PKPLUG Analysis

IOB - Indicator of Behavior (238)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en  160
zh   76
de    2

Country

cn  172
us   66

Actors

Activities

Interest

Timeline

Type

Vendor

Product

WordPress             8
Trend Micro Apex One  6
Microsoft Windows     6
chatwoot              4
Apple watchOS         4

Vulnerabilities

#  | Vulnerability | Base | Temp | 0day | Today | Exploitability | Remediation | EPSS | CTI | CVE
1  | Sophos Firewall User Portal/Webadmin improper authentication | 8.5 | 8.5 | $0-$5k | $0-$5k | High | Not Defined | 0.97434 | 0.00 | CVE-2022-1040
2  | XoruX LPAR2RRD/STOR2RRD hard-coded credentials | 6.3 | 6.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00262 | 0.00 | CVE-2021-42371
3  | Komodia Redirector SDK Web Companion cryptographic issues | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00220 | 0.00 | CVE-2015-2078
4  | SourceCodester Doctors Appointment System login.php sql injection | 7.4 | 7.1 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00064 | 0.00 | CVE-2023-4219
5  | IBM Security Guardium Request os command injection | 9.2 | 9.2 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00066 | 0.00 | CVE-2023-35893
6  | Piwigo pwg.users.php sql injection | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00088 | 0.03 | CVE-2022-26266
7  | Pluck Theme Upload unrestricted upload | 4.7 | 4.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.02893 | 0.05 | CVE-2022-26965
8  | Apache Struts ParameterInterceptor unknown vulnerability | 5.3 | 5.3 | $5k-$25k | $0-$5k | High | Not Defined | 0.08484 | 0.03 | CVE-2010-1870
9  | Synacor Zimbra Collaboration Memcache Command injection | 6.3 | 6.0 | $0-$5k | $0-$5k | High | Official Fix | 0.09665 | 0.04 | CVE-2022-27924
10 | OpenSSL c_rehash os command injection | 5.5 | 5.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.10649 | 0.04 | CVE-2022-1292
11 | AfterLogic Aurora/WebMail Pro DAV DAVServer.php pathname traversal | 7.6 | 7.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00290 | 0.02 | CVE-2021-26293
12 | Artifex MuJS heap-based overflow | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00221 | 0.00 | CVE-2021-45005
13 | Discuz! DiscuzX Access Restriction index.php access control | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00303 | 0.02 | CVE-2018-5377
14 | Juniper Junos Pulse Secure Access Service SSL VPN Web Server cross site scripting | 6.3 | 6.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00135 | 0.04 | CVE-2013-5649
15 | Matomo safemode.twig Path information disclosure | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00058 | 0.00 | CVE-2019-12215
16 | Google Chrome V8 out-of-bounds write | 7.5 | 7.4 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.00080 | 0.04 | CVE-2024-0517
17 | tough-cookie Cookies prototype pollution | 7.9 | 7.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00107 | 0.09 | CVE-2023-26136
18 | ASUS RT-AC51U Network Request cross site scripting | 3.5 | 3.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00062 | 0.00 | CVE-2023-29772
19 | Asus RT-AC2900 input validation | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.08597 | 0.02 | CVE-2018-8826
20 | Pligg cloud.php sql injection | 6.3 | 6.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00000 | 0.78 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • THOR

IOC - Indicator of Compromise (20)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (19)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (91)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1  | File | /admin.php?action=themeinstall | predictive | High
2  | File | /admin/ajax/avatar.php | predictive | High
3  | File | /admin/uploads.php | predictive | High
4  | File | /admin/users.php?source=edit_user&id=1 | predictive | High
5  | File | /cgi-bin/portal | predictive | High
6  | File | /etc/passwd | predictive | Medium
7  | File | /etc/shadow | predictive | Medium
8  | File | /htmlcode/html/indexdefault.asp | predictive | High
9  | File | /include/config.cache.php | predictive | High
10 | File | /include/helpers/upload.helper.php | predictive | High
11 | File | /patient/appointment.php | predictive | High
12 | File | /xxxxxxx/xxxxxx | predictive | High
13 | File | /xxx | predictive | Low
14 | File | xxxxx.xxx | predictive | Medium
15 | File | xxxxx/xxxx.xxx | predictive | High
16 | File | xxxx.xxx | predictive | Medium
17 | File | xxxxxxxxxxx.xxx | predictive | High
18 | File | xxx\xxxxx\xxxxxxxxxx\xxxxxxxxxxxxxxx.xxx | predictive | High
19 | File | xxxxxxxx\xxxxx.xxx | predictive | High
20 | File | xxx/xxxxxxx.xx | predictive | High
21 | File | xxxxx.xxx | predictive | Medium
22 | File | xxx.xxx | predictive | Low
23 | File | xxxxxx.xxx | predictive | Medium
24 | File | x_xxxxxx | predictive | Medium
25 | File | xxxxxxxxx.xxx | predictive | High
26 | File | xxxxxxx/xxxxx/xxxxxxxx/xxxxx | predictive | High
27 | File | xxxx-xxxxxxxx-xxxxxx.xxx | predictive | High
28 | File | xx/xx-xx.x | predictive | Medium
29 | File | xxx/xxxxxx.xxx | predictive | High
30 | File | xxxxxxx\xxxxxxx\xxxxxxx_xxxxx.xxx | predictive | High
31 | File | xxxxx.xxx | predictive | Medium
32 | File | xxxxx.xxx/xxxxxxxxxxxxx/xxx | predictive | High
33 | File | xxx/xxx.x | predictive | Medium
34 | File | xxxxxx/xxx/xxxxxxxx.x | predictive | High
35 | File | xxxxxxxxxx/xxx/xxxxxx_xxxx.xxx | predictive | High
36 | File | xxxxxxxxx/xxxx_xxxxxxx.xxx.xxx | predictive | High
37 | File | xxxxx.xxx | predictive | Medium
38 | File | xxxxx.xxx | predictive | Medium
39 | File | xxxxxxx.xxx | predictive | Medium
40 | File | xxxxxxx/xxxx/xxxxx/xxxxxxxxxxx.xxx | predictive | High
41 | File | xxxxxxx/xxxxx/xxxxxxx/xxxx.xxx | predictive | High
42 | File | xxxxxxx.xx | predictive | Medium
43 | File | xxxxxxx/xxxxxxxxxxxxxxxx/xxxxxxxxx/xxxxxxxx.xxxx | predictive | High
44 | File | xxxx/xxxxxxxxx.xxx | predictive | High
45 | File | xxxxxx/xxxxx_xxxxxxxx/xxxxxxx.xxxx | predictive | High
46 | File | xxxxx.xxx | predictive | Medium
47 | File | xxx.xxxxx.xxx | predictive | High
48 | File | xxx.xxx | predictive | Low
49 | File | xxx.xxxxxxxxx | predictive | High
50 | File | xxx/xxx/xxx.x | predictive | High
51 | File | xxxxxxxx/xxxxxxxx | predictive | High
52 | File | xxxxxxxxx.xxx | predictive | High
53 | File | xx-xxxxxxxx/xxxxx-xx-xxxxx.xxx | predictive | High
54 | File | xx-xxxxxxxx/xxxxxxxxx.xxx | predictive | High
55 | File | xx-xxxxxxxx/xxxx.xxx | predictive | High
56 | File | xxxxxxxxxxxxx.xxxx | predictive | High
57 | Library | xxx/xxxxxx/xxxxxxxxx/xxxxxxx.xx | predictive | High
58 | Library | xxxxxxx/xxxxxxx/xxxxxx/xxx/xxxxx.xxxxxxx.xxx | predictive | High
59 | Argument | $_xxxxx | predictive | Low
60 | Argument | xxxxxxx | predictive | Low
61 | Argument | xxx | predictive | Low
62 | Argument | xxxxxx | predictive | Low
63 | Argument | xxxxx | predictive | Low
64 | Argument | xxxxx | predictive | Low
65 | Argument | xxxxxxxx | predictive | Medium
66 | Argument | xxxxxxxxxx | predictive | Medium
67 | Argument | xxxxxxxxxxxxxxxxxxxxxxxx | predictive | High
68 | Argument | xxxxxx | predictive | Low
69 | Argument | xxxxx | predictive | Low
70 | Argument | xxxxxx | predictive | Low
71 | Argument | xx | predictive | Low
72 | Argument | xx | predictive | Low
73 | Argument | xx_xxxxxxxx | predictive | Medium
74 | Argument | xxxxxx | predictive | Low
75 | Argument | xxxxxxx | predictive | Low
76 | Argument | xxx_xxx | predictive | Low
77 | Argument | xxxxxxx | predictive | Low
78 | Argument | xxxxxx_xxxx | predictive | Medium
79 | Argument | xxxxxxxxxxx | predictive | Medium
80 | Argument | xxxx | predictive | Low
81 | Argument | xxx | predictive | Low
82 | Argument | xxxxxxxx | predictive | Medium
83 | Argument | xxx | predictive | Low
84 | Argument | xxxxxxxx | predictive | Medium
85 | Argument | xxxxxx[] | predictive | Medium
86 | Argument | xxxxxxxxx | predictive | Medium
87 | Argument | xxxxxxxx | predictive | Medium
88 | Argument | xxxxxxxx | predictive | Medium
89 | Input Value | .. | predictive | Low
90 | Input Value | ../ | predictive | Low
91 | Pattern | |xx|xx|xx| | predictive | Medium

References (2)

The following list contains external sources which discuss the actor and the associated activities:
