Lazarus - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as Lazarus. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.lazarus

Campaigns

The following campaigns are known and can be associated with Lazarus:

  • AppleJeus
  • Chemical Sector
  • DTrack
  • Fallchill
  • Hidden Cobra
  • Hoplight
  • ...

There are 11 more campaign items available. Please use our online service to access the data.

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lazarus:

There are 15 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of Lazarus.


There are 941 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by Lazarus. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Weakness | Description | Confidence |
|----|-----------|----------|-------------|------------|
| 1 | T1006 | CWE-21, CWE-22, CWE-25, CWE-425 | Pathname Traversal | High |
| 2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High |
| 3 | T1055 | CWE-74 | Injection | High |
| 4 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High |
| 5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High |
| 6 | ... | ... | ... | ... |

There are 19 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Lazarus. This data is unique as it uses our predictive model for actor profiling.


There are 512 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2024 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!