PKPLUG Analysis

IOB - Indicator of Behavior (250)


Language

  • en: 152
  • zh: 92
  • jp: 4
  • de: 2





Product

  • Trend Micro Apex One: 8
  • Measuresoft ScadaPro Server: 8
  • WordPress: 6
  • Apache Struts: 4
  • FileZen: 4


Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

#  | Vulnerability | Base | Temp | 0day | Today | Exploitability | Countermeasure | KEV | EPSS | CTI | CVE
---|---------------|------|------|------|-------|----------------|----------------|-----|------|-----|----
1  | Sophos Firewall User Portal/Webadmin improper authentication | 9.0 | 9.0 | $0-$5k | $0-$5k | High | Not defined | verified | 0.94423 | 0.00 | CVE-2022-1040
2  | XoruX LPAR2RRD/STOR2RRD hard-coded credentials | 6.3 | 6.0 | $0-$5k | $0-$5k | Not defined | Official fix | - | 0.00725 | 0.00 | CVE-2021-42371
3  | Komodia Redirector SDK Web Companion cryptographic issues | 5.3 | 5.3 | $0-$5k | $0-$5k | Not defined | Not defined | - | 0.00592 | 0.00 | CVE-2015-2078
4  | Joomla sql injection | 6.3 | 6.3 | $5k-$25k | $5k-$25k | Not defined | Not defined | - | 0.00042 | 0.00 | CVE-2022-23797
5  | Tosei Online Store Management System ネット店舗管理システム Backend default credentials | 8.1 | 7.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | - | 0.00243 | 0.09 | CVE-2024-7898
6  | SourceCodester Doctors Appointment System login.php sql injection | 7.4 | 7.1 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | - | 0.00247 | 0.08 | CVE-2023-4219
7  | IBM Security Guardium Request os command injection | 9.2 | 9.2 | $5k-$25k | $5k-$25k | Not defined | Not defined | - | 0.00577 | 0.00 | CVE-2023-35893
8  | Piwigo pwg.users.php sql injection | 6.3 | 6.1 | $0-$5k | $0-$5k | Not defined | Not defined | - | 0.00615 | 0.00 | CVE-2022-26266
9  | Pluck Theme Upload admin.php unrestricted upload | 4.7 | 4.3 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | possible | 0.40632 | 0.04 | CVE-2022-26965
10 | Apache Struts ParameterInterceptor | 5.3 | 5.3 | $5k-$25k | $0-$5k | High | Not defined | expected | 0.92851 | 0.06 | CVE-2010-1870
11 | Synacor Zimbra Collaboration Memcache Command injection | 6.9 | 6.7 | $0-$5k | $0-$5k | High | Official fix | verified | 0.72304 | 0.04 | CVE-2022-27924
12 | OpenSSL c_rehash os command injection | 5.5 | 5.3 | $5k-$25k | $0-$5k | Not defined | Official fix | possible | 0.76322 | 0.19 | CVE-2022-1292
13 | AfterLogic Aurora/WebMail Pro DAV DAVServer.php pathname traversal | 7.6 | 7.6 | $0-$5k | $0-$5k | Not defined | Not defined | possible | 0.50700 | 0.00 | CVE-2021-26293
14 | Artifex MuJS heap-based overflow | 5.5 | 5.3 | $0-$5k | $0-$5k | Not defined | Official fix | - | 0.00408 | 0.04 | CVE-2021-45005
15 | Discuz! DiscuzX Access Restriction index.php access control | 8.5 | 8.5 | $0-$5k | $0-$5k | Not defined | Not defined | - | 0.00115 | 0.02 | CVE-2018-5377
16 | Juniper Junos Pulse Secure Access Service SSL VPN Web Server cross site scripting | 6.3 | 6.0 | $5k-$25k | $0-$5k | Not defined | Official fix | - | 0.00263 | 0.04 | CVE-2013-5649
17 | Ubiquiti EdgeRouter X Web Management Interface command injection | 7.1 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | - | 0.11278 | 0.08 | CVE-2023-2373
18 | Zimbra Collaboration Suite zmmailboxdmgr exceptional condition | 7.8 | 7.7 | $0-$5k | $0-$5k | Not defined | Official fix | - | 0.00033 | 0.00 | CVE-2024-27442
19 | MongoDB Server tls.CAFile certificate validation | 5.9 | 5.9 | $0-$5k | $0-$5k | Not defined | Official fix | - | 0.00630 | 0.07 | CVE-2024-1351
20 | SpringBlade DAO/DTO list sql injection | 8.5 | 8.5 | $0-$5k | $0-$5k | Not defined | Not defined | - | 0.00245 | 0.03 | CVE-2020-16165

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • THOR

IOC - Indicator of Compromise (20)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (20)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (102)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID  | Class       | Indicator                                  | Type       | Confidence
----|-------------|--------------------------------------------|------------|-----------
1   | File        | /admin.php?action=themeinstall             | predictive | High
2   | File        | /admin/ajax/avatar.php                     | predictive | High
3   | File        | /admin/uploads.php                         | predictive | High
4   | File        | /admin/users.php?source=edit_user&id=1     | predictive | High
5   | File        | /api/blade-log/api/list                    | predictive | High
6   | File        | /cgi-bin/p1_ftpserver.php                  | predictive | High
7   | File        | /cgi-bin/portal                            | predictive | High
8   | File        | /cgi-bin/tosei_kikai.php                   | predictive | High
9   | File        | /etc/passwd                                | predictive | Medium
10  | File        | /etc/shadow                                | predictive | Medium
11  | File        | /htmlcode/html/indexdefault.asp            | predictive | High
12  | File        | /include/config.cache.php                  | predictive | High
100 | Input Value | ..                                         | predictive | Low
101 | Input Value | ../                                        | predictive | Low
