DeathStalker Analysis

IOB - Indicator of Behavior (191)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 180
fr: 4
de: 2
zh: 2
ru: 2


Country

us: 28
cn: 12
ru: 8
bg: 4
es: 2


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Microsoft Windows: 10
Apple iOS: 6
Apple iPadOS: 4
Google Chrome: 4
AXIS 2110 Network Camera: 4


Vulnerabilities

#  | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1  | Best Gallery Albums Plugin admin.php cross site scripting | 5.2 | 4.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00109 | 0.00 | CVE-2014-8758
2  | AXIS 2110 Network Camera getparam.cgi denial of service | 9.8 | 9.3 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.03461 | 0.00 | CVE-2004-2427
3  | onnx ONNX_ASSERTM out-of-bounds | 4.9 | 4.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00045 | 0.00 | CVE-2024-27319
4  | Google Android Codec2BufferUtils.cpp ConvertRGBToPlanarYUV out-of-bounds write | 5.3 | 5.1 | $5k-$25k | $5k-$25k | Not Defined | Official Fix | 0.00043 | 0.05 | CVE-2024-0023
5  | 7-card Fakabao alipay_notify.php sql injection | 5.5 | 5.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00064 | 0.06 | CVE-2023-7183
6  | Scott Paterson Easy PayPal Shopping Cart Plugin cross site scripting | 5.1 | 5.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00045 | 0.00 | CVE-2023-47239
7  | AWeber Free Sign Up Form and Landing Page Builder for Lead Generation and Email Newsletter Growth Plugin cross-site request forgery | 5.8 | 5.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00058 | 0.00 | CVE-2023-47757
8  | Guillemant David WP Full Auto Tags Manager Plugin cross-site request forgery | 6.5 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00058 | 0.00 | CVE-2023-34024
9  | Os Commerce cross site scripting | 6.5 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00049 | 0.00 | CVE-2023-43718
10 | Dolibarr cross site scripting | 5.0 | 5.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00046 | 0.04 | CVE-2023-5323
11 | WordPress Password Reset wp-login.php mail password recovery | 6.1 | 5.8 | $5k-$25k | $0-$5k | Proof-of-Concept | Not Defined | 0.02827 | 0.07 | CVE-2017-8295
12 | TOTOLINK Realtek SDK formSysCmd os command injection | 7.5 | 7.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.96426 | 0.07 | CVE-2019-19824
13 | Samsung ScanPool MAC Address Information information disclosure | 1.9 | 1.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00042 | 0.04 | CVE-2022-30728
14 | Microsoft Windows Runtime Remote Code Execution | 8.1 | 7.7 | $25k-$100k | $5k-$25k | High | Official Fix | 0.40028 | 0.00 | CVE-2022-21971
15 | TP-LINK TL-WR840N/TL-WR841N Session session fixation | 8.5 | 7.5 | $0-$5k | $0-$5k | Proof-of-Concept | Workaround | 0.33980 | 0.04 | CVE-2018-11714
16 | Huawei HarmonyOS Audio Module out-of-bounds | 3.5 | 3.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00221 | 0.00 | CVE-2021-46786
17 | Huawei HarmonyOS Frame Scheduling Module use after free | 5.5 | 5.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00221 | 0.07 | CVE-2022-29794
18 | mySCADA myPRO unrestricted upload | 7.4 | 7.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00218 | 0.00 | CVE-2021-33009
19 | Puppet Enterprise CD4PE Deployment Definition Credentials insufficiently protected credentials | 4.4 | 4.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00044 | 0.00 | CVE-2020-7945
20 | Easy Cookies Policy Plugin Subscriber cross-site request forgery | 3.5 | 3.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00190 | 0.00 | CVE-2021-24405

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Janicab

IOC - Indicator of Compromise (3)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
1 | 87.120.37.68 | www.tubebg.com | DeathStalker | Janicab | 12/17/2022 | verified | High

TTP - Tactics, Techniques, Procedures (17)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (73)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /etc/postfix/sender_login | predictive | High
2 | File | /goform/openSchedWifi | predictive | High
3 | File | /services/details.asp | predictive | High
4 | File | admin/getparam.cgi | predictive | High
5 | File | aepx | predictive | Low
6 | File | app/Plugin/GrafanaModule/Controller/GrafanaConfigurationController.php | predictive | High
7 | File | boafrm/formSysCmd | predictive | High
8 | File | browser.php | predictive | Medium

References (2)

The following list contains external sources which discuss the actor and the associated activities:
