cyber_threat_intelligence/actors/Lazarus
README.md: Update October 2023 (2023-10-27 13:52:44 +02:00)

Lazarus - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as Lazarus. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.lazarus

Campaigns

The following campaigns are known and can be associated with Lazarus:

  • AppleJeus
  • Chemical Sector
  • DTrack
  • Fallchill
  • Hidden Cobra
  • Hoplight
  • ...

There are 11 more campaign items available. Please use our online service to access the data.

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lazarus:

There are 8 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) identify network resources known to be part of the research and attack activities of Lazarus.


There are 922 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by Lazarus. This data is unique as it uses our predictive model for actor profiling.

Technique (weakness description): CWE identifiers; confidence

  • T1006 (Pathname Traversal): CWE-21, CWE-22, CWE-23, CWE-24, CWE-25, CWE-29, CWE-35; High
  • T1040 (Authentication Bypass by Capture-replay): CWE-294; High
  • T1055 (Injection): CWE-74; High
  • T1059 (Cross Site Scripting): CWE-94, CWE-1321; High
  • ...

There are 18 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Lazarus. This data is unique as it uses our predictive model for actor profiling.


There are 360 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2023 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!