Cardinal RAT Analysisinfo

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (307)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

en228
fr44
it24
es4
de4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

US: USA166
CR: Costa Rica88
RU: Russia16
AR: Argentina12
GB: Great Britain2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Cardinal RAT5
Ave Maria2
TrickBot1
DNSpionage1
Dharma1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined114
Content Management System20
Smartphone Operating System12
Multimedia Player Software12
Image Processing Software10

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined96
Cisco18
IBM18
Google14
Qualcomm10

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Google Android10
Qualcomm Snapdragon Mobile10
Qualcomm Snapdragon Wear8
Adobe Flash Player8
Foxit Reader6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

#VulnerabilityBaseTemp0dayTodayExpCouKEVEPSSCTICVE
1Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure5.35.2$5k-$25kCalculatingHighWorkaroundpossible0.029560.00CVE-2007-1192
2MGB OpenSource Guestbook email.php sql injection7.37.3$0-$5k$0-$5kHighUnavailablepossible0.018020.15CVE-2007-0354
3Foxit PhantomPDF fxhtml2pdf memory corruption7.57.5$0-$5k$0-$5kNot definedNot defined 0.005410.00CVE-2018-17706
4Qualcomm Snapdragon Mobile WLAN memory corruption6.86.7$5k-$25k$0-$5kNot definedOfficial fix 0.000350.06CVE-2018-11875
5Qualcomm Snapdragon Mobile WLAN input validation6.86.7$5k-$25k$0-$5kNot definedOfficial fix 0.000330.02CVE-2018-11873
6Qualcomm Snapdragon Mobile/Snapdragon Wear Modem Segment access control6.86.7$5k-$25k$0-$5kNot definedOfficial fix 0.002070.00CVE-2017-18308
7Yammer Desktop App input validation7.57.5$0-$5k$0-$5kNot definedNot defined 0.241980.00CVE-2018-8569
8Moxa ThingsPro command injection8.58.5$0-$5k$0-$5kNot definedNot defined 0.020020.00CVE-2018-18396
9elfutils libdw dwarf_getaranges.c dwarf_getaranges memory corruption6.46.3$0-$5k$0-$5kNot definedOfficial fix 0.000900.02CVE-2018-16062
10Kraftway 24F2XG Web Interface memory corruption8.58.5$0-$5k$0-$5kNot definedNot defined 0.036180.00CVE-2018-15353
11Google Android Qualcomm Crypto Driver access control9.39.3$25k-$100k$25k-$100kNot definedNot defined 0.044310.05CVE-2016-8418
12Google Android libjpeg access control7.87.6$25k-$100k$5k-$25kNot definedOfficial fix 0.016000.06CVE-2016-6702
13D-Link DI-8100 jhttpd pppoe_base.asp buffer overflow8.88.4$25k-$100k$0-$5kProof-of-ConceptNot defined 0.000001.81CVE-2025-6881
14IBM Informix Dynamic Server integer underflow7.57.3$5k-$25k$5k-$25kNot definedOfficial fix 0.000940.17CVE-2025-1991
15Linux Kernel hugetlb huge_pmd_unshare memory corruption8.07.6$5k-$25k$5k-$25kNot definedOfficial fix 0.000240.15CVE-2025-38085
16Linux Kernel HugeTLB Page __split_vma memory corruption8.07.6$5k-$25k$5k-$25kNot definedOfficial fix 0.000300.15CVE-2025-38084
17Cisco Identity Services Engine Software API injection8.58.4$5k-$25k$0-$5kNot definedOfficial fix 0.001090.09CVE-2025-20281
18DragonflyDB Dragonfly lua_struct.C integer overflow8.88.4$0-$5k$0-$5kNot definedOfficial fix 0.000470.03CVE-2025-52935
19Netgear EX6150 sub_410090 stack-based overflow8.88.0$25k-$100k$0-$5kProof-of-ConceptNot defined 0.001881.08CVE-2025-6511
20Netgear EX6100 sub_415EF8 stack-based overflow8.88.0$25k-$100k$0-$5kProof-of-ConceptNot defined 0.001881.31CVE-2025-6510

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Cardinal RAT

IOC - Indicator of Compromise (8)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
1127.194.73.243Cardinal RATCardinal RAT12/22/2020verifiedLow
2127.194.87.192Cardinal RATCardinal RAT12/22/2020verifiedLow
3XXX.XX.XXX.Xxxx.xx.xxx.x.xxxxxxxxx-xxxXxxxxxxx XxxXxxxxxxx Xxx12/22/2020verifiedLow
4XXX.XXX.XXX.XXXxxx.xxx.xxx.xxx.xxxxxxxxx-xxxXxxxxxxx XxxXxxxxxxx Xxx12/22/2020verifiedLow
5XXX.XX.X.XXXxxxxxxxxxxxxx.xxxXxxxxxxx XxxXxxxxxxx Xxx12/22/2020verifiedLow
6XXX.XX.XX.XXxxx.xx.xx.xx.xxxxxxxxx-xxxXxxxxxxx XxxXxxxxxxx Xxx12/22/2020verifiedLow
7XXX.XX.XX.XXXxxx.xx.xx.xxx.xxxxxxxxx-xxxXxxxxxxx XxxXxxxxxxx Xxx12/22/2020verifiedLow
8XXX.XX.XX.XXXxxx.xx.xx.xxx.xxxxxxxxx-xxxXxxxxxxx XxxXxxxxxxx Xxx12/22/2020verifiedLow

TTP - Tactics, Techniques, Procedures (14)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22Path TraversalpredictiveHigh
2T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
3T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
4TXXXX.XXXCAPEC-XXXCWE-XX, CWE-XXXxxxx Xxxxx Xxxx XxxxxxxxxpredictiveHigh
5TXXXXCAPEC-XXXCWE-XXX, CWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXX.XXXCAPEC-XXXCWE-XXXXxxx-xxxxx XxxxxxxxxxxpredictiveHigh
7TXXXXCAPEC-XXXCWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
8TXXXX.XXXCAPEC-XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
9TXXXXCAPEC-XXXCWE-XXXxx XxxxxxxxxpredictiveHigh
10TXXXXCWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
11TXXXXCAPEC-XXXCWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
12TXXXX.XXXCWE-XXXxxxxxxxxxxxxpredictiveHigh
13TXXXXCWE-XXXXxxxxxxxxxxxx XxxxxxpredictiveHigh
14TXXXX.XXXCAPEC-XCWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (113)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/admin/?/plugin/comment/settingspredictiveHigh
2File/filemanager/upload.phppredictiveHigh
3File/forum/away.phppredictiveHigh
4File/goform/formSetACLFilterpredictiveHigh
5File/goform/openSchedWifipredictiveHigh
6File/inc/parser/xhtml.phppredictiveHigh
7File/php_action/fetchSelectedCategories.phppredictiveHigh
8File/pppoe_base.asppredictiveHigh
9File/routing/goform/aspFormpredictiveHigh
10File/transactionsave.phppredictiveHigh
11File/uncpath/predictiveMedium
12File/webconsole/APIControllerpredictiveHigh
13File/webmail/predictiveMedium
14Filexxxxxxx.xxxpredictiveMedium
15Filexxxxx.xxx?x=/xxxxx/xxxxxxpredictiveHigh
16Filexxxxx/xxxx_xxxxx_xxxx.xxxpredictiveHigh
17Filexxxxx/xxx_xxxxxx.xxxpredictiveHigh
18Filexxxxxxx.xxxpredictiveMedium
19Filexxxxx.xpredictiveLow
20Filexx_xxxxx_xxxxx.xxxpredictiveHigh
21Filexxx_xxxxxxxxxxx_xxx_xxxx.xxxpredictiveHigh
22Filexxx_xxxxxx_xxxx.xxxpredictiveHigh
23Filexxxxxxxx.xxxpredictiveMedium
24Filexxxx/xxxxxxxx.xpredictiveHigh
25Filexxxxxx_xxxxxxxx_xxx.xxxpredictiveHigh
26Filexxxxx\xxxx\xxx_xxxx\xxxx_xxxx.xxxpredictiveHigh
27Filexxxx/xxxxxxxxxxxxxxx.xxxpredictiveHigh
28Filexxxxx_xxxxxxxxxx.xpredictiveHigh
29Filexxx/xxx/xxxxxpredictiveHigh
30Filexxxxx.xxxpredictiveMedium
31Filexxxxxx_xxx.xxxpredictiveHigh
32Filexxxx/xxxx.xpredictiveMedium
33Filexxxxxxxx.xpredictiveMedium
34Filexxx.xpredictiveLow
35Filexxx.xpredictiveLow
36Filexxxxxx.xxxpredictiveMedium
37Filexxxxx.xxxxpredictiveMedium
38Filexxxxx.xxxpredictiveMedium
39Filexxxxxx.xpredictiveMedium
40Filexxxxxxx.xxxpredictiveMedium
41Filexxx_xxxxxx.xpredictiveMedium
42Filexxxxxxxx.xpredictiveMedium
43Filexxxxxx/xxxxxxx.xxxpredictiveHigh
44Filexxxxxxx/xxx_xxxxxx/xxxxxx.xpredictiveHigh
45Filexxxxxxxx/xxxx/xxxx.xxxpredictiveHigh
46Filexxxxx.xxxpredictiveMedium
47Filexxxxxxxxxx.xxxpredictiveHigh
48Filexxxxxx_xxxxxx.xxpredictiveHigh
49Filexxxxxxxxxx.xxxxpredictiveHigh
50Filexxxx_xxxxxxx.xpredictiveHigh
51Filexxxxxxxx/xxxx/xxxx.xxx?xxxxxx=xxxxxxxxxxxxxxxxpredictiveHigh
52Filexxxxxxxxxxxx/xxxxxxx.xxxpredictiveHigh
53Filexxx-xxxxxxx.xpredictiveHigh
54Filexxx_xxxxxx.xpredictiveMedium
55Filexxxxxx/xxxxxxx/xxxxxx/xxxxxxxx.xxxpredictiveHigh
56Filexxxxxxxx.xpredictiveMedium
57Filexxxxx/xxxxxxxx.xpredictiveHigh
58Filexxxxx/xxxxxxx.xpredictiveHigh
59Filexxxxxx\xxxxxxx\xxx\xxxxxxx.xxxpredictiveHigh
60Filexxxx/xxxx_xxxx.xpredictiveHigh
61Filexxxx/xxx/xxxx-xxxxx.xxxpredictiveHigh
62Filexxxx/xxxxxxxx/xxxxxxxx.xxxxpredictiveHigh
63Filexxx_xxxxx.xpredictiveMedium
64Filexx-xxxxx/xxxxx-xxxxxx.xxxpredictiveHigh
65Filexx-xxxxxxxx/xxxxx-xx-xxxxx.xxxpredictiveHigh
66Filexx-xxxxxxxxx.xxxpredictiveHigh
67File_xxxx_xxxx.xxxpredictiveHigh
68File~/xxxxx/xxxxx.xxxpredictiveHigh
69Libraryxxx/xxxx/xxx/xxx.xxxpredictiveHigh
70Libraryxxx/xxxxx.xpredictiveMedium
71LibraryxxxxxxxpredictiveLow
72Libraryxxxxxxxxx.xxxpredictiveHigh
73Argument${xxx}predictiveLow
74ArgumentxxxxxxpredictiveLow
75Argumentxxxxxxxxxx_xxpredictiveHigh
76ArgumentxxxxxxxxxxxxxpredictiveHigh
77ArgumentxxxxxxxxxxxxpredictiveMedium
78Argumentxxxxxxx-xxxxxxpredictiveHigh
79Argumentxxxx_xxxxxpredictiveMedium
80ArgumentxxxxxxxpredictiveLow
81Argumentxxxx_xxxpredictiveMedium
82ArgumentxxxpredictiveLow
83ArgumentxxpredictiveLow
84ArgumentxxxxxxpredictiveLow
85ArgumentxxxxxxxxpredictiveMedium
86ArgumentxxxxxxxxpredictiveMedium
87Argumentxxx_xxxxxxxx_%x/xxxxx_xxxx_%xpredictiveHigh
88ArgumentxxxxxxxpredictiveLow
89Argumentxxxxxx_xxpredictiveMedium
90Argumentx_xxpredictiveLow
91ArgumentxxxxpredictiveLow
92ArgumentxxxxxpredictiveLow
93Argumentxxxxxx[xxxxxxx_xxxxxxxx]predictiveHigh
94ArgumentxxxxxxxxpredictiveMedium
95ArgumentxxxxxxxxpredictiveMedium
96Argumentxxxxx_xxxx_xxxxpredictiveHigh
97Argumentxxxx_xxxxxxpredictiveMedium
98ArgumentxxxxxxxxpredictiveMedium
99Argumentxxxxxxx_xxpredictiveMedium
100Argumentxxxxxxx_xxxxpredictiveMedium
101Argumentxxxxxxxxxxxxxx/xxxxxxxxxxxxpredictiveHigh
102ArgumentxxxxxxxxxxxxxxpredictiveHigh
103Argumentxx_xxpredictiveLow
104ArgumentxxxxxxxpredictiveLow
105ArgumentxxxxxpredictiveLow
106ArgumentxxxpredictiveLow
107ArgumentxxxpredictiveLow
108ArgumentxxxxxxxxpredictiveMedium
109ArgumentxxxxxxxxxxxxxxxxxpredictiveHigh
110Argumentx-xxxxxxxxx-xxxpredictiveHigh
111Argument_xxxxpredictiveLow
112Input Value-<xxxxxx>predictiveMedium
113Network Portxxx/xxxxpredictiveMedium

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

This view requires CTI permissions

Just purchase a CTI license today!