GRU Analysis

IOB - Indicator of Behavior (400)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 284
ru: 70
de: 16
es: 14
fr: 6

Country

ru: 162
us: 138
ro: 44
fr: 10
de: 4

Actors


Activities

Interest

Timeline


Type


Vendor


Product

AMD CPU: 10
Microsoft Windows: 8
Apple macOS: 6
Apache HTTP Server: 6
PHP: 6

Vulnerabilities

#  | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1  | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192
2  | Cisco CX Cloud Agent permission | 7.1 | 7.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00042 | 0.00 | CVE-2023-20044
3  | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00241 | 1.62 | CVE-2020-12440
4  | Zyxel ATP/USG FLEX/VPN Logs Page cross site scripting | 3.6 | 3.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00049 | 0.02 | CVE-2023-27990
5  | PHP PHAR phar_dir_read buffer overflow | 8.2 | 8.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00083 | 0.08 | CVE-2023-3824
6  | AMD CPU ASP memory corruption | 5.4 | 5.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00063 | 0.03 | CVE-2022-23813
7  | Fortinet FortiClientEMS hard-coded key | 6.6 | 6.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00062 | 0.00 | CVE-2021-41028
8  | Microsoft Excel/Office/PowerPoint/Publisher/Visio/Word/Skype Remote Code Execution | 7.3 | 6.7 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.00050 | 0.00 | CVE-2024-20673
9  | AMD CPU random values | 2.6 | 2.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00043 | 0.00 | CVE-2021-26407
10 | Fortinet FSSO Collector UDP Login Notification Packet improper authentication | 6.3 | 6.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00068 | 0.00 | CVE-2021-26088
11 | Asus RT-AX56U Profile Configuration out-of-bounds write | 8.8 | 8.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00073 | 0.00 | CVE-2022-23973
12 | ISC BIND named allocation of resources | 7.5 | 7.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00052 | 0.05 | CVE-2023-6516
13 | Microsoft Windows DNS Client denial of service | 7.5 | 6.8 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00090 | 0.04 | CVE-2024-21342
14 | TRENDnet TEW-815DAP POST Request do_setNTP command injection | 8.3 | 8.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00058 | 0.00 | CVE-2024-0919
15 | Linux-PAM pam_namespace.so protect_dir denial of service | 3.3 | 3.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00042 | 0.00 | CVE-2024-22365
16 | Oracle MySQL Server Options denial of service | 4.4 | 4.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00044 | 0.03 | CVE-2024-20968
17 | Oracle MySQL Server RAPID denial of service | 6.5 | 6.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00044 | 0.02 | CVE-2024-20960
18 | Google Go net-http information disclosure | 4.8 | 4.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00052 | 0.02 | CVE-2023-39326
19 | AMI AptioV BMP Logo unrestricted upload | 7.2 | 7.2 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00043 | 0.04 | CVE-2023-39538
20 | 1C:Enterprise URL Parameter information disclosure | 5.9 | 5.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00168 | 0.06 | CVE-2021-3131

IOC - Indicator of Compromise (10)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (18)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (118)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1  | File | .htaccess | predictive | Medium
2  | File | /?ajax-request=jnews | predictive | High
3  | File | /admin/students/view_student.php | predictive | High
4  | File | /admin_ping.htm | predictive | High
5  | File | /CommunitySSORedirect.jsp | predictive | High
6  | File | /loginLess/../../etc/passwd | predictive | High
7  | File | /see_more_details.php | predictive | High
8  | File | /system/proxy | predictive | High
9  | File | /uncpath/ | predictive | Medium
10 | File | /usr/local/nagios/bin/npcd | predictive | High
11 | File | accountancy/customer/card.php | predictive | High
12 | File | addentry.php | predictive | Medium
13 | File | add_comment.php | predictive | High
14 | File | admin.php | predictive | Medium
15 | File | admin/create-package.php | predictive | High

References (2)

The following list contains external sources which discuss the actor and the associated activities:
