Update

actors/APT32/README.md

@@ -46,7 +46,7 @@ There are 48 more IOC items available. Please use our online service to access t
 
 ## TTP - Tactics, Techniques, Procedures
 
-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by APT32. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _APT32_. This data is unique as it uses our predictive model for actor profiling.
 
 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@@ -55,7 +55,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...
 
-There are 7 more TTP items available. Please use our online service to access the data.
+There are 6 more TTP items available. Please use our online service to access the data.
 
 ## IOA - Indicator of Attack
 
@@ -74,19 +74,20 @@ ID | Type | Indicator | Confidence
 9 | File | `/goform/setmac` | High
 10 | File | `/log_download.cgi` | High
 11 | File | `/manager?action=getlogcat` | High
-12 | File | `/password.html` | High
-13 | File | `/system/ws/v11/ss/email` | High
-14 | File | `/uncpath/` | Medium
-15 | File | `add_vhost.php` | High
-16 | File | `admin/images.aspx` | High
-17 | File | `admin/index.php` | High
-18 | File | `adv2.php?action=modify` | High
-19 | File | `agent.cfg` | Medium
-20 | File | `arch/x86/include/asm/fpu/internal.h` | High
-21 | File | `asm/float.c` | Medium
-22 | ... | ... | ...
+12 | File | `/pages/systemcall.php?command={COMMAND}` | High
+13 | File | `/password.html` | High
+14 | File | `/system/ws/v11/ss/email` | High
+15 | File | `/uncpath/` | Medium
+16 | File | `add_vhost.php` | High
+17 | File | `admin/images.aspx` | High
+18 | File | `admin/index.php` | High
+19 | File | `adv2.php?action=modify` | High
+20 | File | `agent.cfg` | Medium
+21 | File | `arch/x86/include/asm/fpu/internal.h` | High
+22 | File | `asm/float.c` | Medium
+23 | ... | ... | ...
 
-There are 187 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 188 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 
 ## References
 

actors/Agent Tesla/README.md

@@ -29,10 +29,11 @@ ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
 1 | [69.174.99.181](https://vuldb.com/?ip.69.174.99.181) | unassigned.quadranet.com | Phishing Korea | High
 2 | [149.56.200.165](https://vuldb.com/?ip.149.56.200.165) | ip165.ip-149-56-200.net | Phishing Korea | High
+3 | [208.91.199.223](https://vuldb.com/?ip.208.91.199.223) | us2.outbound.mailhostbox.com | - | High
 
 ## TTP - Tactics, Techniques, Procedures
 
-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Agent Tesla. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Agent Tesla_. This data is unique as it uses our predictive model for actor profiling.
 
 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@@ -102,12 +103,13 @@ ID | Type | Indicator | Confidence
 51 | File | `e/member/doaction.php` | High
 52 | ... | ... | ...
 
-There are 451 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 448 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 
 ## References
 
 The following list contains _external sources_ which discuss the actor and the associated activities:
 
+* https://blogs.blackberry.com/en/2020/04/threat-spotlight-secret-agent-tesla
 * https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant
 
 ## Literature

actors/Amadey Bot/README.md

@@ -0,0 +1,36 @@
+# Amadey Bot - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Amadey Bot](https://vuldb.com/?actor.amadey_bot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.amadey_bot](https://vuldb.com/?actor.amadey_bot)
+
+## Campaigns
+
+The following _campaigns_ are known and can be associated with Amadey Bot:
+
+* Azorult
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Amadey Bot.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [2.59.42.63](https://vuldb.com/?ip.2.59.42.63) | vds-cw08597.timeweb.ru | Azorult | High
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

actors/Bitter/README.md

@@ -1,47 +1,78 @@
 # Bitter - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bitter](https://vuldb.com/?actor.bitter). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bitter](https://vuldb.com/?actor.bitter). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
 
-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.bitter](https://vuldb.com/?actor.bitter)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.bitter](https://vuldb.com/?actor.bitter)
 
 ## Countries
 
-These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bitter:
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Bitter:
 
-* US
+* [US](https://vuldb.com/?country.us)
+* [CO](https://vuldb.com/?country.co)
+* [IT](https://vuldb.com/?country.it)
+* ...
+
+There are 16 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Bitter.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Bitter.
 
-ID | IP address | Hostname | Confidence
--- | ---------- | -------- | ----------
-1 | 82.221.129.17 | hengill.orangewebsite.com | High
-2 | 82.221.129.18 | baula.orangewebsite.com | High
-3 | 82.221.129.19 | jolnir.orangewebsite.com | High
-4 | ... | ... | ...
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [82.221.129.17](https://vuldb.com/?ip.82.221.129.17) | hengill.orangewebsite.com | - | High
+2 | [82.221.129.18](https://vuldb.com/?ip.82.221.129.18) | baula.orangewebsite.com | - | High
+3 | [82.221.129.19](https://vuldb.com/?ip.82.221.129.19) | jolnir.orangewebsite.com | - | High
+4 | ... | ... | ... | ...
 
-There are 3 more IOC items available. Please use our online service to access the data.
+There are 8 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Bitter_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ... | ...
+
+There are 3 more TTP items available. Please use our online service to access the data.
 
 ## IOA - Indicator of Attack
 
-These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Bitter. This data is unique as it uses our predictive model for actor profiling.
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Bitter. This data is unique as it uses our predictive model for actor profiling.
 
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
-1 | File | `shopreviewlist.asp` | High
-2 | File | `test-cgi` | Medium
-3 | Argument | `catalogid` | Medium
+1 | File | `.htaccess` | Medium
+2 | File | `/etc/gsissh/sshd_config` | High
+3 | File | `/forms/nslookupHandler` | High
+4 | File | `/news.dtl.php` | High
+5 | File | `/systemrw/` | Medium
+6 | File | `/uncpath/` | Medium
+7 | File | `/upload/file.php` | High
+8 | File | `/wp-content/plugins/woocommerce/templates/emails/plain/` | High
+9 | File | `5.2.9\syscrb.exe` | High
+10 | File | `admin.cgi` | Medium
+11 | File | `admin/category.inc.php` | High
+12 | File | `data/gbconfiguration.dat` | High
+13 | ... | ... | ...
+
+There are 99 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 
 ## References
 
-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:
 
+* https://blogs.blackberry.com/en/2019/10/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform
 * https://www.threatminer.org/report.php?q=SuspectedBITTERAPTContinuesTargetingGovernmentofChinaandChineseOrganizations.pdf&y=2019
 
 ## Literature
 
-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:
 
 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

actors/DEV-0322/README.md

@@ -33,7 +33,7 @@ There are 11 more IOC items available. Please use our online service to access t
 
 ## TTP - Tactics, Techniques, Procedures
 
-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by DEV-0322. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _DEV-0322_. This data is unique as it uses our predictive model for actor profiling.
 
 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------

actors/Edwind/README.md

@@ -1,6 +1,6 @@
 # Edwind - Cyber Threat Intelligence
 
-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Edwind](https://vuldb.com/?actor.edwind). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Edwind](https://vuldb.com/?actor.edwind). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
 
 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.edwind](https://vuldb.com/?actor.edwind)
 
@@ -8,7 +8,7 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
 
 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Edwind:
 
-* RU
+* [RU](https://vuldb.com/?country.ru)
 
 ## IOC - Indicator of Compromise
 
@@ -16,9 +16,9 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
 
 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 88.99.71.89 | static.89.71.99.88.clients.your-server.de | - | High
-2 | 88.99.112.168 | static.168.112.99.88.clients.your-server.de | - | High
-3 | 88.99.112.169 | static.169.112.99.88.clients.your-server.de | - | High
+1 | [88.99.71.89](https://vuldb.com/?ip.88.99.71.89) | static.89.71.99.88.clients.your-server.de | - | High
+2 | [88.99.112.168](https://vuldb.com/?ip.88.99.112.168) | static.168.112.99.88.clients.your-server.de | - | High
+3 | [88.99.112.169](https://vuldb.com/?ip.88.99.112.169) | static.169.112.99.88.clients.your-server.de | - | High
 
 ## IOA - Indicator of Attack
 

actors/Grizzly Steppe/README.md

@@ -13,7 +13,7 @@ These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. acce
 * [GB](https://vuldb.com/?country.gb)
 * ...
 
-There are 18 more country items available. Please use our online service to access the data.
+There are 17 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -151,7 +151,7 @@ There are 496 more IOC items available. Please use our online service to access
 
 ## TTP - Tactics, Techniques, Procedures
 
-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Grizzly Steppe. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Grizzly Steppe_. This data is unique as it uses our predictive model for actor profiling.
 
 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@@ -169,39 +169,39 @@ These _indicators of attack_ (IOA) list the potential fragments used for technic
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
 1 | File | `/.env` | Low
-2 | File | `/admin/configure.php` | High
-3 | File | `/admin/doctors/view_doctor.php` | High
-4 | File | `/admin/index.php?lfj=mysql&action=del` | High
-5 | File | `/cgi-bin/luci/rc` | High
-6 | File | `/cms/ajax.php` | High
-7 | File | `/context/%2e/WEB-INF/web.xml` | High
-8 | File | `/dev/dri/card1` | High
-9 | File | `/domain/service/.ewell-known/caldav` | High
-10 | File | `/download` | Medium
-11 | File | `/formWlanSetup` | High
-12 | File | `/goform/setIPv6Status` | High
-13 | File | `/images` | Low
-14 | File | `/include/chart_generator.php` | High
-15 | File | `/InternalPages/ExecuteTask.aspx` | High
-16 | File | `/modules/profile/index.php` | High
-17 | File | `/monitoring` | Medium
-18 | File | `/music/ajax.php` | High
-19 | File | `/pandora_console/ajax.php` | High
-20 | File | `/plugins/servlet/audit/resource` | High
-21 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
-22 | File | `/proc/<pid>/status` | High
-23 | File | `/public/plugins/` | High
-24 | File | `/rest/api/1.0/render` | High
-25 | File | `/RestAPI` | Medium
-26 | File | `/SASWebReportStudio/logonAndRender.do` | High
-27 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
-28 | File | `/secure/QueryComponent!Default.jspa` | High
-29 | File | `/tmp` | Low
-30 | File | `/uncpath/` | Medium
-31 | File | `/var/log/nginx` | High
+2 | File | `/admin-panel1.php` | High
+3 | File | `/admin/configure.php` | High
+4 | File | `/admin/doctors/view_doctor.php` | High
+5 | File | `/admin/index.php?lfj=mysql&action=del` | High
+6 | File | `/cgi-bin/luci/rc` | High
+7 | File | `/cms/ajax.php` | High
+8 | File | `/context/%2e/WEB-INF/web.xml` | High
+9 | File | `/dev/dri/card1` | High
+10 | File | `/domain/service/.ewell-known/caldav` | High
+11 | File | `/download` | Medium
+12 | File | `/formWlanSetup` | High
+13 | File | `/goform/setIPv6Status` | High
+14 | File | `/images` | Low
+15 | File | `/include/chart_generator.php` | High
+16 | File | `/InternalPages/ExecuteTask.aspx` | High
+17 | File | `/modules/profile/index.php` | High
+18 | File | `/monitoring` | Medium
+19 | File | `/music/ajax.php` | High
+20 | File | `/pandora_console/ajax.php` | High
+21 | File | `/plugins/servlet/audit/resource` | High
+22 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
+23 | File | `/proc/<pid>/status` | High
+24 | File | `/public/plugins/` | High
+25 | File | `/rest/api/1.0/render` | High
+26 | File | `/RestAPI` | Medium
+27 | File | `/SASWebReportStudio/logonAndRender.do` | High
+28 | File | `/secure/admin/InsightDefaultCustomFieldConfig.jspa` | High
+29 | File | `/secure/QueryComponent!Default.jspa` | High
+30 | File | `/tmp` | Low
+31 | File | `/uncpath/` | Medium
 32 | ... | ... | ...
 
-There are 269 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 272 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 
 ## References
 

actors/Hackers-for-Hire/README.md

@@ -0,0 +1,75 @@
+# Hackers-for-Hire - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Hackers-for-Hire](https://vuldb.com/?actor.hackers-for-hire). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.hackers-for-hire](https://vuldb.com/?actor.hackers-for-hire)
+
+## Campaigns
+
+The following _campaigns_ are known and can be associated with Hackers-for-Hire:
+
+* CostaRicto
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hackers-for-Hire:
+
+* [US](https://vuldb.com/?country.us)
+* [TR](https://vuldb.com/?country.tr)
+* [DE](https://vuldb.com/?country.de)
+* ...
+
+There are 1 more country items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Hackers-for-Hire.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [45.89.175.206](https://vuldb.com/?ip.45.89.175.206) | - | CostaRicto | High
+2 | [45.138.172.54](https://vuldb.com/?ip.45.138.172.54) | - | CostaRicto | High
+3 | [144.217.53.146](https://vuldb.com/?ip.144.217.53.146) | ip146.ip-144-217-53.net | CostaRicto | High
+4 | ... | ... | ... | ...
+
+There are 3 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Hackers-for-Hire_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Hackers-for-Hire. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/EXCU_SHELL` | Medium
+2 | File | `category.asp` | Medium
+3 | File | `deliver.asp` | Medium
+4 | ... | ... | ...
+
+There are 9 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

actors/Moobot/README.md

@@ -1,6 +1,6 @@
 # Moobot - Cyber Threat Intelligence
 
-These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Moobot](https://vuldb.com/?actor.moobot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Moobot](https://vuldb.com/?actor.moobot). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
 
 _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.moobot](https://vuldb.com/?actor.moobot)
 
@@ -8,18 +8,19 @@ _Live data_ and more _analysis capabilities_ are available at [https://vuldb.com
 
 The following _campaigns_ are known and can be associated with Moobot:
 
+* DDoS Ukraine
 * UNIX CCTV DVR
 
 ## Countries
 
 These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Moobot:
 
-* US
-* LU
-* ES
+* [US](https://vuldb.com/?country.us)
+* [LU](https://vuldb.com/?country.lu)
+* [ES](https://vuldb.com/?country.es)
 * ...
 
-There are 20 more country items available. Please use our online service to access the data.
+There are 19 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
@@ -27,19 +28,19 @@ These _indicators of compromise_ (IOC) indicate associated network resources whi
 
 ID | IP address | Hostname | Campaign | Confidence
 -- | ---------- | -------- | -------- | ----------
-1 | 31.13.195.56 | - | - | High
-2 | 37.49.226.216 | - | - | High
-3 | 45.95.168.90 | - | - | High
-4 | 89.248.174.165 | - | UNIX CCTV DVR | High
-5 | 89.248.174.166 | - | UNIX CCTV DVR | High
-6 | 89.248.174.198 | - | - | High
+1 | [31.13.195.56](https://vuldb.com/?ip.31.13.195.56) | - | - | High
+2 | [37.49.226.216](https://vuldb.com/?ip.37.49.226.216) | - | - | High
+3 | [45.95.168.90](https://vuldb.com/?ip.45.95.168.90) | - | - | High
+4 | [89.248.174.165](https://vuldb.com/?ip.89.248.174.165) | - | UNIX CCTV DVR | High
+5 | [89.248.174.166](https://vuldb.com/?ip.89.248.174.166) | - | UNIX CCTV DVR | High
+6 | [89.248.174.198](https://vuldb.com/?ip.89.248.174.198) | - | - | High
 7 | ... | ... | ... | ...
 
-There are 24 more IOC items available. Please use our online service to access the data.
+There are 25 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Moobot. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _Moobot_. This data is unique as it uses our predictive model for actor profiling.
 
 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@@ -48,7 +49,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...
 
-There are 8 more TTP items available. Please use our online service to access the data.
+There are 7 more TTP items available. Please use our online service to access the data.
 
 ## IOA - Indicator of Attack
 
@@ -77,25 +78,23 @@ ID | Type | Indicator | Confidence
 19 | File | `/member/index/login.html` | High
 20 | File | `/moddable/xs/sources/xsScript.c` | High
 21 | File | `/moddable/xs/sources/xsSymbol.c` | High
-22 | File | `/multiux/SaveMailbox` | High
-23 | File | `/music/ajax.php` | High
-24 | File | `/nagioslogserver/configure/create_snapshot` | High
-25 | File | `/nova/bin/lcdstat` | High
-26 | File | `/orms/` | Low
-27 | File | `/rest/api/1.0/issues/{id}/ActionsAndOperations` | High
-28 | File | `/rest/api/2/user/picker` | High
-29 | File | `/rsms/` | Low
-30 | File | `/secure/QueryComponent!Default.jspa` | High
-31 | File | `/src/njs_vmcode.c` | High
-32 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
-33 | File | `/syscmd.asp` | Medium
-34 | File | `/system?action=ServiceAdmin` | High
-35 | File | `/tmp` | Low
-36 | File | `/uncpath/` | Medium
-37 | File | `/uploads/dede` | High
-38 | ... | ... | ...
+22 | File | `/music/ajax.php` | High
+23 | File | `/nagioslogserver/configure/create_snapshot` | High
+24 | File | `/nova/bin/lcdstat` | High
+25 | File | `/orms/` | Low
+26 | File | `/rest/api/1.0/issues/{id}/ActionsAndOperations` | High
+27 | File | `/rest/api/2/user/picker` | High
+28 | File | `/rsms/` | Low
+29 | File | `/secure/QueryComponent!Default.jspa` | High
+30 | File | `/src/njs_vmcode.c` | High
+31 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
+32 | File | `/syscmd.asp` | Medium
+33 | File | `/system?action=ServiceAdmin` | High
+34 | File | `/tmp` | Low
+35 | File | `/uncpath/` | Medium
+36 | ... | ... | ...
 
-There are 324 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+There are 306 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 
 ## References
 
@@ -103,6 +102,7 @@ The following list contains _external sources_ which discuss the actor and the a
 
 * https://blog.netlab.360.com/ddos-botnet-moobot-en/
 * https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/
+* https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/
 * https://blog.netlab.360.com/the-botnet-cluster-on-185-244-25-0-24-en/
 
 ## Literature

actors/PyXie/README.md

@@ -0,0 +1,61 @@
+# PyXie - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [PyXie](https://vuldb.com/?actor.pyxie). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.pyxie](https://vuldb.com/?actor.pyxie)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PyXie:
+
+* [US](https://vuldb.com/?country.us)
+* [CN](https://vuldb.com/?country.cn)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of PyXie.
+
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [104.200.67.173](https://vuldb.com/?ip.104.200.67.173) | - | - | High
+2 | [192.52.167.241](https://vuldb.com/?ip.192.52.167.241) | nordns.crowncloud.net | - | High
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _PyXie_. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1068 | CWE-250, CWE-264 | Execution with Unnecessary Privileges | High
+2 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+3 | T1211 | CWE-358 | 7PK Security Features | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by PyXie. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/wp-content/plugins/updraftplus/admin.php` | High
+2 | File | `fm_backups` | Medium
+3 | File | `Forms/tools_admin_1` | High
+4 | ... | ... | ...
+
+There are 7 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the actor and the associated activities:
+
+* https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

actors/SilverFish/README.md

@@ -42,7 +42,7 @@ There are 35 more IOC items available. Please use our online service to access t
 
 ## TTP - Tactics, Techniques, Procedures
 
-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by SilverFish. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _SilverFish_. This data is unique as it uses our predictive model for actor profiling.
 
 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------
@@ -51,7 +51,7 @@ ID | Technique | Weakness | Description | Confidence
 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
 4 | ... | ... | ... | ...
 
-There are 9 more TTP items available. Please use our online service to access the data.
+There are 8 more TTP items available. Please use our online service to access the data.
 
 ## IOA - Indicator of Attack
 

actors/m8220/README.md

@@ -28,7 +28,7 @@ ID | IP address | Hostname | Campaign | Confidence
 
 ## TTP - Tactics, Techniques, Procedures
 
-_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by m8220. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _m8220_. This data is unique as it uses our predictive model for actor profiling.
 
 ID | Technique | Weakness | Description | Confidence
 -- | --------- | -------- | ----------- | ----------

actors/njRAT/README.md

@@ -1,49 +1,49 @@
 # njRAT - Cyber Threat Intelligence
 
-The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [njRAT](https://vuldb.com/?actor.njrat). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [njRAT](https://vuldb.com/?actor.njrat). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
 
-Live data and more analysis capabilities are available at [https://vuldb.com/?actor.njrat](https://vuldb.com/?actor.njrat)
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.njrat](https://vuldb.com/?actor.njrat)
 
 ## Countries
 
-These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with njRAT:
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with njRAT:
 
-* ES
-* US
-* FR
+* [ES](https://vuldb.com/?country.es)
+* [US](https://vuldb.com/?country.us)
+* [TH](https://vuldb.com/?country.th)
 * ...
 
-There are 2 more country items available. Please use our online service to access the data.
+There are 3 more country items available. Please use our online service to access the data.
 
 ## IOC - Indicator of Compromise
 
-These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of njRAT.
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of njRAT.
 
-ID | IP address | Hostname | Confidence
--- | ---------- | -------- | ----------
-1 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | High
-2 | 23.3.13.154 | a23-3-13-154.deploy.static.akamaitechnologies.com | High
-3 | 41.200.44.39 | - | High
-4 | ... | ... | ...
+ID | IP address | Hostname | Campaign | Confidence
+-- | ---------- | -------- | -------- | ----------
+1 | [23.3.13.88](https://vuldb.com/?ip.23.3.13.88) | a23-3-13-88.deploy.static.akamaitechnologies.com | - | High
+2 | [23.3.13.154](https://vuldb.com/?ip.23.3.13.154) | a23-3-13-154.deploy.static.akamaitechnologies.com | - | High
+3 | [41.200.44.39](https://vuldb.com/?ip.41.200.44.39) | - | - | High
+4 | ... | ... | ... | ...
 
-There are 13 more IOC items available. Please use our online service to access the data.
+There are 14 more IOC items available. Please use our online service to access the data.
 
 ## TTP - Tactics, Techniques, Procedures
 
-Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by njRAT. This data is unique as it uses our predictive model for actor profiling.
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by _njRAT_. This data is unique as it uses our predictive model for actor profiling.
 
-ID | Technique | Description | Confidence
--- | --------- | ----------- | ----------
-1 | T1059.007 | Cross Site Scripting | High
-2 | T1068 | Execution with Unnecessary Privileges | High
-3 | T1211 | 7PK Security Features | High
-4 | ... | ... | ...
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1211 | CWE-358 | 7PK Security Features | High
+4 | ... | ... | ... | ...
 
-There are 2 more TTP items available. Please use our online service to access the data.
+There are 1 more TTP items available. Please use our online service to access the data.
 
 ## IOA - Indicator of Attack
 
-These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by njRAT. This data is unique as it uses our predictive model for actor profiling.
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by njRAT. This data is unique as it uses our predictive model for actor profiling.
 
 ID | Type | Indicator | Confidence
 -- | ---- | --------- | ----------
@@ -53,21 +53,22 @@ ID | Type | Indicator | Confidence
 4 | File | `data/gbconfiguration.dat` | High
 5 | ... | ... | ...
 
-There are 28 more IOA items available. Please use our online service to access the data.
+There are 28 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
 
 ## References
 
-The following list contains external sources which discuss the actor and the associated activities:
+The following list contains _external sources_ which discuss the actor and the associated activities:
 
 * https://blog.talosintelligence.com/2021/02/threat-roundup-0219-0226.html
 * https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
 * https://blog.talosintelligence.com/2021/04/threat-roundup-0423-0430.html
 * https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
+* https://blogs.blackberry.com/en/2021/08/threat-thursday-dont-let-njrat-take-your-cheddar
 * https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
 
 ## Literature
 
-The following articles explain our unique predictive cyber threat intelligence:
+The following _articles_ explain our unique predictive cyber threat intelligence:
 
 * [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
 * [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

campaigns/Ammyy/README.md

@@ -0,0 +1,67 @@
+# Ammyy - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Ammyy_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Ammyy:
+
+* [US](https://vuldb.com/?country.us)
+* [GB](https://vuldb.com/?country.gb)
+* [RU](https://vuldb.com/?country.ru)
+
+## Actors
+
+These _actors_ are associated with Ammyy:
+
+* [TA505](https://vuldb.com/?actor.ta505)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Ammyy.
+
+ID | IP address | Hostname | Actor | Confidence
+-- | ---------- | -------- | ----- | ----------
+1 | [179.60.146.3](https://vuldb.com/?ip.179.60.146.3) | hostby.data-solutions.net | TA505 | High
+2 | [194.165.16.11](https://vuldb.com/?ip.194.165.16.11) | - | TA505 | High
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Ammyy. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79 | Cross Site Scripting | High
+2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Ammyy. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/common/ticket_associated_tickets.php` | High
+2 | File | `msg.c` | Low
+3 | Argument | `id` | Low
+4 | ... | ... | ...
+
+There are 2 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the campaign and the associated activities:
+
+* https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

campaigns/Azorult/README.md

@@ -0,0 +1,76 @@
+# Azorult - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Azorult_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Azorult:
+
+* [RU](https://vuldb.com/?country.ru)
+* [US](https://vuldb.com/?country.us)
+* [KP](https://vuldb.com/?country.kp)
+* ...
+
+There are 3 more country items available. Please use our online service to access the data.
+
+## Actors
+
+These _actors_ are associated with Azorult:
+
+* [Ramnit](https://vuldb.com/?actor.ramnit)
+* [Amadey Bot](https://vuldb.com/?actor.amadey bot)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Azorult.
+
+ID | IP address | Hostname | Actor | Confidence
+-- | ---------- | -------- | ----- | ----------
+1 | [2.59.42.63](https://vuldb.com/?ip.2.59.42.63) | vds-cw08597.timeweb.ru | Amadey Bot | High
+2 | [80.87.197.238](https://vuldb.com/?ip.80.87.197.238) | profiapp21.fvds.ru | Ramnit | High
+3 | [93.189.44.143](https://vuldb.com/?ip.93.189.44.143) | - | Ramnit | High
+4 | ... | ... | ... | ...
+
+There are 3 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Azorult. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Azorult. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/+CSCOE+/logon.html` | High
+2 | File | `/home/httpd/cgi-bin/cgi.cgi` | High
+3 | File | `/uncpath/` | Medium
+4 | ... | ... | ...
+
+There are 13 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the campaign and the associated activities:
+
+* https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot
+* https://research.checkpoint.com/2018/new-ramnit-campaign-spreads-azorult-malware/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

campaigns/CostaRicto/README.md

@@ -0,0 +1,75 @@
+# CostaRicto - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _CostaRicto_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with CostaRicto:
+
+* [US](https://vuldb.com/?country.us)
+* [TR](https://vuldb.com/?country.tr)
+* [DE](https://vuldb.com/?country.de)
+* ...
+
+There are 1 more country items available. Please use our online service to access the data.
+
+## Actors
+
+These _actors_ are associated with CostaRicto:
+
+* [Hackers-for-Hire](https://vuldb.com/?actor.hackers-for-hire)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of CostaRicto.
+
+ID | IP address | Hostname | Actor | Confidence
+-- | ---------- | -------- | ----- | ----------
+1 | [45.89.175.206](https://vuldb.com/?ip.45.89.175.206) | - | Hackers-for-Hire | High
+2 | [45.138.172.54](https://vuldb.com/?ip.45.138.172.54) | - | Hackers-for-Hire | High
+3 | [144.217.53.146](https://vuldb.com/?ip.144.217.53.146) | ip146.ip-144-217-53.net | Hackers-for-Hire | High
+4 | ... | ... | ... | ...
+
+There are 3 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within CostaRicto. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during CostaRicto. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/EXCU_SHELL` | Medium
+2 | File | `category.asp` | Medium
+3 | File | `deliver.asp` | Medium
+4 | ... | ... | ...
+
+There are 9 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the campaign and the associated activities:
+
+* https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

campaigns/DDoS Ukraine/README.md

@@ -0,0 +1,96 @@
+# DDoS Ukraine - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _DDoS Ukraine_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with DDoS Ukraine:
+
+* [US](https://vuldb.com/?country.us)
+* [CN](https://vuldb.com/?country.cn)
+* [DK](https://vuldb.com/?country.dk)
+
+## Actors
+
+These _actors_ are associated with DDoS Ukraine:
+
+* [Ripprbot](https://vuldb.com/?actor.ripprbot)
+* [Moobot](https://vuldb.com/?actor.moobot)
+* [Mirai](https://vuldb.com/?actor.mirai)
+* ...
+
+There are 1 more actor items available. Please use our online service to access the data.
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of DDoS Ukraine.
+
+ID | IP address | Hostname | Actor | Confidence
+-- | ---------- | -------- | ----- | ----------
+1 | [45.61.136.130](https://vuldb.com/?ip.45.61.136.130) | - | Mirai | High
+2 | [45.61.186.13](https://vuldb.com/?ip.45.61.186.13) | - | Mirai | High
+3 | [46.29.166.105](https://vuldb.com/?ip.46.29.166.105) | - | Mirai | High
+4 | ... | ... | ... | ...
+
+There are 14 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within DDoS Ukraine. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-307 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ... | ...
+
+There are 5 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during DDoS Ukraine. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/formSetPortTr` | High
+2 | File | `/forum/away.php` | High
+3 | File | `/jeecg-boot/sys/common/upload` | High
+4 | File | `/LogoStore/search.php` | High
+5 | File | `/navigate/navigate_download.php` | High
+6 | File | `/question/ask` | High
+7 | File | `/rest/api/2/search` | High
+8 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
+9 | File | `/uncpath/` | Medium
+10 | File | `/usr/sbin/httpd` | High
+11 | File | `123flashchat.php` | High
+12 | File | `acme_accountkeys_edit.php` | High
+13 | File | `adclick.php` | Medium
+14 | File | `admin.cropcanvas.php` | High
+15 | File | `admin.joomlaradiov5.php` | High
+16 | File | `admin.webring.docs.php` | High
+17 | File | `admin/dashboard.php` | High
+18 | File | `advsearch_h.asp` | High
+19 | File | `ajax/telemetry.php` | High
+20 | ... | ... | ...
+
+There are 167 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the campaign and the associated activities:
+
+* https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

campaigns/Phishing Korea/README.md

@@ -0,0 +1,122 @@
+# Phishing Korea - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Phishing Korea_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Phishing Korea:
+
+* [US](https://vuldb.com/?country.us)
+* [CN](https://vuldb.com/?country.cn)
+* [ES](https://vuldb.com/?country.es)
+* ...
+
+There are 8 more country items available. Please use our online service to access the data.
+
+## Actors
+
+These _actors_ are associated with Phishing Korea:
+
+* [Agent Tesla](https://vuldb.com/?actor.agent tesla)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Phishing Korea.
+
+ID | IP address | Hostname | Actor | Confidence
+-- | ---------- | -------- | ----- | ----------
+1 | [69.174.99.181](https://vuldb.com/?ip.69.174.99.181) | unassigned.quadranet.com | Agent Tesla | High
+2 | [149.56.200.165](https://vuldb.com/?ip.149.56.200.165) | ip165.ip-149-56-200.net | Agent Tesla | High
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Phishing Korea. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ... | ...
+
+There are 3 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Phishing Korea. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/+CSCOE+/logon.html` | High
+2 | File | `/cgi-bin/wapopen` | High
+3 | File | `/etc/ajenti/config.yml` | High
+4 | File | `/goform/telnet` | High
+5 | File | `/modules/profile/index.php` | High
+6 | File | `/php/init.poll.php` | High
+7 | File | `/rom-0` | Low
+8 | File | `/tmp/phpglibccheck` | High
+9 | File | `/uncpath/` | Medium
+10 | File | `/var/tmp/sess_*` | High
+11 | File | `action.php` | Medium
+12 | File | `actionphp/download.File.php` | High
+13 | File | `add_comment.php` | High
+14 | File | `admin/admin.php` | High
+15 | File | `admin/content.php` | High
+16 | File | `admin/index.php?id=users/action=edit/user_id=1` | High
+17 | File | `admin/memberviewdetails.php` | High
+18 | File | `admin/sitesettings.php` | High
+19 | File | `affich.php` | Medium
+20 | File | `agent/Core/Controller/SendRequest.cpp` | High
+21 | File | `akeyActivationLogin.do` | High
+22 | File | `album_portal.php` | High
+23 | File | `apache-auth.conf` | High
+24 | File | `askapache-firefox-adsense.php` | High
+25 | File | `attachment.cgi` | High
+26 | File | `basic_search_result.php` | High
+27 | File | `blueprints/sections/edit/1` | High
+28 | File | `books.php` | Medium
+29 | File | `cart_add.php` | Medium
+30 | File | `CFS.c` | Low
+31 | File | `cgi-bin/gnudip.cgi` | High
+32 | File | `checktransferstatus.php` | High
+33 | File | `checkuser.php` | High
+34 | File | `class.SystemAction.php` | High
+35 | File | `clientarea.php` | High
+36 | File | `cmdmon.c` | Medium
+37 | File | `collectivite.class.php` | High
+38 | File | `confirm.php` | Medium
+39 | File | `contact` | Low
+40 | File | `control.c` | Medium
+41 | File | `core-util.c` | Medium
+42 | File | `core/coreuserinputhandler.cpp` | High
+43 | File | `d1_both.c` | Medium
+44 | File | `data/gbconfiguration.dat` | High
+45 | File | `Debug_command_page.asp` | High
+46 | File | `details_view.php` | High
+47 | File | `Diagnose.exe` | Medium
+48 | File | `DigiDocSAXParser.c` | High
+49 | File | `download-file.php` | High
+50 | File | `download.php` | Medium
+51 | File | `e/member/doaction.php` | High
+52 | ... | ... | ...
+
+There are 451 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the campaign and the associated activities:
+
+* https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

campaigns/SDBbot/README.md

@@ -0,0 +1,83 @@
+# SDBbot - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _SDBbot_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with SDBbot:
+
+* [US](https://vuldb.com/?country.us)
+* [DE](https://vuldb.com/?country.de)
+* [ZA](https://vuldb.com/?country.za)
+* ...
+
+There are 16 more country items available. Please use our online service to access the data.
+
+## Actors
+
+These _actors_ are associated with SDBbot:
+
+* [TA505](https://vuldb.com/?actor.ta505)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of SDBbot.
+
+ID | IP address | Hostname | Actor | Confidence
+-- | ---------- | -------- | ----- | ----------
+1 | [5.149.252.171](https://vuldb.com/?ip.5.149.252.171) | absolutecorporation.info | TA505 | High
+2 | [37.59.52.229](https://vuldb.com/?ip.37.59.52.229) | bemta-05.srv.sopeople.net | TA505 | High
+3 | [45.8.126.7](https://vuldb.com/?ip.45.8.126.7) | mail01.bivoic.com | TA505 | High
+4 | ... | ... | ... | ...
+
+There are 14 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within SDBbot. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ... | ...
+
+There are 3 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during SDBbot. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/cgi-bin/webproc` | High
+2 | File | `/modules/tasks/summary.inc.php` | High
+3 | File | `/rest/api/2/user/picker` | High
+4 | File | `/secure/QueryComponent!Default.jspa` | High
+5 | File | `/uncpath/` | Medium
+6 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
+7 | File | `account_activations/edit` | High
+8 | File | `AddResolution.jspa` | High
+9 | ... | ... | ...
+
+There are 65 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the campaign and the associated activities:
+
+* https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

campaigns/UNIX CCTV DVR/README.md

@@ -0,0 +1,113 @@
+# UNIX CCTV DVR - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _UNIX CCTV DVR_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with UNIX CCTV DVR:
+
+* [US](https://vuldb.com/?country.us)
+* [LU](https://vuldb.com/?country.lu)
+* [ES](https://vuldb.com/?country.es)
+* ...
+
+There are 21 more country items available. Please use our online service to access the data.
+
+## Actors
+
+These _actors_ are associated with UNIX CCTV DVR:
+
+* [Moobot](https://vuldb.com/?actor.moobot)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of UNIX CCTV DVR.
+
+ID | IP address | Hostname | Actor | Confidence
+-- | ---------- | -------- | ----- | ----------
+1 | [89.248.174.165](https://vuldb.com/?ip.89.248.174.165) | - | Moobot | High
+2 | [89.248.174.166](https://vuldb.com/?ip.89.248.174.166) | - | Moobot | High
+3 | [89.248.174.203](https://vuldb.com/?ip.89.248.174.203) | no-reverse-dns-configured.com | Moobot | High
+4 | [92.223.73.54](https://vuldb.com/?ip.92.223.73.54) | james050721.example.com | Moobot | High
+5 | ... | ... | ... | ...
+
+There are 16 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within UNIX CCTV DVR. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-250, CWE-264, CWE-266, CWE-274, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-307, CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ... | ...
+
+There are 7 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during UNIX CCTV DVR. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `%PROGRAMDATA%\Razer Chroma\SDK\Apps` | High
+2 | File | `/admin/cloud.php` | High
+3 | File | `/admin/login.php` | High
+4 | File | `/api/document/<DocumentID>/attachments` | High
+5 | File | `/bin/sh` | Low
+6 | File | `/cgi-bin-sdb/` | High
+7 | File | `/cgi-bin/` | Medium
+8 | File | `/core/admin/categories.php` | High
+9 | File | `/coreframe/app/order/admin/card.php` | High
+10 | File | `/device/device=345/?tab=ports` | High
+11 | File | `/downloadmaster/dm_apply.cgi?action_mode=initial&download_type=General&special_cgi=get_language` | High
+12 | File | `/eshop/products/json/aouCustomerAdresse` | High
+13 | File | `/etc/config/cameo` | High
+14 | File | `/etc/environment` | High
+15 | File | `/extensionsinstruction` | High
+16 | File | `/goods/getGoodsListByConditions/` | High
+17 | File | `/includes/lib/tree.php` | High
+18 | File | `/MagickCore/quantize.c` | High
+19 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
+20 | File | `/member/index/login.html` | High
+21 | File | `/moddable/xs/sources/xsScript.c` | High
+22 | File | `/moddable/xs/sources/xsSymbol.c` | High
+23 | File | `/multiux/SaveMailbox` | High
+24 | File | `/nagioslogserver/configure/create_snapshot` | High
+25 | File | `/nova/bin/lcdstat` | High
+26 | File | `/PreviewHandler.ashx` | High
+27 | File | `/rest/api/1.0/issues/{id}/ActionsAndOperations` | High
+28 | File | `/rest/api/2/user/picker` | High
+29 | File | `/secure/QueryComponent!Default.jspa` | High
+30 | File | `/src/njs_vmcode.c` | High
+31 | File | `/SSOPOST/metaAlias/%realm%/idpv2` | High
+32 | File | `/syscmd.asp` | Medium
+33 | File | `/system?action=ServiceAdmin` | High
+34 | File | `/tmp` | Low
+35 | File | `/uncpath/` | Medium
+36 | File | `/uploads/dede` | High
+37 | File | `/user/add` | Medium
+38 | ... | ... | ...
+
+There are 329 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the campaign and the associated activities:
+
+* https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

campaigns/Ukraine/README.md

@@ -0,0 +1,114 @@
+# Ukraine - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _Ukraine_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Ukraine:
+
+* [US](https://vuldb.com/?country.us)
+* [RU](https://vuldb.com/?country.ru)
+* [CN](https://vuldb.com/?country.cn)
+* ...
+
+There are 11 more country items available. Please use our online service to access the data.
+
+## Actors
+
+These _actors_ are associated with Ukraine:
+
+* [UAC-0056](https://vuldb.com/?actor.uac-0056)
+* [Gamaredon](https://vuldb.com/?actor.gamaredon)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Ukraine.
+
+ID | IP address | Hostname | Actor | Confidence
+-- | ---------- | -------- | ----- | ----------
+1 | [31.42.185.63](https://vuldb.com/?ip.31.42.185.63) | dedicated.vsys.host | UAC-0056 | High
+2 | [37.77.105.102](https://vuldb.com/?ip.37.77.105.102) | 701115-cm83897.tmweb.ru | Gamaredon | High
+3 | [45.146.164.37](https://vuldb.com/?ip.45.146.164.37) | - | UAC-0056 | High
+4 | [45.146.165.91](https://vuldb.com/?ip.45.146.165.91) | - | UAC-0056 | High
+5 | [78.40.219.12](https://vuldb.com/?ip.78.40.219.12) | 628153-cn06191.tmweb.ru | Gamaredon | High
+6 | [87.249.44.41](https://vuldb.com/?ip.87.249.44.41) | 741903-co01240.tmweb.ru | Gamaredon | High
+7 | ... | ... | ... | ...
+
+There are 22 more IOC items available. Please use our online service to access the data.
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within Ukraine. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High
+4 | ... | ... | ... | ...
+
+There are 6 more TTP items available. Please use our online service to access the data.
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Ukraine. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/+CSCOE+/logon.html` | High
+2 | File | `/admin/login.php` | High
+3 | File | `/admin/produts/controller.php` | High
+4 | File | `/admin/user/team` | High
+5 | File | `/adminlogin.asp` | High
+6 | File | `/cgi-bin/system_mgr.cgi` | High
+7 | File | `/common/logViewer/logViewer.jsf` | High
+8 | File | `/crmeb/app/admin/controller/store/CopyTaobao.php` | High
+9 | File | `/forum/away.php` | High
+10 | File | `/includes/rrdtool.inc.php` | High
+11 | File | `/mc-admin/post.php?state=delete&delete` | High
+12 | File | `/mifs/c/i/reg/reg.html` | High
+13 | File | `/ms/cms/content/list.do` | High
+14 | File | `/orms/` | Low
+15 | File | `/sec/content/sec_asa_users_local_db_add.html` | High
+16 | File | `/uncpath/` | Medium
+17 | File | `/usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php` | High
+18 | File | `/www/ping_response.cgi` | High
+19 | File | `ABuffer.cpp` | Medium
+20 | File | `account.asp` | Medium
+21 | File | `addmember.php` | High
+22 | File | `addtocart.asp` | High
+23 | File | `addtomylist.asp` | High
+24 | File | `add_edit_user.asp` | High
+25 | File | `admin.php` | Medium
+26 | File | `admin.x-shop.php` | High
+27 | File | `admin/auth.php` | High
+28 | File | `admin/changedata.php` | High
+29 | File | `admin/dashboard.php` | High
+30 | File | `admin/edit-news.php` | High
+31 | File | `admin/gallery.php` | High
+32 | File | `admin/index.php` | High
+33 | File | `admin/manage-departments.php` | High
+34 | File | `admin/sellerupd.php` | High
+35 | ... | ... | ...
+
+There are 304 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the campaign and the associated activities:
+
+* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
+* https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

campaigns/servhelper/README.md

@@ -0,0 +1,70 @@
+# servhelper - Cyber Threat Intelligence
+
+These _indicators_ were reported, collected, and generated during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the campaign known as _servhelper_. The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ uses _big data_ to forecast activities and their characteristics.
+
+_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor](https://vuldb.com/?actor)
+
+## Countries
+
+These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with servhelper:
+
+* [US](https://vuldb.com/?country.us)
+* [AT](https://vuldb.com/?country.at)
+* [RU](https://vuldb.com/?country.ru)
+
+## Actors
+
+These _actors_ are associated with servhelper:
+
+* [TA505](https://vuldb.com/?actor.ta505)
+
+## IOC - Indicator of Compromise
+
+These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of servhelper.
+
+ID | IP address | Hostname | Actor | Confidence
+-- | ---------- | -------- | ----- | ----------
+1 | [45.63.101.210](https://vuldb.com/?ip.45.63.101.210) | 45.63.101.210.vultr.com | TA505 | Medium
+2 | [151.236.23.56](https://vuldb.com/?ip.151.236.23.56) | 56.23.236.151.in-addr.arpa | TA505 | High
+3 | [169.239.128.104](https://vuldb.com/?ip.169.239.128.104) | rns.za.zappiehost.com | TA505 | High
+
+## TTP - Tactics, Techniques, Procedures
+
+_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used within servhelper. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Technique | Weakness | Description | Confidence
+-- | --------- | -------- | ----------- | ----------
+1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High
+2 | T1068 | CWE-264, CWE-284 | Execution with Unnecessary Privileges | High
+3 | T1211 | CWE-254 | 7PK Security Features | High
+
+## IOA - Indicator of Attack
+
+These _indicators of attack_ (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during servhelper. This data is unique as it uses our predictive model for actor profiling.
+
+ID | Type | Indicator | Confidence
+-- | ---- | --------- | ----------
+1 | File | `/api/addusers` | High
+2 | File | `/OA_HTML/cabo/jsps/a.jsp` | High
+3 | File | `/public/login.htm` | High
+4 | File | `/sendKey` | Medium
+5 | ... | ... | ...
+
+There are 25 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
+
+## References
+
+The following list contains _external sources_ which discuss the campaign and the associated activities:
+
+* https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/
+
+## Literature
+
+The following _articles_ explain our unique predictive cyber threat intelligence:
+
+* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
+* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
+
+## License
+
+(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!