GhostEmperor Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (348)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en240
zh96
de8
es4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

cn210
us130
gb6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

GhostEmperor5
Andariel4
APT101
Cobalt Strike1
Lazarus1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined106
Operating System26
Router Operating System22
Content Management System16
Firewall Software10

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined102
Microsoft26
Cisco14
Apache14
Oracle10

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Microsoft Windows22
Cisco IOS XE14
Cobham Explorer 7106
Zoom On-Premise Meeting Connector Controller6
WordPress6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemEPSSCTICVE
1jforum User input validation5.35.3$0-$5k$0-$5kNot DefinedNot Defined0.002890.04CVE-2019-7550
2ipTIME NAS-I Bulletin Manage unrestricted upload7.17.1$0-$5k$0-$5kNot DefinedNot Defined0.009880.05CVE-2020-7847
3Cisco IOS XE hard-coded credentials8.58.2$5k-$25k$0-$5kNot DefinedOfficial Fix0.003660.03CVE-2018-0150
4Cisco Secure Access Control System EAP-FAST Authentication Module improper authentication9.89.4$5k-$25k$0-$5kNot DefinedOfficial Fix0.005030.00CVE-2013-3466
5Codoforum New Topic cross site scripting4.44.4$0-$5k$0-$5kNot DefinedNot Defined0.000580.00CVE-2020-9007
6LogicBoard CMS away.php redirect6.36.1$0-$5k$0-$5kNot DefinedUnavailable0.000003.62
7Zoom On-Premise Meeting Connector Controller Network Proxy Page os command injection4.74.5$0-$5k$0-$5kNot DefinedOfficial Fix0.001410.00CVE-2021-34414
8ThinkPHP index.php sql injection8.58.5$0-$5k$0-$5kNot DefinedNot Defined0.001790.02CVE-2018-10225
9KingView stgopenstorage API integer overflow6.56.5$0-$5k$0-$5kNot DefinedNot Defined0.000440.00CVE-2018-7471
10Zoho ManageEngine ADManager Plus Privilege Escalation5.75.6$0-$5k$0-$5kNot DefinedOfficial Fix0.001300.00CVE-2023-38743
11Palo Alto PAN-OS unknown vulnerability4.94.9$0-$5k$0-$5kNot DefinedNot Defined0.000750.07CVE-2023-0004
12Serendipity exit.php privileges management6.36.0$0-$5k$0-$5kProof-of-ConceptNot Defined0.000000.19
13spring-boot-actuator-logview LogViewEndpoint.view path traversal5.55.5$0-$5k$0-$5kNot DefinedNot Defined0.000490.04CVE-2023-29986
14Synacor Zimbra Collaboration Memcache Command injection6.36.0$0-$5k$0-$5kHighOfficial Fix0.096650.04CVE-2022-27924
15PHPMailer validateAddress injection5.65.4$0-$5k$0-$5kNot DefinedOfficial Fix0.003440.03CVE-2021-3603
16Dahua IPC-HX3XXX Data Packet improper authentication8.17.7$0-$5k$0-$5kNot DefinedOfficial Fix0.303590.03CVE-2021-33044
17Dahua IPC-HX3XXX Data Packet improper authentication8.17.7$0-$5k$0-$5kNot DefinedOfficial Fix0.064140.00CVE-2021-33045
18SoftEther VPN Server See.sys Kernel 7pk security6.56.5$0-$5k$0-$5kNot DefinedNot Defined0.000440.02CVE-2019-11868
19Cisco IOS XE Privileges access control7.37.0$25k-$100k$0-$5kNot DefinedOfficial Fix0.000420.00CVE-2020-3215
20Winmail Server PHP File netdisk.php copy_folder_file path traversal7.57.5$0-$5k$0-$5kNot DefinedNot Defined0.004400.04CVE-2018-5700

IOC - Indicator of Compromise (7)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
127.102.113.57yukonpick.netGhostEmperor03/22/2022verifiedHigh
227.102.113.240power.playtimeins.netGhostEmperor03/22/2022verifiedHigh
3XX.XXX.XXX.XXXxxxxxxxxxxx03/22/2022verifiedHigh
4XX.XXX.XXX.XXXxxxxxxxxxxx03/22/2022verifiedHigh
5XX.XXX.XXX.XXXXxxxxxxxxxxx03/22/2022verifiedHigh
6XXX.XXX.XXX.XXXxxxxx.xxxxxxx.xxxXxxxxxxxxxxx03/22/2022verifiedHigh
7XXX.XXX.XXX.XXXXxxxxxxxxxxx03/22/2022verifiedHigh

TTP - Tactics, Techniques, Procedures (17)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-21, CWE-22, CWE-23Path TraversalpredictiveHigh
2T1040CAPEC-102CWE-294Authentication Bypass by Capture-replaypredictiveHigh
3T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
4T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
5TXXXX.XXXCAPEC-209CWE-XX, CWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
6TXXXXCAPEC-104CWE-XXX, CWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
7TXXXX.XXXCAPEC-CWE-XXXXxx Xx Xxxx-xxxxx XxxxxxxxpredictiveHigh
8TXXXX.XXXCAPEC-191CWE-XXXXxxx-xxxxx XxxxxxxxxxxpredictiveHigh
9TXXXXCAPEC-136CWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
10TXXXX.XXXCAPEC-178CWE-XXXXxxx XxxxxxxxpredictiveHigh
11TXXXXCAPEC-CWE-XXX, CWE-XXX7xx Xxxxxxxx XxxxxxxxpredictiveHigh
12TXXXXCAPEC-CWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
13TXXXXCAPEC-108CWE-XXXxx XxxxxxxxxpredictiveHigh
14TXXXXCAPEC-102CWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
15TXXXXCAPEC-116CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
16TXXXXCAPEC-CWE-XXXXxxxxxxxxxxxx XxxxxxpredictiveHigh
17TXXXX.XXXCAPEC-1CWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (112)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/.envpredictiveLow
2File/admin/comment.phppredictiveHigh
3File/admin/index.phppredictiveHigh
4File/api/v1/terminal/sessions/?limit=1predictiveHigh
5File/blogpredictiveLow
6File/cgi-bin/login.cgipredictiveHigh
7File/etc/postfix/sender_loginpredictiveHigh
8File/forum/away.phppredictiveHigh
9File/lists/index.phppredictiveHigh
10File/login.htmlpredictiveMedium
11File/mobilebroker/ServiceToBroker.svc/Json/ConnectpredictiveHigh
12File/newpredictiveLow
13File/secure/QueryComponent!Default.jspapredictiveHigh
14File/xxxxxx?xxxxxx=xxxxxxxxxxxxpredictiveHigh
15File/xxxxxx.xxxpredictiveMedium
16File/xxxxxxx/xxxxxxxxxxxxxxxxxx.xxxxpredictiveHigh
17File/xxx/xxx/xxxxxpredictiveHigh
18File/xx-xxxxpredictiveMedium
19Filexxxxxxx.xxxpredictiveMedium
20Filexxx_xxxxx.xxxpredictiveHigh
21Filexxxxx/xxxxx.xxx?x=xxxxxxxx&x=xxxpredictiveHigh
22Filexxxxx/xxxxxx.xxx?xxxxxx=xxx_xxxxpredictiveHigh
23Filexxxxx/xxxxxxx/xxxxxxxxxxpredictiveHigh
24Filexxxxxxxx.xxxpredictiveMedium
25Filexxxx/xxxxxx/xxxxxx_xxxpredictiveHigh
26Filexxxx_xxxxxxxxxx.xpredictiveHigh
27Filexxx_xxxxxxx.xxxpredictiveHigh
28Filexxxxxx/xx_xxx.xpredictiveHigh
29Filexxxxx.xxxpredictiveMedium
30Filexxxxxxx_xxxxxxx.xxpredictiveHigh
31Filexxxx.xxxpredictiveMedium
32Filexxxxxxxxxxxx.xxxpredictiveHigh
33Filexxxxxxxx.xxpredictiveMedium
34Filexxxx/xxxxxxxxxxxxxxxxpredictiveHigh
35Filexx/xx_xxxxx.xpredictiveHigh
36Filexxxxxxxxxxxxxxxxxx.xxxpredictiveHigh
37Filexxxxxx_xxx_xxxx_xxxxx_xx_xxxxx.xpredictiveHigh
38Filexxxxxxxxxx/xxxxxxxxxx/xxxxxxxxx.xxxpredictiveHigh
39Filexxx/xxxxxx.xxxpredictiveHigh
40Filexxxxx.xxxpredictiveMedium
41Filexxxxxxxxxxxxx.xxxpredictiveHigh
42Filexxx/xxx_xxxxxxxxxx.xpredictiveHigh
43Filexxxxxx/xxxxxx.xpredictiveHigh
44Filexxxxxxxxxxx/xxxxx.xpredictiveHigh
45Filexxxxxxx/xxxxx/xx/xxxxxx/xxxxx.xxxxx.xxxpredictiveHigh
46Filexxxxxxxxx.xxxpredictiveHigh
47Filexxxxxxx.xxxpredictiveMedium
48Filexxxxxxx/xxxx_xxx_xxxxx.xxxpredictiveHigh
49Filexxxxxxx.xxxpredictiveMedium
50Filexxxxxxx.xxxpredictiveMedium
51Filexxxxxxx.xxxpredictiveMedium
52Filexxx/xxxxxx/xxxxxxxx/xxxxx/xxxxxxxxx.xxxxpredictiveHigh
53Filexxxxxxxxxxxxx.xxxpredictiveHigh
54Filexxxxx_xxxx.xpredictiveMedium
55Filexxxxxx/?x=xxxxx/\xxxxx\xxx/xxxxxxxxxxxxxx&xxxxxxxx=xxxx_xxxx_xxxx_xxxxx&xxxx[x]=xxxxxx&xxxx[x][]predictiveHigh
56Filexxxxxxxx.xxxpredictiveMedium
57Filexxxx.xxxpredictiveMedium
58Filexxxxxxx.xxpredictiveMedium
59Filexxxxxxxx/xxxxx/xxxxxxxx?xxxxxxxxpredictiveHigh
60Filexx_xxx.xxpredictiveMedium
61Filexxxx-xxxxxx.xpredictiveHigh
62Filexxxxxx/xxxxxxx.xxxpredictiveHigh
63Filexxxx.xxpredictiveLow
64Filexxxx/xxxxxxxx/xxxxxxxx.xxxxpredictiveHigh
65Filexxxxxxx/xxxxxxxx_xxxx_xx_xxx.xpredictiveHigh
66Filexx-xxxx.xxxpredictiveMedium
67Filexx-xxxxxxxx/xxxxx-xx-xxxxx.xxxpredictiveHigh
68Filexx-xxxxxxxx/xxxxxxxxx.xxxpredictiveHigh
69Filexx-xxxxxxxx/xxxx.xxxpredictiveHigh
70Filexx-xxxxx.xxxpredictiveMedium
71File__xxxx_xxxxxxxx.xxxpredictiveHigh
72Libraryxxxxxxxxx.xxxpredictiveHigh
73Libraryxxx/xxxxxxxx.xxpredictiveHigh
74Libraryxxxxxxxx.xxxpredictiveMedium
75Libraryxxx.xxxpredictiveLow
76Libraryxxxxxx.xxxxx.xxxxxxxxpredictiveHigh
77ArgumentxxxxxxxxpredictiveMedium
78ArgumentxxxpredictiveLow
79Argumentxxxxxxxxxx_xxxxx_xxxxxxpredictiveHigh
80Argumentxxxxxxx_xxx/xxxxxpredictiveHigh
81ArgumentxxxxxpredictiveLow
82Argumentxxxx/xxxxxxxxxxpredictiveHigh
83ArgumentxxxxxxxxpredictiveMedium
84Argumentxxxx xxxxpredictiveMedium
85ArgumentxxxxpredictiveLow
86ArgumentxxxxpredictiveLow
87ArgumentxxpredictiveLow
88Argumentxx xxxxxxxpredictiveMedium
89ArgumentxxxpredictiveLow
90ArgumentxxxxxxxxxpredictiveMedium
91Argumentxxxxx_xxxxxx_xxx/xxxxx_xxxx_xxxxxxxxpredictiveHigh
92Argumentxxxxx_xxxxpredictiveMedium
93Argumentxxxx_xxpredictiveLow
94ArgumentxxxxxxxxpredictiveMedium
95ArgumentxxxxxxxxxxxxxpredictiveHigh
96Argumentxxxxxxxxx_predictiveMedium
97ArgumentxxxxxxpredictiveLow
98ArgumentxxxpredictiveLow
99ArgumentxxxxpredictiveLow
100ArgumentxxxxxxxxpredictiveMedium
101ArgumentxxxpredictiveLow
102ArgumentxxxpredictiveLow
103Argumentxxxxxxxxxxxx[xxxx]predictiveHigh
104Argumentx-xxxx-xxxxxpredictiveMedium
105Argument_x_xxxxxxxxxxpredictiveHigh
106Input Value@xxxxxxx.xxx.xxxxxxx.xxxpredictiveHigh
107Input Valuexxxx.xxx::$xxxxpredictiveHigh
108Input Valuexxxxx&#xx;xxxx:predictiveHigh
109Input Value\xxx\xxxpredictiveMedium
110Network Portxxx/xx & xxx/xxxpredictiveHigh
111Network Portxxx/xxxxpredictiveMedium
112Network Portxxx/xxxxxpredictiveMedium

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Do you want to use VulDB in your project?

Use the official API to access entries easily!