APT39 Analysis

IOB - Indicator of Behavior (341)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 294
es: 20
it: 6
zh: 6
fr: 4


Country

us: 200
ru: 28
es: 24
cn: 18
ir: 10


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Microsoft Windows: 16
Apache HTTP Server: 8
WordPress: 8
Netwave IP Camera: 6
PHP: 6


Vulnerabilities

#  | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1  | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192
2  | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00241 | 1.64 | CVE-2020-12440
3  | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00548 | 0.14 | CVE-2017-0055
4  | VMware vRealize Orchestrator Path redirect | 3.0 | 2.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00121 | 0.00 | CVE-2021-22036
5  | vm2 injection | 9.9 | 9.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.01236 | 0.06 | CVE-2023-32314
6  | OpenSSH Authentication Username information disclosure | 5.3 | 4.8 | $5k-$25k | $0-$5k | High | Official Fix | 0.10737 | 0.28 | CVE-2016-6210
7  | PHPMailer Phar Deserialization addAttachment deserialization | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00748 | 0.00 | CVE-2020-36326
8  | jQuery Property extend Pollution cross site scripting | 6.6 | 6.3 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.03535 | 0.04 | CVE-2019-11358
9  | Rust Programming Language Standard Library type_id memory corruption | 7.7 | 7.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00261 | 0.04 | CVE-2019-12083
10 | WordPress sql injection | 6.8 | 6.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00467 | 0.08 | CVE-2022-21664
11 | Apple iOS WebKit buffer overflow | 6.3 | 6.0 | $25k-$100k | $5k-$25k | High | Official Fix | 0.00518 | 0.04 | CVE-2021-30666
12 | WordPress path traversal | 5.7 | 5.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00400 | 0.00 | CVE-2023-2745
13 | Canon IJ Network Tool Wi-Fi Connection Setup missing password field masking | 5.4 | 5.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00052 | 0.00 | CVE-2023-1763
14 | ciubotaru share-on-diaspora new_window.php cross site scripting | 4.4 | 4.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00063 | 0.04 | CVE-2017-20176
15 | Postfix Admin functions.inc.php sql injection | 7.3 | 7.0 | $5k-$25k | $0-$5k | High | Official Fix | 0.00253 | 0.00 | CVE-2014-2655
16 | D-Link DCS-2530L/DCS-2670L ddns_enc.cgi command injection | 7.5 | 7.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00135 | 0.05 | CVE-2020-25079
17 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.00817 | 0.14 | CVE-2014-4078
18 | SourceCodester Library Management System bookdetails.php sql injection | 7.1 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00322 | 0.03 | CVE-2022-2214
19 | Phplinkdirectory PHP Link Directory conf_users_edit.php cross-site request forgery | 6.3 | 6.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00526 | 0.04 | CVE-2011-0643
20 | Lotus Domino Request information disclosure | 5.3 | 5.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00877 | 0.00 | CVE-2002-0245

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Chafer

IOC - Indicator of Compromise (17)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (20)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (145)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1  | File | //etc/RT2870STA.dat | predictive | High
2  | File | /admin/index.php?id=themes&action=edit_template&filename=blog | predictive | High
3  | File | /api/login | predictive | Medium
4  | File | /appConfig/userDB.json | predictive | High
5  | File | /bin/boa | predictive | Medium
6  | File | /cgi-bin/wapopen | predictive | High
7  | File | /CPE | predictive | Low
8  | File | /cwp_{SESSION_HASH}/admin/loader_ajax.php | predictive | High
9  | File | /jquery_file_upload/server/php/index.php | predictive | High
10 | File | /librarian/bookdetails.php | predictive | High
11 | File | /magnoliaPublic/travel/members/login.html | predictive | High
12 | File | /Main_AdmStatus_Content.asp | predictive | High
13 | File | /public/login.htm | predictive | High
14 | File | /requests.php | predictive | High
15 | File | /self.key | predictive | Medium
16 | File | /server-status | predictive | High

References (4)

The following list contains external sources which discuss the actor and the associated activities:
