APT32 Analysis

IOB - Indicator of Behavior (631)

Timeline

The analysis of the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance. Initiating immediate vulnerability response and prioritizing of issues is possible.

Lang

en511
zh40
it39
fr18
es7

Country

us449
cn106
vn23
me13
tr11

Actors

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Google Android20
Apple iOS16
Linux Kernel14
Apple macOS14
Microsoft Windows12

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemEPSSCTICVE
1BD Totalys MultiProcessor hard-coded credentials8.17.7$0-$5k$0-$5kNot DefinedOfficial Fix0.000430.00CVE-2022-40263
2Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure5.35.2$5k-$25k$0-$5kHighWorkaround0.020160.02CVE-2007-1192
3DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.009430.51CVE-2010-0966
4Google Chrome V8 Remote Code Execution6.36.0$25k-$100k$5k-$25kNot DefinedOfficial Fix0.243800.02CVE-2020-16040
5Watchdog Anti-Virus IoControlCode wsdk-driver.sys 0x80002008 access control5.35.2$0-$5k$0-$5kProof-of-ConceptNot Defined0.000470.02CVE-2023-1453
6Apache PDFbox XML Parser xml external entity reference7.87.6$5k-$25k$0-$5kNot DefinedOfficial Fix0.000910.02CVE-2016-2175
7Google Android SimpleDecodingSource.cpp doRead privileges management9.89.6$25k-$100k$5k-$25kNot DefinedOfficial Fix0.001210.00CVE-2021-39623
8D-Link DCS-2530L/DCS-2670L ddns_enc.cgi command injection7.57.5$5k-$25k$5k-$25kNot DefinedNot Defined0.001350.02CVE-2020-25079
9Gempar Script Toko Online shop_display_products.php sql injection7.36.9$0-$5k$0-$5kProof-of-ConceptNot Defined0.001000.02CVE-2009-0296
10Puppet Agent SSL Certificate Valu certificate validation5.55.4$0-$5k$0-$5kNot DefinedOfficial Fix0.000580.07CVE-2018-11751
11Norton Password Manager origin validation6.36.0$0-$5k$0-$5kNot DefinedOfficial Fix0.000720.00CVE-2019-18381
12Facebook osquery Configuration extensions.load link following7.77.3$5k-$25k$0-$5kNot DefinedOfficial Fix0.002220.00CVE-2019-3567
13Microsoft Windows HMAC Key Derivation Local Privilege Escalation8.88.1$25k-$100k$5k-$25kUnprovenOfficial Fix0.000480.00CVE-2023-36400
14Microsoft Windows Kernel NtQueryInformationJobObject Kernel Memory information disclosure5.14.6$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.000700.00CVE-2017-8478
15OpenSSH Authentication Username information disclosure5.34.8$5k-$25k$0-$5kHighOfficial Fix0.107370.32CVE-2016-6210
16TP-Link AC1750 NetUSB.ko integer overflow8.88.6$0-$5k$0-$5kNot DefinedOfficial Fix0.000840.02CVE-2022-24354
17Pallets Werkzeug Windows SharedDataMiddleware path traversal7.57.3$0-$5k$0-$5kNot DefinedOfficial Fix0.631960.02CVE-2019-14322
18Peplink Balance Web Admin connector.php information disclosure5.95.6$0-$5k$0-$5kNot DefinedOfficial Fix0.002830.02CVE-2020-24246
19Tenda AC11 POST Request setmac stack-based overflow7.67.6$0-$5k$0-$5kNot DefinedNot Defined0.970250.03CVE-2021-31755
20Apple macOS Kernel type confusion7.87.5$5k-$25k$0-$5kHighOfficial Fix0.001920.00CVE-2020-27932

Campaigns (2)

These are the campaigns that can be associated with the actor:

  • Cobalt Kitty
  • OceanLotus

IOC - Indicator of Compromise (60)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
123.227.196.12623-227-196-126.static.hvvc.usAPT32Cobalt Kitty12/15/2020verifiedHigh
223.227.196.21023-227-196-210.static.hvvc.usAPT3212/15/2020verifiedHigh
323.227.199.12123-227-199-121.static.hvvc.usAPT32Cobalt Kitty12/15/2020verifiedHigh
427.102.70.211APT32Cobalt Kitty12/15/2020verifiedHigh
537.59.198.130APT32OceanLotus12/15/2020verifiedHigh
637.59.198.131APT32OceanLotus12/15/2020verifiedHigh
745.32.100.17945.32.100.179.vultr.comAPT32OceanLotus12/15/2020verifiedMedium
845.32.105.45APT32OceanLotus12/15/2020verifiedHigh
945.32.114.4945.32.114.49.vultr.comAPT32OceanLotus12/15/2020verifiedMedium
1045.76.147.20145.76.147.201.vultr.comAPT32OceanLotus12/15/2020verifiedMedium
1145.76.179.2845.76.179.28.vultr.comAPT32OceanLotus12/15/2020verifiedMedium
1245.76.179.15145.76.179.151.vultr.comAPT32OceanLotus12/15/2020verifiedMedium
1345.77.39.10145.77.39.101.vultr.comAPT32OceanLotus12/15/2020verifiedMedium
1445.114.117.137APT32Cobalt Kitty12/15/2020verifiedHigh
1545.114.117.164folien.reisnart.comAPT32OceanLotus12/15/2020verifiedHigh
1664.62.174.9agent2.jenkins.aoindustries.comAPT32OceanLotus12/15/2020verifiedHigh
1764.62.174.16unassigned16.net2.fc.aoindustries.comAPT32OceanLotus12/15/2020verifiedHigh
1864.62.174.17unassigned17.net2.fc.aoindustries.comAPT32OceanLotus12/15/2020verifiedHigh
1964.62.174.21unassigned21.net2.fc.aoindustries.comAPT32OceanLotus12/15/2020verifiedHigh
2064.62.174.41dev1.plant-orbit.comAPT32OceanLotus12/15/2020verifiedHigh
2164.62.174.99unassigned99.net2.fc.aoindustries.comAPT32OceanLotus12/15/2020verifiedHigh
2264.62.174.145unassigned145.net2.fc.aoindustries.comAPT32OceanLotus12/15/2020verifiedHigh
2364.62.174.146unassigned146.net2.fc.aoindustries.comAPT32OceanLotus12/15/2020verifiedHigh
2479.143.87.174APT32OceanLotus12/15/2020verifiedHigh
2580.255.3.87APT3212/15/2020verifiedHigh
2689.33.64.207APT32OceanLotus12/15/2020verifiedHigh
2789.33.64.232mypicsfromplane.comAPT32OceanLotus12/15/2020verifiedHigh
28103.28.44.112103028044112.hkserverdomain.comAPT32OceanLotus12/15/2020verifiedHigh
29103.28.44.115103028044115.hkserverdomain.comAPT32OceanLotus12/15/2020verifiedHigh
30103.41.177.33APT32Cobalt Kitty12/15/2020verifiedHigh
31103.53.197.202sg06.dewaweb.comAPT3212/15/2020verifiedHigh
32104.24.118.185APT32Cobalt Kitty12/15/2020verifiedHigh
33104.24.119.185APT32Cobalt Kitty12/15/2020verifiedHigh
34104.27.166.79APT32Cobalt Kitty12/15/2020verifiedHigh
35104.27.167.79APT32Cobalt Kitty12/15/2020verifiedHigh
36104.237.218.67usgreatly.comAPT32Cobalt Kitty12/15/2020verifiedHigh
37104.237.218.7070.utdanne.104.xandien.nlAPT3212/15/2020verifiedHigh
38104.237.218.72emudd.pointumetwe.comAPT3212/15/2020verifiedHigh
39108.170.31.69APT32Cobalt Kitty12/15/2020verifiedHigh
40110.10.179.65APT32Cobalt Kitty12/15/2020verifiedHigh
41128.199.90.216APT32OceanLotus12/15/2020verifiedHigh
42128.199.227.80426977.cloudwaysapps.comAPT32OceanLotus12/15/2020verifiedHigh
43138.197.236.215APT32OceanLotus12/15/2020verifiedHigh
44139.59.217.207APT32OceanLotus12/15/2020verifiedHigh
45139.59.220.10APT32OceanLotus12/15/2020verifiedHigh
46139.59.220.12APT32OceanLotus12/15/2020verifiedHigh
47139.59.223.191APT32OceanLotus12/15/2020verifiedHigh
48176.107.176.6176.107.176.6.ptrAPT32Cobalt Kitty12/15/2020verifiedHigh
49176.107.177.216176.107.177.216.deltahost-ptrAPT32Cobalt Kitty12/15/2020verifiedHigh
50176.223.111.116APT32Cobalt Kitty12/15/2020verifiedHigh
51184.95.51.179pen179.penflexhost.comAPT32Cobalt Kitty12/15/2020verifiedHigh
52184.95.51.181mx.earthgeneration.orgAPT32Cobalt Kitty12/15/2020verifiedHigh
53184.95.51.190laudantiumkvgqi.finewonu.clubAPT32Cobalt Kitty12/15/2020verifiedHigh
54185.157.79.3185.157.79.3.deltahost-ptrAPT3212/15/2020verifiedHigh
55188.166.219.18696006.cloudwaysapps.comAPT32OceanLotus12/15/2020verifiedHigh
56192.121.176.148APT32Cobalt Kitty12/15/2020verifiedHigh
57193.169.245.78193.169.245.78.deltahost-ptrAPT3212/15/2020verifiedHigh
58193.169.245.137n116.deltahost.com.uaAPT3212/15/2020verifiedHigh
59203.114.75.22APT32OceanLotus12/15/2020verifiedHigh
60203.114.75.73APT32OceanLotus12/15/2020verifiedHigh

TTP - Tactics, Techniques, Procedures (23)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueVulnerabilitiesAccess VectorTypeConfidence
1T1006CWE-21, CWE-22, CWE-23Path TraversalpredictiveHigh
2T1040CWE-319Authentication Bypass by Capture-replaypredictiveHigh
3T1055CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
4T1059CWE-94Argument InjectionpredictiveHigh
5T1059.007CWE-79, CWE-80Cross Site ScriptingpredictiveHigh
6T1068CWE-264, CWE-269, CWE-284Execution with Unnecessary PrivilegespredictiveHigh
7T1110.001CWE-798Hard-coded CredentialspredictiveHigh
8T1202CWE-77, CWE-78Command Shell in Externally Accessible DirectorypredictiveHigh
9T1204.001CWE-601Open RedirectpredictiveHigh
10T1211CWE-2547PK Security FeaturespredictiveHigh
11T1222CWE-275, CWE-276Permission IssuespredictiveHigh
12T1505CWE-89SQL InjectionpredictiveHigh
13T1548.002CWE-285Improper AuthorizationpredictiveHigh
14T1552CWE-255, CWE-522Credentials ManagementpredictiveHigh
15T1574CWE-426, CWE-427Untrusted Search PathpredictiveHigh
16T1587.003CWE-295Improper Certificate ValidationpredictiveHigh
17T1588.001CWE-912BackdoorpredictiveHigh
18T1592CWE-200, CWE-209, CWE-532Invocation of Process Using Visible Sensitive InformationpredictiveHigh
19T1592.004CWE-16ConfigurationpredictiveHigh
20T1600CWE-310, CWE-311, CWE-326, CWE-327Cryptographic IssuespredictiveHigh
21T1600.001CWE-320, CWE-321, CWE-547Key Management ErrorpredictiveHigh
22T1608.002CWE-434Incomplete Identification of Uploaded File VariablespredictiveHigh
23T1611CWE-265Containment ErrorspredictiveHigh

IOA - Indicator of Attack (227)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/admin/predictiveLow
2File/api/predictiveLow
3File/cgi-bin/cgiServer.exxpredictiveHigh
4File/cgi-bin/login_action.cgipredictiveHigh
5File/cgi-bin/nobody/Search.cgipredictiveHigh
6File/cgi-bin/webviewer_login_pagepredictiveHigh
7File/dev/sg0predictiveMedium
8File/event/runquery.dopredictiveHigh
9File/filemanager/php/connector.phppredictiveHigh
10File/forum/away.phppredictiveHigh
11File/goform/setmacpredictiveHigh
12File/log_download.cgipredictiveHigh
13File/manager?action=getlogcatpredictiveHigh
14File/mgmt/tm/util/bashpredictiveHigh
15File/pages/systemcall.php?command={COMMAND}predictiveHigh
16File/password.htmlpredictiveHigh
17File/system/ws/v11/ss/emailpredictiveHigh
18File/uncpath/predictiveMedium
19File/uploadpredictiveLow
20Fileadd_vhost.phppredictiveHigh
21Fileadmin/gv_mail.phppredictiveHigh
22Fileadmin/images.aspxpredictiveHigh
23Fileadmin/index.phppredictiveHigh
24Fileadv2.php?action=modifypredictiveHigh
25Fileagent.cfgpredictiveMedium
26Filearch/x86/include/asm/fpu/internal.hpredictiveHigh
27Fileasm/float.cpredictiveMedium
28Fileasm/nasm.cpredictiveMedium
29Fileauth.phppredictiveMedium
30Filebackup.cgipredictiveMedium
31Filebinder.cpredictiveMedium
32Filebitfield.cpredictiveMedium
33Fileblob.cpppredictiveMedium
34Filebooks.phppredictiveMedium
35Filec.phppredictiveLow
36Filecgi-bin/predictiveMedium
37Filecgi-bin/ddns_enc.cgipredictiveHigh
38Filecgi-bin/luci/admin/network/firewall/rulespredictiveHigh
39Filecgi-bin/MANGA/admin.cgipredictiveHigh
40Filecli.confpredictiveMedium
41Filecoders/png.cpredictiveMedium
42Filecoders/tiff.cpredictiveHigh
43Filecoffgen.cpredictiveMedium
44Fileconfig.xmlpredictiveMedium
45Fileconnector.minimal.phppredictiveHigh
46Filedata/gbconfiguration.datpredictiveHigh
47Filedb.phppredictiveLow
48Filedetail.phppredictiveMedium
49Filedevtools.shpredictiveMedium
50Filedomain/section/markdown/markdown.gopredictiveHigh
51Filedrivers/gpu/drm/udl/udl_fb.cpredictiveHigh
52Filedrivers/scsi/sr_ioctl.cpredictiveHigh
53Filedrivers/usb/misc/iowarrior.cpredictiveHigh
54Fileebmlstring.cpredictiveMedium
55Fileelf.cpredictiveLow
56Fileemail.phppredictiveMedium
57Fileevents-manager.jspredictiveHigh
58FileExceptionHandler.phppredictiveHigh
59Fileextensions.loadpredictiveHigh
60FileFlexPaperViewer.swfpredictiveHigh
61Filefolder_view.phppredictiveHigh
62FileFortiClientOnlineInstaller.exepredictiveHigh
63Fileframework/core/subsystems/expRouter.phppredictiveHigh
64Filefs/userfaultfd.cpredictiveHigh
65Filefunction.cpredictiveMedium
66Filefunctions.phppredictiveHigh
67Filefunctions_mod_user.phppredictiveHigh
68FilegetRemoteImage.phppredictiveHigh
69Fileget_set.ccppredictiveMedium
70Filegki_buffer.ccpredictiveHigh
71Filehandle_load_config.phppredictiveHigh
72Filehh.exepredictiveLow
73Fileimage_upload.phppredictiveHigh
74Fileimap/lmtp_sieve.cpredictiveHigh
75Fileinc/config.phppredictiveHigh
76Fileinc/filebrowser/browser.phppredictiveHigh
77Fileinclude/findusers.phppredictiveHigh
78Fileincludes/head.inc.phppredictiveHigh
79Fileindex.phppredictiveMedium
80Fileinit.inc.phppredictiveMedium
81FileintervalCheck.jsppredictiveHigh
82Fileiptc.cpredictiveLow
83FileItemReview.phppredictiveHigh
84Fileitems.cpredictiveLow
85Fileitems.queries.phppredictiveHigh
86Fileitem_show.phppredictiveHigh
87FileJBIG2Stream.ccpredictiveHigh
88FilejeecgFormDemoController.do?commonUploadpredictiveHigh
89Filejfinal_cms/admin/filemanager/listpredictiveHigh
90Filejpgraph.phppredictiveMedium
91Filekbdint.cpredictiveMedium
92Filekernel/events/core.cpredictiveHigh
93Filekernel/exit.cpredictiveHigh
94Filekernel/trace/trace_events_filter.cpredictiveHigh
95FilelaunchdpredictiveLow
96Filelibnvmmlite_video.sopredictiveHigh
97Filelibr/asm/asm.cpredictiveHigh
98Filemain/scala/authentikat/jwt/JsonWebToken.scalapredictiveHigh
99Filemisc/apr_rmm.cpredictiveHigh
100Filemm/mempolicy.cpredictiveHigh
101Filemm/oom_kill.cpredictiveHigh
102Filemodel/__show_info.phppredictiveHigh
103Filemodules/m_sasl.cpredictiveHigh
104FileNativeNfcManager.cpppredictiveHigh
105Filenet/ipv4/datagram.cpredictiveHigh
106Filenet/ipv4/inet_connection_sock.cpredictiveHigh
107Filenet/packet/af_packet.cpredictiveHigh
108Fileopenjp2/pi.cpredictiveMedium
109Filepages_system_settings.phppredictiveHigh
110Fileplugins\meta_engine\libfolder_plugin.dllpredictiveHigh
111Fileprod.phppredictiveMedium
112Fileprog/htmlviewer.cpredictiveHigh
113Fileproxy.cgipredictiveMedium
114Filepublic/index.php/homepredictiveHigh
115Filepublic/index.php/home/membersnsfriend/findlist.htmlpredictiveHigh
116FileQueryComponentRendererValue!Default.jspapredictiveHigh
117FileRecentLocationApps.javapredictiveHigh
118Fileregister/check/username?usernamepredictiveHigh
119Fileregistration_detailed.inc.phppredictiveHigh
120Filereports_mta_queue_status.htmlpredictiveHigh
121Filesecure_img_render.phppredictiveHigh
122Fileserver_databases.phppredictiveHigh
123Filesetenv.shpredictiveMedium
124Filesetup/index.phppredictiveHigh
125Fileshop.cgipredictiveMedium
126Fileshop_display_products.phppredictiveHigh
127Fileshowcat.phppredictiveMedium
128FileSimpleDecodingSource.cpppredictiveHigh
129Filesoftware-description.phppredictiveHigh
130Filesvox_ssml_parser.cpppredictiveHigh
131FileSystemEvent.jsppredictiveHigh
132Filesystem_log.cgipredictiveHigh
133Filetls1.cpredictiveLow
134Fileui/artifact/uploadpredictiveHigh
135Fileupgrade_handle.phppredictiveHigh
136Fileview/ProductsView.phppredictiveHigh
137FileWealthT24/GetImagepredictiveHigh
138Filewelcome.phppredictiveMedium
139Filewww/content/lessons/"lessonpredictiveHigh
140LibraryAeXNSPkgDLLib.dllpredictiveHigh
141LibraryATIDXX64.DLLpredictiveMedium
142LibraryENCDEC.DLLpredictiveMedium
143Libraryfilmfd.syspredictiveMedium
144Libraryfs/ncpfs/ncplib_kernel.cpredictiveHigh
145Libraryigcore19d.dllpredictiveHigh
146LibraryLib/DocXMLRPCServer.pypredictiveHigh
147Librarylib/MongoLite/Database.phppredictiveHigh
148Librarylib/rrd.phppredictiveMedium
149LibraryMonitor_win7_x64.syspredictiveHigh
150LibraryMonitor_x86.syspredictiveHigh
151Librarywsdk-driver.syspredictiveHigh
152Argument$linepredictiveLow
153Argument%spredictiveLow
154ArgumentagentidpredictiveLow
155ArgumentapppredictiveLow
156ArgumentAUTHENTICATEpredictiveMedium
157ArgumentbasePathpredictiveMedium
158ArgumentbauthpredictiveLow
159ArgumentbookidpredictiveLow
160ArgumentcatpredictiveLow
161ArgumentcatidpredictiveLow
162Argumentcat_idpredictiveLow
163Argumentccp_actpredictiveLow
164ArgumentcharsetpredictiveLow
165Argumentcode_nopredictiveLow
166ArgumentconfigFilepredictiveMedium
167ArgumentcontentpredictiveLow
168ArgumentContent-LengthpredictiveHigh
169ArgumentCPG_M_DIRpredictiveMedium
170Argumentdata3predictiveLow
171ArgumentdocDownloadPath/uploadLocationpredictiveHigh
172ArgumenterrpredictiveLow
173ArgumentfilepredictiveLow
174ArgumentfilenamepredictiveMedium
175ArgumentfromName/messagepredictiveHigh
176ArgumentgopredictiveLow
177ArgumentgroupspredictiveLow
178ArgumenthostnamepredictiveMedium
179ArgumentidpredictiveLow
180ArgumentipAddrpredictiveLow
181ArgumentIP addresspredictiveMedium
182Argumentitem_idpredictiveLow
183Argumentl/dl/delpredictiveMedium
184ArgumentlayoutpredictiveLow
185ArgumentmapTitlepredictiveMedium
186ArgumentmosConfig_absolute_pathpredictiveHigh
187ArgumentnamepredictiveLow
188ArgumentpagepredictiveLow
189ArgumentpasswordpredictiveMedium
190ArgumentPasswordpredictiveMedium
191Argumentphpbb_root_pathpredictiveHigh
192ArgumentprioritypredictiveMedium
193ArgumentreasonpredictiveLow
194ArgumentredirectpredictiveMedium
195Argumentredirect_uripredictiveMedium
196ArgumentRefererpredictiveLow
197ArgumentreferrerpredictiveMedium
198ArgumentresourceNamepredictiveMedium
199ArgumentrootpathpredictiveMedium
200ArgumentsbppredictiveLow
201ArgumentsearchpredictiveLow
202ArgumentsearchidpredictiveMedium
203ArgumentsidpredictiveLow
204ArgumentsitepredictiveLow
205Argumentsms_contentpredictiveMedium
206Argumentsort_bypredictiveLow
207ArgumentsrcpredictiveLow
208ArgumentSwfilepredictiveLow
209Argumentsys_namepredictiveMedium
210Argumenttpldir/filename/type/nidpredictiveHigh
211ArgumentupfilepredictiveLow
212ArgumentuploaddirpredictiveMedium
213Argumentup_auto_logpredictiveMedium
214ArgumenturlpredictiveLow
215ArgumentuselangpredictiveLow
216ArgumentwdpredictiveLow
217Argument_receiverspredictiveMedium
218Input Value%0a/%0dpredictiveLow
219Input Value./../../../predictiveMedium
220Input Value1" onmouseover=prompt(947671) bad="predictiveHigh
221Input Value</script><script>alert(1)</script>predictiveHigh
222Input Value<ScRiPt >alert(991)</ScRiPt>predictiveHigh
223Input Valuewelc0mepredictiveLow
224Input Value\x3D../../../../etc/passwdpredictiveHigh
225Network Port8888predictiveLow
226Network Porttcp/873predictiveLow
227Network Porttcp/6200predictiveMedium

References (4)

The following list contains external sources which discuss the actor and the associated activities:

Interested in the pricing of exploits?

See the underground prices here!