lightSpy Analysis

IOB - Indicator of Behavior (161)

Language

  • en (78)
  • zh (76)
  • de (6)
  • ru (2)

Product

  • Node.js (4)
  • Google Android (4)
  • Cisco ASA (4)
  • Cisco Firepower Threat Defense (4)
  • ONLYOFFICE Server (4)

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

| # | Vulnerability | Base | Temp | 0day | Today | Exploit status | Countermeasure | KEV | EPSS | CTI | CVE |
|---|---------------|------|------|------|-------|----------------|----------------|-----|------|-----|-----|
| 1 | EMQ X Dashboard auth information disclosure | 4.4 | 4.2 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.00184 | 0.02 | CVE-2021-46434 |
| 2 | vsftpd deny_file | 3.7 | 3.6 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.35290 | 0.09 | CVE-2015-1419 |
| 3 | Google Chrome V8 Remote Code Execution | 6.3 | 5.7 | $25k-$100k | $0-$5k | Proof-of-Concept | Official fix | possible | 0.78671 | 0.00 | CVE-2020-16040 |
| 4 | FastAdmin lang path traversal | 5.3 | 5.2 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | expected | 0.91008 | 0.06 | CVE-2024-7928 |
| 5 | Grafana Proxy authentication spoofing | 5.8 | 5.7 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00729 | 0.03 | CVE-2022-35957 |
| 6 | Devilz Clanportal sql injection | 7.3 | 7.0 | $0-$5k | $0-$5k | High | Official fix | | 0.00472 | 0.02 | CVE-2006-6339 |
| 7 | Apollo apollo-configservice missing authentication | 7.4 | 7.2 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00080 | 0.00 | CVE-2023-25570 |
| 8 | Linux Kernel file_ns_capable access control | 4.9 | 4.4 | $5k-$25k | $0-$5k | Proof-of-Concept | Official fix | | 0.01052 | 0.00 | CVE-2013-1959 |
| 9 | Cisco IOS XE Web UI API command injection | 5.8 | 5.7 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.00057 | 0.03 | CVE-2022-20851 |
| 10 | Radicale Multifilesystem Storage Backend File input validation | 10.0 | 9.7 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.01710 | 0.04 | CVE-2015-8747 |
| 11 | Synacor Zimbra Collaboration Suite WebEx Zimlet server-side request forgery | 8.5 | 8.2 | $0-$5k | $0-$5k | Not defined | Official fix | possible | 0.78546 | 0.00 | CVE-2020-7796 |
| 12 | AirMore Key input validation | 6.4 | 6.1 | $0-$5k | $0-$5k | Proof-of-Concept | Workaround | | 0.18369 | 0.08 | CVE-2019-9831 |
| 13 | Atmail cross site scripting | 4.3 | 3.9 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.00254 | 0.00 | CVE-2013-2585 |
| 14 | Openfind Mail2000 CGI os command injection | 8.8 | 8.6 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00415 | 0.06 | CVE-2024-5400 |
| 15 | aizuda snail-job Workflow-Task Management Module check-node-expression getRuntime deserialization | 7.1 | 7.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00054 | 0.46 | CVE-2025-2622 |
| 16 | Workerman-ThinkPHP-Redis Controller.class.php cross site scripting | 4.8 | 4.8 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00240 | 0.02 | CVE-2021-43697 |
| 17 | Google Android SystemStatusAnimationSchedulerImpl.kt removePersistentDot race condition | 6.9 | 6.8 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.00022 | 0.00 | CVE-2024-0041 |
| 18 | Huawei E6878-370 WAN authorization | 7.2 | 7.2 | $5k-$25k | $5k-$25k | Not defined | Not defined | | 0.00173 | 0.02 | CVE-2020-9241 |
| 19 | argo-cd settings improper authentication | 6.0 | 6.0 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.20896 | 0.00 | CVE-2024-37152 |
| 20 | OPPO Store App improper authentication | 5.3 | 5.3 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00069 | 0.00 | CVE-2024-1609 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • LightSpy

IOC - Indicator of Compromise (26)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.


TTP - Tactics, Techniques, Procedures (16)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (76)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|----|-------|-----------|------|------------|
| 1 | File | /?Key=PhoneRequestAuthorization | predictive | High |
| 2 | File | /addcompany.php | predictive | High |
| 3 | File | /api/v1/settings | predictive | High |
| 4 | File | /api /v3/auth | predictive | High |
| 5 | File | /example/editor | predictive | High |
| 6 | File | /fcgi/scrut_fcgi.fcgi | predictive | High |
| 7 | File | /filemanager/php/connector.php | predictive | High |
| 8 | File | /index/ajax/lang | predictive | High |
| 9 | File | /snail-job/workflow/check-node-expression | predictive | High |
