BlueShell Analysis

IOB - Indicator of Behavior (197)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 148
zh: 48
es: 2

Country

Actors

Activities

Interest

Timeline

Type

Vendor

Product

Microsoft Windows: 8
Microsoft Exchange Server: 6
MikroTik RouterOS: 4
Fortinet FortiOS: 4
Palo Alto PAN-OS: 4

Vulnerabilities

Columns: Base and Temp are the CVSS base and temporal scores; 0day and Today are exploit price estimates; Exp is exploitability; Rem is remediation status; EPSS is the exploit prediction score; CTI is the page's CTI score.

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1 | OpenSLP out-of-bounds write | 8.5 | 8.5 | $0-$5k | $0-$5k | High | Not Defined | 0.20220 | 0.03 | CVE-2019-5544
2 | Microsoft Exchange Server Privilege Escalation | 7.2 | 6.6 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.00165 | 0.04 | CVE-2023-21710
3 | Joomla CMS path traversal | 6.5 | 6.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00468 | 0.03 | CVE-2015-8565
4 | Cisco HyperFlex HX Web-based Management Interface os command injection | 9.8 | 9.7 | $5k-$25k | $0-$5k | High | Official Fix | 0.97506 | 0.00 | CVE-2021-1498
5 | Palo Alto PAN-OS GlobalProtect Portal stack-based overflow | 9.8 | 9.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00274 | 0.02 | CVE-2021-3064
6 | Supermicro X8STi-F setvmdrive.asp os command injection | 7.5 | 7.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03268 | 0.00 | CVE-2019-19642
7 | TOPMeeting Union sql injection | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00174 | 0.00 | CVE-2019-13409
8 | Mail2000 Login portal cross site scripting | 5.2 | 4.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00569 | 0.00 | CVE-2019-15072
9 | Zoho ManageEngine ADSelfService Plus code injection | 8.5 | 8.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00734 | 0.00 | CVE-2020-11518
10 | Raisecom MSG1200/MSG2100E/MSG2200/MSG2300 Web Interface list_base_config.php os command injection | 7.5 | 7.2 | $0-$5k | $0-$5k | Proof-of-Concept | Workaround | 0.76904 | 0.05 | CVE-2024-7120
11 | Kerio Connect/Connect Client Desktop Application E-Mail Preview input validation | 6.4 | 6.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00185 | 0.00 | CVE-2017-7440
12 | Lightxun IPTV Gateway web_upload_template.html unrestricted upload | 5.0 | 4.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00117 | 0.04 | CVE-2023-7026
13 | VMware ESXi Host Client Stored cross site scripting | 5.2 | 4.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00061 | 0.00 | CVE-2017-4940
14 | GNU Mailman Alias path traversal | 7.3 | 7.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02937 | 0.02 | CVE-2015-2775
15 | GNU Mailman mailman injection | 6.4 | 6.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00124 | 0.00 | CVE-2020-12108
16 | ThinkCMF cross-site request forgery | 6.5 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00171 | 0.00 | CVE-2022-40489
17 | Ruijie RG-EG350 HTTP POST Request networksafe.php setAction os command injection | 8.8 | 8.4 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00046 | 0.04 | CVE-2024-2909
18 | Arista EOS gNMI Request access control | 6.8 | 6.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00059 | 0.04 | CVE-2023-24512
19 | Openwrt HTTP Request header_value information disclosure | 5.5 | 5.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00269 | 0.03 | CVE-2022-38333
20 | Fortinet FortiOS FortiPAM HTTPSd Daemon double free | 8.8 | 8.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00089 | 0.00 | CVE-2023-41678

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Korea / Thailand

IOC - Indicator of Compromise (11)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
1 | 5.206.227.142 | line001 | BlueShell | - | 11/30/2024 | verified | Very High
2 | 20.200.213.72 | - | BlueShell | - | 02/08/2024 | verified | High
3 | 20.214.201.166 | - | BlueShell | Korea / Thailand | 10/11/2023 | verified | High
4 | XX.XX.XX.XX | - | Xxxxxxxxx | - | 11/30/2024 | verified | Very High
5 | XX.XX.XX.XX | - | Xxxxxxxxx | - | 11/30/2024 | verified | Very High
6 | XX.XX.XXX.XX | - | Xxxxxxxxx | - | 11/30/2024 | verified | Very High
7 | XX.XX.XXX.XXX | xxx-xx-xx-xxx-xxx.xx-xxxxxxxxx-x.xxxxxxx.xxxxxxxxx.xxx | Xxxxxxxxx | - | 06/07/2024 | verified | High
8 | XXX.XXX.XXX.X | - | Xxxxxxxxx | - | 06/07/2024 | verified | Very High
9 | XXX.XXX.XXX.XXX | - | Xxxxxxxxx | - | 03/18/2024 | verified | Very High
10 | XXX.XX.XXX.XX | - | Xxxxxxxxx | - | 11/30/2024 | verified | Very High
11 | XXX.XX.XXX.XXX | - | Xxxxxxxxx | - | 02/08/2024 | verified | High

Rows 4 to 11 are masked on the page (X and x stand in for the hidden digits and letters); the full values require a CTI license.
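The check a defender actually runs against this table is a sweep of connection logs for the listed addresses and hostname. The script below is an added example, not code from the page or from the profiled actor's tooling. It uses only the three unmasked rows (the masked rows cannot be transcribed), matches IPs as whole tokens and the hostname as a whole DNS label, and ages each hit against the Identified date because address space in shared hosting and cloud ranges is reassigned over time: a hit on an old indicator is a lead to re-verify, not proof of compromise. The key=value log format, the 365-day staleness threshold and the non-indicator addresses (RFC 5737 documentation ranges) are assumptions for the example.

```python
import ipaddress
import re
from datetime import date

# IOCs transcribed from the three unmasked rows of the table above. The masked
# rows (IDs 4 to 11) cannot be used without the licensed view, so they are absent.
IOCS = [
    {"ip": "5.206.227.142", "hostname": "line001",
     "identified": date(2024, 11, 30), "confidence": "Very High"},
    {"ip": "20.200.213.72", "hostname": None,
     "identified": date(2024, 2, 8), "confidence": "High"},
    {"ip": "20.214.201.166", "hostname": None,
     "identified": date(2023, 10, 11), "confidence": "High"},
]

# Constructed firewall log in a key=value style (assumed format, not from the
# page). Non-IOC addresses use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-12-01T10:15:22Z action=allow src=10.20.30.40 dst=20.214.201.166 dport=443 proto=tcp
2024-12-01T10:16:05Z action=allow src=10.20.30.41 dst=198.51.100.7 dport=443 proto=tcp
2024-12-01T10:17:48Z action=allow src=10.20.30.40 dst=5.206.227.142 dport=8443 proto=tcp sni=line001
2024-12-01T10:18:00Z action=deny src=203.0.113.9 dst=10.20.30.40 dport=22 proto=tcp
2024-12-01T10:19:31Z action=allow src=10.20.30.42 dst=20.200.213.72 dport=443 proto=tcp
"""

# Dotted quad that is not glued to further digits or dots (avoids partial matches).
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_ips(line):
    """Return the set of syntactically valid IPv4 addresses in a log line."""
    found = set()
    for tok in IP_RE.findall(line):
        try:
            found.add(str(ipaddress.ip_address(tok)))
        except ValueError:
            pass  # e.g. 999.1.1.1 looks like an address but is not one
    return found


def hostname_present(hostname, line):
    """Match the hostname as a whole DNS label, not as a substring of a longer one."""
    pattern = r"(?<![\w-])" + re.escape(hostname) + r"(?![\w-])"
    return re.search(pattern, line) is not None


def match_line(line, event_date, iocs=IOCS, max_age_days=365):
    """Return one hit per IOC the line touches; flag hits on indicators older than
    max_age_days (assumed threshold) so reassigned infrastructure is re-verified."""
    ips = extract_ips(line)
    hits = []
    for ioc in iocs:
        matched_on = []
        if ioc["ip"] in ips:
            matched_on.append("ip")
        if ioc["hostname"] and hostname_present(ioc["hostname"], line):
            matched_on.append("hostname")
        if not matched_on:
            continue
        age = (event_date - ioc["identified"]).days if event_date else None
        hits.append({
            "ioc": ioc["ip"],
            "matched_on": matched_on,
            "confidence": ioc["confidence"],
            "age_days": age,
            "stale": age is not None and age > max_age_days,
        })
    return hits


def scan(log_text, iocs=IOCS, max_age_days=365):
    """Scan a whole log; the event date is read from the leading ISO-8601 timestamp.
    Lines without a parseable date are still matched, with the age left unknown."""
    results = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event_date = date.fromisoformat(line[:10])
        except ValueError:
            event_date = None
        for hit in match_line(line, event_date, iocs, max_age_days):
            hit["line"] = lineno
            results.append(hit)
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        flag = " (STALE: re-verify before acting)" if hit["stale"] else ""
        print(f"line {hit['line']}: {hit['ioc']} via {','.join(hit['matched_on'])} "
              f"confidence={hit['confidence']} age={hit['age_days']}d{flag}")
```

On the constructed log the scan reports three hits; the one on 20.214.201.166 is flagged stale because the indicator was identified more than a year before the event, while the 5.206.227.142 hit is corroborated by both the address and the line001 hostname.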

TTP - Tactics, Techniques, Procedures (17)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used; the 17 techniques counted in the heading are not listed on this page. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (63)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /../../conf/template/uhttpd.json | predictive | High
2 | File | /app/options.py | predictive | High
3 | File | /cgi-bin/portal | predictive | High
4 | File | /dev/block/mmcblk0rpmb | predictive | High
5 | File | /etc/shadow | predictive | Medium
6 | File | /etc/sudoers | predictive | Medium
7 | File | /itbox_pi/networksafe.php?a=set | predictive | High
8 | File | /options/mailman | predictive | High
9 | File | /xxxxx.xxxx.xxx | predictive | High
10 | File | /xxx/xxxxxxxxxx.xxx | predictive | High
11 | File | /xxxxxx/xxxx/xxxx | predictive | High
12 | File | /xx-xxxxx/xxxxx-xxxx.xxx | predictive | High
13 | File | /xxxxxx/xxxxx.xxx/xxxxx/xxxxx/xxx_xxxxxx_xxxxxxxx.xxxx | predictive | High
14 | File | xxxx_xxxxxxxxx.xxx | predictive | High
15 | File | xxx/xxxxx/xxxxxxxxxx/xxxx.xxx | predictive | High
16 | File | xxxxxx/xxxxxxxx.xxxx | predictive | High
17 | File | xxx-xxx/xxxxxxxxxxxx.xxx/xxxxxxxxxxxx | predictive | High
18 | File | xxx/xxxxx/xxxxxxxxx/xxxxxxxxxx/xxxxxxxxxxxxx | predictive | High
19 | File | xxxx/xxxxxxxxxxxxx.xxx | predictive | High
20 | File | xxxxxxxxxxx.xxx | predictive | High
21 | File | xxxxxxxx.xxx | predictive | Medium
22 | File | xxxxxxxx/xxxxxx/xxxxx.xxx | predictive | High
23 | File | xxxxxx/xxxxxxxxxxxx | predictive | High
24 | File | xxxxx.xxx | predictive | Medium
25 | File | xxxx.x | predictive | Low
26 | File | xxxx_xxxx_xxxxxx.xxx | predictive | High
27 | File | xxx/xxxxxxxxx/xxx_xxxxxxxxx.x | predictive | High
28 | File | xxx_xxxxxx.x | predictive | Medium
29 | File | xxxxxxx.xxx | predictive | Medium
30 | File | xxxxx_xxxxxx_xxxxxxxx.xxx | predictive | High
31 | File | xxxxxxxxxx/xxxxxxxxxx_xxxx.xxx?xxxxxx=xxxxxx | predictive | High
32 | File | xxx.x | predictive | Low
33 | File | xxxxxx.xxx | predictive | Medium
34 | File | xxxxxx/xxxxxx_xxxx.x | predictive | High
35 | File | xxxxxx.xxx | predictive | Medium
36 | File | xxxxx/xxxx/xxxxxxx.xxx | predictive | High
37 | File | xxxx/xxxxxxxx/xxxxxxxx.xxxx | predictive | High
38 | File | xxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High
39 | File | xxx-xxxxxx/ | predictive | Medium
40 | File | xxxxxx/xxxxxxxxxxx/xxxx_xxxxxxx.xxx | predictive | High
41 | File | xxxxxxxx.xxx | predictive | Medium
42 | Library | /_xxx_xxx/xxxxx.xxx | predictive | High
43 | Library | xxxxxxx.xxx | predictive | Medium
44 | Argument | xx_xxxxxxx | predictive | Medium
45 | Argument | xxxx_xxxxxxx | predictive | Medium
46 | Argument | xxxxxxxxx | predictive | Medium
47 | Argument | xxx_xxxxxx_x | predictive | Medium
48 | Argument | xxxxxxxxxxxxxx | predictive | High
49 | Argument | xxxxxxxxxxx | predictive | Medium
50 | Argument | xxxxxxxxxx | predictive | Medium
51 | Argument | xxxx | predictive | Low
52 | Argument | xxxxxx | predictive | Low
53 | Argument | xx | predictive | Low
54 | Argument | xxxxxxxx | predictive | Medium
55 | Argument | xxxxxxxx | predictive | Medium
56 | Argument | xxxxxxxxxx | predictive | Medium
57 | Argument | xxx | predictive | Low
58 | Argument | xxxxxxx | predictive | Low
59 | Argument | xxxxxxxx | predictive | Medium
60 | Argument | xxx | predictive | Low
61 | Argument | xxxxxxxx | predictive | Medium
62 | Argument | xxxxx | predictive | Low
63 | Argument | __xxxxxxxxx | predictive | Medium

Rows 9 to 63 are masked on the page (x stands in for the hidden characters); the full indicators require a CTI license.
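The unmasked File indicators are request-path fragments (indicator 7 lines up with the Ruijie networksafe.php entry in the vulnerabilities table), so the natural check is a sweep of web access logs. The script below is an added example, not code from the page or from the profiled actor's tooling. It percent-decodes each request target until it stops changing, so that "%2f" and double-encoded "%252e%252e" traversal collapse to the literal path before matching, and it separates probes that were rejected (4xx) from requests the server accepted, which are the ones to escalate first. The combined-format log lines, the client addresses (RFC 5737 documentation ranges) and the three-round decode bound are assumptions for the example; the masked rows 9 to 63 cannot be included.

```python
import re
from urllib.parse import unquote

# The eight unmasked File indicators from the table above, with the page's
# confidence rating. Masked rows (9 to 63) are not available without a license.
IOAS = [
    ("/../../conf/template/uhttpd.json", "High"),
    ("/app/options.py", "High"),
    ("/cgi-bin/portal", "High"),
    ("/dev/block/mmcblk0rpmb", "High"),
    ("/etc/shadow", "Medium"),
    ("/etc/sudoers", "Medium"),
    ("/itbox_pi/networksafe.php?a=set", "High"),
    ("/options/mailman", "High"),
]

# Constructed combined-format access log lines (not from the page); client
# addresses use RFC 5737 documentation ranges. The last line is a benign Mailman
# request that must not match.
SAMPLE_ACCESS_LOG = """\
198.51.100.23 - - [30/Nov/2024:10:15:22 +0000] "GET /cgi-bin/..%2f..%2fetc%2fshadow HTTP/1.1" 404 196 "-" "curl/8.5.0"
198.51.100.23 - - [30/Nov/2024:10:15:40 +0000] "POST /itbox_pi/networksafe.php?a=set HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.8 - - [30/Nov/2024:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.8 - - [30/Nov/2024:10:16:09 +0000] "GET /%252e%252e/%252e%252e/conf/template/uhttpd.json HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.8 - - [30/Nov/2024:10:16:15 +0000] "GET /mailman/listinfo HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Common/combined log format: client, identd, user, [timestamp], "METHOD target proto", status
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def normalize_target(target, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so encoded and
    double-encoded traversal collapse to the literal path; lower-case for matching."""
    cur = target
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.lower()


def match_target(target, ioas=IOAS):
    """Return (indicator, confidence) pairs contained in the normalized request target.
    The query string is kept because indicator 7 includes its "?a=set" argument."""
    norm = normalize_target(target)
    return [(frag, conf) for frag, conf in ioas if frag in norm]


def scan_access_log(text, ioas=IOAS):
    """Scan a combined-format log. A matched request with a 2xx/3xx status may have
    succeeded and is marked for escalation; 4xx/5xx hits are recorded as probes."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CLF_RE.match(line)
        if not m:
            continue  # not a request line we understand; leave it for other tooling
        matched = match_target(m["target"], ioas)
        if not matched:
            continue
        status = int(m["status"])
        hits.append({
            "line": lineno,
            "src": m["src"],
            "method": m["method"],
            "target": m["target"],
            "status": status,
            "indicators": [frag for frag, _ in matched],
            "confidence": [conf for _, conf in matched],
            "likely_succeeded": status < 400,
        })
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_ACCESS_LOG):
        tag = "ESCALATE" if h["likely_succeeded"] else "probe"
        print(f"line {h['line']} [{tag}] {h['src']} {h['method']} {h['target']} "
              f"-> {h['indicators']} confidence={h['confidence']}")
```

On the constructed log the first and fourth lines are reported as rejected probes (the encoded traversal to /etc/shadow and the double-encoded uhttpd.json path), the accepted POST to networksafe.php?a=set is marked for escalation, and the ordinary Mailman listinfo request does not match because the indicator is the specific /options/mailman fragment, not the product name.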

References (4)

The page lists four external sources that discuss the actor and the associated activities; they are visible only with CTI permissions.