216.73.217.22

GhostEmperor

· Published 21/12/2025 06:19 · Modified 21/12/2025 06:19 · Source: AlienVault

Essential information

Confidence
100/100
Published
21/12/2025 06:19
Modified
21/12/2025 06:19
Updated at
21/12/2025 06:19
Revoked
No
Author / Source
AlienVault
Resource level
Primary motivation
Related entities
2 reports, 31 attack patterns (mitre), 4 malware, 1 sectors, 1 countries, 5 indicators, 6 vulnerabilities (cve)

Description

No description.

Marking (TLP)

TLP:CLEAR

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (2)

Attack patterns (MITRE) (31)

  • T1543.003 uses
    Windows Service
  • T1112 uses
    Modify Registry
  • T1505.003 uses
    Web Shell
  • T1543 uses
    Create or Modify System Process
  • T1014 uses
    Rootkit
  • T1562 uses
    Impair Defenses
  • T1132 uses
    Data Encoding
  • T1055.012 uses
    Process Hollowing
  • T1569.002 uses
    Service Execution
  • T1055 uses
    Process Injection
  • T1190 uses
    Exploit Public-Facing Application
  • T1021.001 uses
    Remote Desktop Protocol
  • T1003 uses
    OS Credential Dumping
  • T1059 uses
    Command and Scripting Interpreter
  • BITS Jobs uses
    T1197
  • T1218 uses
    System Binary Proxy Execution
  • T1105 uses
    Ingress Tool Transfer
  • T1082 uses
    System Information Discovery
  • T1129 uses
    Shared Modules
  • T1059.001 uses
    PowerShell
  • T1578 uses
    Modify Cloud Compute Infrastructure
  • T1071.001 uses
    Web Protocols
  • T1574.002 uses
  • T1036 uses
    Masquerading
  • T1140 uses
    Deobfuscate/Decode Files or Information
  • T1547 uses
    Boot or Logon Autostart Execution
  • T1070 uses
    Indicator Removal
  • T1027 uses
    Obfuscated Files or Information
  • T1497 uses
    Virtualization/Sandbox Evasion
  • T1021.002 uses
    SMB/Windows Admin Shares
  • T1570 uses
    Lateral Tool Transfer

Malware (4)

  • Mofu uses
    Family
    Published 20/05/2026 11:10 · Modified 20/05/2026 11:10
  • Terndoor uses
    Family
    Published 20/05/2026 11:10 · Modified 20/05/2026 11:10
  • DEMODEX uses
    Family
    Published 03/12/2024 15:34 · Modified 03/12/2024 15:34
  • Deed RAT uses
    Family
    Published 20/05/2026 11:10 · Modified 20/05/2026 11:10

Sectors (1)

  • Energy targets

Countries (1)

  • Azerbaijan targets

Indicators (5)

  • f81a2e8a2a272e0bdae4e267fa220d6d40e23214087f33bdcdab6c7ad10b60b8 indicates
  • http://sentinelonepro.com:443 indicates
  • imap.dateupdata.com indicates
  • https://sentinelonepro.com:443 indicates
  • sentinelonepro.com indicates

Vulnerabilities (CVE) (6)

CVE-2021-31207 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.

Published
03/11/2021
Modified
20/12/2025
CVE-2024-20399 KEV
6.0 Medium

Cisco NX-OS contains a command injection vulnerability in the command line interface (CLI) that could allow an authenticated, local attacker to execute …

Attack vector
Local
Published
02/07/2024
Modified
21/12/2025
CVE-2021-34473 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.

Published
03/11/2021
Modified
29/05/2026
CVE-2022-41082 KEV
8.0 High

Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …

Attack vector
Adjacent
Published
30/09/2022
Modified
20/12/2025
CVE-2021-34523 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Published
03/11/2021
Modified
20/12/2025
CVE-2022-41040 KEV
8.8 High

Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.

Attack vector
Network
Published
30/09/2022
Modified
20/12/2025