Vicious Panda Analysis

IOB - Indicator of Behavior (118)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 84
zh: 20
de: 8
es: 4
fr: 2


Country

us: 52
cn: 30
vn: 14
ru: 4


Actors


Activities

Interest

Timeline


Type


Vendor


Product

WordPress: 4
Linux Foundation Xen: 2
UliCMS: 2
Nagios: 2
Oracle Database Server: 2


Vulnerabilities

#  | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1  | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192
2  | Tiki Wiki CMS Groupware tiki-jsplugin.php input validation | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.02675 | 0.05 | CVE-2010-4239
3  | Tabit API information disclosure | 4.5 | 4.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00150 | 0.00 | CVE-2022-34776
4  | Phplinkdirectory PHP Link Directory conf_users_edit.php cross-site request forgery | 6.3 | 6.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00526 | 0.04 | CVE-2011-0643
5  | PHPWind goto.php redirect | 6.3 | 6.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00348 | 0.52 | CVE-2015-4134
6  | FasterXML jackson-databind Default Typing information disclosure | 7.4 | 6.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00415 | 0.03 | CVE-2019-12086
7  | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00943 | 0.76 | CVE-2010-0966
8  | UliCMS index.php cross site scripting | 5.7 | 5.7 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00661 | 0.04 | CVE-2019-11398
9  | D-Link DIR-865L register_send.php improper authentication | 7.5 | 7.1 | $5k-$25k | $5k-$25k | Proof-of-Concept | Not Defined | 0.00109 | 0.04 | CVE-2013-3096
10 | WebCalendar settings.php file inclusion | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.03093 | 0.00 | CVE-2005-2717
11 | Cisco ASR901 IPv4 Packet resource management | 5.3 | 4.6 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.02264 | 0.00 | CVE-2014-3293
12 | Earl Miles Views Filters sql injection | 7.3 | 7.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00361 | 0.00 | CVE-2011-4113
13 | Microsoft IIS Frontpage Server Extensions shtml.dll Username information disclosure | 5.3 | 5.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.15958 | 0.05 | CVE-2000-0114
14 | MikroTik RouterOS confused deputy | 7.4 | 7.2 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.05923 | 0.00 | CVE-2019-3924
15 | Google Chrome Downloads Remote Code Execution | 7.5 | 7.4 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.00497 | 0.03 | CVE-2023-5857
16 | DHIS 2 API Endpoint trackedEntityInstances sql injection | 7.7 | 7.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00087 | 0.00 | CVE-2021-41187
17 | DHIS2 Core Web API session expiration | 5.4 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00060 | 0.00 | CVE-2023-31139
18 | ALPACA improper authentication | 5.6 | 5.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00110 | 0.00 | CVE-2021-3618
19 | Bomgar Remote Support Portal JavaStart.jar Applet path traversal | 9.1 | 9.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00195 | 0.03 | CVE-2017-12815
20 | Drupal File Download access control | 5.0 | 5.0 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00058 | 0.00 | CVE-2023-31250

Campaigns (2)

These are the campaigns that can be associated with the actor:

IOC - Indicator of Compromise (10)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (12)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (64)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1  | File | /api/trackedEntityInstances | predictive | High
2  | File | /cgi-bin/luci/api/diagnose | predictive | High
3  | File | /cgi-bin/mesh.cgi?page=upgrade | predictive | High
4  | File | /guest_auth/cfg/upLoadCfg.php | predictive | High
5  | File | /phppath/php | predictive | Medium
6  | File | /uncpath/ | predictive | Medium
7  | File | /WEB-INF/web.xml | predictive | High
8  | File | abook_database.php | predictive | High

References (3)

The following list contains external sources which discuss the actor and the associated activities:
