APT39 Analysis

IOB - Indicator of Behavior (332)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 278
es: 20
zh: 8
de: 6
pt: 6

Country

us: 184
ru: 26
es: 20
cn: 20
ir: 14

Actors


Activities

Interest

Timeline


Type


Vendor


Product

Apache HTTP Server: 8
Microsoft Windows: 8
PHP: 6
phpMyAdmin: 6
WordPress: 6

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | EPSS | CVE
1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | $0-$5k | High | Workaround | 0.03 | 0.01798 | CVE-2007-1192
2 | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 4.80 | 0.00000 | CVE-2020-12440
3 | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.23 | 0.00568 | CVE-2017-0055
4 | VMware vRealize Orchestrator Path redirect | 3.0 | 2.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00119 | CVE-2021-22036
5 | vm2 injection | 9.9 | 9.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00456 | CVE-2023-32314
6 | OpenSSH Authentication Username information disclosure | 5.3 | 4.8 | $5k-$25k | $0-$5k | High | Official Fix | 0.67 | 0.10737 | CVE-2016-6210
7 | PHPMailer Phar Deserialization addAttachment deserialization | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.00388 | CVE-2020-36326
8 | jQuery Property extend Pollution cross site scripting | 6.6 | 6.3 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.29 | 0.02952 | CVE-2019-11358
9 | Rust Programming Language Standard Library type_id memory corruption | 7.7 | 7.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.00301 | CVE-2019-12083
10 | WordPress sql injection | 6.8 | 6.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.06 | 0.00467 | CVE-2022-21664
11 | Apple iOS WebKit buffer overflow | 6.3 | 6.0 | $100k and more | $5k-$25k | High | Official Fix | 0.00 | 0.00349 | CVE-2021-30666
12 | WordPress path traversal | 5.7 | 5.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.32 | 0.00174 | CVE-2023-2745
13 | Canon IJ Network Tool Wi-Fi Connection Setup missing password field masking | 5.4 | 5.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03 | 0.00052 | CVE-2023-1763
14 | ciubotaru share-on-diaspora new_window.php cross site scripting | 4.4 | 4.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00052 | CVE-2017-20176
15 | Postfix Admin functions.inc.php sql injection | 7.3 | 7.0 | $5k-$25k | $0-$5k | High | Official Fix | 0.03 | 0.00263 | CVE-2014-2655
16 | D-Link DCS-2530L/DCS-2670L ddns_enc.cgi command injection | 7.5 | 7.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.03 | 0.00127 | CVE-2020-25079
17 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.55 | 0.00817 | CVE-2014-4078
18 | SourceCodester Library Management System bookdetails.php sql injection | 7.1 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.06 | 0.00271 | CVE-2022-2214
19 | Phplinkdirectory PHP Link Directory conf_users_edit.php cross-site request forgery | 6.3 | 6.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.03 | 0.00526 | CVE-2011-0643
20 | Lotus Domino Request information disclosure | 5.3 | 5.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.00877 | CVE-2002-0245

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Chafer

IOC - Indicator of Compromise (17)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (19)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (140)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | //etc/RT2870STA.dat | predictive | High
2 | File | /admin/index.php?id=themes&action=edit_template&filename=blog | predictive | High
3 | File | /api/login | predictive | Medium
4 | File | /appConfig/userDB.json | predictive | High
5 | File | /bin/boa | predictive | Medium
6 | File | /cgi-bin/wapopen | predictive | High
7 | File | /CPE | predictive | Low
8 | File | /cwp_{SESSION_HASH}/admin/loader_ajax.php | predictive | High
9 | File | /jquery_file_upload/server/php/index.php | predictive | High
10 | File | /librarian/bookdetails.php | predictive | High
11 | File | /magnoliaPublic/travel/members/login.html | predictive | High
12 | File | /Main_AdmStatus_Content.asp | predictive | High
13 | File | /requests.php | predictive | High
14 | File | /self.key | predictive | Medium
15 | File | /server-status | predictive | High
16 | File | /uncpath/ | predictive | Medium

References (4)

The following list contains external sources which discuss the actor and the associated activities:
