APT32 Analysis

IOB - Indicator of Behavior (582)

Timeline

The analysis of the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance, so that immediate vulnerability response can be initiated and issues can be prioritized.

Lang

Lang | Count
en | 466
zh | 39
it | 39
fr | 18
de | 6

Country

Country | Count
us | 423
cn | 102
vn | 18
tr | 11
ru | 4

Product

Product | Count
Google Android | 18
Apple iOS | 18
Linux Kernel | 14
Apple macOS | 12
Apple iPadOS | 12

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | EPSS | CVE
1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | $0-$5k | High | Workaround | 0.04 | 0.04187 | CVE-2007-1192
2 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.63 | 0.04187 | CVE-2010-0966
3 | Google Chrome V8 Remote Code Execution | 6.3 | 6.0 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.00 | 0.77051 | CVE-2020-16040
4 | Apache PDFbox XML Parser xml external entity reference | 7.8 | 7.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.02537 | CVE-2016-2175
5 | Google Android SimpleDecodingSource.cpp doRead privileges management | 9.8 | 9.6 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.00 | 0.01156 | CVE-2021-39623
6 | D-Link DCS-2530L/DCS-2670L ddns_enc.cgi command injection | 7.5 | 7.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.05 | 0.02055 | CVE-2020-25079
7 | Gempar Script Toko Online shop_display_products.php sql injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.08 | 0.00986 | CVE-2009-0296
8 | Puppet Agent SSL Certificate Valu certificate validation | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00885 | CVE-2018-11751
9 | Norton Password Manager origin validation | 6.3 | 6.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00885 | CVE-2019-18381
10 | Facebook osquery Configuration extensions.load link following | 7.7 | 7.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00885 | CVE-2019-3567
11 | OpenSSH Authentication Username information disclosure | 5.3 | 4.8 | $5k-$25k | $0-$5k | High | Official Fix | 0.28 | 0.49183 | CVE-2016-6210
12 | TP-Link AC1750 NetUSB.ko integer overflow | 8.8 | 8.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.01 | 0.01036 | CVE-2022-24354
13 | Pallets Werkzeug Windows SharedDataMiddleware path traversal | 7.5 | 7.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.76925 | CVE-2019-14322
14 | Peplink Balance Web Admin connector.php information disclosure | 5.9 | 5.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.06 | 0.00885 | CVE-2020-24246
15 | Tenda AC11 POST Request setmac stack-based overflow | 7.6 | 7.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.01086 | CVE-2021-31755
16 | Apple macOS Kernel type confusion | 7.8 | 7.5 | $5k-$25k | $0-$5k | High | Official Fix | 0.02 | 0.01889 | CVE-2020-27932
17 | Apple tvOS LaunchServices sandbox | 5.3 | 5.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.01 | 0.01034 | CVE-2021-30677
18 | Zyxel USG/USG Flex/Zywall/ATP/VPN Web-based Management Interface improper authentication | 7.3 | 7.3 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.04 | 0.01055 | CVE-2021-35029
19 | Fortinet FortiWeb Management Interface os command injection | 6.3 | 6.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.10855 | CVE-2021-22123
20 | Apple iOS/iPadOS FontParser memory corruption | 6.3 | 6.0 | $100k and more | $25k-$100k | Proof-of-Concept | Official Fix | 0.08 | 0.01889 | CVE-2020-27930

Campaigns (2)

These are the campaigns that can be associated with the actor:

  • Cobalt Kitty
  • OceanLotus

IOC - Indicator of Compromise (60)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Type | Confidence
1 | 23.227.196.126 | 23-227-196-126.static.hvvc.us | APT32 | Cobalt Kitty | verified | High
2 | 23.227.196.210 | 23-227-196-210.static.hvvc.us | APT32 | | verified | High
3 | 23.227.199.121 | 23-227-199-121.static.hvvc.us | APT32 | Cobalt Kitty | verified | High
4 | 27.102.70.211 | | APT32 | Cobalt Kitty | verified | High
5 | 37.59.198.130 | | APT32 | OceanLotus | verified | High
6 | 37.59.198.131 | | APT32 | OceanLotus | verified | High
7 | 45.32.100.179 | 45.32.100.179.vultr.com | APT32 | OceanLotus | verified | Medium
8 | 45.32.105.45 | | APT32 | OceanLotus | verified | High
9 | 45.32.114.49 | 45.32.114.49.vultr.com | APT32 | OceanLotus | verified | Medium
10 | 45.76.147.201 | 45.76.147.201.vultr.com | APT32 | OceanLotus | verified | Medium
11 | 45.76.179.28 | 45.76.179.28.vultr.com | APT32 | OceanLotus | verified | Medium
12 | 45.76.179.151 | 45.76.179.151.vultr.com | APT32 | OceanLotus | verified | Medium
13 | 45.77.39.101 | 45.77.39.101.vultr.com | APT32 | OceanLotus | verified | Medium
14 | 45.114.117.137 | | APT32 | Cobalt Kitty | verified | High
15 | 45.114.117.164 | folien.reisnart.com | APT32 | OceanLotus | verified | High
16 | 64.62.174.9 | agent2.jenkins.aoindustries.com | APT32 | OceanLotus | verified | High
17 | 64.62.174.16 | unassigned16.net2.fc.aoindustries.com | APT32 | OceanLotus | verified | High
18 | 64.62.174.17 | unassigned17.net2.fc.aoindustries.com | APT32 | OceanLotus | verified | High
19 | 64.62.174.21 | unassigned21.net2.fc.aoindustries.com | APT32 | OceanLotus | verified | High
20 | 64.62.174.41 | dev1.plant-orbit.com | APT32 | OceanLotus | verified | High
21 | 64.62.174.99 | unassigned99.net2.fc.aoindustries.com | APT32 | OceanLotus | verified | High
22 | 64.62.174.145 | unassigned145.net2.fc.aoindustries.com | APT32 | OceanLotus | verified | High
23 | 64.62.174.146 | unassigned146.net2.fc.aoindustries.com | APT32 | OceanLotus | verified | High
24 | 79.143.87.174 | | APT32 | OceanLotus | verified | High
25 | 80.255.3.87 | | APT32 | | verified | High
26 | 89.33.64.207 | | APT32 | OceanLotus | verified | High
27 | 89.33.64.232 | mypicsfromplane.com | APT32 | OceanLotus | verified | High
28 | 103.28.44.112 | 103028044112.hkserverdomain.com | APT32 | OceanLotus | verified | High
29 | 103.28.44.115 | 103028044115.hkserverdomain.com | APT32 | OceanLotus | verified | High
30 | 103.41.177.33 | | APT32 | Cobalt Kitty | verified | High
31 | 103.53.197.202 | sg06.dewaweb.com | APT32 | | verified | High
32 | 104.24.118.185 | | APT32 | Cobalt Kitty | verified | High
33 | 104.24.119.185 | | APT32 | Cobalt Kitty | verified | High
34 | 104.27.166.79 | | APT32 | Cobalt Kitty | verified | High
35 | 104.27.167.79 | | APT32 | Cobalt Kitty | verified | High
36 | 104.237.218.67 | usgreatly.com | APT32 | Cobalt Kitty | verified | High
37 | 104.237.218.70 | 70.utdanne.104.xandien.nl | APT32 | | verified | High
38 | 104.237.218.72 | emudd.pointumetwe.com | APT32 | | verified | High
39 | 108.170.31.69 | | APT32 | Cobalt Kitty | verified | High
40 | 110.10.179.65 | | APT32 | Cobalt Kitty | verified | High
41 | 128.199.90.216 | | APT32 | OceanLotus | verified | High
42 | 128.199.227.80 | 426977.cloudwaysapps.com | APT32 | OceanLotus | verified | High
43 | 138.197.236.215 | | APT32 | OceanLotus | verified | High
44 | 139.59.217.207 | | APT32 | OceanLotus | verified | High
45 | 139.59.220.10 | | APT32 | OceanLotus | verified | High
46 | 139.59.220.12 | | APT32 | OceanLotus | verified | High
47 | 139.59.223.191 | | APT32 | OceanLotus | verified | High
48 | 176.107.176.6 | 176.107.176.6.ptr | APT32 | Cobalt Kitty | verified | High
49 | 176.107.177.216 | 176.107.177.216.deltahost-ptr | APT32 | Cobalt Kitty | verified | High
50 | 176.223.111.116 | | APT32 | Cobalt Kitty | verified | High
51 | 184.95.51.179 | pen179.penflexhost.com | APT32 | Cobalt Kitty | verified | High
52 | 184.95.51.181 | mx.earthgeneration.org | APT32 | Cobalt Kitty | verified | High
53 | 184.95.51.190 | laudantiumkvgqi.finewonu.club | APT32 | Cobalt Kitty | verified | High
54 | 185.157.79.3 | 185.157.79.3.deltahost-ptr | APT32 | | verified | High
55 | 188.166.219.186 | 96006.cloudwaysapps.com | APT32 | OceanLotus | verified | High
56 | 192.121.176.148 | | APT32 | Cobalt Kitty | verified | High
57 | 193.169.245.78 | 193.169.245.78.deltahost-ptr | APT32 | | verified | High
58 | 193.169.245.137 | n116.deltahost.com.ua | APT32 | | verified | High
59 | 203.114.75.22 | | APT32 | OceanLotus | verified | High
60 | 203.114.75.73 | | APT32 | OceanLotus | verified | High

TTP - Tactics, Techniques, Procedures (22)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Vulnerabilities | Access Vector | Type | Confidence
1 | T1006 | CWE-21, CWE-22, CWE-23 | Pathname Traversal | predictive | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | predictive | High
3 | T1055 | CWE-74 | Injection | predictive | High
4 | T1059 | CWE-94 | Cross Site Scripting | predictive | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | predictive | High
6 | T1068 | CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | predictive | High
7 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | predictive | High
8 | T1202 | CWE-77, CWE-78 | Command Injection | predictive | High
9 | T1204.001 | CWE-601 | Open Redirect | predictive | High
10 | T1211 | CWE-254 | 7PK Security Features | predictive | High
11 | T1222 | CWE-275, CWE-276 | Permission Issues | predictive | High
12 | T1505 | CWE-89 | SQL Injection | predictive | High
13 | T1548.002 | CWE-285 | Improper Authorization | predictive | High
14 | T1552 | CWE-255, CWE-522 | ASP.NET Misconfiguration: Password in Configuration File | predictive | High
15 | T1574 | CWE-426, CWE-427 | Untrusted Search Path | predictive | High
16 | T1587.003 | CWE-295 | Improper Certificate Validation | predictive | High
17 | T1588.001 | CWE-912 | Backdoor | predictive | High
18 | T1592 | CWE-200, CWE-209 | Configuration | predictive | High
19 | T1592.004 | CWE-16 | Configuration | predictive | High
20 | T1600 | CWE-310, CWE-311, CWE-326, CWE-327 | J2EE Misconfiguration: Data Transmission Without Encryption | predictive | High
21 | T1608.002 | CWE-434 | Unrestricted Upload | predictive | High
22 | T1611 | CWE-265 | Containment Errors | predictive | High

IOA - Indicator of Attack (215)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /admin/ | predictive | Low
2 | File | /cgi-bin/cgiServer.exx | predictive | High
3 | File | /cgi-bin/login_action.cgi | predictive | High
4 | File | /cgi-bin/nobody/Search.cgi | predictive | High
5 | File | /cgi-bin/webviewer_login_page | predictive | High
6 | File | /dev/sg0 | predictive | Medium
7 | File | /event/runquery.do | predictive | High
8 | File | /filemanager/php/connector.php | predictive | High
9 | File | /forum/away.php | predictive | High
10 | File | /goform/setmac | predictive | High
11 | File | /log_download.cgi | predictive | High
12 | File | /manager?action=getlogcat | predictive | High
13 | File | /mgmt/tm/util/bash | predictive | High
14 | File | /pages/systemcall.php?command={COMMAND} | predictive | High
15 | File | /password.html | predictive | High
16 | File | /system/ws/v11/ss/email | predictive | High
17 | File | /uncpath/ | predictive | Medium
18 | File | /upload | predictive | Low
19 | File | add_vhost.php | predictive | High
20 | File | admin/images.aspx | predictive | High
21 | File | admin/index.php | predictive | High
22 | File | adv2.php?action=modify | predictive | High
23 | File | agent.cfg | predictive | Medium
24 | File | arch/x86/include/asm/fpu/internal.h | predictive | High
25 | File | asm/float.c | predictive | Medium
26 | File | asm/nasm.c | predictive | Medium
27 | File | auth.php | predictive | Medium
28 | File | backup.cgi | predictive | Medium
29 | File | binder.c | predictive | Medium
30 | File | bitfield.c | predictive | Medium
31 | File | blob.cpp | predictive | Medium
32 | File | books.php | predictive | Medium
33 | File | c.php | predictive | Low
34 | File | cgi-bin/ | predictive | Medium
35 | File | cgi-bin/ddns_enc.cgi | predictive | High
36 | File | cgi-bin/luci/admin/network/firewall/rules | predictive | High
37 | File | cgi-bin/MANGA/admin.cgi | predictive | High
38 | File | cli.conf | predictive | Medium
39 | File | coders/png.c | predictive | Medium
40 | File | coders/tiff.c | predictive | High
41 | File | coffgen.c | predictive | Medium
42 | File | config.xml | predictive | Medium
43 | File | connector.minimal.php | predictive | High
44 | File | data/gbconfiguration.dat | predictive | High
45 | File | db.php | predictive | Low
46 | File | detail.php | predictive | Medium
47 | File | devtools.sh | predictive | Medium
48 | File | domain/section/markdown/markdown.go | predictive | High
49 | File | drivers/gpu/drm/udl/udl_fb.c | predictive | High
50 | File | drivers/scsi/sr_ioctl.c | predictive | High
51 | File | drivers/usb/misc/iowarrior.c | predictive | High
52 | File | ebmlstring.c | predictive | Medium
53 | File | elf.c | predictive | Low
54 | File | email.php | predictive | Medium
55 | File | events-manager.js | predictive | High
56 | File | ExceptionHandler.php | predictive | High
57 | File | extensions.load | predictive | High
58 | File | FlexPaperViewer.swf | predictive | High
59 | File | folder_view.php | predictive | High
60 | File | FortiClientOnlineInstaller.exe | predictive | High
61 | File | framework/core/subsystems/expRouter.php | predictive | High
62 | File | fs/userfaultfd.c | predictive | High
63 | File | function.c | predictive | Medium
64 | File | functions.php | predictive | High
65 | File | functions_mod_user.php | predictive | High
66 | File | getRemoteImage.php | predictive | High
67 | File | get_set.ccp | predictive | Medium
68 | File | gki_buffer.cc | predictive | High
69 | File | handle_load_config.php | predictive | High
70 | File | hh.exe | predictive | Low
71 | File | image_upload.php | predictive | High
72 | File | imap/lmtp_sieve.c | predictive | High
73 | File | inc/config.php | predictive | High
74 | File | inc/filebrowser/browser.php | predictive | High
75 | File | include/findusers.php | predictive | High
76 | File | includes/head.inc.php | predictive | High
77 | File | index.php | predictive | Medium
78 | File | init.inc.php | predictive | Medium
79 | File | intervalCheck.jsp | predictive | High
80 | File | iptc.c | predictive | Low
81 | File | ItemReview.php | predictive | High
82 | File | items.c | predictive | Low
83 | File | items.queries.php | predictive | High
84 | File | item_show.php | predictive | High
85 | File | JBIG2Stream.cc | predictive | High
86 | File | jeecgFormDemoController.do?commonUpload | predictive | High
87 | File | jfinal_cms/admin/filemanager/list | predictive | High
88 | File | jpgraph.php | predictive | Medium
89 | File | kbdint.c | predictive | Medium
90 | File | kernel/events/core.c | predictive | High
91 | File | kernel/exit.c | predictive | High
92 | File | kernel/trace/trace_events_filter.c | predictive | High
93 | File | launchd | predictive | Low
94 | File | libnvmmlite_video.so | predictive | High
95 | File | libr/asm/asm.c | predictive | High
96 | File | main/scala/authentikat/jwt/JsonWebToken.scala | predictive | High
97 | File | misc/apr_rmm.c | predictive | High
98 | File | mm/mempolicy.c | predictive | High
99 | File | mm/oom_kill.c | predictive | High
100 | File | model/__show_info.php | predictive | High
101 | File | modules/m_sasl.c | predictive | High
102 | File | NativeNfcManager.cpp | predictive | High
103 | File | net/ipv4/datagram.c | predictive | High
104 | File | net/ipv4/inet_connection_sock.c | predictive | High
105 | File | net/packet/af_packet.c | predictive | High
106 | File | openjp2/pi.c | predictive | Medium
107 | File | plugins\meta_engine\libfolder_plugin.dll | predictive | High
108 | File | prod.php | predictive | Medium
109 | File | prog/htmlviewer.c | predictive | High
110 | File | proxy.cgi | predictive | Medium
111 | File | public/index.php/home | predictive | High
112 | File | public/index.php/home/membersnsfriend/findlist.html | predictive | High
113 | File | QueryComponentRendererValue!Default.jspa | predictive | High
114 | File | RecentLocationApps.java | predictive | High
115 | File | register/check/username?username | predictive | High
116 | File | registration_detailed.inc.php | predictive | High
117 | File | secure_img_render.php | predictive | High
118 | File | setenv.sh | predictive | Medium
119 | File | setup/index.php | predictive | High
120 | File | shop.cgi | predictive | Medium
121 | File | shop_display_products.php | predictive | High
122 | File | showcat.php | predictive | Medium
123 | File | SimpleDecodingSource.cpp | predictive | High
124 | File | software-description.php | predictive | High
125 | File | svox_ssml_parser.cpp | predictive | High
126 | File | SystemEvent.jsp | predictive | High
127 | File | system_log.cgi | predictive | High
128 | File | tls1.c | predictive | Low
129 | File | ui/artifact/upload | predictive | High
130 | File | upgrade_handle.php | predictive | High
131 | File | view/ProductsView.php | predictive | High
132 | File | WealthT24/GetImage | predictive | High
133 | File | welcome.php | predictive | Medium
134 | File | www/content/lessons/"lesson | predictive | High
135 | Library | AeXNSPkgDLLib.dll | predictive | High
136 | Library | ATIDXX64.DLL | predictive | Medium
137 | Library | ENCDEC.DLL | predictive | Medium
138 | Library | fs/ncpfs/ncplib_kernel.c | predictive | High
139 | Library | igcore19d.dll | predictive | High
140 | Library | Lib/DocXMLRPCServer.py | predictive | High
141 | Library | lib/MongoLite/Database.php | predictive | High
142 | Library | lib/rrd.php | predictive | Medium
143 | Library | Monitor_win7_x64.sys | predictive | High
144 | Library | Monitor_x86.sys | predictive | High
145 | Argument | $line | predictive | Low
146 | Argument | %s | predictive | Low
147 | Argument | agentid | predictive | Low
148 | Argument | app | predictive | Low
149 | Argument | AUTHENTICATE | predictive | Medium
150 | Argument | basePath | predictive | Medium
151 | Argument | bauth | predictive | Low
152 | Argument | bookid | predictive | Low
153 | Argument | cat | predictive | Low
154 | Argument | catid | predictive | Low
155 | Argument | cat_id | predictive | Low
156 | Argument | ccp_act | predictive | Low
157 | Argument | charset | predictive | Low
158 | Argument | code_no | predictive | Low
159 | Argument | configFile | predictive | Medium
160 | Argument | content | predictive | Low
161 | Argument | Content-Length | predictive | High
162 | Argument | CPG_M_DIR | predictive | Medium
163 | Argument | data3 | predictive | Low
164 | Argument | docDownloadPath/uploadLocation | predictive | High
165 | Argument | err | predictive | Low
166 | Argument | file | predictive | Low
167 | Argument | filename | predictive | Medium
168 | Argument | fromName/message | predictive | High
169 | Argument | go | predictive | Low
170 | Argument | groups | predictive | Low
171 | Argument | id | predictive | Low
172 | Argument | ipAddr | predictive | Low
173 | Argument | IP address | predictive | Medium
174 | Argument | item_id | predictive | Low
175 | Argument | l/dl/del | predictive | Medium
176 | Argument | layout | predictive | Low
177 | Argument | mapTitle | predictive | Medium
178 | Argument | mosConfig_absolute_path | predictive | High
179 | Argument | name | predictive | Low
180 | Argument | page | predictive | Low
181 | Argument | password | predictive | Medium
182 | Argument | Password | predictive | Medium
183 | Argument | phpbb_root_path | predictive | High
184 | Argument | priority | predictive | Medium
185 | Argument | reason | predictive | Low
186 | Argument | redirect | predictive | Medium
187 | Argument | Referer | predictive | Low
188 | Argument | referrer | predictive | Medium
189 | Argument | resourceName | predictive | Medium
190 | Argument | rootpath | predictive | Medium
191 | Argument | sbp | predictive | Low
192 | Argument | search | predictive | Low
193 | Argument | searchid | predictive | Medium
194 | Argument | sid | predictive | Low
195 | Argument | site | predictive | Low
196 | Argument | sms_content | predictive | Medium
197 | Argument | src | predictive | Low
198 | Argument | Swfile | predictive | Low
199 | Argument | tpldir/filename/type/nid | predictive | High
200 | Argument | upfile | predictive | Low
201 | Argument | uploaddir | predictive | Medium
202 | Argument | up_auto_log | predictive | Medium
203 | Argument | url | predictive | Low
204 | Argument | uselang | predictive | Low
205 | Argument | wd | predictive | Low
206 | Argument | _receivers | predictive | Medium
207 | Input Value | %0a/%0d | predictive | Low
208 | Input Value | ./../../../ | predictive | Medium
209 | Input Value | 1" onmouseover=prompt(947671) bad=" | predictive | High
210 | Input Value | </script><script>alert(1)</script> | predictive | High
211 | Input Value | welc0me | predictive | Low
212 | Input Value | \x3D../../../../etc/passwd | predictive | High
213 | Network Port | 8888 | predictive | Low
214 | Network Port | tcp/873 | predictive | Low
215 | Network Port | tcp/6200 | predictive | Medium

References (4)

The following list contains external sources which discuss the actor and the associated activities: