APT31 Analysis

IOB - Indicator of Behavior (147)


Language

en: 134
zh: 8
ru: 4
es: 2

Activities

Product

Linux Kernel: 8
Computrols CBAS: 6
WordPress: 4
Sophos Firewall: 4
Joomla CMS: 2

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

Column key: Base/Temp = CVSS base and temporal score; 0day/Today = estimated exploit price at disclosure and at present; Exp = exploitability; Cou = countermeasure; KEV = CISA Known Exploited Vulnerabilities status; EPSS = Exploit Prediction Scoring System probability.

# | Vulnerability | Base | Temp | 0day | Today | Exp | Cou | KEV | EPSS | CTI | CVE
1 | Atmail Remote Code Execution | 9.8 | 9.4 | $2k-$5k | $0-$1k | Not defined | Official fix | | 0.00382 | 0.07 | CVE-2013-5033
2 | Palo Alto PAN-OS GlobalProtect Clientless VPN buffer overflow | 8.8 | 8.6 | $2k-$5k | $0-$1k | Not defined | Official fix | | 0.00751 | 0.00 | CVE-2021-3056
3 | nginx request smuggling | 6.9 | 6.9 | $2k-$5k | $0-$1k | Not defined | Not defined | | 0.00000 | 0.56 | CVE-2020-12440
4 | Linksys WRT54GL Web Management Interface SysInfo1.htm information disclosure | 4.3 | 4.1 | $1k-$2k | $0-$1k | Proof-of-Concept | Not defined | | 0.00033 | 0.07 | CVE-2024-1406
5 | Teclib GLPI unlock_tasks.php sql injection | 8.5 | 8.5 | $1k-$2k | $0-$1k | Not defined | Official fix | expected | 0.85865 | 0.05 | CVE-2019-10232
6 | Sophos Firewall User Portal/Webadmin improper authentication | 9.0 | 9.0 | $1k-$2k | $0-$1k | High | Not defined | verified | 0.94423 | 0.00 | CVE-2022-1040
7 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$50k | $0-$1k | Unproven | Official fix | | 0.15547 | 0.16 | CVE-2014-4078
8 | H3C GR-1200W EditWlanMacList stack-based overflow | 7.6 | 7.5 | $2k-$5k | $0-$1k | Not defined | Not defined | | 0.00353 | 0.00 | CVE-2022-36518
9 | Linux Kernel netfilter nf_reject_ip6_tcphdr_put uninitialized resource | 6.7 | 6.6 | $10k-$25k | $2k-$5k | Not defined | Official fix | | 0.00280 | 0.08 | CVE-2024-47685
10 | Directus access control | 4.6 | 4.5 | $2k-$5k | $0-$1k | Not defined | Official fix | | 0.00028 | 0.00 | CVE-2024-46990
11 | Invision Community toolbar.php addPlugin privilege escalation | 4.7 | 4.3 | $1k-$2k | $0-$1k | Proof-of-Concept | Not defined | | 0.00493 | 0.07 | CVE-2024-30162
12 | Liferay Portal ommand absolute path traversal | 8.4 | 8.2 | $1k-$2k | $0-$1k | Proof-of-Concept | Not defined | possible | 0.58066 | 0.00 | CVE-2021-33990
13 | MZ Automation LibIEC61850 MMS Client stack-based overflow | 5.5 | 5.3 | $2k-$5k | $0-$1k | Not defined | Official fix | | 0.00100 | 0.00 | CVE-2024-45970
14 | iText XML Parser xml external entity reference | 8.0 | 7.7 | $2k-$5k | $0-$1k | Not defined | Official fix | | 0.09905 | 0.00 | CVE-2017-9096
15 | Pureftpd pure-FTPd path traversal | 5.1 | 5.1 | $1k-$2k | $0-$1k | Not defined | Not defined | | 0.00028 | 0.06 | CVE-2011-3171
16 | WP Maps Plugin sql injection | 7.5 | 7.4 | $1k-$2k | $1k-$2k | Not defined | Not defined | | 0.00296 | 0.00 | CVE-2024-2386
17 | Qualcomm Snapdragon Wired Infrastructure and Networking Log File memory corruption | 9.8 | 9.6 | $25k-$50k | $5k-$10k | Not defined | Official fix | | 0.00138 | 0.07 | CVE-2024-33066
18 | vBulletin moderation.php sql injection | 7.3 | 7.0 | $2k-$5k | $0-$1k | High | Official fix | expected | 0.83941 | 0.07 | CVE-2016-6195
19 | Bitrix24 tools.php initialization | 7.5 | 7.5 | $1k-$2k | $0-$1k | Not defined | Not defined | expected | 0.90353 | 0.07 | CVE-2023-1719
20 | Known SVG File isSVG cross site scripting | 5.8 | 5.8 | $0-$1k | $0-$1k | Not defined | Not defined | | 0.00703 | 0.00 | CVE-2022-32115

IOC - Indicator of Compromise (70)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
1 | 5.252.176.102 | no-rdns.mivocloud.com | APT31 | | 11/28/2022 | verified | Low
2 | 20.11.11.67 | | APT31 | | 02/19/2024 | verified | High
3 | 45.147.229.194 | | APT31 | | 11/28/2022 | verified | Medium
4 | 50.71.100.164 | S010690a7c1a10cf2.wp.shawcable.net | APT31 | | 11/28/2022 | verified | Low
5 | 58.96.237.98 | | APT31 | | 11/28/2022 | verified | Medium
6 | 58.182.61.137 | 137.61.182.58.starhub.net.sg | APT31 | | 11/28/2022 | verified | Medium
7 | 68.146.18.127 | S010690a7c1b6e041.cg.shawcable.net | APT31 | | 11/28/2022 | verified | Low
8 | 71.64.151.132 | cpe-71-64-151-132.cinci.res.rr.com | APT31 | | 11/28/2022 | verified | Medium
9 | 73.229.137.54 | c-73-229-137-54.hsd1.co.comcast.net | APT31 | | 11/28/2022 | verified | Medium
10 | 78.82.247.37 | 78-82-247-37.customers.ownit.se | APT31 | | 11/28/2022 | verified | Low
11 | 81.83.4.48 | d51530430.static.telenet.be | APT31 | | 11/28/2022 | verified | Medium
12 | 81.227.88.108 | 81-227-88-108-no2661.tbcn.telia.com | APT31 | | 11/28/2022 | verified | Medium
13 | 81.232.51.161 | 81-232-51-161-no600.tbcn.telia.com | APT31 | | 11/28/2022 | verified | Medium
14 | 81.234.227.62 | 81-234-227-62-no551.tbcn.telia.com | APT31 | | 11/28/2022 | verified | Medium

TTP - Tactics, Techniques, Procedures (15)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (63)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /+CSCOE+/logon.html | predictive | High
2 | File | /api/RecordingList/DownloadRecord?file= | predictive | High
3 | File | /applications/core/modules/admin/editor/toolbar.php | predictive | High
4 | File | /apply.cgi | predictive | Medium
5 | File | /cgi-bin/cstecgi.cgi | predictive | High
6 | File | /php/ping.php | predictive | High
7 | File | /scripts/unlock_tasks.php | predictive | High
8 | File | /SysInfo1.htm | predictive | High
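
Added example, written for this edit and not part of the VulDB profile or its tooling: a Python sweep that checks web-server access logs against the unmasked IOC IP addresses and IOA file paths listed above. The log lines are constructed for the demonstration, not captured traffic; the IOC and IOA values are copied from the two tables. The request path is percent-decoded (repeatedly, to defeat double encoding) and dot-segment-normalized before matching, because the raw request target is attacker-controlled and a naive substring match on "/SysInfo1.htm" misses "/%53ysInfo1.htm" or "/static/%2e%2e/SysInfo1.htm".

```python
import re
from ipaddress import ip_address
from urllib.parse import unquote, urlsplit

# IOC IP addresses, copied from the unmasked rows (1-14) of the IOC table above.
IOC_IPS = {
    "5.252.176.102", "20.11.11.67", "45.147.229.194", "50.71.100.164",
    "58.96.237.98", "58.182.61.137", "68.146.18.127", "71.64.151.132",
    "73.229.137.54", "78.82.247.37", "81.83.4.48", "81.227.88.108",
    "81.232.51.161", "81.234.227.62",
}

# IOA file indicators, copied from the unmasked rows (1-8) of the IOA table above.
# The "?file=" query fragment of row 2 is dropped: matching is done on the path only.
IOA_PATHS = {
    "/+CSCOE+/logon.html",
    "/api/RecordingList/DownloadRecord",
    "/applications/core/modules/admin/editor/toolbar.php",
    "/apply.cgi",
    "/cgi-bin/cstecgi.cgi",
    "/php/ping.php",
    "/scripts/unlock_tasks.php",
    "/SysInfo1.htm",
}

# Apache/nginx Combined Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines for the demo (not captured traffic). Line 2 hides an
# IOA path behind a percent-encoded letter, line 5 behind an encoded "..".
SAMPLE_LOG = [
    '81.227.88.108 - - [28/Nov/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [28/Nov/2022:10:01:09 +0000] "GET /%53ysInfo1.htm HTTP/1.1" 200 1432',
    '203.0.113.9 - - [28/Nov/2022:10:02:11 +0000] "GET /api/RecordingList/DownloadRecord?file=../../etc/passwd HTTP/1.1" 403 0',
    '45.147.229.194 - - [28/Nov/2022:10:03:30 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 500 0',
    '198.51.100.7 - - [28/Nov/2022:10:04:00 +0000] "GET /static/%2e%2e/apply.cgi HTTP/1.1" 404 0',
    'not a log line at all',
]


def normalize_path(target):
    """Return the request path with percent-encoding undone and dot segments resolved.

    Decoding repeats until stable so a double-encoded "%252e" ("%2e", then ".")
    cannot slip past a single unquote(); the cap of three rounds bounds the work.
    """
    try:
        path = urlsplit(target).path
    except ValueError:  # malformed IPv6 literal in an absolute-form target
        path = target
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def scan_log(lines):
    """Return (line_no, kind, value) for every line that touches an IOC IP or an IOA path."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # a production sweep should count unparsed lines rather than drop them
        ip = m.group("ip")
        try:
            ip_address(ip)
        except ValueError:
            continue  # hostname in the client field: nothing to compare against IOC_IPS
        if ip in IOC_IPS:
            hits.append((n, "ioc_ip", ip))
        path = normalize_path(m.group("target"))
        if path in IOA_PATHS:
            hits.append((n, "ioa_path", path))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Read the two hit kinds differently. An ioa_path hit is a predictive indicator, as the Type column says: a request for /SysInfo1.htm is reconnaissance against a Linksys WRT54GL by anyone who scans for CVE-2024-1406, not proof of APT31, so treat it as a triage lead. An ioc_ip hit is against a verified entry, but most of the IOC hostnames are residential ISP reverse DNS (shawcable, comcast, telia, telenet), and such addresses are reassigned quickly, so check the Identified date against the log's timestamp before paging anyone.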
