PKPLUG Analysis

IOB - Indicator of Behavior (239)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 144
zh: 92
jp: 2
de: 2


Country


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Linux Kernel: 10
chatwoot: 4
Apple watchOS: 4
Zen Cart: 4
The Digital Craft Atom CMS: 4


Vulnerabilities

Columns: Base and Temp are the CVSS base and temporal scores; 0day and Today are the estimated exploit prices at disclosure and now; Exp is exploit availability; Rem is remediation status; EPSS is the exploit prediction score; CTI is the threat-intelligence interest score.

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1 | Sophos Firewall User Portal/Webadmin improper authentication | 8.5 | 8.5 | $1k-$2k | $0-$1k | High | Not Defined | 0.97410 | 0.03 | CVE-2022-1040
2 | XoruX LPAR2RRD/STOR2RRD hard-coded credentials | 6.3 | 6.0 | $1k-$2k | $0-$1k | Not Defined | Official Fix | 0.00275 | 0.03 | CVE-2021-42371
3 | Komodia Redirector SDK Web Companion cryptographic issues | 5.3 | 5.3 | $1k-$2k | $0-$1k | Not Defined | Not Defined | 0.00220 | 0.00 | CVE-2015-2078
4 | SourceCodester Doctors Appointment System login.php sql injection | 7.4 | 7.1 | $1k-$2k | $0-$1k | Proof-of-Concept | Not Defined | 0.00064 | 0.04 | CVE-2023-4219
5 | IBM Security Guardium Request os command injection | 9.2 | 9.2 | $10k-$25k | $10k-$25k | Not Defined | Not Defined | 0.00066 | 0.00 | CVE-2023-35893
6 | Piwigo pwg.users.php sql injection | 6.3 | 6.1 | $1k-$2k | $0-$1k | Not Defined | Not Defined | 0.00088 | 0.04 | CVE-2022-26266
7 | Pluck Theme Upload unrestricted upload | 4.7 | 4.6 | $1k-$2k | $0-$1k | Not Defined | Not Defined | 0.02893 | 0.07 | CVE-2022-26965
8 | Apache Struts ParameterInterceptor unknown vulnerability | 5.3 | 5.3 | $10k-$25k | $0-$1k | High | Not Defined | 0.08484 | 0.00 | CVE-2010-1870
9 | Synacor Zimbra Collaboration Memcache Command injection | 6.3 | 6.0 | $1k-$2k | $0-$1k | High | Official Fix | 0.09665 | 0.05 | CVE-2022-27924
10 | OpenSSL c_rehash os command injection | 5.5 | 5.3 | $10k-$25k | $1k-$2k | Not Defined | Official Fix | 0.10649 | 0.05 | CVE-2022-1292
11 | AfterLogic Aurora/WebMail Pro DAV DAVServer.php pathname traversal | 7.6 | 7.6 | $1k-$2k | $0-$1k | Not Defined | Not Defined | 0.00290 | 0.03 | CVE-2021-26293
12 | Artifex MuJS heap-based overflow | 5.5 | 5.3 | $2k-$5k | $0-$1k | Not Defined | Official Fix | 0.00221 | 0.00 | CVE-2021-45005
13 | Discuz! DiscuzX Access Restriction index.php access control | 8.5 | 8.5 | $2k-$5k | $0-$1k | Not Defined | Not Defined | 0.00323 | 0.03 | CVE-2018-5377
14 | Juniper Junos Pulse Secure Access Service SSL VPN Web Server cross site scripting | 6.3 | 6.0 | $5k-$10k | $0-$1k | Not Defined | Official Fix | 0.00135 | 0.04 | CVE-2013-5649
15 | Total.js Platform index.js path traversal | 7.4 | 7.2 | $1k-$2k | $0-$1k | Not Defined | Official Fix | 0.01284 | 0.00 | CVE-2019-8903
16 | Matomo safemode.twig Path information disclosure | 4.3 | 4.3 | $0-$1k | $0-$1k | Not Defined | Not Defined | 0.00058 | 0.00 | CVE-2019-12215
17 | Google Chrome V8 out-of-bounds write | 7.5 | 7.4 | $25k-$50k | $10k-$25k | Not Defined | Official Fix | 0.00080 | 0.07 | CVE-2024-0517
18 | tough-cookie Cookies prototype pollution | 7.9 | 7.8 | $1k-$2k | $0-$1k | Not Defined | Official Fix | 0.00123 | 0.04 | CVE-2023-26136
19 | ASUS RT-AC51U Network Request cross site scripting | 3.5 | 3.5 | $1k-$2k | $0-$1k | Not Defined | Not Defined | 0.00063 | 0.05 | CVE-2023-29772
20 | Asus RT-AC2900 input validation | 8.5 | 8.2 | $2k-$5k | $0-$1k | Not Defined | Official Fix | 0.08597 | 0.00 | CVE-2018-8826

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • THOR

IOC - Indicator of Compromise (20)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (19)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (92)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /admin.php?action=themeinstall | predictive | High
2 | File | /admin/ajax/avatar.php | predictive | High
3 | File | /admin/uploads.php | predictive | High
4 | File | /admin/users.php?source=edit_user&id=1 | predictive | High
5 | File | /cgi-bin/portal | predictive | High
6 | File | /etc/passwd | predictive | Medium
7 | File | /etc/shadow | predictive | Medium
8 | File | /htmlcode/html/indexdefault.asp | predictive | High
9 | File | /include/config.cache.php | predictive | High
10 | File | /include/helpers/upload.helper.php | predictive | High
11 | File | /patient/appointment.php | predictive | High
12 | File | /xxxxxxx/xxxxxx | predictive | High
13 | File | /xxx | predictive | Low
14 | File | xxxxx.xxx | predictive | Medium
15 | File | xxxxx/xxxx.xxx | predictive | High
16 | File | xxxx.xxx | predictive | Medium
17 | File | xxxxxxxxxxx.xxx | predictive | High
18 | File | xxx\xxxxx\xxxxxxxxxx\xxxxxxxxxxxxxxx.xxx | predictive | High
19 | File | xxxxxxxx\xxxxx.xxx | predictive | High
20 | File | xxx/xxxxxxx.xx | predictive | High
21 | File | xxxxx.xxx | predictive | Medium
22 | File | xxx.xxx | predictive | Low
23 | File | xxxxxx.xxx | predictive | Medium
24 | File | x_xxxxxx | predictive | Medium
25 | File | xxxxxxxxx.xxx | predictive | High
26 | File | xxxxxxx/xxxxx/xxxxxxxx/xxxxx | predictive | High
27 | File | xxxx-xxxxxxxx-xxxxxx.xxx | predictive | High
28 | File | xx/xx-xx.x | predictive | Medium
29 | File | xxx/xxxxxx.xxx | predictive | High
30 | File | xxxxxxx\xxxxxxx\xxxxxxx_xxxxx.xxx | predictive | High
31 | File | xxxxx.xx | predictive | Medium
32 | File | xxxxx.xxx | predictive | Medium
33 | File | xxxxx.xxx/xxxxxxxxxxxxx/xxx | predictive | High
34 | File | xxx/xxx.x | predictive | Medium
35 | File | xxxxxx/xxx/xxxxxxxx.x | predictive | High
36 | File | xxxxxxxxxx/xxx/xxxxxx_xxxx.xxx | predictive | High
37 | File | xxxxxxxxx/xxxx_xxxxxxx.xxx.xxx | predictive | High
38 | File | xxxxx.xxx | predictive | Medium
39 | File | xxxxx.xxx | predictive | Medium
40 | File | xxxxxxx.xxx | predictive | Medium
41 | File | xxxxxxx/xxxx/xxxxx/xxxxxxxxxxx.xxx | predictive | High
42 | File | xxxxxxx/xxxxx/xxxxxxx/xxxx.xxx | predictive | High
43 | File | xxxxxxx.xx | predictive | Medium
44 | File | xxxxxxx/xxxxxxxxxxxxxxxx/xxxxxxxxx/xxxxxxxx.xxxx | predictive | High
45 | File | xxxx/xxxxxxxxx.xxx | predictive | High
46 | File | xxxxxx/xxxxx_xxxxxxxx/xxxxxxx.xxxx | predictive | High
47 | File | xxxxx.xxx | predictive | Medium
48 | File | xxx.xxxxx.xxx | predictive | High
49 | File | xxx.xxx | predictive | Low
50 | File | xxx.xxxxxxxxx | predictive | High
51 | File | xxx/xxx/xxx.x | predictive | High
52 | File | xxxxxxxx/xxxxxxxx | predictive | High
53 | File | xxxxxxxxx.xxx | predictive | High
54 | File | xx-xxxxxxxx/xxxxx-xx-xxxxx.xxx | predictive | High
55 | File | xx-xxxxxxxx/xxxxxxxxx.xxx | predictive | High
56 | File | xx-xxxxxxxx/xxxx.xxx | predictive | High
57 | File | xxxxxxxxxxxxx.xxxx | predictive | High
58 | Library | xxx/xxxxxx/xxxxxxxxx/xxxxxxx.xx | predictive | High
59 | Library | xxxxxxx/xxxxxxx/xxxxxx/xxx/xxxxx.xxxxxxx.xxx | predictive | High
60 | Argument | $_xxxxx | predictive | Low
61 | Argument | xxxxxxx | predictive | Low
62 | Argument | xxx | predictive | Low
63 | Argument | xxxxxx | predictive | Low
64 | Argument | xxxxx | predictive | Low
65 | Argument | xxxxx | predictive | Low
66 | Argument | xxxxxxxx | predictive | Medium
67 | Argument | xxxxxxxxxx | predictive | Medium
68 | Argument | xxxxxxxxxxxxxxxxxxxxxxxx | predictive | High
69 | Argument | xxxxxx | predictive | Low
70 | Argument | xxxxx | predictive | Low
71 | Argument | xxxxxx | predictive | Low
72 | Argument | xx | predictive | Low
73 | Argument | xx | predictive | Low
74 | Argument | xx_xxxxxxxx | predictive | Medium
75 | Argument | xxxxxx | predictive | Low
76 | Argument | xxxxxxx | predictive | Low
77 | Argument | xxx_xxx | predictive | Low
78 | Argument | xxxxxxx | predictive | Low
79 | Argument | xxxxxx_xxxx | predictive | Medium
80 | Argument | xxxxxxxxxxx | predictive | Medium
81 | Argument | xxxx | predictive | Low
82 | Argument | xxx | predictive | Low
83 | Argument | xxxxxxxx | predictive | Medium
84 | Argument | xxx | predictive | Low
85 | Argument | xxxxxxxx | predictive | Medium
86 | Argument | xxxxxx[] | predictive | Medium
87 | Argument | xxxxxxxxx | predictive | Medium
88 | Argument | xxxxxxxx | predictive | Medium
89 | Argument | xxxxxxxx | predictive | Medium
90 | Input Value | .. | predictive | Low
91 | Input Value | ../ | predictive | Low
92 | Pattern | |xx|xx|xx| | predictive | Medium
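As an added example (not code from the original page, the vendor, or the PKPLUG actor's tooling), the following Python scans web-server access logs in Combined Log Format for the unmasked IOA fragments in the table above. Only the indicator strings and their confidence ratings come from the table; the log lines, function names, decoding depth and per-source summary are constructed for illustration, and the masked entries (xxx) are left out because their real values are not on the page. Request targets are percent-decoded repeatedly (with a bound) so that URL-encoded and double-encoded traversal such as %2e%2e%2f and %252e%252e%252f still match the "../" input value.

```python
"""Scan access logs for the unmasked PKPLUG IOA fragments.

Added example, not code from the original page. The indicator strings and
confidence ratings are taken from the IOA table; the log lines, function
names and decoding depth are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Combined Log Format (Apache/nginx default). Fields after the size are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# "File" indicators from the IOA table (unmasked entries only) with their confidence.
IOA_FILES = {
    "/admin.php?action=themeinstall": "High",
    "/admin/ajax/avatar.php": "High",
    "/admin/uploads.php": "High",
    "/admin/users.php?source=edit_user&id=1": "High",
    "/cgi-bin/portal": "High",
    "/etc/passwd": "Medium",
    "/etc/shadow": "Medium",
    "/htmlcode/html/indexdefault.asp": "High",
    "/include/config.cache.php": "High",
    "/include/helpers/upload.helper.php": "High",
    "/patient/appointment.php": "High",
}
# "Input Value" indicators (directory-traversal fragments) from the same table.
IOA_INPUT_VALUES = {"..": "Low", "../": "Low"}

CONFIDENCE_RANK = {"Low": 1, "Medium": 2, "High": 3}


def normalize_target(target, max_rounds=3):
    """Percent-decode until stable (bounded), fold backslashes to '/' and lowercase.

    Bounded repeated decoding catches both %2e%2e%2f and double-encoded
    %252e%252e%252f without looping forever on adversarial input.
    """
    decoded = target
    for _ in range(max_rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/").lower()


def match_target(target):
    """Return [(class, indicator, confidence), ...] for every IOA fragment in the target."""
    norm = normalize_target(target)
    hits = [("File", frag, conf) for frag, conf in IOA_FILES.items() if frag.lower() in norm]
    hits += [("Input Value", frag, conf) for frag, conf in IOA_INPUT_VALUES.items() if frag in norm]
    return hits


def scan(lines):
    """Parse each log line and keep those whose request target matches at least one IOA."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # malformed or non-CLF line: skip rather than abort the scan
            continue
        hits = match_target(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                "status": int(m["status"]),
                "hits": hits,
                "confidence": max((h[2] for h in hits), key=CONFIDENCE_RANK.__getitem__),
            })
    return findings


def summarize_by_source(findings):
    """Per client IP: number of matching requests and the strongest confidence seen."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["ip"], {"requests": 0, "confidence": "Low"})
        entry["requests"] += 1
        if CONFIDENCE_RANK[f["confidence"]] > CONFIDENCE_RANK[entry["confidence"]]:
            entry["confidence"] = f["confidence"]
    return summary


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "GET /admin/uploads.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jan/2024:12:00:02 +0000] "GET /index.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Jan/2024:12:00:03 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2024:12:00:04 +0000] "POST /cgi-bin/portal HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Jan/2024:12:00:05 +0000] "GET /download?path=%252e%252e%252fetc%252fshadow HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], f["target"], "->", f["confidence"], [h[1] for h in f["hits"]])
    print(summarize_by_source(scan(SAMPLE_LOG)))
```

A 200 response to a traversal request (the second sample line) deserves more attention than a 403 or 404, so the status code is kept in each finding; a hit on a Low-confidence fragment alone (".." in an otherwise ordinary path) is a weak signal and is best used to raise the score of a source that also touched a High-confidence file.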

References (2)

The following list contains external sources which discuss the actor and the associated activities:
