT - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DarkCrystalRAT](https://vuldb.com/?actor.darkcrystalrat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.darkcrystalrat](https://vuldb.com/?actor.darkcrystalrat)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DarkCrystalRAT:
* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)
* [RU](https://vuldb.com/?country.ru)
* ...
There are 7 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DarkCrystalRAT.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [31.7.58.82](https://vuldb.com/?ip.31.7.58.82) | no-rdns.offshorededicated.net | - | High
2 | [103.27.202.127](https://vuldb.com/?ip.103.27.202.127) | 103-27-202-127.static.bangmod-idc.com | - | High
3 | [203.96.191.70](https://vuldb.com/?ip.203.96.191.70) | - | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _DarkCrystalRAT_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 15 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by DarkCrystalRAT. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/backupsettings.conf` | High
2 | File | `/export` | Low
3 | File | `/horde/util/go.php` | High
4 | File | `/show_news.php` | High
5 | File | `/uncpath/` | Medium
6 | File | `adclick.php` | Medium
7 | File | `admin/dashboard.php` | High
8 | File | `admin/index.php` | High
9 | File | `admin/tools/dolibarr_export.php` | High
10 | File | `adv_remotelog.asp` | High
11 | ... | ... | ...
There are 85 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://cert.gov.ua/article/405538
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

8
actors/Daserf/README.md
View File

@ -34,12 +34,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1222 | CWE-275 | Permission Issues | High
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
3 | T1068 | CWE-264, CWE-269 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack

46
actors/DeadBolt/README.md Normal file
View File

@ -0,0 +1,46 @@
# DeadBolt - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DeadBolt](https://vuldb.com/?actor.deadbolt). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.deadbolt](https://vuldb.com/?actor.deadbolt)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DeadBolt:
* [SG](https://vuldb.com/?country.sg)
* [CN](https://vuldb.com/?country.cn)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DeadBolt.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [132.147.73.87](https://vuldb.com/?ip.132.147.73.87) | fnet87-f73-access.vqbn.com.sg | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _DeadBolt_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1055 | CWE-74 | Injection | High
2 | T1592 | CWE-200 | Configuration | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/238/deadbolt-ransomware-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
actors/Dealply/README.md
View File

@ -10,10 +10,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [IT](https://vuldb.com/?country.it)
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [FR](https://vuldb.com/?country.fr)
* ...
There are 5 more country items available. Please use our online service to access the data.
There are 6 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -76,7 +76,7 @@ ID | Type | Indicator | Confidence
21 | File | `/mtms/admin/?page=user/manage_user` | High
22 | ... | ... | ...
There are 182 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 181 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

4
actors/ESPecter/README.md
View File

@ -30,7 +30,9 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
1 | T1059 | CWE-94 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1202 | CWE-77 | Command Injection | High
## IOA - Indicator of Attack

68
actors/Earth Berberoka/README.md Normal file
View File

@ -0,0 +1,68 @@
# Earth Berberoka - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Earth Berberoka](https://vuldb.com/?actor.earth_berberoka). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.earth_berberoka](https://vuldb.com/?actor.earth_berberoka)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Earth Berberoka:
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Earth Berberoka.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [42.200.181.116](https://vuldb.com/?ip.42.200.181.116) | 42-200-181-116.static.imsbiz.com | - | High
2 | [45.76.199.119](https://vuldb.com/?ip.45.76.199.119) | 45.76.199.119.vultrusercontent.com | - | High
3 | [45.77.22.215](https://vuldb.com/?ip.45.77.22.215) | 45.77.22.215.vultrusercontent.com | - | High
4 | ... | ... | ... | ...
There are 2 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Earth Berberoka_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059 | CWE-94 | Cross Site Scripting | High
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
3 | T1068 | CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...
There are 4 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Earth Berberoka. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/mgmt/tm/util/bash` | High
2 | File | `/uncpath/` | Medium
3 | File | `/usr/bin/at` | Medium
4 | ... | ... | ...
There are 10 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/156/earth-berberoka-apt-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

34
actors/Emotet/README.md
View File

@ -10,7 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [VN](https://vuldb.com/?country.vn)
* [ES](https://vuldb.com/?country.es)
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* ...
There are 3 more country items available. Please use our online service to access the data.
@ -446,11 +446,11 @@ ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79 | Cross Site Scripting | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 16 more TTP items available. Please use our online service to access the data.
There are 18 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -458,17 +458,23 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/addNotifyServlet` | High
2 | File | `/edituser.php` | High
3 | File | `/forum/away.php` | High
4 | File | `/index.php/?p=report` | High
5 | File | `/index.php?r=site%2Fsignup` | High
6 | File | `/nav_bar_action.php` | High
7 | File | `/pages/activity/activity.php` | High
8 | File | `/pages/permit/permit.php` | High
9 | ... | ... | ...
1 | File | `/admin/operations/packages.php` | High
2 | File | `/catcompany.php` | High
3 | File | `/ECT_Provider/` | High
4 | File | `/edituser.php` | High
5 | File | `/IISADMPWD` | Medium
6 | File | `/modules/projects/vw_files.php` | High
7 | File | `/pages/permit/permit.php` | High
8 | File | `/php_action/createUser.php` | High
9 | File | `/products/view_product.php` | High
10 | File | `/sistema/flash/reboot` | High
11 | File | `/src/video/x11/SDL_x11yuv.c` | High
12 | File | `/sys/ui/extend/varkind/custom.jsp` | High
13 | File | `adclick.php` | Medium
14 | File | `admin/conf_users_edit.php` | High
15 | ... | ... | ...
There are 70 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 117 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

20
actors/Exchange Marauder/README.md
View File

@ -40,12 +40,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-250, CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | ... | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
There are 13 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -55,14 +55,14 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cgi-bin/luci/api/auth` | High
2 | File | `/filemanager/upload.php` | High
3 | File | `/usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php` | High
4 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
5 | File | `/wp-json/oembed/1.0/embed?url` | High
6 | File | `admin/modules/tools/ip_history_logs.php` | High
7 | File | `api_poller.php` | High
3 | File | `/resources//../` | High
4 | File | `/usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php` | High
5 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
6 | File | `/wp-json/oembed/1.0/embed?url` | High
7 | File | `admin/modules/tools/ip_history_logs.php` | High
8 | ... | ... | ...
There are 54 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 57 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

61
actors/FFDroider/README.md Normal file
View File

@ -0,0 +1,61 @@
# FFDroider - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FFDroider](https://vuldb.com/?actor.ffdroider). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.ffdroider](https://vuldb.com/?actor.ffdroider)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FFDroider:
* [RU](https://vuldb.com/?country.ru)
* [AR](https://vuldb.com/?country.ar)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FFDroider.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [152.32.228.19](https://vuldb.com/?ip.152.32.228.19) | - | - | High
2 | [186.2.171.17](https://vuldb.com/?ip.186.2.171.17) | ddos-guard.net | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _FFDroider_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1552 | CWE-522 | ASP.NET Misconfiguration: Password in Configuration File | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FFDroider. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `cgi/config_user.cgi` | High
2 | File | `cloudinit/config/cc_set_passwords.py` | High
3 | File | `net/netfilter/nf_tables_api.c` | High
4 | ... | ... | ...
There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/97/ffdroider-malware-ioc/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

7
actors/FIN7/README.md
View File

@ -20,7 +20,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [CN](https://vuldb.com/?country.cn)
* ...
There are 16 more country items available. Please use our online service to access the data.
There are 15 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -85,7 +85,8 @@ ID | Technique | Weakness | Description | Confidence
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
5 | ... | ... | ... | ...
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...
There are 18 more TTP items available. Please use our online service to access the data.
@ -131,7 +132,7 @@ ID | Type | Indicator | Confidence
34 | File | `/proc/<PID>/mem` | High
35 | ... | ... | ...
There are 298 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 297 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

79
actors/FakeCrack/README.md Normal file
View File

@ -0,0 +1,79 @@
# FakeCrack - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FakeCrack](https://vuldb.com/?actor.fakecrack). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fakecrack](https://vuldb.com/?actor.fakecrack)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FakeCrack:
* [US](https://vuldb.com/?country.us)
* [TR](https://vuldb.com/?country.tr)
* [CN](https://vuldb.com/?country.cn)
* ...
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FakeCrack.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [37.221.67.219](https://vuldb.com/?ip.37.221.67.219) | - | - | High
2 | [45.135.134.211](https://vuldb.com/?ip.45.135.134.211) | mail.hhllk.cn | - | High
3 | [45.140.146.169](https://vuldb.com/?ip.45.140.146.169) | - | - | High
4 | ... | ... | ... | ...
There are 4 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _FakeCrack_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 17 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FakeCrack. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/acms/classes/Master.php?f=delete_cargo` | High
2 | File | `/admin.php/news/admin/topic/save` | High
3 | File | `/admin/comn/service/update.json` | High
4 | File | `/api/files/` | Medium
5 | File | `/dev/shm` | Medium
6 | File | `/dl/dl_print.php` | High
7 | File | `/getcfg.php` | Medium
8 | File | `/ofcms/company-c-47` | High
9 | File | `/util/print.c` | High
10 | ... | ... | ...
There are 77 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/324/fakecrack-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

2
actors/FamousSparrow/README.md
View File

@ -45,7 +45,7 @@ ID | Type | Indicator | Confidence
4 | File | `/system?action=ServiceAdmin` | High
5 | ... | ... | ...
There are 32 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 34 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

53
actors/FatalRAT/README.md Normal file
View File

@ -0,0 +1,53 @@
# FatalRAT - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FatalRAT](https://vuldb.com/?actor.fatalrat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fatalrat](https://vuldb.com/?actor.fatalrat)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FatalRAT:
* [CN](https://vuldb.com/?country.cn)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of FatalRAT.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [144.48.243.79](https://vuldb.com/?ip.144.48.243.79) | - | - | High
2 | [156.226.173.202](https://vuldb.com/?ip.156.226.173.202) | - | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _FatalRAT_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1608.002 | CWE-434 | Unrestricted Upload | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FatalRAT. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `web/jquery/uploader/uploadify.php` | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/66/fatalrat-backdoor-ioc/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

77
actors/Fileless/README.md Normal file
View File

@ -0,0 +1,77 @@
# Fileless - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Fileless](https://vuldb.com/?actor.fileless). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.fileless](https://vuldb.com/?actor.fileless)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Fileless:
* [IS](https://vuldb.com/?country.is)
* [US](https://vuldb.com/?country.us)
* [DE](https://vuldb.com/?country.de)
* ...
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Fileless.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [93.95.228.97](https://vuldb.com/?ip.93.95.228.97) | timestechnologies.org | - | High
2 | [162.0.224.144](https://vuldb.com/?ip.162.0.224.144) | people-role.quarantine-pnap-vlan51.web-hosting.com | - | High
3 | [178.79.176.1](https://vuldb.com/?ip.178.79.176.1) | gw-li345.linode.com | - | High
4 | ... | ... | ... | ...
There are 3 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Fileless_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 14 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Fileless. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/acms/classes/Master.php?f=delete_cargo` | High
2 | File | `/domains/list` | High
3 | File | `/sbin` | Low
4 | File | `/sbin/orthrus` | High
5 | File | `/sbin/rtspd` | Medium
6 | File | `/var/www/video/mp4ts` | High
7 | File | `admin/listMailConfiguration` | High
8 | ... | ... | ...
There are 61 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/180/fileless-malware-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

2
actors/GALLIUM/README.md
View File

@ -87,7 +87,7 @@ ID | Type | Indicator | Confidence
9 | File | `/uncpath/` | Medium
10 | ... | ... | ...
There are 70 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 71 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

11
actors/GoMet/README.md
View File

@ -46,12 +46,13 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/dl_sendmail.php` | High
2 | File | `application/modules/admin/views/ecommerce/products.php` | High
3 | File | `base/ErrorHandler.php` | High
4 | File | `blog.php` | Medium
5 | ... | ... | ...
2 | File | `/spip.php` | Medium
3 | File | `application/modules/admin/views/ecommerce/products.php` | High
4 | File | `base/ErrorHandler.php` | High
5 | File | `blog.php` | Medium
6 | ... | ... | ...
There are 34 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 39 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

32
actors/GoldBackdoor/README.md Normal file
View File

@ -0,0 +1,32 @@
# GoldBackdoor - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [GoldBackdoor](https://vuldb.com/?actor.goldbackdoor). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.goldbackdoor](https://vuldb.com/?actor.goldbackdoor)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of GoldBackdoor.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [13.107.42.12](https://vuldb.com/?ip.13.107.42.12) | 1drv.ms | - | High
2 | [131.107.255.255](https://vuldb.com/?ip.131.107.255.255) | dns.msftncsi.com | - | High
3 | [142.93.201.77](https://vuldb.com/?ip.142.93.201.77) | - | - | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/144/goldbackdoor-backdoor-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

8
actors/Gustuff/README.md
View File

@ -30,12 +30,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1059 | CWE-94 | Cross Site Scripting | High
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
4 | ... | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
There are 9 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack

55
actors/Hancitor/README.md
View File

@ -80,35 +80,34 @@ ID | Type | Indicator | Confidence
6 | File | `/forum/away.php` | High
7 | File | `/images/` | Medium
8 | File | `/inc/extensions.php` | High
9 | File | `/inc/parser/xhtml.php` | High
10 | File | `/lists/index.php` | High
11 | File | `/login` | Low
12 | File | `/modules/profile/index.php` | High
13 | File | `/nova/bin/console` | High
14 | File | `/objects/getImageMP4.php` | High
15 | File | `/one_church/userregister.php` | High
16 | File | `/out.php` | Medium
17 | File | `/owa/auth/logon.aspx` | High
18 | File | `/public/plugins/` | High
19 | File | `/replication` | Medium
20 | File | `/req_password_user.php` | High
21 | File | `/SAP_Information_System/controllers/add_admin.php` | High
22 | File | `/SASWebReportStudio/logonAndRender.do` | High
23 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
24 | File | `/secure/admin/ViewInstrumentation.jspa` | High
25 | File | `/secure/QueryComponent!Default.jspa` | High
26 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
27 | File | `/trx_addons/v2/get/sc_layout` | High
28 | File | `/uncpath/` | Medium
29 | File | `/usr/syno/etc/mount.conf` | High
30 | File | `/v2/quantum/save-data-upload-big-file` | High
31 | File | `/WEB-INF/web.xml` | High
32 | File | `/web/entry/en/address/adrsSetUserWizard.cgi` | High
33 | File | `/wp-json/oembed/1.0/embed?url` | High
34 | File | `4.edu.php` | Medium
35 | ... | ... | ...
9 | File | `/lists/index.php` | High
10 | File | `/login` | Low
11 | File | `/modules/profile/index.php` | High
12 | File | `/nova/bin/console` | High
13 | File | `/objects/getImageMP4.php` | High
14 | File | `/one_church/userregister.php` | High
15 | File | `/out.php` | Medium
16 | File | `/owa/auth/logon.aspx` | High
17 | File | `/public/plugins/` | High
18 | File | `/replication` | Medium
19 | File | `/req_password_user.php` | High
20 | File | `/SAP_Information_System/controllers/add_admin.php` | High
21 | File | `/SASWebReportStudio/logonAndRender.do` | High
22 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
23 | File | `/secure/admin/ViewInstrumentation.jspa` | High
24 | File | `/secure/QueryComponent!Default.jspa` | High
25 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
26 | File | `/trx_addons/v2/get/sc_layout` | High
27 | File | `/uncpath/` | Medium
28 | File | `/usr/syno/etc/mount.conf` | High
29 | File | `/v2/quantum/save-data-upload-big-file` | High
30 | File | `/WEB-INF/web.xml` | High
31 | File | `/web/entry/en/address/adrsSetUserWizard.cgi` | High
32 | File | `/wp-json/oembed/1.0/embed?url` | High
33 | File | `4.edu.php` | Medium
34 | ... | ... | ...
There are 301 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 288 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

30
actors/HavanaCrypt/README.md Normal file
View File

@ -0,0 +1,30 @@
# HavanaCrypt - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [HavanaCrypt](https://vuldb.com/?actor.havanacrypt). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.havanacrypt](https://vuldb.com/?actor.havanacrypt)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of HavanaCrypt.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [20.227.128.33](https://vuldb.com/?ip.20.227.128.33) | - | - | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/437/havanacrypt-ransomware-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

60
actors/Hermit/README.md Normal file
View File

@ -0,0 +1,60 @@
# Hermit - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Hermit](https://vuldb.com/?actor.hermit). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.hermit](https://vuldb.com/?actor.hermit)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hermit:
* [IT](https://vuldb.com/?country.it)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Hermit.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [2.228.150.86](https://vuldb.com/?ip.2.228.150.86) | 2-228-150-86.ip192.fastwebnet.it | - | High
2 | [2.229.68.182](https://vuldb.com/?ip.2.229.68.182) | 2-229-68-182.ip195.fastwebnet.it | - | High
3 | [45.148.30.122](https://vuldb.com/?ip.45.148.30.122) | - | - | High
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Hermit_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-80 | Cross Site Scripting | High
2 | T1592 | CWE-200 | Configuration | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Hermit. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/template.php` | High
2 | Argument | `Password` | Medium
3 | Argument | `title` | Low
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/380/hermit-spyware-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

9
actors/Inception/README.md
View File

@ -14,8 +14,8 @@ The following _campaigns_ are known and can be associated with Inception:
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Inception:
* [ES](https://vuldb.com/?country.es)
* [AR](https://vuldb.com/?country.ar)
* [ES](https://vuldb.com/?country.es)
* [PL](https://vuldb.com/?country.pl)
* ...
@ -92,9 +92,12 @@ ID | Type | Indicator | Confidence
35 | File | `/mcategory.php` | High
36 | File | `/modules/tasks/gantt.php` | High
37 | File | `/odfs/classes/Master.php?f=delete_team` | High
38 | ... | ... | ...
38 | File | `/ofrs/admin/requests/take_action.php` | High
39 | File | `/otps/classes/Master.php` | High
40 | File | `/pms/admin/actions/view_action.php` | High
41 | ... | ... | ...
There are 325 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 354 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

30
actors/Jester/README.md Normal file
View File

@ -0,0 +1,30 @@
# Jester - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Jester](https://vuldb.com/?actor.jester). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.jester](https://vuldb.com/?actor.jester)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Jester.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [157.112.183.47](https://vuldb.com/?ip.157.112.183.47) | sv5206.xserver.jp | - | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/198/jester-stealer-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

99
actors/Kwampirs/README.md
View File

@ -24,7 +24,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [NZ](https://vuldb.com/?country.nz)
* ...
There are 9 more country items available. Please use our online service to access the data.
There are 16 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -137,12 +137,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ... | ...
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-24 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
There are 17 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -153,51 +154,49 @@ ID | Type | Indicator | Confidence
1 | File | `.htaccess` | Medium
2 | File | `/#/CampaignManager/users` | High
3 | File | `/admin/admin_login.php` | High
4 | File | `/admin/login.php` | High
5 | File | `/bin/sh` | Low
6 | File | `/cgi-bin/supervisor/CloudSetup.cgi` | High
7 | File | `/Content/Template/root/reverse-shell.aspx` | High
8 | File | `/data/vendor/tcl` | High
9 | File | `/debug/pprof` | Medium
10 | File | `/dev/tty` | Medium
11 | File | `/doorgets/app/requests/user/modulecategoryRequest.php` | High
12 | File | `/gaia-job-admin/user/add` | High
13 | File | `/goforms/rlminfo` | High
14 | File | `/HNAP1` | Low
15 | File | `/login` | Low
16 | File | `/login.html` | Medium
17 | File | `/magnoliaPublic/travel/members/login.html` | High
18 | File | `/member/index/login.html` | High
19 | File | `/mgmt/tm/util/bash` | High
20 | File | `/ocwbs/admin/?page=user/manage_user` | High
21 | File | `/ofrs/admin/?page=user/manage_user` | High
22 | File | `/product.php` | Medium
23 | File | `/rdms/admin/?page=user/manage_user` | High
24 | File | `/requests.php` | High
25 | File | `/saml/login` | Medium
26 | File | `/ScadaBR/login.htm` | High
27 | File | `/uncpath/` | Medium
28 | File | `/upload` | Low
29 | File | `/var/adm/btmp` | High
30 | File | `/vloggers_merch/?p=view_product` | High
31 | File | `/wp-admin/admin-ajax.php` | High
32 | File | `/wp-json` | Medium
33 | File | `5.2.9\syscrb.exe` | High
34 | File | `account/login.php` | High
35 | File | `ad/login.asp` | Medium
36 | File | `admin.inc.php` | High
37 | File | `admin/admin_ping.php` | High
38 | File | `admin/conf_users_edit.php` | High
39 | File | `admin/index.php` | High
40 | File | `admin/login.asp` | High
41 | File | `admin/login.php` | High
42 | File | `admin/nos/login` | High
43 | File | `admin/viewtheatre.php` | High
44 | File | `agenda.php3` | Medium
45 | File | `ajaxp.php` | Medium
46 | ... | ... | ...
4 | File | `/api/user/{ID}` | High
5 | File | `/app/options.py` | High
6 | File | `/ci_spms/admin/category` | High
7 | File | `/ci_spms/admin/search/searching/` | High
8 | File | `/classes/Master.php?f=delete_train` | High
9 | File | `/Content/Template/root/reverse-shell.aspx` | High
10 | File | `/dashboard/menu-list.php` | High
11 | File | `/data/vendor/tcl` | High
12 | File | `/debug/pprof` | Medium
13 | File | `/dev/tty` | Medium
14 | File | `/ffos/classes/Master.php?f=save_category` | High
15 | File | `/gaia-job-admin/user/add` | High
16 | File | `/goforms/rlminfo` | High
17 | File | `/HNAP1` | Low
18 | File | `/Items/*/RemoteImages/Download` | High
19 | File | `/login` | Low
20 | File | `/member/index/login.html` | High
21 | File | `/mgmt/tm/util/bash` | High
22 | File | `/ocwbs/admin/?page=user/manage_user` | High
23 | File | `/ofrs/admin/?page=user/manage_user` | High
24 | File | `/p1/p2/:name` | Medium
25 | File | `/product.php` | Medium
26 | File | `/rdms/admin/?page=user/manage_user` | High
27 | File | `/requests.php` | High
28 | File | `/saml/login` | Medium
29 | File | `/ScadaBR/login.htm` | High
30 | File | `/spip.php` | Medium
31 | File | `/uncpath/` | Medium
32 | File | `/upload` | Low
33 | File | `/var/adm/btmp` | High
34 | File | `/vloggers_merch/?p=view_product` | High
35 | File | `/wp-admin/admin-ajax.php` | High
36 | File | `account/login.php` | High
37 | File | `ad/login.asp` | Medium
38 | File | `admin.inc.php` | High
39 | File | `admin.php` | Medium
40 | File | `admin/admin_ping.php` | High
41 | File | `admin/conf_users_edit.php` | High
42 | File | `admin/index.php` | High
43 | File | `admin/login.php` | High
44 | ... | ... | ...
There are 399 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 377 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

281
actors/Lazarus/README.md
View File

@ -22,10 +22,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [VN](https://vuldb.com/?country.vn)
* [IN](https://vuldb.com/?country.in)
* [GB](https://vuldb.com/?country.gb)
* ...
There are 4 more country items available. Please use our online service to access the data.
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
@ -99,128 +96,129 @@ ID | IP address | Hostname | Campaign | Confidence
64 | [5.200.191.104](https://vuldb.com/?ip.5.200.191.104) | - | Hidden Cobra | High
65 | [5.200.198.10](https://vuldb.com/?ip.5.200.198.10) | - | Hidden Cobra | High
66 | [5.200.202.99](https://vuldb.com/?ip.5.200.202.99) | - | Hidden Cobra | High
67 | [14.102.46.3](https://vuldb.com/?ip.14.102.46.3) | - | Volgmer | High
68 | [14.139.125.214](https://vuldb.com/?ip.14.139.125.214) | - | Volgmer | High
69 | [14.140.123.179](https://vuldb.com/?ip.14.140.123.179) | 14.140.123.179.static-pune-vsnl.net.in | Hidden Cobra | High
70 | [14.141.27.100](https://vuldb.com/?ip.14.141.27.100) | 14.141.26.100.static-Mumbai.vsnl.net.in | Hidden Cobra | High
71 | [14.141.129.116](https://vuldb.com/?ip.14.141.129.116) | 14.141.129.116.static-Delhi.vsnl.net.in | Volgmer | High
72 | [14.149.149.211](https://vuldb.com/?ip.14.149.149.211) | - | Hidden Cobra | High
73 | [21.252.107.198](https://vuldb.com/?ip.21.252.107.198) | - | Hoplight | High
74 | [23.81.246.131](https://vuldb.com/?ip.23.81.246.131) | - | South Korea | High
75 | [23.152.0.232](https://vuldb.com/?ip.23.152.0.232) | betrp-basisto.seemband.com | - | High
76 | [26.165.218.44](https://vuldb.com/?ip.26.165.218.44) | - | Hoplight | High
77 | [27.96.110.130](https://vuldb.com/?ip.27.96.110.130) | 130.110.96.27.static.m1net.com.sg | Hidden Cobra | High
78 | [27.114.187.37](https://vuldb.com/?ip.27.114.187.37) | - | Volgmer | High
79 | [27.123.221.66](https://vuldb.com/?ip.27.123.221.66) | 66-221.fiber.net.id | Fallchill | High
80 | [27.125.35.229](https://vuldb.com/?ip.27.125.35.229) | - | Hidden Cobra | High
81 | [31.47.47.130](https://vuldb.com/?ip.31.47.47.130) | - | Hidden Cobra | High
82 | [31.54.73.156](https://vuldb.com/?ip.31.54.73.156) | host31-54-73-156.range31-54.btcentralplus.com | Hidden Cobra | High
83 | [31.54.74.176](https://vuldb.com/?ip.31.54.74.176) | host31-54-74-176.range31-54.btcentralplus.com | Hidden Cobra | High
84 | [31.146.82.22](https://vuldb.com/?ip.31.146.82.22) | 31-146-82-22.dsl.utg.ge | Volgmer | High
85 | [31.146.136.6](https://vuldb.com/?ip.31.146.136.6) | 31-146-136-6.dsl.utg.ge | Hidden Cobra | High
86 | [31.168.203.44](https://vuldb.com/?ip.31.168.203.44) | bzq-203-168-31-44.red.bezeqint.net | Hidden Cobra | High
87 | [36.71.90.4](https://vuldb.com/?ip.36.71.90.4) | - | Fallchill | High
88 | [37.34.240.177](https://vuldb.com/?ip.37.34.240.177) | - | Hidden Cobra | High
89 | [37.48.106.69](https://vuldb.com/?ip.37.48.106.69) | high-convey.blockother.com | Hidden Cobra | High
90 | [37.71.50.2](https://vuldb.com/?ip.37.71.50.2) | 2.50.71.37.rev.sfr.net | Hidden Cobra | High
91 | [37.75.0.98](https://vuldb.com/?ip.37.75.0.98) | - | Hidden Cobra | High
92 | [37.75.2.203](https://vuldb.com/?ip.37.75.2.203) | - | Hidden Cobra | High
93 | [37.75.10.194](https://vuldb.com/?ip.37.75.10.194) | mail.kplus.com.tr | Hidden Cobra | High
94 | [37.75.11.162](https://vuldb.com/?ip.37.75.11.162) | 37-75-11-162.rdns.saglayici.net | Hidden Cobra | High
95 | [37.98.114.90](https://vuldb.com/?ip.37.98.114.90) | 90.mobinnet.net | Volgmer | High
96 | [37.104.24.220](https://vuldb.com/?ip.37.104.24.220) | - | Hidden Cobra | High
97 | [37.104.50.144](https://vuldb.com/?ip.37.104.50.144) | - | Hidden Cobra | High
98 | [37.104.67.33](https://vuldb.com/?ip.37.104.67.33) | - | Hidden Cobra | High
99 | [37.105.234.200](https://vuldb.com/?ip.37.105.234.200) | - | Hidden Cobra | High
100 | [37.106.115.3](https://vuldb.com/?ip.37.106.115.3) | - | Hidden Cobra | High
101 | [37.143.29.10](https://vuldb.com/?ip.37.143.29.10) | - | Hidden Cobra | High
102 | [37.148.209.156](https://vuldb.com/?ip.37.148.209.156) | 37-148-209-156.cizgi.net.tr | Hidden Cobra | High
103 | [37.216.67.155](https://vuldb.com/?ip.37.216.67.155) | - | Volgmer | High
104 | [37.216.213.70](https://vuldb.com/?ip.37.216.213.70) | - | Hidden Cobra | High
105 | [37.235.21.166](https://vuldb.com/?ip.37.235.21.166) | - | Volgmer | High
106 | [37.238.135.70](https://vuldb.com/?ip.37.238.135.70) | - | - | High
107 | [38.132.124.161](https://vuldb.com/?ip.38.132.124.161) | - | TraderTraitor | High
108 | [41.57.108.68](https://vuldb.com/?ip.41.57.108.68) | - | Hidden Cobra | High
109 | [41.67.136.38](https://vuldb.com/?ip.41.67.136.38) | netcomafrica.com | Hidden Cobra | High
110 | [41.67.136.39](https://vuldb.com/?ip.41.67.136.39) | netcomafrica.com | Hidden Cobra | High
111 | [41.72.99.5](https://vuldb.com/?ip.41.72.99.5) | - | Hidden Cobra | High
112 | [41.72.101.138](https://vuldb.com/?ip.41.72.101.138) | - | Hidden Cobra | High
113 | [41.74.166.253](https://vuldb.com/?ip.41.74.166.253) | - | Hidden Cobra | High
114 | [41.92.208.194](https://vuldb.com/?ip.41.92.208.194) | - | Fallchill | High
115 | [41.92.208.196](https://vuldb.com/?ip.41.92.208.196) | - | Fallchill | High
116 | [41.92.208.197](https://vuldb.com/?ip.41.92.208.197) | - | Fallchill | High
117 | [41.110.179.197](https://vuldb.com/?ip.41.110.179.197) | - | Hidden Cobra | High
118 | [41.128.226.60](https://vuldb.com/?ip.41.128.226.60) | - | Hidden Cobra | High
119 | [41.131.49.228](https://vuldb.com/?ip.41.131.49.228) | host-41-131-49-228.static.link.com.eg | Hidden Cobra | High
120 | [41.131.164.156](https://vuldb.com/?ip.41.131.164.156) | - | Hidden Cobra | High
121 | [41.134.208.234](https://vuldb.com/?ip.41.134.208.234) | 41-134-208-234.dsl.mweb.co.za | Hidden Cobra | High
122 | [41.182.252.56](https://vuldb.com/?ip.41.182.252.56) | ADSL-41-182-252-56.ipb.na | Hidden Cobra | High
123 | [41.205.139.34](https://vuldb.com/?ip.41.205.139.34) | ADSL-41-205-139-34.ipb.na | Hidden Cobra | High
124 | [41.208.106.68](https://vuldb.com/?ip.41.208.106.68) | owa.altaqnya.com.ly | Hidden Cobra | High
125 | [41.208.106.70](https://vuldb.com/?ip.41.208.106.70) | dc1.Mail.dsmhlc.ly | Hidden Cobra | High
126 | [41.215.250.40](https://vuldb.com/?ip.41.215.250.40) | - | Hidden Cobra | High
127 | [41.223.30.20](https://vuldb.com/?ip.41.223.30.20) | host30-20.creolink.com | Hidden Cobra | High
128 | [41.224.254.90](https://vuldb.com/?ip.41.224.254.90) | - | Hidden Cobra | High
129 | [43.249.216.6](https://vuldb.com/?ip.43.249.216.6) | - | Volgmer | High
130 | [45.33.2.79](https://vuldb.com/?ip.45.33.2.79) | li956-79.members.linode.com | AppleJeus | High
131 | [45.33.23.183](https://vuldb.com/?ip.45.33.23.183) | li977-183.members.linode.com | AppleJeus | High
132 | [45.56.79.23](https://vuldb.com/?ip.45.56.79.23) | li929-23.members.linode.com | AppleJeus | High
133 | [45.79.19.196](https://vuldb.com/?ip.45.79.19.196) | li1118-196.members.linode.com | AppleJeus | High
134 | [45.118.34.215](https://vuldb.com/?ip.45.118.34.215) | - | Volgmer | High
135 | [45.120.61.145](https://vuldb.com/?ip.45.120.61.145) | - | Hidden Cobra | High
136 | [45.124.169.36](https://vuldb.com/?ip.45.124.169.36) | - | Volgmer | High
137 | [45.199.63.220](https://vuldb.com/?ip.45.199.63.220) | - | AppleJeus | High
138 | [46.16.62.238](https://vuldb.com/?ip.46.16.62.238) | fnadh-35.srv.cat | TraderTraitor | High
139 | [46.19.101.186](https://vuldb.com/?ip.46.19.101.186) | ip-46-19-101-186.gnc.net | Hidden Cobra | High
140 | [46.21.147.161](https://vuldb.com/?ip.46.21.147.161) | 46-21-147-161.static.hvvc.us | - | High
141 | [46.52.131.102](https://vuldb.com/?ip.46.52.131.102) | - | Hidden Cobra | High
142 | [46.121.242.180](https://vuldb.com/?ip.46.121.242.180) | 46-121-242-180.static.012.net.il | Hidden Cobra | High
143 | [46.174.116.60](https://vuldb.com/?ip.46.174.116.60) | - | Hidden Cobra | High
144 | [46.174.116.87](https://vuldb.com/?ip.46.174.116.87) | - | Hidden Cobra | High
145 | [46.174.116.90](https://vuldb.com/?ip.46.174.116.90) | - | Hidden Cobra | High
146 | [46.174.116.99](https://vuldb.com/?ip.46.174.116.99) | - | Hidden Cobra | High
147 | [46.174.116.221](https://vuldb.com/?ip.46.174.116.221) | - | Hidden Cobra | High
148 | [46.174.116.231](https://vuldb.com/?ip.46.174.116.231) | - | Hidden Cobra | High
149 | [46.174.116.234](https://vuldb.com/?ip.46.174.116.234) | - | Hidden Cobra | High
150 | [46.174.117.15](https://vuldb.com/?ip.46.174.117.15) | - | Hidden Cobra | High
151 | [46.174.117.32](https://vuldb.com/?ip.46.174.117.32) | - | Hidden Cobra | High
152 | [46.174.117.36](https://vuldb.com/?ip.46.174.117.36) | - | Hidden Cobra | High
153 | [46.174.117.42](https://vuldb.com/?ip.46.174.117.42) | - | Hidden Cobra | High
154 | [46.174.117.44](https://vuldb.com/?ip.46.174.117.44) | - | Hidden Cobra | High
155 | [46.174.117.50](https://vuldb.com/?ip.46.174.117.50) | - | Hidden Cobra | High
156 | [46.174.117.61](https://vuldb.com/?ip.46.174.117.61) | - | Hidden Cobra | High
157 | [46.174.117.77](https://vuldb.com/?ip.46.174.117.77) | - | Hidden Cobra | High
158 | [46.174.117.80](https://vuldb.com/?ip.46.174.117.80) | - | Hidden Cobra | High
159 | [46.174.117.97](https://vuldb.com/?ip.46.174.117.97) | - | Hidden Cobra | High
160 | [46.174.117.98](https://vuldb.com/?ip.46.174.117.98) | - | Hidden Cobra | High
161 | [46.174.117.103](https://vuldb.com/?ip.46.174.117.103) | - | Hidden Cobra | High
162 | [46.174.117.116](https://vuldb.com/?ip.46.174.117.116) | - | Hidden Cobra | High
163 | [46.174.117.121](https://vuldb.com/?ip.46.174.117.121) | - | Hidden Cobra | High
164 | [46.174.117.129](https://vuldb.com/?ip.46.174.117.129) | - | Hidden Cobra | High
165 | [46.174.117.134](https://vuldb.com/?ip.46.174.117.134) | - | Hidden Cobra | High
166 | [46.174.117.153](https://vuldb.com/?ip.46.174.117.153) | - | Hidden Cobra | High
167 | [46.174.117.164](https://vuldb.com/?ip.46.174.117.164) | - | Hidden Cobra | High
168 | [46.218.127.110](https://vuldb.com/?ip.46.218.127.110) | reverse.completel.fr | Hidden Cobra | High
169 | [47.206.4.145](https://vuldb.com/?ip.47.206.4.145) | static-47-206-4-145.srst.fl.frontiernet.net | Hoplight | High
170 | [49.206.1.61](https://vuldb.com/?ip.49.206.1.61) | 49.206.1.61.actcorp.in | Hidden Cobra | High
171 | [49.247.9.177](https://vuldb.com/?ip.49.247.9.177) | - | - | High
172 | [50.62.168.157](https://vuldb.com/?ip.50.62.168.157) | p3nwvpweb145.shr.prod.phx3.secureserver.net | Fallchill | High
173 | [50.87.144.227](https://vuldb.com/?ip.50.87.144.227) | somethingaboutmarketing.com | - | High
174 | [51.235.1.216](https://vuldb.com/?ip.51.235.1.216) | - | Hidden Cobra | High
175 | [51.235.13.162](https://vuldb.com/?ip.51.235.13.162) | - | Hidden Cobra | High
176 | [51.235.17.133](https://vuldb.com/?ip.51.235.17.133) | - | Hidden Cobra | High
177 | [51.235.19.202](https://vuldb.com/?ip.51.235.19.202) | - | Hidden Cobra | High
178 | [51.235.33.226](https://vuldb.com/?ip.51.235.33.226) | - | Hidden Cobra | High
179 | [51.235.49.202](https://vuldb.com/?ip.51.235.49.202) | - | Hidden Cobra | High
180 | [52.79.118.195](https://vuldb.com/?ip.52.79.118.195) | ec2-52-79-118-195.ap-northeast-2.compute.amazonaws.com | Chemical Sector | Medium
181 | [54.64.30.175](https://vuldb.com/?ip.54.64.30.175) | vega.mh-tec.co.jp | - | High
182 | [58.82.155.98](https://vuldb.com/?ip.58.82.155.98) | 98.155.82.58.static-corp.jastel.co.th | Volgmer | High
183 | [58.185.197.210](https://vuldb.com/?ip.58.185.197.210) | - | Volgmer | High
184 | [59.8.194.228](https://vuldb.com/?ip.59.8.194.228) | - | - | High
185 | [59.90.93.97](https://vuldb.com/?ip.59.90.93.97) | static.bb.knl.59.90.93.97.bsnl.in | Typeframe | High
186 | ... | ... | ... | ...
67 | [13.88.245.250](https://vuldb.com/?ip.13.88.245.250) | - | - | High
68 | [14.102.46.3](https://vuldb.com/?ip.14.102.46.3) | - | Volgmer | High
69 | [14.139.125.214](https://vuldb.com/?ip.14.139.125.214) | - | Volgmer | High
70 | [14.140.123.179](https://vuldb.com/?ip.14.140.123.179) | 14.140.123.179.static-pune-vsnl.net.in | Hidden Cobra | High
71 | [14.141.27.100](https://vuldb.com/?ip.14.141.27.100) | 14.141.26.100.static-Mumbai.vsnl.net.in | Hidden Cobra | High
72 | [14.141.129.116](https://vuldb.com/?ip.14.141.129.116) | 14.141.129.116.static-Delhi.vsnl.net.in | Volgmer | High
73 | [14.149.149.211](https://vuldb.com/?ip.14.149.149.211) | - | Hidden Cobra | High
74 | [21.252.107.198](https://vuldb.com/?ip.21.252.107.198) | - | Hoplight | High
75 | [23.81.246.131](https://vuldb.com/?ip.23.81.246.131) | - | South Korea | High
76 | [23.152.0.232](https://vuldb.com/?ip.23.152.0.232) | betrp-basisto.seemband.com | - | High
77 | [26.165.218.44](https://vuldb.com/?ip.26.165.218.44) | - | Hoplight | High
78 | [27.96.110.130](https://vuldb.com/?ip.27.96.110.130) | 130.110.96.27.static.m1net.com.sg | Hidden Cobra | High
79 | [27.114.187.37](https://vuldb.com/?ip.27.114.187.37) | - | Volgmer | High
80 | [27.123.221.66](https://vuldb.com/?ip.27.123.221.66) | 66-221.fiber.net.id | Fallchill | High
81 | [27.125.35.229](https://vuldb.com/?ip.27.125.35.229) | - | Hidden Cobra | High
82 | [31.47.47.130](https://vuldb.com/?ip.31.47.47.130) | - | Hidden Cobra | High
83 | [31.54.73.156](https://vuldb.com/?ip.31.54.73.156) | host31-54-73-156.range31-54.btcentralplus.com | Hidden Cobra | High
84 | [31.54.74.176](https://vuldb.com/?ip.31.54.74.176) | host31-54-74-176.range31-54.btcentralplus.com | Hidden Cobra | High
85 | [31.146.82.22](https://vuldb.com/?ip.31.146.82.22) | 31-146-82-22.dsl.utg.ge | Volgmer | High
86 | [31.146.136.6](https://vuldb.com/?ip.31.146.136.6) | 31-146-136-6.dsl.utg.ge | Hidden Cobra | High
87 | [31.168.203.44](https://vuldb.com/?ip.31.168.203.44) | bzq-203-168-31-44.red.bezeqint.net | Hidden Cobra | High
88 | [36.71.90.4](https://vuldb.com/?ip.36.71.90.4) | - | Fallchill | High
89 | [37.34.240.177](https://vuldb.com/?ip.37.34.240.177) | - | Hidden Cobra | High
90 | [37.48.106.69](https://vuldb.com/?ip.37.48.106.69) | high-convey.blockother.com | Hidden Cobra | High
91 | [37.71.50.2](https://vuldb.com/?ip.37.71.50.2) | 2.50.71.37.rev.sfr.net | Hidden Cobra | High
92 | [37.75.0.98](https://vuldb.com/?ip.37.75.0.98) | - | Hidden Cobra | High
93 | [37.75.2.203](https://vuldb.com/?ip.37.75.2.203) | - | Hidden Cobra | High
94 | [37.75.10.194](https://vuldb.com/?ip.37.75.10.194) | mail.kplus.com.tr | Hidden Cobra | High
95 | [37.75.11.162](https://vuldb.com/?ip.37.75.11.162) | 37-75-11-162.rdns.saglayici.net | Hidden Cobra | High
96 | [37.98.114.90](https://vuldb.com/?ip.37.98.114.90) | 90.mobinnet.net | Volgmer | High
97 | [37.104.24.220](https://vuldb.com/?ip.37.104.24.220) | - | Hidden Cobra | High
98 | [37.104.50.144](https://vuldb.com/?ip.37.104.50.144) | - | Hidden Cobra | High
99 | [37.104.67.33](https://vuldb.com/?ip.37.104.67.33) | - | Hidden Cobra | High
100 | [37.105.234.200](https://vuldb.com/?ip.37.105.234.200) | - | Hidden Cobra | High
101 | [37.106.115.3](https://vuldb.com/?ip.37.106.115.3) | - | Hidden Cobra | High
102 | [37.143.29.10](https://vuldb.com/?ip.37.143.29.10) | - | Hidden Cobra | High
103 | [37.148.209.156](https://vuldb.com/?ip.37.148.209.156) | 37-148-209-156.cizgi.net.tr | Hidden Cobra | High
104 | [37.216.67.155](https://vuldb.com/?ip.37.216.67.155) | - | Volgmer | High
105 | [37.216.213.70](https://vuldb.com/?ip.37.216.213.70) | - | Hidden Cobra | High
106 | [37.235.21.166](https://vuldb.com/?ip.37.235.21.166) | - | Volgmer | High
107 | [37.238.135.70](https://vuldb.com/?ip.37.238.135.70) | - | - | High
108 | [38.132.124.161](https://vuldb.com/?ip.38.132.124.161) | - | TraderTraitor | High
109 | [41.57.108.68](https://vuldb.com/?ip.41.57.108.68) | - | Hidden Cobra | High
110 | [41.67.136.38](https://vuldb.com/?ip.41.67.136.38) | netcomafrica.com | Hidden Cobra | High
111 | [41.67.136.39](https://vuldb.com/?ip.41.67.136.39) | netcomafrica.com | Hidden Cobra | High
112 | [41.72.99.5](https://vuldb.com/?ip.41.72.99.5) | - | Hidden Cobra | High
113 | [41.72.101.138](https://vuldb.com/?ip.41.72.101.138) | - | Hidden Cobra | High
114 | [41.74.166.253](https://vuldb.com/?ip.41.74.166.253) | - | Hidden Cobra | High
115 | [41.92.208.194](https://vuldb.com/?ip.41.92.208.194) | - | Fallchill | High
116 | [41.92.208.196](https://vuldb.com/?ip.41.92.208.196) | - | Fallchill | High
117 | [41.92.208.197](https://vuldb.com/?ip.41.92.208.197) | - | Fallchill | High
118 | [41.110.179.197](https://vuldb.com/?ip.41.110.179.197) | - | Hidden Cobra | High
119 | [41.128.226.60](https://vuldb.com/?ip.41.128.226.60) | - | Hidden Cobra | High
120 | [41.131.49.228](https://vuldb.com/?ip.41.131.49.228) | host-41-131-49-228.static.link.com.eg | Hidden Cobra | High
121 | [41.131.164.156](https://vuldb.com/?ip.41.131.164.156) | - | Hidden Cobra | High
122 | [41.134.208.234](https://vuldb.com/?ip.41.134.208.234) | 41-134-208-234.dsl.mweb.co.za | Hidden Cobra | High
123 | [41.182.252.56](https://vuldb.com/?ip.41.182.252.56) | ADSL-41-182-252-56.ipb.na | Hidden Cobra | High
124 | [41.205.139.34](https://vuldb.com/?ip.41.205.139.34) | ADSL-41-205-139-34.ipb.na | Hidden Cobra | High
125 | [41.208.106.68](https://vuldb.com/?ip.41.208.106.68) | owa.altaqnya.com.ly | Hidden Cobra | High
126 | [41.208.106.70](https://vuldb.com/?ip.41.208.106.70) | dc1.Mail.dsmhlc.ly | Hidden Cobra | High
127 | [41.215.250.40](https://vuldb.com/?ip.41.215.250.40) | - | Hidden Cobra | High
128 | [41.223.30.20](https://vuldb.com/?ip.41.223.30.20) | host30-20.creolink.com | Hidden Cobra | High
129 | [41.224.254.90](https://vuldb.com/?ip.41.224.254.90) | - | Hidden Cobra | High
130 | [43.249.216.6](https://vuldb.com/?ip.43.249.216.6) | - | Volgmer | High
131 | [45.33.2.79](https://vuldb.com/?ip.45.33.2.79) | li956-79.members.linode.com | AppleJeus | High
132 | [45.33.23.183](https://vuldb.com/?ip.45.33.23.183) | li977-183.members.linode.com | AppleJeus | High
133 | [45.56.79.23](https://vuldb.com/?ip.45.56.79.23) | li929-23.members.linode.com | AppleJeus | High
134 | [45.79.19.196](https://vuldb.com/?ip.45.79.19.196) | li1118-196.members.linode.com | AppleJeus | High
135 | [45.118.34.215](https://vuldb.com/?ip.45.118.34.215) | - | Volgmer | High
136 | [45.120.61.145](https://vuldb.com/?ip.45.120.61.145) | - | Hidden Cobra | High
137 | [45.124.169.36](https://vuldb.com/?ip.45.124.169.36) | - | Volgmer | High
138 | [45.199.63.220](https://vuldb.com/?ip.45.199.63.220) | - | AppleJeus | High
139 | [46.16.62.238](https://vuldb.com/?ip.46.16.62.238) | fnadh-35.srv.cat | TraderTraitor | High
140 | [46.19.101.186](https://vuldb.com/?ip.46.19.101.186) | ip-46-19-101-186.gnc.net | Hidden Cobra | High
141 | [46.21.147.161](https://vuldb.com/?ip.46.21.147.161) | 46-21-147-161.static.hvvc.us | - | High
142 | [46.52.131.102](https://vuldb.com/?ip.46.52.131.102) | - | Hidden Cobra | High
143 | [46.121.242.180](https://vuldb.com/?ip.46.121.242.180) | 46-121-242-180.static.012.net.il | Hidden Cobra | High
144 | [46.174.116.60](https://vuldb.com/?ip.46.174.116.60) | - | Hidden Cobra | High
145 | [46.174.116.87](https://vuldb.com/?ip.46.174.116.87) | - | Hidden Cobra | High
146 | [46.174.116.90](https://vuldb.com/?ip.46.174.116.90) | - | Hidden Cobra | High
147 | [46.174.116.99](https://vuldb.com/?ip.46.174.116.99) | - | Hidden Cobra | High
148 | [46.174.116.221](https://vuldb.com/?ip.46.174.116.221) | - | Hidden Cobra | High
149 | [46.174.116.231](https://vuldb.com/?ip.46.174.116.231) | - | Hidden Cobra | High
150 | [46.174.116.234](https://vuldb.com/?ip.46.174.116.234) | - | Hidden Cobra | High
151 | [46.174.117.15](https://vuldb.com/?ip.46.174.117.15) | - | Hidden Cobra | High
152 | [46.174.117.32](https://vuldb.com/?ip.46.174.117.32) | - | Hidden Cobra | High
153 | [46.174.117.36](https://vuldb.com/?ip.46.174.117.36) | - | Hidden Cobra | High
154 | [46.174.117.42](https://vuldb.com/?ip.46.174.117.42) | - | Hidden Cobra | High
155 | [46.174.117.44](https://vuldb.com/?ip.46.174.117.44) | - | Hidden Cobra | High
156 | [46.174.117.50](https://vuldb.com/?ip.46.174.117.50) | - | Hidden Cobra | High
157 | [46.174.117.61](https://vuldb.com/?ip.46.174.117.61) | - | Hidden Cobra | High
158 | [46.174.117.77](https://vuldb.com/?ip.46.174.117.77) | - | Hidden Cobra | High
159 | [46.174.117.80](https://vuldb.com/?ip.46.174.117.80) | - | Hidden Cobra | High
160 | [46.174.117.97](https://vuldb.com/?ip.46.174.117.97) | - | Hidden Cobra | High
161 | [46.174.117.98](https://vuldb.com/?ip.46.174.117.98) | - | Hidden Cobra | High
162 | [46.174.117.103](https://vuldb.com/?ip.46.174.117.103) | - | Hidden Cobra | High
163 | [46.174.117.116](https://vuldb.com/?ip.46.174.117.116) | - | Hidden Cobra | High
164 | [46.174.117.121](https://vuldb.com/?ip.46.174.117.121) | - | Hidden Cobra | High
165 | [46.174.117.129](https://vuldb.com/?ip.46.174.117.129) | - | Hidden Cobra | High
166 | [46.174.117.134](https://vuldb.com/?ip.46.174.117.134) | - | Hidden Cobra | High
167 | [46.174.117.153](https://vuldb.com/?ip.46.174.117.153) | - | Hidden Cobra | High
168 | [46.174.117.164](https://vuldb.com/?ip.46.174.117.164) | - | Hidden Cobra | High
169 | [46.218.127.110](https://vuldb.com/?ip.46.218.127.110) | reverse.completel.fr | Hidden Cobra | High
170 | [47.206.4.145](https://vuldb.com/?ip.47.206.4.145) | static-47-206-4-145.srst.fl.frontiernet.net | Hoplight | High
171 | [49.206.1.61](https://vuldb.com/?ip.49.206.1.61) | 49.206.1.61.actcorp.in | Hidden Cobra | High
172 | [49.247.9.177](https://vuldb.com/?ip.49.247.9.177) | - | - | High
173 | [50.62.168.157](https://vuldb.com/?ip.50.62.168.157) | p3nwvpweb145.shr.prod.phx3.secureserver.net | Fallchill | High
174 | [50.87.144.227](https://vuldb.com/?ip.50.87.144.227) | somethingaboutmarketing.com | - | High
175 | [51.235.1.216](https://vuldb.com/?ip.51.235.1.216) | - | Hidden Cobra | High
176 | [51.235.13.162](https://vuldb.com/?ip.51.235.13.162) | - | Hidden Cobra | High
177 | [51.235.17.133](https://vuldb.com/?ip.51.235.17.133) | - | Hidden Cobra | High
178 | [51.235.19.202](https://vuldb.com/?ip.51.235.19.202) | - | Hidden Cobra | High
179 | [51.235.33.226](https://vuldb.com/?ip.51.235.33.226) | - | Hidden Cobra | High
180 | [51.235.49.202](https://vuldb.com/?ip.51.235.49.202) | - | Hidden Cobra | High
181 | [52.79.118.195](https://vuldb.com/?ip.52.79.118.195) | ec2-52-79-118-195.ap-northeast-2.compute.amazonaws.com | Chemical Sector | Medium
182 | [54.64.30.175](https://vuldb.com/?ip.54.64.30.175) | vega.mh-tec.co.jp | - | High
183 | [58.82.155.98](https://vuldb.com/?ip.58.82.155.98) | 98.155.82.58.static-corp.jastel.co.th | Volgmer | High
184 | [58.185.197.210](https://vuldb.com/?ip.58.185.197.210) | - | Volgmer | High
185 | [59.8.194.228](https://vuldb.com/?ip.59.8.194.228) | - | - | High
186 | [59.90.93.97](https://vuldb.com/?ip.59.90.93.97) | static.bb.knl.59.90.93.97.bsnl.in | Typeframe | High
187 | ... | ... | ... | ...
There are 741 more IOC items available. Please use our online service to access the data.
There are 742 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -228,10 +226,10 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79 | Cross Site Scripting | High
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 17 more TTP items available. Please use our online service to access the data.
@ -242,26 +240,23 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/addNotifyServlet` | High
2 | File | `/admin/js` | Medium
3 | File | `/api/plugin/uninstall` | High
4 | File | `/api/plugin/upload` | High
5 | File | `/cgi-bin/ExportAllSettings.sh` | High
6 | File | `/etc/init.d/sshd_service` | High
7 | File | `/etc/tomcat8/Catalina/attack` | High
8 | File | `/index.php/?p=report` | High
9 | File | `/index.php?r=site%2Fsignup` | High
10 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
11 | File | `/nav_bar_action.php` | High
12 | File | `/ossn/administrator/com_installer` | High
13 | ... | ... | ...
1 | File | `/edituser.php` | High
2 | File | `/pages/permit/permit.php` | High
3 | File | `/php_action/createUser.php` | High
4 | File | `/products/view_product.php` | High
5 | File | `/sistema/flash/reboot` | High
6 | File | `/src/video/x11/SDL_x11yuv.c` | High
7 | File | `/wp-admin/admin-ajax.php` | High
8 | ... | ... | ...
There are 98 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 56 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/189/lazarus-apt-iocs/
* https://1275.ru/ioc/237/lazarus-apt-iocs-part-2/
* https://asec.ahnlab.com/en/33801/
* https://asec.ahnlab.com/en/34461/
* https://github.com/blackorbird/APT_REPORT/tree/master/lazarus

26
actors/LinuxMoose/README.md
View File

@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [CN](https://vuldb.com/?country.cn)
* ...
There are 12 more country items available. Please use our online service to access the data.
There are 11 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -74,20 +74,20 @@ ID | Type | Indicator | Confidence
14 | File | `/fuel/index.php/fuel/logs/items` | High
15 | File | `/fuel/sitevariables/delete/4` | High
16 | File | `/hprms/admin/doctors/manage_doctor.php` | High
17 | File | `/include/chart_generator.php` | High
18 | File | `/index/jobfairol/show/` | High
19 | File | `/librarian/bookdetails.php` | High
20 | File | `/mgmt/tm/util/bash` | High
21 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
22 | File | `/plugin/LiveChat/getChat.json.php` | High
23 | File | `/proc/<PID>/mem` | High
24 | File | `/public/plugins/` | High
25 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
26 | File | `/secure/QueryComponent!Default.jspa` | High
27 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
17 | File | `/index/jobfairol/show/` | High
18 | File | `/librarian/bookdetails.php` | High
19 | File | `/mgmt/tm/util/bash` | High
20 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
21 | File | `/plugin/LiveChat/getChat.json.php` | High
22 | File | `/proc/<PID>/mem` | High
23 | File | `/public/plugins/` | High
24 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
25 | File | `/simple_chat_bot/admin/?page=user/manage_user` | High
26 | File | `/tmp` | Low
27 | File | `/tmp/zarafa-vacation-*` | High
28 | ... | ... | ...
There are 234 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 236 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

70
actors/LokiLocker/README.md Normal file
View File

@ -0,0 +1,70 @@
# LokiLocker - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [LokiLocker](https://vuldb.com/?actor.lokilocker). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.lokilocker](https://vuldb.com/?actor.lokilocker)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LokiLocker:
* [CO](https://vuldb.com/?country.co)
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of LokiLocker.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [91.223.82.6](https://vuldb.com/?ip.91.223.82.6) | pink.warez-host.com | - | High
2 | [194.226.139.3](https://vuldb.com/?ip.194.226.139.3) | - | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _LokiLocker_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1059 | CWE-94 | Cross Site Scripting | High
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
4 | ... | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by LokiLocker. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/Tools/tools_admin.htm` | High
2 | File | `adm/krgourl.php` | High
3 | File | `admin.php` | Medium
4 | File | `administers` | Medium
5 | File | `catchsegv` | Medium
6 | File | `classified.php` | High
7 | File | `coders/mat.c` | Medium
8 | File | `default.asp` | Medium
9 | File | `drivers/char/lp.c` | High
10 | ... | ... | ...
There are 73 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/42/lokilocker-ransomware-ioc/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

14
actors/MATA/README.md
View File

@ -52,15 +52,15 @@ ID | Type | Indicator | Confidence
2 | File | `/forum/away.php` | High
3 | File | `/out.php` | Medium
4 | File | `/phppath/php` | Medium
5 | File | `/systemrw/` | Medium
6 | File | `adclick.php` | Medium
7 | File | `application/modules/admin/views/ecommerce/products.php` | High
8 | File | `base/ErrorHandler.php` | High
9 | File | `blog.php` | Medium
10 | File | `category.php` | Medium
5 | File | `/spip.php` | Medium
6 | File | `/systemrw/` | Medium
7 | File | `adclick.php` | Medium
8 | File | `application/modules/admin/views/ecommerce/products.php` | High
9 | File | `base/ErrorHandler.php` | High
10 | File | `blog.php` | Medium
11 | ... | ... | ...
There are 80 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 88 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

66
actors/Magniber/README.md Normal file
View File

@ -0,0 +1,66 @@
# Magniber - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Magniber](https://vuldb.com/?actor.magniber). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.magniber](https://vuldb.com/?actor.magniber)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Magniber:
* [US](https://vuldb.com/?country.us)
* [IR](https://vuldb.com/?country.ir)
* [TR](https://vuldb.com/?country.tr)
* ...
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Magniber.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [92.222.121.30](https://vuldb.com/?ip.92.222.121.30) | ip30.ip-92-222-121.eu | - | High
2 | [94.23.165.192](https://vuldb.com/?ip.94.23.165.192) | ip192.ip-94-23-165.eu | - | High
3 | [149.202.112.72](https://vuldb.com/?ip.149.202.112.72) | ip72.ip-149-202-112.eu | - | High
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Magniber_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1202 | CWE-78 | Command Injection | High
2 | T1505 | CWE-89 | SQL Injection | High
3 | T1592 | CWE-200 | Configuration | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Magniber. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `data/gbconfiguration.dat` | High
2 | File | `shopprojectlogin.asp` | High
3 | Argument | `strpemail` | Medium
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/163/magniber-ransomware-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

35
actors/MakeMoney/README.md Normal file
View File

@ -0,0 +1,35 @@
# MakeMoney - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [MakeMoney](https://vuldb.com/?actor.makemoney). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.makemoney](https://vuldb.com/?actor.makemoney)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of MakeMoney.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [185.215.113.121](https://vuldb.com/?ip.185.215.113.121) | - | - | High
2 | [185.220.33.3](https://vuldb.com/?ip.185.220.33.3) | vps23002.vpsville.ru | - | High
3 | [185.220.35.26](https://vuldb.com/?ip.185.220.35.26) | vps09026.vpsville.ru | - | High
4 | ... | ... | ... | ...
There are 3 more IOC items available. Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/333/makemoney-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

30
actors/Manjusaka/README.md Normal file
View File

@ -0,0 +1,30 @@
# Manjusaka - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Manjusaka](https://vuldb.com/?actor.manjusaka). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.manjusaka](https://vuldb.com/?actor.manjusaka)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Manjusaka.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [39.104.90.45](https://vuldb.com/?ip.39.104.90.45) | - | - | High
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

37
actors/Matanbuchus/README.md
View File

@ -4,12 +4,22 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.matanbuchus](https://vuldb.com/?actor.matanbuchus)
## Campaigns
The following _campaigns_ are known and can be associated with Matanbuchus:
* Cobalt Strike
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Matanbuchus:
* [US](https://vuldb.com/?country.us)
* [TT](https://vuldb.com/?country.tt)
* [CO](https://vuldb.com/?country.co)
* [IT](https://vuldb.com/?country.it)
* ...
There are 5 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -17,7 +27,12 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [213.226.114.15](https://vuldb.com/?ip.213.226.114.15) | - | - | High
1 | [44.208.127.245](https://vuldb.com/?ip.44.208.127.245) | ec2-44-208-127-245.compute-1.amazonaws.com | Cobalt Strike | Medium
2 | [185.217.1.23](https://vuldb.com/?ip.185.217.1.23) | - | Cobalt Strike | High
3 | [190.123.44.220](https://vuldb.com/?ip.190.123.44.220) | - | Cobalt Strike | High
4 | ... | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -25,12 +40,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
3 | T1548.002 | CWE-285 | Improper Authorization | High
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1059 | CWE-94 | Cross Site Scripting | High
3 | T1059.007 | CWE-79 | Cross Site Scripting | High
4 | ... | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -38,14 +53,18 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `AdminBaseController.class.php` | High
2 | File | `include/ajax.draft.php` | High
3 | Argument | `request` | Low
1 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
2 | File | `/etc/shadow` | Medium
3 | File | `/uncpath/` | Medium
4 | ... | ... | ...
There are 19 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://circleid.com/posts/20220721-matanbuchus-with-cobalt-strike-not-your-favorite-combo
* https://github.com/executemalware/Malware-IOCs/blob/main/2022-06-16%20Matanbuchus%20IOCs
## Literature

65
actors/MedusaLocker/README.md
View File

@ -9,7 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with MedusaLocker:
* [US](https://vuldb.com/?country.us)
* [DE](https://vuldb.com/?country.de)
* [PT](https://vuldb.com/?country.pt)
* [RU](https://vuldb.com/?country.ru)
* ...
There are 11 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -32,14 +36,14 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-425 | Pathname Traversal | High
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...
There are 22 more TTP items available. Please use our online service to access the data.
There are 21 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -47,39 +51,28 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/action/import_https_cert_file/` | High
2 | File | `/action/remove/` | High
3 | File | `/admin/featured.php` | High
4 | File | `/admin/scheprofile.cgi` | High
5 | File | `/admin/showbad.php` | High
6 | File | `/admin/ztliuyan_sendmail.php` | High
7 | File | `/ajax/config_rollback/` | High
8 | File | `/alarm_pi/alarmService.php` | High
9 | File | `/cgi-bin/webproc` | High
10 | File | `/ci_hms/massage_room/edit/1` | High
11 | File | `/ci_hms/search` | High
12 | File | `/company` | Medium
13 | File | `/company/service/increment/add/im` | High
14 | File | `/dashboard/blocks/stacks/view_details/` | High
15 | File | `/dashboard/reports/logs/view` | High
16 | File | `/dashboard/snapshot/*?orgId=0` | High
17 | File | `/dashboard/system/express/entities/forms/save_control/[GUID]` | High
18 | File | `/dl/dl_sendmail.php` | High
19 | File | `/dl/dl_sendsms.php` | High
20 | File | `/home/campus/campus_job` | High
21 | File | `/home/job/index` | High
22 | File | `/IISADMPWD` | Medium
23 | File | `/images/background/1.php` | High
24 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
25 | File | `/job` | Low
26 | File | `/linkedcontent/editfolder.php` | High
27 | File | `/loginsave.php` | High
28 | File | `/mobilebroker/ServiceToBroker.svc/Json/Connect` | High
29 | File | `/modules/mindmap/index.php` | High
30 | File | `/odfs/posts/view_post.php` | High
31 | ... | ... | ...
1 | File | `.python-version` | High
2 | File | `/ajax/remove_sniffer_raw_log/` | High
3 | File | `/api/sys_username_passwd.cmd` | High
4 | File | `/auth/callback` | High
5 | File | `/bin/posix/src/ports/POSIX/OpENer` | High
6 | File | `/bmis/pages/resident/resident.php` | High
7 | File | `/cgi-bin/mesh.cgi?page=upgrade` | High
8 | File | `/cgi-bin/nightled.cgi` | High
9 | File | `/cgi-bin/nobody` | High
10 | File | `/ci_spms/admin/category` | High
11 | File | `/conf/` | Low
12 | File | `/dashboard/menu-list.php` | High
13 | File | `/dashboard/profile.php` | High
14 | File | `/dashboard/table-list.php` | High
15 | File | `/dev/pts/` | Medium
16 | File | `/doping.asp` | Medium
17 | File | `/dotrace.asp` | Medium
18 | File | `/editbrand.php` | High
19 | File | `/etc/lighttpd.d/ca.pem` | High
20 | ... | ... | ...
There are 259 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 167 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

42
actors/Middle East Unknown/README.md
View File

@ -9,11 +9,11 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Middle East Unknown:
* [ES](https://vuldb.com/?country.es)
* [IT](https://vuldb.com/?country.it)
* [PT](https://vuldb.com/?country.pt)
* [AR](https://vuldb.com/?country.ar)
* ...
There are 8 more country items available. Please use our online service to access the data.
There are 7 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -47,8 +47,8 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
@ -75,7 +75,7 @@ ID | Type | Indicator | Confidence
11 | File | `/admin/scheprofile.cgi` | High
12 | File | `/admin/vca/license/license_tok.cgi` | High
13 | File | `/AJAX/ajaxget` | High
14 | File | `/base/SysEveMenuAuthPointMapper.xml` | High
14 | File | `/api/plugin/uninstall` | High
15 | File | `/bcms/admin/courts/manage_court.php` | High
16 | File | `/bcms/classes/Master.php?f=save_court_rental` | High
17 | File | `/car-rental-management-system/admin/manage_booking.php` | High
@ -84,20 +84,26 @@ ID | Type | Indicator | Confidence
20 | File | `/cgi-bin/readfile.tcl` | High
21 | File | `/cgi-bin/touchlist_sync.cgi` | High
22 | File | `/classes/Users.php?f=save` | High
23 | File | `/cms/classes/Master.php?f=delete_client` | High
24 | File | `/config` | Low
25 | File | `/defaultui/player/modern.html` | High
26 | File | `/ffos/admin/categories/manage_category.php` | High
27 | File | `/ffos/admin/menus/view_menu.php` | High
28 | File | `/gaia-job-admin/user/add` | High
29 | File | `/goform/aspForm` | High
30 | File | `/goform/setNetworkLan` | High
31 | File | `/goform/SetSysTimeCfg` | High
32 | File | `/html/Solar_Ftp.php` | High
33 | File | `/isms/admin/stocks/view_stock.php` | High
34 | ... | ... | ...
23 | File | `/defaultui/player/modern.html` | High
24 | File | `/etc/quagga` | Medium
25 | File | `/ffos/admin/categories/manage_category.php` | High
26 | File | `/ffos/admin/menus/view_menu.php` | High
27 | File | `/gaia-job-admin/user/add` | High
28 | File | `/goform/aspForm` | High
29 | File | `/includes/db_connect.php` | High
30 | File | `/isms/admin/stocks/view_stock.php` | High
31 | File | `/lists/admin/` | High
32 | File | `/login.php` | Medium
33 | File | `/orrs/admin/trains/manage_train.php` | High
34 | File | `/otps/classes/Master.php?f=delete_team` | High
35 | File | `/pages/permit/permit.php` | High
36 | File | `/pdfalto/src/pdfalto.cc` | High
37 | File | `/pms/admin/crimes/manage_crime.php` | High
38 | File | `/psrs/admin/?page=products/manage_product` | High
39 | File | `/roomtype-details.php` | High
40 | ... | ... | ...
There are 286 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 343 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

281
actors/Mirai/README.md
View File

@ -21,7 +21,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [CN](https://vuldb.com/?country.cn)
* ...
There are 1 more country items available. Please use our online service to access the data.
There are 2 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -29,116 +29,138 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [1.69.18.104](https://vuldb.com/?ip.1.69.18.104) | - | - | High
2 | [1.246.222.93](https://vuldb.com/?ip.1.246.222.93) | - | - | High
3 | [1.246.223.83](https://vuldb.com/?ip.1.246.223.83) | - | - | High
4 | [2.21.153.176](https://vuldb.com/?ip.2.21.153.176) | a2-21-153-176.deploy.static.akamaitechnologies.com | - | High
5 | [2.56.56.78](https://vuldb.com/?ip.2.56.56.78) | - | - | High
6 | [2.56.57.167](https://vuldb.com/?ip.2.56.57.167) | - | - | High
7 | [2.56.57.187](https://vuldb.com/?ip.2.56.57.187) | - | - | High
8 | [2.56.57.238](https://vuldb.com/?ip.2.56.57.238) | - | - | High
9 | [2.56.59.10](https://vuldb.com/?ip.2.56.59.10) | - | - | High
10 | [2.56.59.58](https://vuldb.com/?ip.2.56.59.58) | - | - | High
11 | [2.56.59.83](https://vuldb.com/?ip.2.56.59.83) | - | - | High
12 | [2.56.59.176](https://vuldb.com/?ip.2.56.59.176) | - | - | High
13 | [2.56.59.225](https://vuldb.com/?ip.2.56.59.225) | - | - | High
14 | [2.58.149.17](https://vuldb.com/?ip.2.58.149.17) | - | - | High
15 | [2.58.149.116](https://vuldb.com/?ip.2.58.149.116) | - | - | High
16 | [2.58.149.186](https://vuldb.com/?ip.2.58.149.186) | - | - | High
17 | [2.239.84.105](https://vuldb.com/?ip.2.239.84.105) | 2-239-84-105.ip248.fastwebnet.it | - | High
18 | [5.2.69.50](https://vuldb.com/?ip.5.2.69.50) | - | - | High
19 | [5.2.75.132](https://vuldb.com/?ip.5.2.75.132) | - | - | High
20 | [5.61.50.236](https://vuldb.com/?ip.5.61.50.236) | mail.novonet.org | - | High
21 | [5.181.80.103](https://vuldb.com/?ip.5.181.80.103) | ip-80-103-bullethost.net | - | High
22 | [5.182.210.145](https://vuldb.com/?ip.5.182.210.145) | - | - | High
23 | [5.182.211.5](https://vuldb.com/?ip.5.182.211.5) | - | - | High
24 | [5.188.76.60](https://vuldb.com/?ip.5.188.76.60) | - | - | High
25 | [12.203.33.13](https://vuldb.com/?ip.12.203.33.13) | - | - | High
26 | [13.70.188.178](https://vuldb.com/?ip.13.70.188.178) | - | - | High
27 | [14.42.109.60](https://vuldb.com/?ip.14.42.109.60) | - | - | High
28 | [14.198.46.139](https://vuldb.com/?ip.14.198.46.139) | 014198046139.ctinets.com | - | High
29 | [15.185.242.46](https://vuldb.com/?ip.15.185.242.46) | ec2-15-185-242-46.me-south-1.compute.amazonaws.com | - | Medium
30 | [15.204.7.101](https://vuldb.com/?ip.15.204.7.101) | ip101.ip-15-204-7.us | - | High
31 | [18.172.150.9](https://vuldb.com/?ip.18.172.150.9) | server-18-172-150-9.lhr50.r.cloudfront.net | - | High
32 | [18.184.201.19](https://vuldb.com/?ip.18.184.201.19) | ec2-18-184-201-19.eu-central-1.compute.amazonaws.com | - | Medium
33 | [18.210.126.40](https://vuldb.com/?ip.18.210.126.40) | ec2-18-210-126-40.compute-1.amazonaws.com | - | Medium
34 | [18.253.232.0](https://vuldb.com/?ip.18.253.232.0) | ec2-18-253-232-0.us-gov-east-1.compute.amazonaws.com | - | Medium
35 | [20.205.9.191](https://vuldb.com/?ip.20.205.9.191) | - | - | High
36 | [23.34.155.162](https://vuldb.com/?ip.23.34.155.162) | a23-34-155-162.deploy.static.akamaitechnologies.com | - | High
37 | [23.48.162.198](https://vuldb.com/?ip.23.48.162.198) | a23-48-162-198.deploy.static.akamaitechnologies.com | - | High
38 | [23.72.35.209](https://vuldb.com/?ip.23.72.35.209) | a23-72-35-209.deploy.static.akamaitechnologies.com | - | High
39 | [23.94.28.76](https://vuldb.com/?ip.23.94.28.76) | 23-94-28-76-host.colocrossing.com | - | High
40 | [23.94.36.134](https://vuldb.com/?ip.23.94.36.134) | 23-94-36-134-host.colocrossing.com | - | High
41 | [23.94.50.159](https://vuldb.com/?ip.23.94.50.159) | 23-94-50-159-host.colocrossing.com | - | High
42 | [23.96.101.205](https://vuldb.com/?ip.23.96.101.205) | - | - | High
43 | [23.128.248.12](https://vuldb.com/?ip.23.128.248.12) | tor-exit03.stormycloud.org | - | High
44 | [23.128.248.24](https://vuldb.com/?ip.23.128.248.24) | tor-exit15.stormycloud.org | - | High
45 | [23.160.193.123](https://vuldb.com/?ip.23.160.193.123) | unknown.ip-xfer.net | - | High
46 | [23.195.45.48](https://vuldb.com/?ip.23.195.45.48) | a23-195-45-48.deploy.static.akamaitechnologies.com | - | High
47 | [23.197.224.108](https://vuldb.com/?ip.23.197.224.108) | a23-197-224-108.deploy.static.akamaitechnologies.com | - | High
48 | [23.204.208.68](https://vuldb.com/?ip.23.204.208.68) | a23-204-208-68.deploy.static.akamaitechnologies.com | - | High
49 | [23.211.7.69](https://vuldb.com/?ip.23.211.7.69) | a23-211-7-69.deploy.static.akamaitechnologies.com | - | High
50 | [23.227.146.106](https://vuldb.com/?ip.23.227.146.106) | - | - | High
51 | [23.254.247.214](https://vuldb.com/?ip.23.254.247.214) | hwsrv-840463.hostwindsdns.com | - | High
52 | [24.123.252.154](https://vuldb.com/?ip.24.123.252.154) | rrcs-24-123-252-154.central.biz.rr.com | - | High
53 | [27.37.239.164](https://vuldb.com/?ip.27.37.239.164) | - | - | High
54 | [27.50.57.147](https://vuldb.com/?ip.27.50.57.147) | - | - | High
55 | [27.105.131.171](https://vuldb.com/?ip.27.105.131.171) | 27-105-131-171-FIX-TXG.dynamic.so-net.net.tw | - | High
56 | [31.7.58.162](https://vuldb.com/?ip.31.7.58.162) | r | - | High
57 | [31.44.185.235](https://vuldb.com/?ip.31.44.185.235) | - | - | High
58 | [31.210.20.111](https://vuldb.com/?ip.31.210.20.111) | - | - | High
59 | [31.220.43.69](https://vuldb.com/?ip.31.220.43.69) | - | - | High
60 | [34.80.131.135](https://vuldb.com/?ip.34.80.131.135) | 135.131.80.34.bc.googleusercontent.com | - | Medium
61 | [35.80.216.15](https://vuldb.com/?ip.35.80.216.15) | ec2-35-80-216-15.us-west-2.compute.amazonaws.com | - | Medium
62 | [35.85.181.9](https://vuldb.com/?ip.35.85.181.9) | ec2-35-85-181-9.us-west-2.compute.amazonaws.com | - | Medium
63 | [35.166.106.142](https://vuldb.com/?ip.35.166.106.142) | ec2-35-166-106-142.us-west-2.compute.amazonaws.com | - | Medium
64 | [35.225.213.190](https://vuldb.com/?ip.35.225.213.190) | 190.213.225.35.bc.googleusercontent.com | - | Medium
65 | [36.79.62.31](https://vuldb.com/?ip.36.79.62.31) | - | - | High
66 | [36.89.18.133](https://vuldb.com/?ip.36.89.18.133) | - | - | High
67 | [37.0.8.11](https://vuldb.com/?ip.37.0.8.11) | - | - | High
68 | [37.0.8.85](https://vuldb.com/?ip.37.0.8.85) | - | - | High
69 | [37.0.8.111](https://vuldb.com/?ip.37.0.8.111) | - | - | High
70 | [37.0.8.123](https://vuldb.com/?ip.37.0.8.123) | - | - | High
71 | [37.0.8.157](https://vuldb.com/?ip.37.0.8.157) | - | - | High
72 | [37.0.8.158](https://vuldb.com/?ip.37.0.8.158) | - | - | High
73 | [37.0.11.130](https://vuldb.com/?ip.37.0.11.130) | - | - | High
74 | [37.49.230.128](https://vuldb.com/?ip.37.49.230.128) | - | - | High
75 | [37.139.11.231](https://vuldb.com/?ip.37.139.11.231) | - | - | High
76 | [37.187.18.212](https://vuldb.com/?ip.37.187.18.212) | ns3110317.ip-37-187-18.eu | - | High
77 | [37.187.143.65](https://vuldb.com/?ip.37.187.143.65) | ns414234.ip-37-187-143.eu | - | High
78 | [37.187.255.93](https://vuldb.com/?ip.37.187.255.93) | ns373958.ip-37-187-255.eu | - | High
79 | [37.252.96.62](https://vuldb.com/?ip.37.252.96.62) | foxman.net | - | High
80 | [38.7.64.166](https://vuldb.com/?ip.38.7.64.166) | - | - | High
81 | [38.54.16.10](https://vuldb.com/?ip.38.54.16.10) | - | - | High
82 | [38.54.208.217](https://vuldb.com/?ip.38.54.208.217) | - | - | High
83 | [38.55.219.137](https://vuldb.com/?ip.38.55.219.137) | - | - | High
84 | [40.90.250.107](https://vuldb.com/?ip.40.90.250.107) | - | - | High
85 | [40.140.15.8](https://vuldb.com/?ip.40.140.15.8) | h8.15.140.40.ip.windstream.net | - | High
86 | [41.143.56.7](https://vuldb.com/?ip.41.143.56.7) | - | - | High
87 | [41.215.220.238](https://vuldb.com/?ip.41.215.220.238) | bl2.41.215.220.238.dynamic.dsl.cvmultimedia.cv | - | High
88 | [41.216.189.11](https://vuldb.com/?ip.41.216.189.11) | - | - | High
89 | [43.156.17.183](https://vuldb.com/?ip.43.156.17.183) | - | - | High
90 | [43.228.65.13](https://vuldb.com/?ip.43.228.65.13) | - | - | High
91 | [45.61.136.130](https://vuldb.com/?ip.45.61.136.130) | - | DDoS Ukraine | High
92 | [45.61.184.4](https://vuldb.com/?ip.45.61.184.4) | cryptoin.club | - | High
93 | [45.61.186.13](https://vuldb.com/?ip.45.61.186.13) | - | DDoS Ukraine | High
94 | [45.61.187.136](https://vuldb.com/?ip.45.61.187.136) | - | - | High
95 | [45.63.93.202](https://vuldb.com/?ip.45.63.93.202) | 45.63.93.202.vultrusercontent.com | - | High
96 | [45.76.147.47](https://vuldb.com/?ip.45.76.147.47) | 45.76.147.47.vultrusercontent.com | - | High
97 | [45.79.21.252](https://vuldb.com/?ip.45.79.21.252) | mail.mrdigital.com | - | High
98 | [45.85.190.69](https://vuldb.com/?ip.45.85.190.69) | igum.navic.shop | - | High
99 | [45.86.86.50](https://vuldb.com/?ip.45.86.86.50) | mfoxx.co.uk | - | High
100 | [45.88.40.116](https://vuldb.com/?ip.45.88.40.116) | service.akxtto.cn | - | High
101 | [45.88.181.46](https://vuldb.com/?ip.45.88.181.46) | pelko.incifios.org.uk | - | High
102 | [45.95.55.17](https://vuldb.com/?ip.45.95.55.17) | 45.95.55.17.fly-hosting.net | - | High
103 | [45.95.55.23](https://vuldb.com/?ip.45.95.55.23) | 45.95.55.23.fly-hosting.net | - | High
104 | [45.95.55.27](https://vuldb.com/?ip.45.95.55.27) | 45.95.55.27.fly-hosting.net | - | High
105 | [45.95.169.100](https://vuldb.com/?ip.45.95.169.100) | antoniagavve.live | - | High
106 | [45.95.169.139](https://vuldb.com/?ip.45.95.169.139) | - | - | High
107 | [45.95.169.143](https://vuldb.com/?ip.45.95.169.143) | - | - | High
108 | ... | ... | ... | ...
1 | [1.49.153.168](https://vuldb.com/?ip.1.49.153.168) | - | - | High
2 | [1.69.18.104](https://vuldb.com/?ip.1.69.18.104) | - | - | High
3 | [1.246.222.93](https://vuldb.com/?ip.1.246.222.93) | - | - | High
4 | [1.246.223.83](https://vuldb.com/?ip.1.246.223.83) | - | - | High
5 | [2.21.153.176](https://vuldb.com/?ip.2.21.153.176) | a2-21-153-176.deploy.static.akamaitechnologies.com | - | High
6 | [2.56.56.78](https://vuldb.com/?ip.2.56.56.78) | - | - | High
7 | [2.56.57.167](https://vuldb.com/?ip.2.56.57.167) | - | - | High
8 | [2.56.57.187](https://vuldb.com/?ip.2.56.57.187) | - | - | High
9 | [2.56.57.238](https://vuldb.com/?ip.2.56.57.238) | - | - | High
10 | [2.56.59.10](https://vuldb.com/?ip.2.56.59.10) | - | - | High
11 | [2.56.59.58](https://vuldb.com/?ip.2.56.59.58) | - | - | High
12 | [2.56.59.83](https://vuldb.com/?ip.2.56.59.83) | - | - | High
13 | [2.56.59.176](https://vuldb.com/?ip.2.56.59.176) | - | - | High
14 | [2.56.59.196](https://vuldb.com/?ip.2.56.59.196) | - | - | High
15 | [2.56.59.225](https://vuldb.com/?ip.2.56.59.225) | - | - | High
16 | [2.57.122.154](https://vuldb.com/?ip.2.57.122.154) | mail.vsb-ocommunitysde.club | - | High
17 | [2.58.149.17](https://vuldb.com/?ip.2.58.149.17) | - | - | High
18 | [2.58.149.116](https://vuldb.com/?ip.2.58.149.116) | - | - | High
19 | [2.58.149.186](https://vuldb.com/?ip.2.58.149.186) | - | - | High
20 | [2.239.84.105](https://vuldb.com/?ip.2.239.84.105) | 2-239-84-105.ip248.fastwebnet.it | - | High
21 | [5.2.69.50](https://vuldb.com/?ip.5.2.69.50) | - | - | High
22 | [5.2.75.132](https://vuldb.com/?ip.5.2.75.132) | - | - | High
23 | [5.61.50.236](https://vuldb.com/?ip.5.61.50.236) | mail.novonet.org | - | High
24 | [5.181.80.103](https://vuldb.com/?ip.5.181.80.103) | ip-80-103-bullethost.net | - | High
25 | [5.182.210.145](https://vuldb.com/?ip.5.182.210.145) | - | - | High
26 | [5.182.211.5](https://vuldb.com/?ip.5.182.211.5) | - | - | High
27 | [5.188.76.60](https://vuldb.com/?ip.5.188.76.60) | - | - | High
28 | [12.203.33.13](https://vuldb.com/?ip.12.203.33.13) | - | - | High
29 | [13.70.188.178](https://vuldb.com/?ip.13.70.188.178) | - | - | High
30 | [14.42.109.60](https://vuldb.com/?ip.14.42.109.60) | - | - | High
31 | [14.198.46.139](https://vuldb.com/?ip.14.198.46.139) | 014198046139.ctinets.com | - | High
32 | [15.185.242.46](https://vuldb.com/?ip.15.185.242.46) | ec2-15-185-242-46.me-south-1.compute.amazonaws.com | - | Medium
33 | [15.204.7.101](https://vuldb.com/?ip.15.204.7.101) | ip101.ip-15-204-7.us | - | High
34 | [18.172.150.9](https://vuldb.com/?ip.18.172.150.9) | server-18-172-150-9.lhr50.r.cloudfront.net | - | High
35 | [18.184.201.19](https://vuldb.com/?ip.18.184.201.19) | ec2-18-184-201-19.eu-central-1.compute.amazonaws.com | - | Medium
36 | [18.210.126.40](https://vuldb.com/?ip.18.210.126.40) | ec2-18-210-126-40.compute-1.amazonaws.com | - | Medium
37 | [18.253.232.0](https://vuldb.com/?ip.18.253.232.0) | ec2-18-253-232-0.us-gov-east-1.compute.amazonaws.com | - | Medium
38 | [20.205.9.191](https://vuldb.com/?ip.20.205.9.191) | - | - | High
39 | [23.34.155.162](https://vuldb.com/?ip.23.34.155.162) | a23-34-155-162.deploy.static.akamaitechnologies.com | - | High
40 | [23.48.162.198](https://vuldb.com/?ip.23.48.162.198) | a23-48-162-198.deploy.static.akamaitechnologies.com | - | High
41 | [23.72.35.209](https://vuldb.com/?ip.23.72.35.209) | a23-72-35-209.deploy.static.akamaitechnologies.com | - | High
42 | [23.94.28.76](https://vuldb.com/?ip.23.94.28.76) | 23-94-28-76-host.colocrossing.com | - | High
43 | [23.94.36.134](https://vuldb.com/?ip.23.94.36.134) | 23-94-36-134-host.colocrossing.com | - | High
44 | [23.94.50.159](https://vuldb.com/?ip.23.94.50.159) | 23-94-50-159-host.colocrossing.com | - | High
45 | [23.96.101.205](https://vuldb.com/?ip.23.96.101.205) | - | - | High
46 | [23.128.248.12](https://vuldb.com/?ip.23.128.248.12) | tor-exit03.stormycloud.org | - | High
47 | [23.128.248.24](https://vuldb.com/?ip.23.128.248.24) | tor-exit15.stormycloud.org | - | High
48 | [23.160.193.123](https://vuldb.com/?ip.23.160.193.123) | unknown.ip-xfer.net | - | High
49 | [23.195.45.48](https://vuldb.com/?ip.23.195.45.48) | a23-195-45-48.deploy.static.akamaitechnologies.com | - | High
50 | [23.197.224.108](https://vuldb.com/?ip.23.197.224.108) | a23-197-224-108.deploy.static.akamaitechnologies.com | - | High
51 | [23.204.208.68](https://vuldb.com/?ip.23.204.208.68) | a23-204-208-68.deploy.static.akamaitechnologies.com | - | High
52 | [23.211.7.69](https://vuldb.com/?ip.23.211.7.69) | a23-211-7-69.deploy.static.akamaitechnologies.com | - | High
53 | [23.227.146.106](https://vuldb.com/?ip.23.227.146.106) | - | - | High
54 | [23.254.247.214](https://vuldb.com/?ip.23.254.247.214) | hwsrv-840463.hostwindsdns.com | - | High
55 | [24.123.252.154](https://vuldb.com/?ip.24.123.252.154) | rrcs-24-123-252-154.central.biz.rr.com | - | High
56 | [27.37.239.164](https://vuldb.com/?ip.27.37.239.164) | - | - | High
57 | [27.45.36.193](https://vuldb.com/?ip.27.45.36.193) | - | - | High
58 | [27.50.57.147](https://vuldb.com/?ip.27.50.57.147) | - | - | High
59 | [27.54.123.94](https://vuldb.com/?ip.27.54.123.94) | - | - | High
60 | [27.105.131.171](https://vuldb.com/?ip.27.105.131.171) | 27-105-131-171-FIX-TXG.dynamic.so-net.net.tw | - | High
61 | [27.215.77.102](https://vuldb.com/?ip.27.215.77.102) | - | - | High
62 | [27.215.122.51](https://vuldb.com/?ip.27.215.122.51) | - | - | High
63 | [31.7.58.162](https://vuldb.com/?ip.31.7.58.162) | r | - | High
64 | [31.7.62.22](https://vuldb.com/?ip.31.7.62.22) | mail.mackage-outlet.com | - | High
65 | [31.44.185.235](https://vuldb.com/?ip.31.44.185.235) | - | - | High
66 | [31.210.20.111](https://vuldb.com/?ip.31.210.20.111) | - | - | High
67 | [31.220.43.69](https://vuldb.com/?ip.31.220.43.69) | - | - | High
68 | [34.80.131.135](https://vuldb.com/?ip.34.80.131.135) | 135.131.80.34.bc.googleusercontent.com | - | Medium
69 | [35.80.216.15](https://vuldb.com/?ip.35.80.216.15) | ec2-35-80-216-15.us-west-2.compute.amazonaws.com | - | Medium
70 | [35.85.181.9](https://vuldb.com/?ip.35.85.181.9) | ec2-35-85-181-9.us-west-2.compute.amazonaws.com | - | Medium
71 | [35.166.106.142](https://vuldb.com/?ip.35.166.106.142) | ec2-35-166-106-142.us-west-2.compute.amazonaws.com | - | Medium
72 | [35.225.213.190](https://vuldb.com/?ip.35.225.213.190) | 190.213.225.35.bc.googleusercontent.com | - | Medium
73 | [36.79.62.31](https://vuldb.com/?ip.36.79.62.31) | - | - | High
74 | [36.89.18.133](https://vuldb.com/?ip.36.89.18.133) | - | - | High
75 | [36.89.18.195](https://vuldb.com/?ip.36.89.18.195) | - | - | High
76 | [36.248.133.18](https://vuldb.com/?ip.36.248.133.18) | - | - | High
77 | [37.0.8.11](https://vuldb.com/?ip.37.0.8.11) | - | - | High
78 | [37.0.8.85](https://vuldb.com/?ip.37.0.8.85) | - | - | High
79 | [37.0.8.111](https://vuldb.com/?ip.37.0.8.111) | - | - | High
80 | [37.0.8.123](https://vuldb.com/?ip.37.0.8.123) | - | - | High
81 | [37.0.8.157](https://vuldb.com/?ip.37.0.8.157) | - | - | High
82 | [37.0.8.158](https://vuldb.com/?ip.37.0.8.158) | - | - | High
83 | [37.0.11.130](https://vuldb.com/?ip.37.0.11.130) | - | - | High
84 | [37.49.230.128](https://vuldb.com/?ip.37.49.230.128) | - | - | High
85 | [37.139.11.231](https://vuldb.com/?ip.37.139.11.231) | - | - | High
86 | [37.187.18.212](https://vuldb.com/?ip.37.187.18.212) | ns3110317.ip-37-187-18.eu | - | High
87 | [37.187.143.65](https://vuldb.com/?ip.37.187.143.65) | ns414234.ip-37-187-143.eu | - | High
88 | [37.187.255.93](https://vuldb.com/?ip.37.187.255.93) | ns373958.ip-37-187-255.eu | - | High
89 | [37.252.96.62](https://vuldb.com/?ip.37.252.96.62) | foxman.net | - | High
90 | [38.7.64.166](https://vuldb.com/?ip.38.7.64.166) | - | - | High
91 | [38.54.16.10](https://vuldb.com/?ip.38.54.16.10) | - | - | High
92 | [38.54.208.217](https://vuldb.com/?ip.38.54.208.217) | - | - | High
93 | [38.55.219.137](https://vuldb.com/?ip.38.55.219.137) | - | - | High
94 | [40.90.250.107](https://vuldb.com/?ip.40.90.250.107) | - | - | High
95 | [40.140.15.8](https://vuldb.com/?ip.40.140.15.8) | h8.15.140.40.ip.windstream.net | - | High
96 | [41.39.34.110](https://vuldb.com/?ip.41.39.34.110) | host-41.39.34.110.tedata.net | - | High
97 | [41.143.56.7](https://vuldb.com/?ip.41.143.56.7) | - | - | High
98 | [41.215.220.238](https://vuldb.com/?ip.41.215.220.238) | bl2.41.215.220.238.dynamic.dsl.cvmultimedia.cv | - | High
99 | [41.216.182.131](https://vuldb.com/?ip.41.216.182.131) | magnamhvoqa.timefaucet.de | - | High
100 | [41.216.189.11](https://vuldb.com/?ip.41.216.189.11) | - | - | High
101 | [42.228.78.68](https://vuldb.com/?ip.42.228.78.68) | hn.kd.ny.adsl | - | High
102 | [43.156.17.183](https://vuldb.com/?ip.43.156.17.183) | - | - | High
103 | [43.228.65.13](https://vuldb.com/?ip.43.228.65.13) | - | - | High
104 | [45.12.2.72](https://vuldb.com/?ip.45.12.2.72) | contact13.marketeast.link | - | High
105 | [45.61.136.130](https://vuldb.com/?ip.45.61.136.130) | - | DDoS Ukraine | High
106 | [45.61.184.4](https://vuldb.com/?ip.45.61.184.4) | cryptoin.club | - | High
107 | [45.61.186.13](https://vuldb.com/?ip.45.61.186.13) | - | DDoS Ukraine | High
108 | [45.61.187.136](https://vuldb.com/?ip.45.61.187.136) | - | - | High
109 | [45.63.93.202](https://vuldb.com/?ip.45.63.93.202) | 45.63.93.202.vultrusercontent.com | - | High
110 | [45.76.147.47](https://vuldb.com/?ip.45.76.147.47) | 45.76.147.47.vultrusercontent.com | - | High
111 | [45.79.21.252](https://vuldb.com/?ip.45.79.21.252) | mail.mrdigital.com | - | High
112 | [45.79.126.62](https://vuldb.com/?ip.45.79.126.62) | 45-79-126-62.ip.linodeusercontent.com | - | High
113 | [45.85.190.69](https://vuldb.com/?ip.45.85.190.69) | igum.navic.shop | - | High
114 | [45.86.86.50](https://vuldb.com/?ip.45.86.86.50) | mfoxx.co.uk | - | High
115 | [45.87.42.123](https://vuldb.com/?ip.45.87.42.123) | hosted-by.triple.nl | - | High
116 | [45.88.40.116](https://vuldb.com/?ip.45.88.40.116) | service.akxtto.cn | - | High
117 | [45.88.181.46](https://vuldb.com/?ip.45.88.181.46) | pelko.incifios.org.uk | - | High
118 | [45.95.55.17](https://vuldb.com/?ip.45.95.55.17) | 45.95.55.17.fly-hosting.net | - | High
119 | [45.95.55.23](https://vuldb.com/?ip.45.95.55.23) | 45.95.55.23.fly-hosting.net | - | High
120 | [45.95.55.27](https://vuldb.com/?ip.45.95.55.27) | 45.95.55.27.fly-hosting.net | - | High
121 | [45.95.55.38](https://vuldb.com/?ip.45.95.55.38) | 45.95.55.38.fly-hosting.net | - | High
122 | [45.95.169.100](https://vuldb.com/?ip.45.95.169.100) | antoniagavve.live | - | High
123 | [45.95.169.139](https://vuldb.com/?ip.45.95.169.139) | - | - | High
124 | [45.95.169.143](https://vuldb.com/?ip.45.95.169.143) | - | - | High
125 | [45.124.84.135](https://vuldb.com/?ip.45.124.84.135) | sv-84135.bkns.vn | - | High
126 | [45.124.84.253](https://vuldb.com/?ip.45.124.84.253) | sv-84253.bkns.vn | - | High
127 | [45.133.1.9](https://vuldb.com/?ip.45.133.1.9) | - | - | High
128 | [45.133.1.89](https://vuldb.com/?ip.45.133.1.89) | - | - | High
129 | [45.134.174.234](https://vuldb.com/?ip.45.134.174.234) | dedicated.vsys.host | - | High
130 | ... | ... | ... | ...
There are 428 more IOC items available. Please use our online service to access the data.
There are 517 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -146,10 +168,10 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 17 more TTP items available. Please use our online service to access the data.
@ -160,23 +182,23 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/addNotifyServlet` | High
2 | File | `/admin/js` | Medium
3 | File | `/cgi-bin/ExportAllSettings.sh` | High
4 | File | `/debug/pprof` | Medium
1 | File | `/admin/inc/include.php` | High
2 | File | `/admin/operations/packages.php` | High
3 | File | `/alarm_pi/alarmService.php` | High
4 | File | `/catcompany.php` | High
5 | File | `/edituser.php` | High
6 | File | `/etc/init.d/sshd_service` | High
7 | File | `/forum/away.php` | High
8 | File | `/index.php/?p=report` | High
9 | File | `/index.php?r=site%2Fsignup` | High
10 | File | `/nav_bar_action.php` | High
11 | File | `/pages/activity/activity.php` | High
12 | File | `/pages/permit/permit.php` | High
13 | File | `/php_action/createUser.php` | High
14 | File | `/src/video/x11/SDL_x11yuv.c` | High
6 | File | `/modules/projects/vw_files.php` | High
7 | File | `/pages/permit/permit.php` | High
8 | File | `/php_action/createUser.php` | High
9 | File | `/products/view_product.php` | High
10 | File | `/sistema/flash/reboot` | High
11 | File | `/src/video/x11/SDL_x11yuv.c` | High
12 | File | `/sys/ui/extend/varkind/custom.jsp` | High
13 | File | `admin/conf_users_edit.php` | High
14 | File | `amf.c` | Low
15 | ... | ... | ...
There are 117 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 123 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
@ -199,6 +221,7 @@ The following list contains _external sources_ which discuss the actor and the a
* https://1275.ru/ioc/318/gs-035-mirai-botnet-iocs/
* https://1275.ru/ioc/325/gs-037-mirai-botnet-iocs/
* https://1275.ru/ioc/332/gs-038-mirai-botnet-iocs/
* https://1275.ru/ioc/338/gs-040-mirai-botnet-iocs/
* https://1275.ru/ioc/340/gs-042-mirai-botnet-iocs/
* https://1275.ru/ioc/346/gs-047-mirai-botnet-iocs/
* https://1275.ru/ioc/350/gs-048-mirai-botnet-iocs/
@ -217,6 +240,8 @@ The following list contains _external sources_ which discuss the actor and the a
* https://1275.ru/ioc/429/gs-069-mirai-botnet-iocs/
* https://1275.ru/ioc/490/gs-071-mirai-botnet-iocs/
* https://1275.ru/ioc/494/gs-072-mirai-botnet-iocs/
* https://1275.ru/ioc/502/gs-073-mirai-botnet-iocs/
* https://1275.ru/ioc/515/gs-074-mirai-botnet-iocs/
* https://blog.cyble.com/2022/04/12/springshell-remote-code-execution-vulnerability/
* https://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickly-on-port-23-and-2323-en/
* https://blog.netlab.360.com/emptiness-a-new-evolving-botnet/

12
actors/Monokle/README.md
View File

@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* ...
There are 7 more country items available. Please use our online service to access the data.
There are 8 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -35,12 +35,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | ... | ... | ... | ...
There are 5 more TTP items available. Please use our online service to access the data.
There are 14 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -57,7 +57,7 @@ ID | Type | Indicator | Confidence
7 | File | `ActivityPicker.java` | High
8 | ... | ... | ...
There are 52 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 53 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

3
actors/Muhstik/README.md
View File

@ -45,7 +45,7 @@ ID | IP address | Hostname | Campaign | Confidence
14 | [51.254.219.134](https://vuldb.com/?ip.51.254.219.134) | 134.ip-51-254-219.eu | CVE-2018-7600 / CVE-2017-10271 | High
15 | ... | ... | ... | ...
There are 56 more IOC items available. Please use our online service to access the data.
There are 58 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -97,6 +97,7 @@ There are 180 more IOA items available (file, library, argument, input value, pa
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/68/muhstik-botnet-ioc/
* https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/
* https://blog.netlab.360.com/wei-xie-kuai-xun-log4jlou-dong-yi-jing-bei-yong-lai-zu-jian-botnet-zhen-dui-linuxshe-bei/
* https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/log4j-indicators-of-compromise-to-date/

78
actors/Mylobot/README.md
View File

@ -54,47 +54,47 @@ ID | Type | Indicator | Confidence
2 | File | `/../conf/config.properties` | High
3 | File | `/addnews.html` | High
4 | File | `/admin/` | Low
5 | File | `/api/2.0/rest/aggregator/xml` | High
6 | File | `/api/blade-log/api/list` | High
7 | File | `/cgi-bin/webviewer_login_page` | High
8 | File | `/Config/SaveUploadedHotspotLogoFile` | High
9 | File | `/core/vendor/meenie/javascript-packer/example-inline.php` | High
10 | File | `/etc/config/rpcd` | High
11 | File | `/exponent_constants.php` | High
12 | File | `/forum/away.php` | High
13 | File | `/goform/formLogin` | High
14 | File | `/hub/api/user` | High
15 | File | `/mfaslmf/nolicense` | High
16 | File | `/opt/bin/cli` | Medium
17 | File | `/plain` | Low
18 | File | `/proc` | Low
19 | File | `/proc/ioports` | High
20 | File | `/products/details.asp` | High
21 | File | `/public/plugins/` | High
22 | File | `/RestAPI` | Medium
23 | File | `/tmp` | Low
24 | File | `/uncpath/` | Medium
25 | File | `/User/saveUser` | High
26 | File | `/ViewUserHover.jspa` | High
27 | File | `/WEB-INF/web.xml` | High
28 | File | `/wp-admin/admin-ajax.php` | High
29 | File | `/wp-json/wc/v3/webhooks` | High
30 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
31 | File | `abc-pcie.c` | Medium
32 | File | `accountmanagement.php` | High
33 | File | `addentry.php` | Medium
34 | File | `adherents/subscription/info.php` | High
35 | File | `admin.joomlaflashfun.php` | High
36 | File | `admin.joomlaradiov5.php` | High
37 | File | `admin.panoramic.php` | High
38 | File | `admin.php` | Medium
39 | File | `admin/change-password.php` | High
40 | File | `admin/index.php` | High
41 | File | `admin/killsource` | High
42 | File | `admin/scripts/FileUploader/php.php` | High
5 | File | `/admin/inquiries/view_details.php` | High
6 | File | `/api/2.0/rest/aggregator/xml` | High
7 | File | `/api/blade-log/api/list` | High
8 | File | `/cgi-bin/webviewer_login_page` | High
9 | File | `/Config/SaveUploadedHotspotLogoFile` | High
10 | File | `/core/vendor/meenie/javascript-packer/example-inline.php` | High
11 | File | `/etc/config/rpcd` | High
12 | File | `/exponent_constants.php` | High
13 | File | `/forum/away.php` | High
14 | File | `/goform/formLogin` | High
15 | File | `/hub/api/user` | High
16 | File | `/mfaslmf/nolicense` | High
17 | File | `/mhds/clinic/view_details.php` | High
18 | File | `/opt/bin/cli` | Medium
19 | File | `/plain` | Low
20 | File | `/proc` | Low
21 | File | `/proc/ioports` | High
22 | File | `/products/details.asp` | High
23 | File | `/public/plugins/` | High
24 | File | `/RestAPI` | Medium
25 | File | `/tmp` | Low
26 | File | `/uncpath/` | Medium
27 | File | `/User/saveUser` | High
28 | File | `/ViewUserHover.jspa` | High
29 | File | `/WEB-INF/web.xml` | High
30 | File | `/wp-admin/admin-ajax.php` | High
31 | File | `/wp-json/wc/v3/webhooks` | High
32 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
33 | File | `abc-pcie.c` | Medium
34 | File | `accountmanagement.php` | High
35 | File | `addentry.php` | Medium
36 | File | `adherents/subscription/info.php` | High
37 | File | `admin.joomlaflashfun.php` | High
38 | File | `admin.joomlaradiov5.php` | High
39 | File | `admin.panoramic.php` | High
40 | File | `admin.php` | Medium
41 | File | `admin/change-password.php` | High
42 | File | `admin/index.php` | High
43 | ... | ... | ...
There are 370 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 374 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

69
actors/NDSW/README.md Normal file
View File

@ -0,0 +1,69 @@
# NDSW - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [NDSW](https://vuldb.com/?actor.ndsw). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.ndsw](https://vuldb.com/?actor.ndsw)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with NDSW:
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [FR](https://vuldb.com/?country.fr)
* ...
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of NDSW.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [109.234.35.249](https://vuldb.com/?ip.109.234.35.249) | v1020533.hosted-by-vdsina.ru | - | High
2 | [179.43.169.30](https://vuldb.com/?ip.179.43.169.30) | - | - | High
3 | [188.120.239.154](https://vuldb.com/?ip.188.120.239.154) | cy22.ru | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _NDSW_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1059 | CWE-94 | Cross Site Scripting | High
3 | T1059.007 | CWE-79 | Cross Site Scripting | High
4 | ... | ... | ... | ...
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by NDSW. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `blog.php` | Medium
2 | File | `comments/feed` | High
3 | File | `data/gbconfiguration.dat` | High
4 | ... | ... | ...
There are 17 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/370/ndsw-ndsx-malware-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

2
actors/NSO Group/README.md
View File

@ -98,7 +98,7 @@ ID | Type | Indicator | Confidence
32 | File | `admin/scripts/FileUploader/php.php` | High
33 | ... | ... | ...
There are 282 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 286 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

60
actors/Nerbian/README.md Normal file
View File

@ -0,0 +1,60 @@
# Nerbian - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Nerbian](https://vuldb.com/?actor.nerbian). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.nerbian](https://vuldb.com/?actor.nerbian)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Nerbian:
* [US](https://vuldb.com/?country.us)
* [FR](https://vuldb.com/?country.fr)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Nerbian.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [185.121.139.249](https://vuldb.com/?ip.185.121.139.249) | 249.139.121.185.baremetal.zare.com | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Nerbian_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
3 | T1202 | CWE-78 | Command Injection | High
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Nerbian. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `ecrire/exec/plonger.php` | High
2 | File | `Filesystem.php` | High
3 | File | `username/password` | High
4 | ... | ... | ...
There are 1 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/202/nerbian-rat-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

62
actors/Nokoyawa/README.md Normal file
View File

@ -0,0 +1,62 @@
# Nokoyawa - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Nokoyawa](https://vuldb.com/?actor.nokoyawa). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.nokoyawa](https://vuldb.com/?actor.nokoyawa)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Nokoyawa:
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Nokoyawa.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [185.150.117.186](https://vuldb.com/?ip.185.150.117.186) | - | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Nokoyawa_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1055 | CWE-74 | Injection | High
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
3 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Nokoyawa. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `admin/import/class-import-settings.php` | High
2 | File | `class-s2-list-table.php` | High
3 | File | `wp-admin/edit.php?post_type=forum` | High
4 | ... | ... | ...
There are 2 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/269/nokoyawa-ransomware-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

70
actors/PYSA/README.md
View File

@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [FR](https://vuldb.com/?country.fr)
* ...
There are 8 more country items available. Please use our online service to access the data.
There are 9 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -26,7 +26,7 @@ ID | IP address | Hostname | Campaign | Confidence
3 | [185.220.100.240](https://vuldb.com/?ip.185.220.100.240) | tor-exit-13.zbau.f3netze.de | - | High
4 | ... | ... | ... | ...
There are 2 more IOC items available. Please use our online service to access the data.
There are 9 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -41,7 +41,7 @@ ID | Technique | Weakness | Description | Confidence
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...
There are 21 more TTP items available. Please use our online service to access the data.
There are 19 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -50,45 +50,45 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `//proc/kcore` | Medium
2 | File | `/admin/?page=system_info/contact_info` | High
3 | File | `/admin/featured.php` | High
4 | File | `/ajax/config_rollback/` | High
5 | File | `/Ap4RtpAtom.cpp` | High
6 | File | `/api/part_categories` | High
2 | File | `/admin/featured.php` | High
3 | File | `/ajax/config_rollback/` | High
4 | File | `/Ap4RtpAtom.cpp` | High
5 | File | `/api/part_categories` | High
6 | File | `/api/plugin/uninstall` | High
7 | File | `/auditLogAction.do` | High
8 | File | `/cgi-bin` | Medium
9 | File | `/cgi-bin/webproc` | High
10 | File | `/churchcrm/WhyCameEditor.php` | High
11 | File | `/ci_spms/admin/category` | High
12 | File | `/dashboard/menu-list.php` | High
13 | File | `/dms/admin/reports/daily_collection_report.php` | High
14 | File | `/editbrand.php` | High
15 | File | `/etc/cron.daily/upstart` | High
16 | File | `/etc/lighttpd.d/ca.pem` | High
17 | File | `/fuel/sitevariables/delete/4` | High
18 | File | `/goform/aspForm` | High
19 | File | `/goform/WanParameterSetting` | High
20 | File | `/IISADMPWD` | Medium
21 | File | `/index.php?page=search/rentals` | High
22 | File | `/Items/*/RemoteImages/Download` | High
23 | File | `/job` | Low
24 | File | `/linkedcontent/editfolder.php` | High
25 | File | `/mgmt/tm/util/bash` | High
26 | File | `/mhds/clinic/view_details.php` | High
27 | File | `/officials/officials.php` | High
28 | File | `/ofrs/admin/?page=reports` | High
29 | File | `/PC/WebService.asmx` | High
30 | File | `/pms/admin/actions/view_action.php` | High
31 | File | `/pms/admin/cells/manage_cell.php` | High
32 | File | `/pms/admin/inmates/manage_inmate.php` | High
33 | ... | ... | ...
8 | File | `/bmis/pages/resident/resident.php` | High
9 | File | `/cgi-bin` | Medium
10 | File | `/cgi-bin/ExportAllSettings.sh` | High
11 | File | `/cgi-bin/webproc` | High
12 | File | `/churchcrm/WhyCameEditor.php` | High
13 | File | `/ci_spms/admin/category` | High
14 | File | `/dashboard/menu-list.php` | High
15 | File | `/doping.asp` | Medium
16 | File | `/dotrace.asp` | Medium
17 | File | `/editbrand.php` | High
18 | File | `/etc/cron.daily/upstart` | High
19 | File | `/etc/lighttpd.d/ca.pem` | High
20 | File | `/fuel/sitevariables/delete/4` | High
21 | File | `/goform/aspForm` | High
22 | File | `/goform/WanParameterSetting` | High
23 | File | `/IISADMPWD` | Medium
24 | File | `/index.php` | Medium
25 | File | `/index.php?page=search/rentals` | High
26 | File | `/job` | Low
27 | File | `/linkedcontent/editfolder.php` | High
28 | File | `/mhds/clinic/view_details.php` | High
29 | File | `/movie.php` | Medium
30 | File | `/officials/officials.php` | High
31 | File | `/ofrs/admin/?page=reports` | High
32 | ... | ... | ...
There are 284 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 270 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/120/pysa-ransomware-iocs/
* https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
## Literature

10
actors/Panda/README.md
View File

@ -34,12 +34,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | ... | ... | ... | ...
There are 3 more TTP items available. Please use our online service to access the data.
There are 11 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -62,7 +62,7 @@ ID | Type | Indicator | Confidence
13 | File | `/SASWebReportStudio/logonAndRender.do` | High
14 | ... | ... | ...
There are 106 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 108 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

97
actors/Parrot/README.md Normal file
View File

@ -0,0 +1,97 @@
# Parrot - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Parrot](https://vuldb.com/?actor.parrot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.parrot](https://vuldb.com/?actor.parrot)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Parrot:
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [CN](https://vuldb.com/?country.cn)
* ...
There are 8 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Parrot.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [5.180.136.119](https://vuldb.com/?ip.5.180.136.119) | free.ihor-hosting.ru | - | High
2 | [15.76.172.110](https://vuldb.com/?ip.15.76.172.110) | - | - | High
3 | [45.76.172.113](https://vuldb.com/?ip.45.76.172.113) | 45.76.172.113.vultrusercontent.com | - | High
4 | ... | ... | ... | ...
There are 11 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Parrot_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...
There are 18 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Parrot. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/addsrv` | Low
2 | File | `/Admin/Views/FileEditor/` | High
3 | File | `/article/add` | Medium
4 | File | `/controller/pay.class.php` | High
5 | File | `/dev/kmem` | Medium
6 | File | `/dev/snd/seq` | Medium
7 | File | `/device/device=140/tab=wifi/view` | High
8 | File | `/EXCU_SHELL` | Medium
9 | File | `/forum/away.php` | High
10 | File | `/gena.cgi` | Medium
11 | File | `/goform/SetClientState` | High
12 | File | `/jerry-core/ecma/base/ecma-gc.c` | High
13 | File | `/jpg/image.jpg` | High
14 | File | `/out.php` | Medium
15 | File | `/product_list.php` | High
16 | File | `/rapi/read_url` | High
17 | File | `/rrps/classes/Master.php?f=delete_category` | High
18 | File | `/rukovoditel_2.4.1/index.php?module=configuration/save&redirect_to=configuration/application` | High
19 | File | `/sec/content/sec_asa_users_local_db_add.html` | High
20 | File | `/see_more_details.php` | High
21 | File | `/src/core/controllers/cm.php` | High
22 | File | `/transmission/web/` | High
23 | File | `/uncpath/` | Medium
24 | File | `/usr/local` | Medium
25 | File | `/usr/sbin/sendmail` | High
26 | File | `/weibo/publishdata` | High
27 | ... | ... | ...
There are 230 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/89/parrot-tds-ioc/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

61
actors/Patchwork/README.md
View File

@ -140,37 +140,38 @@ ID | Type | Indicator | Confidence
16 | File | `/data/remove` | Medium
17 | File | `/ffos/classes/Master.php?f=save_category` | High
18 | File | `/goforms/rlminfo` | High
19 | File | `/htdocs/cgibin` | High
20 | File | `/Items/*/RemoteImages/Download` | High
21 | File | `/login` | Low
22 | File | `/navigate/navigate_download.php` | High
23 | File | `/ocwbs/admin/?page=user/manage_user` | High
24 | File | `/ofrs/admin/?page=user/manage_user` | High
25 | File | `/owa/auth/logon.aspx` | High
26 | File | `/password.html` | High
27 | File | `/proc/ioports` | High
28 | File | `/property-list/property_view.php` | High
29 | File | `/ptms/classes/Users.php` | High
30 | File | `/rest/api/2/search` | High
31 | File | `/s/` | Low
32 | File | `/scripts/cpan_config` | High
33 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
34 | File | `/services/system/setup.json` | High
35 | File | `/spip.php` | Medium
36 | File | `/uncpath/` | Medium
37 | File | `/vloggers_merch/?p=view_product` | High
38 | File | `/web/MCmsAction.java` | High
39 | File | `/webconsole/APIController` | High
40 | File | `/websocket/exec` | High
41 | File | `/wp-admin/admin-ajax.php` | High
42 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
43 | File | `/wp-json` | Medium
44 | File | `/wp-json/oembed/1.0/embed?url` | High
45 | File | `/_next` | Low
46 | File | `4.edu.php\conn\function.php` | High
47 | ... | ... | ...
19 | File | `/Items/*/RemoteImages/Download` | High
20 | File | `/login` | Low
21 | File | `/navigate/navigate_download.php` | High
22 | File | `/ocwbs/admin/?page=user/manage_user` | High
23 | File | `/ofrs/admin/?page=user/manage_user` | High
24 | File | `/owa/auth/logon.aspx` | High
25 | File | `/password.html` | High
26 | File | `/proc/ioports` | High
27 | File | `/property-list/property_view.php` | High
28 | File | `/ptms/classes/Users.php` | High
29 | File | `/rest/api/2/search` | High
30 | File | `/s/` | Low
31 | File | `/scripts/cpan_config` | High
32 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
33 | File | `/services/system/setup.json` | High
34 | File | `/spip.php` | Medium
35 | File | `/uncpath/` | Medium
36 | File | `/vloggers_merch/?p=view_product` | High
37 | File | `/web/MCmsAction.java` | High
38 | File | `/webconsole/APIController` | High
39 | File | `/websocket/exec` | High
40 | File | `/wp-admin/admin-ajax.php` | High
41 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
42 | File | `/wp-json` | Medium
43 | File | `/wp-json/oembed/1.0/embed?url` | High
44 | File | `/_next` | Low
45 | File | `4.edu.php\conn\function.php` | High
46 | File | `about.php` | Medium
47 | File | `acl.c` | Low
48 | ... | ... | ...
There are 412 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 413 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

107
actors/PingPull/README.md Normal file
View File

@ -0,0 +1,107 @@
# PingPull - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [PingPull](https://vuldb.com/?actor.pingpull). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.pingpull](https://vuldb.com/?actor.pingpull)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PingPull:
* [CN](https://vuldb.com/?country.cn)
* [US](https://vuldb.com/?country.us)
* [HK](https://vuldb.com/?country.hk)
* ...
There are 9 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of PingPull.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [2.58.242.229](https://vuldb.com/?ip.2.58.242.229) | 242-58-2-229.hostinginside.com | - | High
2 | [2.58.242.230](https://vuldb.com/?ip.2.58.242.230) | 242-58-2-230.hostinginside.com | - | High
3 | [2.58.242.231](https://vuldb.com/?ip.2.58.242.231) | 242-58-2-231.hostinginside.com | - | High
4 | [2.58.242.232](https://vuldb.com/?ip.2.58.242.232) | 242-58-2-232.hostinginside.com | - | High
5 | [2.58.242.235](https://vuldb.com/?ip.2.58.242.235) | 242-58-2-235.hostinginside.com | - | High
6 | [2.58.242.236](https://vuldb.com/?ip.2.58.242.236) | 242-58-2-236.hostinginside.com | - | High
7 | [5.8.71.97](https://vuldb.com/?ip.5.8.71.97) | vps.hostry.com | - | High
8 | [5.181.25.55](https://vuldb.com/?ip.5.181.25.55) | contato.instagram05.polarbor.solutions | - | High
9 | [5.188.33.237](https://vuldb.com/?ip.5.188.33.237) | core3.icons8.com | - | High
10 | [37.61.229.104](https://vuldb.com/?ip.37.61.229.104) | theodore974.example.com | - | High
11 | [37.61.229.106](https://vuldb.com/?ip.37.61.229.106) | www.asterip.net | - | High
12 | [43.254.218.43](https://vuldb.com/?ip.43.254.218.43) | - | - | High
13 | [43.254.218.57](https://vuldb.com/?ip.43.254.218.57) | - | - | High
14 | [43.254.218.98](https://vuldb.com/?ip.43.254.218.98) | - | - | High
15 | [43.254.218.104](https://vuldb.com/?ip.43.254.218.104) | - | - | High
16 | [43.254.218.114](https://vuldb.com/?ip.43.254.218.114) | - | - | High
17 | [45.14.66.230](https://vuldb.com/?ip.45.14.66.230) | 45.14.66.230.static.xtom.com | - | High
18 | [45.76.113.163](https://vuldb.com/?ip.45.76.113.163) | 45.76.113.163.vultrusercontent.com | - | High
19 | [45.116.13.153](https://vuldb.com/?ip.45.116.13.153) | 45.116.13.153.static.xtom.hk | - | High
20 | [45.121.50.230](https://vuldb.com/?ip.45.121.50.230) | - | - | High
21 | [45.128.221.61](https://vuldb.com/?ip.45.128.221.61) | - | - | High
22 | [45.128.221.66](https://vuldb.com/?ip.45.128.221.66) | - | - | High
23 | [45.128.221.169](https://vuldb.com/?ip.45.128.221.169) | - | - | High
24 | [45.128.221.172](https://vuldb.com/?ip.45.128.221.172) | - | - | High
25 | [45.128.221.182](https://vuldb.com/?ip.45.128.221.182) | - | - | High
26 | [45.128.221.186](https://vuldb.com/?ip.45.128.221.186) | - | - | High
27 | ... | ... | ... | ...
There are 103 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _PingPull_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-294 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-88, CWE-94 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 17 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by PingPull. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/api/trackedEntityInstances` | High
2 | File | `/cgi-bin/portal` | High
3 | File | `/cgi-bin/wapopen` | High
4 | File | `/download` | Medium
5 | File | `/etc/shadow` | Medium
6 | File | `/inc/extensions.php` | High
7 | File | `/Items/*/RemoteImages/Download` | High
8 | File | `/mifs/c/i/reg/reg.html` | High
9 | File | `/nova/bin/console` | High
10 | File | `/out.php` | Medium
11 | File | `/owa/auth/logon.aspx` | High
12 | File | `/req_password_user.php` | High
13 | File | `/secure/QueryComponent!Default.jspa` | High
14 | File | `/service/upload` | High
15 | ... | ... | ...
There are 121 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/342/pingpull-trojan-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

1
actors/PoshC2/README.md
View File

@ -25,6 +25,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1505 | CWE-89 | SQL Injection | High
## IOA - Indicator of Attack

45
actors/Prophet Spider/README.md
View File

@ -16,6 +16,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* [PT](https://vuldb.com/?country.pt)
* [TR](https://vuldb.com/?country.tr)
## IOC - Indicator of Compromise
@ -49,7 +50,7 @@ ID | Technique | Weakness | Description | Confidence
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...
There are 21 more TTP items available. Please use our online service to access the data.
There are 20 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -59,27 +60,29 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin` | Low
2 | File | `/api/plugin/uninstall` | High
3 | File | `/assets/partials/_handleLogin.php` | High
4 | File | `/cgi-bin/ExportAllSettings.sh` | High
5 | File | `/context.json` | High
6 | File | `/ecrire` | Low
7 | File | `/edituser.php` | High
8 | File | `/login.php` | Medium
9 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
10 | File | `/pages/activity/activity.php` | High
11 | File | `/pages/permit/permit.php` | High
12 | File | `/php_action/createUser.php` | High
13 | File | `/req_password_user.php` | High
14 | File | `/show_news.php` | High
15 | File | `/sistema/flash/reboot` | High
16 | File | `/smarthome/devicecontrol` | High
17 | File | `/src/video/x11/SDL_x11yuv.c` | High
18 | File | `/wordpress-gallery-transformation/gallery.php` | High
19 | File | `adm.cgi` | Low
20 | File | `admin.php` | Medium
21 | ... | ... | ...
3 | File | `/artist-display.php` | High
4 | File | `/assets/partials/_handleLogin.php` | High
5 | File | `/cgi-bin/ExportAllSettings.sh` | High
6 | File | `/context.json` | High
7 | File | `/ecrire` | Low
8 | File | `/editbrand.php` | High
9 | File | `/edituser.php` | High
10 | File | `/login.php` | Medium
11 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
12 | File | `/movie.php` | Medium
13 | File | `/pages/activity/activity.php` | High
14 | File | `/pages/permit/permit.php` | High
15 | File | `/php_action/createUser.php` | High
16 | File | `/req_password_user.php` | High
17 | File | `/show_news.php` | High
18 | File | `/sistema/flash/reboot` | High
19 | File | `/smarthome/devicecontrol` | High
20 | File | `/src/video/x11/SDL_x11yuv.c` | High
21 | File | `/wordpress-gallery-transformation/gallery.php` | High
22 | File | `adm.cgi` | Low
23 | ... | ... | ...
There are 170 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 194 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

8
actors/Purple Fox/README.md
View File

@ -10,6 +10,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [CN](https://vuldb.com/?country.cn)
* [KZ](https://vuldb.com/?country.kz)
* [RU](https://vuldb.com/?country.ru)
## IOC - Indicator of Compromise
@ -30,7 +31,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
1 | T1059 | CWE-94 | Cross Site Scripting | High
2 | T1059.007 | CWE-79 | Cross Site Scripting | High
3 | T1068 | CWE-269 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack

84
actors/Raspberry Robin/README.md Normal file
View File

@ -0,0 +1,84 @@
# Raspberry Robin - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Raspberry Robin](https://vuldb.com/?actor.raspberry_robin). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.raspberry_robin](https://vuldb.com/?actor.raspberry_robin)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Raspberry Robin:
* [US](https://vuldb.com/?country.us)
* [ES](https://vuldb.com/?country.es)
* [RU](https://vuldb.com/?country.ru)
* ...
There are 9 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Raspberry Robin.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [37.223.74.108](https://vuldb.com/?ip.37.223.74.108) | - | - | High
2 | [46.11.6.104](https://vuldb.com/?ip.46.11.6.104) | - | - | High
3 | [46.11.83.236](https://vuldb.com/?ip.46.11.83.236) | - | - | High
4 | [46.11.88.157](https://vuldb.com/?ip.46.11.88.157) | - | - | High
5 | [46.11.88.251](https://vuldb.com/?ip.46.11.88.251) | - | - | High
6 | [46.217.252.5](https://vuldb.com/?ip.46.217.252.5) | - | - | High
7 | [46.217.252.172](https://vuldb.com/?ip.46.217.252.172) | - | - | High
8 | [46.246.235.240](https://vuldb.com/?ip.46.246.235.240) | 46.246.235.240.dsl.dyn.forthnet.gr | - | High
9 | [47.62.21.60](https://vuldb.com/?ip.47.62.21.60) | 47-62-21-60.red-acceso.airtel.net | - | High
10 | [47.62.80.170](https://vuldb.com/?ip.47.62.80.170) | 47-62-80-170.red-acceso.airtel.net | - | High
11 | [62.117.214.168](https://vuldb.com/?ip.62.117.214.168) | 62.117.214.168.dyn.user.ono.com | - | High
12 | [77.0.14.225](https://vuldb.com/?ip.77.0.14.225) | dynamic-077-000-014-225.77.0.pool.telefonica.de | - | High
13 | [77.0.54.234](https://vuldb.com/?ip.77.0.54.234) | dynamic-077-000-054-234.77.0.pool.telefonica.de | - | High
14 | ... | ... | ... | ...
There are 50 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Raspberry Robin_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | ... | ... | ... | ...
There are 14 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Raspberry Robin. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/.env` | Low
3 | File | `/server-info` | Medium
4 | File | `/usr/bin/pkexec` | High
5 | ... | ... | ...
There are 32 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/191/raspberry-robin-worm-iocs/
* https://1275.ru/ioc/365/raspberry-robin-worm-iocs-part-2/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

30
actors/Rozena/README.md Normal file
View File

@ -0,0 +1,30 @@
# Rozena - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Rozena](https://vuldb.com/?actor.rozena). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.rozena](https://vuldb.com/?actor.rozena)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Rozena.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [18.231.121.185](https://vuldb.com/?ip.18.231.121.185) | ec2-18-231-121-185.sa-east-1.compute.amazonaws.com | - | Medium
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/435/rozena-backdoor-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

68
actors/SYK/README.md Normal file
View File

@ -0,0 +1,68 @@
# SYK - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SYK](https://vuldb.com/?actor.syk). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.syk](https://vuldb.com/?actor.syk)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with SYK:
* [US](https://vuldb.com/?country.us)
* [IT](https://vuldb.com/?country.it)
* [ES](https://vuldb.com/?country.es)
* ...
There are 5 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of SYK.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [185.19.85.163](https://vuldb.com/?ip.185.19.85.163) | - | - | High
2 | [185.140.53.174](https://vuldb.com/?ip.185.140.53.174) | - | - | High
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _SYK_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1055 | CWE-74 | Injection | High
2 | T1059 | CWE-94 | Cross Site Scripting | High
3 | T1059.007 | CWE-79 | Cross Site Scripting | High
4 | ... | ... | ... | ...
There are 9 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by SYK. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/syslog` | High
2 | File | `/see_more_details.php` | High
3 | File | `admin/admin_users.php` | High
4 | ... | ... | ...
There are 24 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/229/syk-crypter-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

64
actors/Sage/README.md
View File

@ -4,12 +4,6 @@ These _indicators_ were reported, collected, and generated during the [VulDB CTI
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.sage](https://vuldb.com/?actor.sage)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Sage:
* [US](https://vuldb.com/?country.us)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Sage.
@ -37,11 +31,11 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1059 | CWE-94 | Cross Site Scripting | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
4 | ... | ... | ... | ...
There are 9 more TTP items available. Please use our online service to access the data.
There are 11 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -49,21 +43,47 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/inquiries/view_details.php` | High
2 | File | `/tmp/zarafa-vacation-*` | High
3 | File | `apl_42.c` | Medium
4 | File | `arch/arm/p2m.c` | High
5 | File | `arch/powerpc/kernel/process.c` | High
6 | File | `arch/x86/mm/guest_walk.c` | High
7 | File | `auth.c` | Low
8 | File | `block/qcow.c` | Medium
9 | File | `cgi-bin/webproc` | High
10 | File | `cgi_main.c` | Medium
11 | File | `class.phpmailer.php` | High
12 | File | `content/content.systempreferences.php` | High
13 | ... | ... | ...
1 | File | `/admin/inc/include.php` | High
2 | File | `/auth/callback` | High
3 | File | `/modules/admin/vw_usr_roles.php` | High
4 | File | `/modules/public/calendar.php` | High
5 | File | `/profiles/` | Medium
6 | File | `/resolv/nss_dns/dns-host.c` | High
7 | File | `/util/print.c` | High
8 | File | `account.asp` | Medium
9 | File | `accounts/inc/include.php` | High
10 | File | `add.php` | Low
11 | File | `add_comment.php` | High
12 | File | `add_contents.htm` | High
13 | File | `add_review.htm` | High
14 | File | `admin/BunchDetail.do` | High
15 | File | `admin/main.php` | High
16 | File | `advertiser.php` | High
17 | File | `arch/powerpc/kernel/process.c` | High
18 | File | `arch/s390/include/asm/mmu_context.h` | High
19 | File | `arch/x86/mm/tlb.c` | High
20 | File | `attachment_send.php` | High
21 | File | `audit/class.audit.php` | High
22 | File | `badlogin.php` | Medium
23 | File | `browse.php` | Medium
24 | File | `browsecats.php` | High
25 | File | `C:\mingw64\bin\git.exe` | High
26 | File | `cart.php` | Medium
27 | File | `category.php` | Medium
28 | File | `cdf.c` | Low
29 | File | `check.php` | Medium
30 | File | `closeup.php` | Medium
31 | File | `comments.php` | Medium
32 | File | `compiler/pipeline.cc` | High
33 | File | `conf/revize.xml` | High
34 | File | `config.php` | Medium
35 | File | `contact.htm` | Medium
36 | File | `containing` | Medium
37 | File | `content.php` | Medium
38 | File | `contents.php` | Medium
39 | ... | ... | ...
There are 100 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 334 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

2
actors/Sandworm Team/README.md
View File

@ -92,7 +92,7 @@ ID | Type | Indicator | Confidence
30 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
31 | ... | ... | ...
There are 262 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 263 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

2
actors/Shadowcrew/README.md
View File

@ -757,7 +757,7 @@ ID | Technique | Weakness | Description | Confidence
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
6 | ... | ... | ... | ...
There are 19 more TTP items available. Please use our online service to access the data.
There are 18 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack

64
actors/SideWinder/README.md
View File

@ -72,40 +72,40 @@ ID | Type | Indicator | Confidence
7 | File | `/dashboard/reports/logs/view` | High
8 | File | `/dashboard/system/express/entities/forms/save_control/[GUID]` | High
9 | File | `/dev/cuse` | Medium
10 | File | `/download` | Medium
11 | File | `/etc/config/rpcd` | High
12 | File | `/EXCU_SHELL` | Medium
13 | File | `/export` | Low
14 | File | `/forum/away.php` | High
15 | File | `/gena.cgi` | Medium
16 | File | `/goform/webSettingProfileSecurity` | High
17 | File | `/login` | Low
18 | File | `/mgmt/tm/util/bash` | High
19 | File | `/MIME/INBOX-MM-1/` | High
20 | File | `/ms/file/uploadTemplate.do` | High
21 | File | `/netflow/jspui/editProfile.jsp` | High
22 | File | `/novel-admin/src/main/java/com/java2nb/common/controller/FileController.java` | High
23 | File | `/ofrs/admin/?page=requests/view_request` | High
24 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
25 | File | `/out.php` | Medium
26 | File | `/php/ajax.php` | High
27 | File | `/public/login.htm` | High
28 | File | `/rapi/read_url` | High
29 | File | `/sec/content/sec_asa_users_local_db_add.html` | High
30 | File | `/see_more_details.php` | High
31 | File | `/service/v1/createUser` | High
32 | File | `/setSystemAdmin` | High
33 | File | `/Storage/Emulated/0/Telegram/Telegram` | High
34 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
35 | File | `/uncpath/` | Medium
36 | File | `/user/dls_download.php` | High
37 | File | `/vicidial/user_stats.php` | High
38 | File | `/vloggers_merch/admin/?page=orders/view_order` | High
39 | File | `/wp-admin/admin-ajax.php` | High
40 | File | `/wp-admin/admin-post.php?es_skip=1&option_name` | High
10 | File | `/etc/config/rpcd` | High
11 | File | `/EXCU_SHELL` | Medium
12 | File | `/export` | Low
13 | File | `/forum/away.php` | High
14 | File | `/gena.cgi` | Medium
15 | File | `/goform/webSettingProfileSecurity` | High
16 | File | `/login` | Low
17 | File | `/mgmt/tm/util/bash` | High
18 | File | `/MIME/INBOX-MM-1/` | High
19 | File | `/ms/file/uploadTemplate.do` | High
20 | File | `/netflow/jspui/editProfile.jsp` | High
21 | File | `/novel-admin/src/main/java/com/java2nb/common/controller/FileController.java` | High
22 | File | `/ofrs/admin/?page=requests/view_request` | High
23 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
24 | File | `/out.php` | Medium
25 | File | `/php/ajax.php` | High
26 | File | `/public/login.htm` | High
27 | File | `/rapi/read_url` | High
28 | File | `/sec/content/sec_asa_users_local_db_add.html` | High
29 | File | `/see_more_details.php` | High
30 | File | `/service/v1/createUser` | High
31 | File | `/setSystemAdmin` | High
32 | File | `/Storage/Emulated/0/Telegram/Telegram` | High
33 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
34 | File | `/uncpath/` | Medium
35 | File | `/user/dls_download.php` | High
36 | File | `/vicidial/user_stats.php` | High
37 | File | `/vloggers_merch/admin/?page=orders/view_order` | High
38 | File | `/wp-admin/admin-ajax.php` | High
39 | File | `/wp-admin/admin-post.php?es_skip=1&option_name` | High
40 | File | `/wp-content/plugins/updraftplus/admin.php` | High
41 | ... | ... | ...
There are 358 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 355 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

2
actors/SilverFish/README.md
View File

@ -103,7 +103,7 @@ ID | Type | Indicator | Confidence
40 | File | `Array.prototype.concat` | High
41 | ... | ... | ...
There are 351 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 352 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

2
actors/Smominru/README.md
View File

@ -60,7 +60,7 @@ ID | Type | Indicator | Confidence
9 | File | `addentry.php` | Medium
10 | ... | ... | ...
There are 77 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 78 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

90
actors/SolarMarker/README.md Normal file
View File

@ -0,0 +1,90 @@
# SolarMarker - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [SolarMarker](https://vuldb.com/?actor.solarmarker). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.solarmarker](https://vuldb.com/?actor.solarmarker)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with SolarMarker:
* [US](https://vuldb.com/?country.us)
* [FR](https://vuldb.com/?country.fr)
* [GB](https://vuldb.com/?country.gb)
* ...
There are 23 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of SolarMarker.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [37.120.233.92](https://vuldb.com/?ip.37.120.233.92) | no-rdns.m247.com | - | High
2 | [37.120.237.251](https://vuldb.com/?ip.37.120.237.251) | - | - | High
3 | [45.42.201.248](https://vuldb.com/?ip.45.42.201.248) | - | - | High
4 | ... | ... | ... | ...
There are 7 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _SolarMarker_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 16 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by SolarMarker. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `/cloud_config/router_post/register` | High
3 | File | `/etc/gsissh/sshd_config` | High
4 | File | `/forms/nslookupHandler` | High
5 | File | `/include/chart_generator.php` | High
6 | File | `/log_download.cgi` | High
7 | File | `/mgmt/tm/util/bash` | High
8 | File | `/news.dtl.php` | High
9 | File | `/p1/p2/:name` | Medium
10 | File | `/ptms/?page=user` | High
11 | File | `/setup/finish` | High
12 | File | `/uncpath/` | Medium
13 | File | `/upload/file.php` | High
14 | File | `/usr/bin/pkexec` | High
15 | File | `/wolfcms/?/admin/user/add` | High
16 | File | `/wp-admin` | Medium
17 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
18 | File | `/wp-json/wc/v3/webhooks` | High
19 | File | `5.2.9\syscrb.exe` | High
20 | File | `adclick.php` | Medium
21 | ... | ... | ...
There are 175 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/184/solarmarker-malware-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

77
actors/Space Pirates/README.md Normal file
View File

@ -0,0 +1,77 @@
# Space Pirates - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Space Pirates](https://vuldb.com/?actor.space_pirates). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.space_pirates](https://vuldb.com/?actor.space_pirates)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Space Pirates:
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [JP](https://vuldb.com/?country.jp)
* ...
There are 2 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Space Pirates.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [45.76.145.22](https://vuldb.com/?ip.45.76.145.22) | 45.76.145.22.vultrusercontent.com | - | High
2 | [45.77.16.91](https://vuldb.com/?ip.45.77.16.91) | 45.77.16.91.vultrusercontent.com | - | High
3 | [47.108.89.169](https://vuldb.com/?ip.47.108.89.169) | - | - | High
4 | [103.27.109.234](https://vuldb.com/?ip.103.27.109.234) | - | - | High
5 | ... | ... | ... | ...
There are 14 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Space Pirates_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | ... | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Space Pirates. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/controller/Index.php` | High
2 | File | `/GetCSSashx/?CP=%2fwebconfig` | High
3 | File | `/includes/rrdtool.inc.php` | High
4 | File | `/srv/www/htdocs` | High
5 | File | `api_poller.php` | High
6 | File | `articleview.php` | High
7 | File | `authent.php4` | Medium
8 | ... | ... | ...
There are 57 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/224/space-pirates-p1rat-apt-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

77
actors/StrikeSuit Gif/README.md Normal file
View File

@ -0,0 +1,77 @@
# StrikeSuit Gif - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [StrikeSuit Gif](https://vuldb.com/?actor.strikesuit_gif). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.strikesuit_gif](https://vuldb.com/?actor.strikesuit_gif)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with StrikeSuit Gif:
* [US](https://vuldb.com/?country.us)
* [TR](https://vuldb.com/?country.tr)
* [RU](https://vuldb.com/?country.ru)
* ...
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of StrikeSuit Gif.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [23.227.196.210](https://vuldb.com/?ip.23.227.196.210) | 23-227-196-210.static.hvvc.us | - | High
2 | [80.255.3.87](https://vuldb.com/?ip.80.255.3.87) | 0zr0.netdoincr.com | - | High
3 | [86.105.18.241](https://vuldb.com/?ip.86.105.18.241) | - | - | High
4 | ... | ... | ... | ...
There are 3 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _StrikeSuit Gif_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | ... | ... | ... | ...
There are 13 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by StrikeSuit Gif. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cgi-bin/cgiServer.exx` | High
2 | File | `/event/runquery.do` | High
3 | File | `/system/ws/v11/ss/email` | High
4 | File | `add_vhost.php` | High
5 | File | `adv2.php?action=modify` | High
6 | File | `agent.cfg` | Medium
7 | File | `arch/x86/include/asm/fpu/internal.h` | High
8 | File | `asm/float.c` | Medium
9 | ... | ... | ...
There are 70 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/185/strikesuit-gif-malware-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

5
actors/Swisyn/README.md
View File

@ -71,9 +71,10 @@ ID | Type | Indicator | Confidence
13 | File | `/fantasticblog/single.php` | High
14 | File | `/goform/aspForm` | High
15 | File | `/jpg/image.jpg` | High
16 | ... | ... | ...
16 | File | `/Main_AdmStatus_Content.asp` | High
17 | ... | ... | ...
There are 127 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 135 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

72
actors/Sysrv/README.md Normal file
View File

@ -0,0 +1,72 @@
# Sysrv - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Sysrv](https://vuldb.com/?actor.sysrv). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.sysrv](https://vuldb.com/?actor.sysrv)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Sysrv:
* [US](https://vuldb.com/?country.us)
* [CN](https://vuldb.com/?country.cn)
* [SI](https://vuldb.com/?country.si)
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Sysrv.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [31.42.177.123](https://vuldb.com/?ip.31.42.177.123) | scalemany.com | - | High
2 | [31.210.20.120](https://vuldb.com/?ip.31.210.20.120) | - | - | High
3 | [31.210.20.181](https://vuldb.com/?ip.31.210.20.181) | - | - | High
4 | ... | ... | ... | ...
There are 5 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _Sysrv_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | ... | ... | ... | ...
There are 13 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Sysrv. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/contenttemp` | High
2 | File | `/member/picture/album` | High
3 | File | `/products/details.asp` | High
4 | File | `/services/details.asp` | High
5 | File | `admin.php` | Medium
6 | File | `comersus_optreviewreadexec.asp` | High
7 | ... | ... | ...
There are 48 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/218/sysrv-botnet-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

7
actors/ToddyCat/README.md
View File

@ -31,7 +31,12 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1059 | CWE-94 | Cross Site Scripting | High
3 | T1068 | CWE-284 | Execution with Unnecessary Privileges | High
4 | ... | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack

46
actors/Tovkater/README.md
View File

@ -10,10 +10,10 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
* [US](https://vuldb.com/?country.us)
* [RU](https://vuldb.com/?country.ru)
* [IR](https://vuldb.com/?country.ir)
* [GB](https://vuldb.com/?country.gb)
* ...
There are 2 more country items available. Please use our online service to access the data.
There are 3 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -22,7 +22,13 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [5.149.255.178](https://vuldb.com/?ip.5.149.255.178) | - | - | High
2 | [185.80.54.18](https://vuldb.com/?ip.185.80.54.18) | specific.hornycone.com | - | High
2 | [13.107.21.200](https://vuldb.com/?ip.13.107.21.200) | - | - | High
3 | [34.107.221.82](https://vuldb.com/?ip.34.107.221.82) | 82.221.107.34.bc.googleusercontent.com | - | Medium
4 | [34.213.158.239](https://vuldb.com/?ip.34.213.158.239) | ec2-34-213-158-239.us-west-2.compute.amazonaws.com | - | Medium
5 | [34.214.44.170](https://vuldb.com/?ip.34.214.44.170) | ec2-34-214-44-170.us-west-2.compute.amazonaws.com | - | Medium
6 | ... | ... | ... | ...
There are 21 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -30,12 +36,13 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
3 | T1211 | CWE-358 | 7PK Security Features | High
4 | ... | ... | ... | ...
1 | T1006 | CWE-22 | Pathname Traversal | High
2 | T1055 | CWE-74 | Injection | High
3 | T1059 | CWE-94 | Cross Site Scripting | High
4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
There are 14 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -43,18 +50,31 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/api/json/admin/getmailserversettings` | High
2 | File | `administrative` | High
3 | File | `sc.exe` | Low
4 | ... | ... | ...
1 | File | `/admin/` | Low
2 | File | `/admin/account/changepassword` | High
3 | File | `/admin/users.php` | High
4 | File | `/api/json/admin/getmailserversettings` | High
5 | File | `/artist.php` | Medium
6 | File | `/bin/su` | Low
7 | File | `/data/system/users/0/settings_secure.xml` | High
8 | File | `/dev/mem` | Medium
9 | File | `/dev/urandom` | Medium
10 | File | `/etc/dt` | Low
11 | File | `/etc/password` | High
12 | File | `/show_group_members.php` | High
13 | File | `/usr/etc/rpc.passwd` | High
14 | File | `/WEB-INF/web.xml` | High
15 | ... | ... | ...
There are 9 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 121 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2018/08/threat-roundup-0810-0817.html
* https://blog.talosintelligence.com/2019/04/threat-roundup-0405-0412.html
* https://blog.talosintelligence.com/2020/12/threat-roundup-1211-1218.html
## Literature

85
actors/TraderTraitor/README.md Normal file
View File

@ -0,0 +1,85 @@
# TraderTraitor - Cyber Threat Intelligence
These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [TraderTraitor](https://vuldb.com/?actor.tradertraitor). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.tradertraitor](https://vuldb.com/?actor.tradertraitor)
## Countries
These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TraderTraitor:
* [US](https://vuldb.com/?country.us)
* [DE](https://vuldb.com/?country.de)
* [CN](https://vuldb.com/?country.cn)
* ...
There are 8 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of TraderTraitor.
ID | IP address | Hostname | Campaign | Confidence
-- | ---------- | -------- | -------- | ----------
1 | [38.132.124.161](https://vuldb.com/?ip.38.132.124.161) | - | - | High
2 | [45.14.227.58](https://vuldb.com/?ip.45.14.227.58) | static.pwxs.net | - | High
3 | [46.16.62.238](https://vuldb.com/?ip.46.16.62.238) | fnadh-35.srv.cat | - | High
4 | ... | ... | ... | ...
There are 10 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
_Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK techniques used by _TraderTraitor_. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
5 | ... | ... | ... | ...
There are 15 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by TraderTraitor. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/countrymanagement.php` | High
2 | File | `/admin/newsletter1.php` | High
3 | File | `/admin/payment.php` | High
4 | File | `/doc/packages` | High
5 | File | `/forum/away.php` | High
6 | File | `/getcfg.php` | Medium
7 | File | `/login` | Low
8 | File | `/newsDia.php` | Medium
9 | File | `/product_list.php` | High
10 | File | `/rom-0` | Low
11 | File | `/scas/admin/` | Medium
12 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
13 | File | `/var/log/nginx` | High
14 | File | `/web/entry/en/address/adrsSetUserWizard.cgi` | High
15 | File | `adclick.php` | Medium
16 | ... | ... | ...
There are 130 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References
The following list contains _external sources_ which discuss the actor and the associated activities:
* https://1275.ru/ioc/126/tradertraitor-iocs/
## Literature
The following _articles_ explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

38
actors/TrickBot/README.md
View File

@ -225,7 +225,7 @@ _Tactics, techniques, and procedures_ (TTP) summarize the suspected MITRE ATT&CK
ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-425 | Pathname Traversal | High
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High
3 | T1055 | CWE-74 | Injection | High
4 | T1059 | CWE-94 | Cross Site Scripting | High
@ -239,27 +239,23 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.python-version` | High
2 | File | `/addNotifyServlet` | High
3 | File | `/admin/curltest.cgi` | High
4 | File | `/admin/js` | Medium
5 | File | `/admin/vca/bia/addacph.cgi` | High
6 | File | `/api/plugin/uninstall` | High
7 | File | `/api/plugin/upload` | High
8 | File | `/cgi-bin/ExportAllSettings.sh` | High
9 | File | `/cgi-bin/mesh.cgi?page=upgrade` | High
10 | File | `/cgi-bin/nightled.cgi` | High
11 | File | `/cgi-bin/touchlist_sync.cgi` | High
12 | File | `/dashboard/profile.php` | High
13 | File | `/donor-wall` | Medium
14 | File | `/edituser.php` | High
15 | File | `/etc/init.d/sshd_service` | High
16 | File | `/forum/away.php` | High
17 | File | `/index.php` | Medium
18 | File | `/index.php/?p=report` | High
19 | ... | ... | ...
1 | File | `/addNotifyServlet` | High
2 | File | `/admin/js` | Medium
3 | File | `/admin/operations/packages.php` | High
4 | File | `/api/plugin/uninstall` | High
5 | File | `/api/plugin/upload` | High
6 | File | `/cgi-bin/ExportAllSettings.sh` | High
7 | File | `/edituser.php` | High
8 | File | `/etc/init.d/sshd_service` | High
9 | File | `/index.php/?p=report` | High
10 | File | `/index.php?r=site%2Fsignup` | High
11 | File | `/modules/caddyhttp/rewrite/rewrite.go` | High
12 | File | `/nav_bar_action.php` | High
13 | File | `/pages/activity/activity.php` | High
14 | File | `/pages/permit/permit.php` | High
15 | ... | ... | ...
There are 151 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
There are 121 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
## References

Some files were not shown because too many files have changed in this diff Show More