APT41 Analysis

IOB - Indicator of Behavior (143)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 116
zh: 8
ru: 8
jp: 4
pl: 4

Country

us: 64
ru: 28
cn: 24
gb: 10
jp: 6

Product

Microsoft IIS: 6
Linux Kernel: 6
Fortinet FortiOS: 4
WordPress: 4
SourceCodester Canteen Management System: 4

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1 | Esoftpro Online Guestbook Pro ogp_show.php sql injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00108 | 0.13 | CVE-2009-4935
2 | MGB OpenSource Guestbook email.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | 0.01302 | 0.84 | CVE-2007-0354
3 | Joomla CMS com_easyblog sql injection | 6.3 | 6.1 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00000 | 0.49 | 
4 | HP Router/Switch SNMP information disclosure | 3.7 | 3.4 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00285 | 0.05 | CVE-2012-3268
5 | Esoftpro Online Guestbook Pro ogp_show.php cross site scripting | 4.3 | 4.2 | $0-$5k | $0-$5k | High | Unavailable | 0.00209 | 0.06 | CVE-2009-2441
6 | Apache Struts ExceptionDelegator input validation | 8.8 | 8.4 | $5k-$25k | $0-$5k | High | Official Fix | 0.33127 | 0.04 | CVE-2012-0391
7 | Schneider Electric Vijeo Designer path traversal | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00276 | 0.00 | CVE-2021-22704
8 | Tiki Admin Password tiki-login.php improper authentication | 8.0 | 7.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00936 | 2.66 | CVE-2020-15906
9 | Hscripts PHP File Browser Script index.php path traversal | 5.9 | 5.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00151 | 0.00 | CVE-2018-16549
10 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.00817 | 0.29 | CVE-2014-4078
11 | Microsoft Windows Win32k Privilege Escalation | 8.3 | 7.8 | $25k-$100k | $0-$5k | High | Official Fix | 0.00103 | 0.03 | CVE-2021-40449
12 | Sphinx missing authentication | 7.4 | 7.3 | $0-$5k | $0-$5k | Not Defined | Workaround | 0.01038 | 0.05 | CVE-2019-14511
13 | vsftpd deny_file unknown vulnerability | 3.7 | 3.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00312 | 0.09 | CVE-2015-1419
14 | LogicBoard CMS away.php redirect | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Unavailable | 0.00000 | 1.66 | 
15 | JoomlaTune Com Jcomments admin.jcomments.php cross site scripting | 4.3 | 4.1 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00489 | 0.00 | CVE-2010-5048
16 | Apache HTTP Server mod_reqtimeout resource management | 5.3 | 5.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.01696 | 0.06 | CVE-2007-6750
17 | Atlassian JIRA Server/Data Center Private Project key information disclosure | 4.3 | 4.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00082 | 0.00 | CVE-2021-39121
18 | WordPress Admin Pages type confusion | 6.5 | 6.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00203 | 0.02 | CVE-2019-17675
19 | tough-cookie Cookies prototype pollution | 7.9 | 7.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00107 | 0.04 | CVE-2023-26136
20 | SourceCodester Medical Hub Directory Site view_details.php sql injection | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00190 | 0.00 | CVE-2022-28533

Campaigns (6)

These are the campaigns that can be associated with the actor:

IOC - Indicator of Compromise (104)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (15)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (82)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

References (17)

The following list contains external sources which discuss the actor and the associated activities:
