Sofacy Analysisinfo

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (164)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

en142
de10
es6
ru4
zh2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

US: USA54
CH: Switzerland42
TR: Turkey10
RU: Russia6
AR: Argentina6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

Sednit5
Sofacy4
APT283
Raccoon2
Vidar2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined66
Web Server10
Database Administration Software8
Content Management System8
Router Operating System8

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined58
IBM4
DragonByte4
Microsoft4
Telerik4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

phpMyAdmin8
Drupal4
LG Mobile Devices4
WordPress4
Linux Kernel4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

#VulnerabilityBaseTemp0dayTodayExpCouKEVEPSSCTICVE
1Backdoor.Win32.Tiny.c Service Port 7778 backdoor7.36.4$0-$5k$0-$5kProof-of-ConceptWorkaround 0.000000.00
2Linux Kernel NILFS File System inode.c security_inode_alloc use after free8.38.1$25k-$100k$0-$5kNot definedOfficial fix 0.000150.02CVE-2022-2978
3SourceCodester Simple and Nice Shopping Cart Script profile.php unrestricted upload6.35.7$0-$5k$0-$5kProof-of-ConceptNot defined 0.000960.04CVE-2022-2909
4Crow HTTP Pipelining use after free8.58.4$0-$5k$0-$5kNot definedOfficial fix 0.016040.06CVE-2022-38667
5mySCADA myPRO command injection9.29.0$0-$5k$0-$5kNot definedOfficial fix 0.032810.00CVE-2022-2234
6GNU Bash Environment Variable variables.c Shellshock os command injection9.89.6$25k-$100k$0-$5kAttackedOfficial fixverified0.942200.05CVE-2014-6271
7WordPress Editor information disclosure4.34.1$5k-$25k$0-$5kNot definedOfficial fix 0.018520.06CVE-2021-29450
8AnyMacro AnyMacro Mail System path traversal5.35.3$0-$5k$0-$5kNot definedNot defined 0.002750.00CVE-2011-2468
9phpMyAdmin Configuration File setup.php code injection8.58.4$5k-$25k$0-$5kAttackedOfficial fixverified0.933900.04CVE-2009-1151
10WordPress class-wp-customize-widgets.php privileges management7.36.4$5k-$25k$0-$5kUnprovenOfficial fix 0.064440.09CVE-2014-5203
11Zeus Zeus Web Server memory corruption10.09.0$0-$5k$0-$5kProof-of-ConceptOfficial fixpossible0.380430.05CVE-2010-0359
12Globitel KSA SpeechLog Save Query cross site scripting3.53.5$0-$5k$0-$5kNot definedNot defined 0.002860.00CVE-2024-33819
13TikiWiki tiki-index.php path traversal7.37.0$0-$5k$0-$5kNot definedOfficial fix 0.017730.12CVE-2007-5684
14PHPWind goto.php cross site scripting4.34.3$0-$5k$0-$5kNot definedNot defined 0.002950.00CVE-2015-4135
15Zabbix latest.php sql injection8.58.4$0-$5k$0-$5kHighOfficial fixexpected0.880010.02CVE-2016-10134
16Ruijie RG-UAC commit.php os command injection4.74.3$0-$5k$0-$5kProof-of-ConceptNot defined 0.003590.02CVE-2024-4504
17OpenSSL c_rehash os command injection5.55.3$5k-$25k$0-$5kNot definedOfficial fixpossible0.701860.04CVE-2022-1292
18Tenda AX1803 getIptvInfo stack-based overflow7.67.6$0-$5k$0-$5kNot definedNot defined 0.002550.07CVE-2023-51969
19ownCloud graphapi GetPhpInfo.php information disclosure7.67.5$0-$5k$0-$5kAttackedOfficial fixverified0.943660.04CVE-2023-49103
20Bitrix Site Manager Vote Module Remote Code Execution7.37.0$0-$5k$0-$5kNot definedOfficial fix 0.097610.07CVE-2022-27228

Campaigns (2)

These are the campaigns that can be associated with the actor:

IOC - Indicator of Compromise (14)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
11.6.3.8Sofacy12/22/2020verifiedLow
223.0.0.185a23-0-0-185.deploy.static.akamaitechnologies.comSofacy12/23/2020verifiedLow
340.112.210.240Sofacy12/23/2020verifiedLow
4XX.XXX.XXX.XXXxxxxx.xxxxxxxxxxx.xxxXxxxxxXxxxxxx08/29/2021verifiedLow
5XX.XX.XX.XXXxxxxx12/23/2020verifiedLow
6XX.XX.XX.XXXXxxxxx12/23/2020verifiedLow
7XX.XXX.XX.XXXxxxxxxxxxxxxxxxx.xxxXxxxxxXxxxxxx08/29/2021verifiedLow
8XX.XXX.XXX.XXXXxxxxxXxxxxxx08/29/2021verifiedLow
9XX.XXX.XX.XXxxxxxx-xx.xxxxxxxx.xxXxxxxxXxxxxxxxxxxxx12/23/2020verifiedVery Low
10XXX.XX.XX.XXxxxxx-xxxxx.xxxxxxx.xxxxXxxxxx12/22/2020verifiedVery Low
11XXX.XX.XX.XXXxxxx-xxxxx.xxxxxxx.xxxxXxxxxx12/22/2020verifiedVery Low
12XXX.XXX.XX.XXXxxxxxxx.xxxx-xxxxxx.xxxXxxxxx12/22/2020verifiedLow
13XXX.XXX.XXX.XXxxxxxxxxxxxxx.xxxXxxxxx12/22/2020verifiedLow
14XXX.XXX.XXX.XXXXxxxxx12/22/2020verifiedLow

TTP - Tactics, Techniques, Procedures (19)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22Path TraversalpredictiveHigh
2T1040CAPEC-102CWE-294Authentication Bypass by Capture-replaypredictiveHigh
3T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
4T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
5TXXXX.XXXCAPEC-XXXCWE-XX, CWE-XXXxxxx Xxxxx Xxxx XxxxxxxxxpredictiveHigh
6TXXXXCAPEC-XXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
7TXXXX.XXXCAPEC-XXXCWE-XXXXxxx-xxxxx XxxxxxxxxxxpredictiveHigh
8TXXXXCAPEC-XXXCWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
9TXXXX.XXXCAPEC-XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
10TXXXXCWE-XXX7xx Xxxxxxxx XxxxxxxxpredictiveHigh
11TXXXXCAPEC-XCWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
12TXXXXCAPEC-XXXCWE-XXXXxxxxxxx Xx Xxxx Xxxxxxx Xxxxxxxxx XxxxxpredictiveHigh
13TXXXXCAPEC-XXXCWE-XX, CWE-XXXxx XxxxxxxxxpredictiveHigh
14TXXXX.XXXCWE-XXXXxxxxxxx Xxxxxx XxxxpredictiveHigh
15TXXXX.XXXCAPEC-XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
16TXXXX.XXXCAPEC-XXXCWE-XXXXxxxxxxxpredictiveHigh
17TXXXXCAPEC-XXXCWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
18TXXXXCAPEC-XXCWE-XXX, CWE-XXXXxxxxxxxxxxxx XxxxxxpredictiveHigh
19TXXXX.XXXCAPEC-XCWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (88)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File.procmailrcpredictiveMedium
2File/dashboard/updatelogo.phppredictiveHigh
3File/etc/openshift/server_priv.pempredictiveHigh
4File/files.md5predictiveMedium
5File/index.phppredictiveMedium
6File/info/headerspredictiveHigh
7File/mkshop/Men/profile.phppredictiveHigh
8File/Noxen-master/users.phppredictiveHigh
9File/uncpath/predictiveMedium
10File/view/HAconfig/baseConfig/commit.phppredictiveHigh
11Filexxxxxxx/xxxxxxxx.xxxpredictiveHigh
12Filexxxxxxx/xxxx.xxxpredictiveHigh
13Filexxxxxxx/xxxxxxxxxxxxx.xxxpredictiveHigh
14Filexxxxx/xxxx/xxxxxxxxxx/xxxxxxxxxxx.xxxpredictiveHigh
15Filexx/xxxxxx_xxx.xxxpredictiveHigh
16Filexxxx/xxxxxxxxxxxx.xxxpredictiveHigh
17Filexxx.xxx?xxx=xxxxx_xxxxpredictiveHigh
18Filexxxxxxxx/xxxxpredictiveHigh
19Filex_xxxxxxpredictiveMedium
20Filexx.xpredictiveLow
21Filexxxxx.xxxpredictiveMedium
22Filexxxxxxxxxx.xxxpredictiveHigh
23Filexxxxxx.xpredictiveMedium
24Filexxxxxxxx.xxxpredictiveMedium
25Filexxxxxxxxxx.xxxpredictiveHigh
26Filexxxx.xxxpredictiveMedium
27Filexxxx_xxxx.xpredictiveMedium
28Filexxxxx.xxxpredictiveMedium
29Filexxxxxx.xxxpredictiveMedium
30Filexxxxx.xpredictiveLow
31Filexxxxxx.xxxpredictiveMedium
32Filexxxxxxxxxx.xxxpredictiveHigh
33Filexxxxx_xxxxxxx.xxxpredictiveHigh
34Filexxx/xxxxxxx/xxxxxx/xxxx/xxxxx/xxxxxxx/xxxxxx/xxxxx/xxx%xxxxxxxxxxxxx.xx.xxxpredictiveHigh
35Filexxxx.xxxpredictiveMedium
36Filexxxxx.xxxpredictiveMedium
37Filexxxxx/xxxxx-xxxx-xxxxxxxx.xxxpredictiveHigh
38Filexxxx.xxx.xxxxxxxxxxpredictiveHigh
39Filexxxxxxxxx/xxxxx/xxxxxx.xxxxpredictiveHigh
40Filexxxx-xxxxx.xxxpredictiveHigh
41Filexxxxxx/xxxx.xxxpredictiveHigh
42Filexxxxxxxxxxxxxxxxx.xxxpredictiveHigh
43Filexxxx/xxx/xxxx-xxxxx.xxxpredictiveHigh
44Filexxxxxxxxx.xpredictiveMedium
45Filexxxxxxx.xxxpredictiveMedium
46Filexx-xxxxxxxx/xxxxx-xx-xxxxxxxxx-xxxxxxx.xxxpredictiveHigh
47Filexx-xxxxxxxx/xxxxxxxxx.xxxpredictiveHigh
48Filexxxxxx.xxxpredictiveMedium
49Filexx_xxxxxxx.xpredictiveMedium
50Libraryxxxxxxxxx/xxx-xxxxxx/xxxxxxxx.xxxpredictiveHigh
51Libraryxxxxx.xxxpredictiveMedium
52ArgumentxxxxpredictiveLow
53ArgumentxxxxxpredictiveLow
54ArgumentxxxxxxxxxpredictiveMedium
55Argumentxxxx/xxxxpredictiveMedium
56Argumentxxxxxx_xxxx_xxxxxxxxpredictiveHigh
57ArgumentxxxxpredictiveLow
58Argumentxxx_xxxx/xxx_xxxxxxxpredictiveHigh
59ArgumentxxxxxxpredictiveLow
60ArgumentxxxxxxxxxxxpredictiveMedium
61Argumentxxxx_xxpredictiveLow
62Argumentxxx_xxxxxxxxpredictiveMedium
63ArgumentxxxxpredictiveLow
64Argumentxxx_xxpredictiveLow
65ArgumentxxxxxxxxpredictiveMedium
66Argumentxxxxxxx[xxxxx]/xxxxxxx[xxxxxxxxxxx]predictiveHigh
67Argumentxxxx_xxxxpredictiveMedium
68Argumentxxxx_xx/xxxxx_xxpredictiveHigh
69ArgumentxxxxxxpredictiveLow
70ArgumentxxxxxxxxxxxxpredictiveMedium
71ArgumentxxxxxxpredictiveLow
72Argumentxxxxxx_xxpredictiveMedium
73ArgumentxxxxxpredictiveLow
74ArgumentxxxxpredictiveLow
75Argumentxxxxxx_xxpredictiveMedium
76ArgumentxxxpredictiveLow
77ArgumentxxxpredictiveLow
78ArgumentxxxxxxxxpredictiveMedium
79ArgumentxxxxxxxpredictiveLow
80ArgumentxxxxpredictiveLow
81Argumentxxxxx/xxxxxpredictiveMedium
82Argument_xxxxpredictiveLow
83Input Value"><xxxxxx>xxxxx(/xxx/)</xxxxxx>predictiveHigh
84Input Valuexxxxx' xxx (xxxxxx xxxx xxxx (xxxxxx(xxxxx(x)))xxxx) xxx 'xxxx'='xxxx&xxxxxxxx=xxxxxxxxxxpredictiveHigh
85Input Valuexxx=/&xxxpredictiveMedium
86Pattern() {predictiveLow
87Network Portxxx/xxxx (xxx)predictiveHigh
88Network Portxxx/xxxxpredictiveMedium

References (6)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

This view requires CTI permissions

Just purchase a CTI license today!