lightSpy Analysis

IOB - Indicator of Behavior (64)

Timeline

Lang

  • en: 36
  • zh: 28

Country

  • cn: 46
  • us: 18

Actors

Activities

Interest

Timeline

Type

Vendor

Product

  • Alt-N MDaemon: 4
  • ONLYOFFICE Document Server: 4
  • PHP: 4
  • PHPMailer: 2
  • Barracuda Networks Barracuda Spam Firewall: 2

Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---------------|------|------|------|-------|-----|-----|------|-----|-----|
| 1 | vsftpd deny_file unknown vulnerability | 3.7 | 3.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00312 | 0.09 | CVE-2015-1419 |
| 2 | Google Chrome V8 Remote Code Execution | 6.3 | 6.0 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.24380 | 0.02 | CVE-2020-16040 |
| 3 | Synacor Zimbra Collaboration Suite WebEx Zimlet server-side request forgery | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.70648 | 0.00 | CVE-2020-7796 |
| 4 | Cisco Unity Connection unrestricted upload | 8.1 | 8.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00127 | 0.06 | CVE-2024-20272 |
| 5 | Devilz Clanportal sql injection | 7.3 | 7.0 | $0-$5k | $0-$5k | High | Official Fix | 0.00684 | 0.03 | CVE-2006-6339 |
| 6 | Ikuai Router OS webman.lua ActionLogin command injection | 7.6 | 7.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00803 | 0.04 | CVE-2023-34849 |
| 7 | Keycloak mTLS Authentication certificate validation | 4.6 | 4.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00086 | 0.04 | CVE-2023-2422 |
| 8 | KeyCloak Password Reset password recovery | 6.5 | 6.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00293 | 0.00 | CVE-2017-12161 |
| 9 | ONLYOFFICE Document Server FontFileBase.h heap-based overflow | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00211 | 0.00 | CVE-2022-29777 |
| 10 | ONLYOFFICE Server User Name input validation | 4.5 | 4.3 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00071 | 0.03 | CVE-2021-43448 |
| 11 | ONLYOFFICE Server Document Editor Service server-side request forgery | 6.8 | 6.5 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00100 | 0.04 | CVE-2021-43449 |
| 12 | ONLYOFFICE Document Server Example editor cross site scripting | 3.5 | 3.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00116 | 0.03 | CVE-2022-24229 |
| 13 | ONLYOFFICE Document Server WebSocket API sql injection | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00174 | 0.00 | CVE-2020-11537 |
| 14 | ONLYOFFICE Server Document Editor improper authentication | 6.9 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00076 | 0.04 | CVE-2021-43447 |
| 15 | ONLYOFFICE Community Server UploadProgress.ashx unrestricted upload | 8.0 | 7.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00633 | 0.04 | CVE-2023-34939 |
| 16 | Microsoft Windows BitLocker Local Privilege Escalation | 6.1 | 5.3 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.00054 | 0.00 | CVE-2021-38632 |
| 17 | MyBatis PageHelper sql injection | 5.0 | 4.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00599 | 0.05 | CVE-2022-28111 |
| 18 | mingSoft MCMS IContentDao.xml sql injection | 6.3 | 6.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.01610 | 0.04 | CVE-2022-23898 |
| 19 | Git Plugin Build authorization | 6.5 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.01156 | 0.03 | CVE-2022-36883 |
| 20 | HelpSystems Cobalt Strike cross site scripting | 4.8 | 4.7 | $0-$5k | $0-$5k | High | Official Fix | 0.00767 | 0.04 | CVE-2022-39197 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • LightSpy

IOC - Indicator of Compromise (3)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

| ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence |
|----|------------|----------|-------|-----------|------------|------|------------|
| 1 | 46.17.43.74 | | APT41 | LightSpy | 10/29/2023 | verified | High |
| 2 | XXX.XX.XXX.XXX | | Xxxxx | Xxxxxxxx | 10/29/2023 | verified | High |
| 3 | XXX.XX.XXX.XXX | | Xxxxxxxx | | 04/16/2024 | verified | High |

TTP - Tactics, Techniques, Procedures (12)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (30)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|----|-------|-----------|------|------------|
| 1 | File | /example/editor | predictive | High |
| 2 | File | admin/killsource | predictive | High |
| 3 | File | cgi-bin/webfile_mgr.cgi | predictive | High |
| 4 | File | data/gbconfiguration.dat | predictive | High |
| 5 | File | xxxxxxxxxxxxx/xxxxxxxxxx/xxxxxxxxxxxxx/xxxxxxxxxxxx.x | predictive | High |
| 6 | File | xxxxxxxxxxx.xxx | predictive | High |
| 7 | File | xxx.xx | predictive | Low |
| 8 | File | xxxxx.xxx/xxxx/x/ | predictive | High |
| 9 | File | xxxxxxx.x | predictive | Medium |
| 10 | File | xxx/xxxxxxxx.x | predictive | High |
| 11 | File | xxxxxxxxxxxxxx.xxxx | predictive | High |
| 12 | File | xxxxxx.xxx | predictive | Medium |
| 13 | File | xx-xxxxx/xxxxx.xxx?xxxx=xxxxxxxxx_xxxxxxxx_xxxxxxx&xxx=xxxxxxxx_xxxxx | predictive | High |
| 14 | File | xx-xxxxxxxx/xxxxx-xx-xxxxx.xxx | predictive | High |
| 15 | Library | xxxxxxxxxxx.xxx | predictive | High |
| 16 | Argument | xxxxxxxxxx | predictive | Medium |
| 17 | Argument | xxxxxxx | predictive | Low |
| 18 | Argument | xxxxxxx | predictive | Low |
| 19 | Argument | xxxxx | predictive | Low |
| 20 | Argument | xxxx | predictive | Low |
| 21 | Argument | xx | predictive | Low |
| 22 | Argument | xxxxx | predictive | Low |
| 23 | Argument | xxxx | predictive | Low |
| 24 | Argument | xxxxxxx | predictive | Low |
| 25 | Argument | xxxxxxx | predictive | Low |
| 26 | Argument | xxxxxxxx | predictive | Medium |
| 27 | Argument | xxxx->xxxxxxx | predictive | High |
| 28 | Argument | _xxxxx | predictive | Low |
| 29 | Input Value | /xxxx.xxx | predictive | Medium |
| 30 | Input Value | {xxxxx:xx(xxxx($_xxx[x]))}x{/xxxxx:xx} | predictive | High |

References (3)

The following list contains external sources which discuss the actor and the associated activities: