UNC1151
Essential information
- Confidence
- 100/100
- Published
- 20/12/2025 21:44
- Modified
- 20/12/2025 21:44
- Updated at
- 20/12/2025 21:44
- Revoked
- No
- Author / Source
- AlienVault
- Resource level
- —
- Primary motivation
- —
- Related entities
- 1 reports, 29 attack patterns (mitre), 4 malware, 3 sectors, 2 countries, 38 indicators, 2 vulnerabilities (cve)
Description
No description.
Marking (TLP)
TLP:CLEAR
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (1)
-
2 CVEs 6 MITREs 3 Observables 1 APT
Attack patterns (MITRE) (29)
-
T1078 usesValid Accounts MITRE
-
T1176 usesSoftware Extensions MITRE
-
T1555.003 usesCredentials from Web Browsers MITRE
-
T1190 usesExploit Public-Facing Application MITRE
-
T1586 usesCompromise Accounts MITRE
-
T1552.001 usesCredentials In Files MITRE
-
T1114.002 usesRemote Email Collection MITRE
-
T1566.001 usesSpearphishing Attachment MITRE
-
T1055 usesProcess Injection MITRE
-
T1082 usesSystem Information Discovery MITRE
-
T1560.001 usesArchive via Utility MITRE
-
T1083 usesFile and Directory Discovery MITRE
Malware (4)
-
MICROBACKDOOR uses
-
Cobalt Strike usesFamily
-
GrimPlant usesFamily
-
GraphSteel usesFamily
Sectors (3)
-
Defense targets
-
Government targets
-
Media targets
Countries (2)
-
Ukraine targets
-
Poland targets
Indicators (38)
-
stix 100/100 Revoked
GoLandBuildPE SHA256 of 36ff9ec87c458d6d76b2afbd5120dfae
· Valid until 25/10/2023 · Source: AlienVault -
stix 100/100 Revoked· Valid until 07/09/2022 · Source: AlienVault
-
stix 100/100 Revoked
blowfish_constants SHA256 of ea47d88d73fecb1fad1e737f1b373d7f
· Valid until 25/10/2023 · Source: AlienVault -
stix 100/100 Revoked· Valid until 02/06/2026 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 07/09/2022 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 07/09/2022 · Source: AlienVault
-
stix 100/100 Revoked
Doc.Dropper.HexEncodedEXEHeader-9789587-1 SHA256 of da305627acf63792acb02afaf83d94d1
· Valid until 25/10/2023 · Source: AlienVault -
stix 100/100 Revoked
ConventionEngine_Term_Users SHA256 of 2fdf9f3a25e039a41e743e19550d4040
· Valid until 25/10/2023 · Source: AlienVault -
stix 100/100 Revoked
Html.Exploit.CVE_2019_0541-6806972-0 SHA256 of e34d6387d3ab063b0d926ac1fca8c4c4
· Valid until 25/10/2023 · Source: AlienVault -
stix 100/100 Revoked
ALF:Trojan:Win64/CobaltStrike.RTB!MTB SHA256 of b8b7a10dcc0dad157191620b5d4e5312
· Valid until 25/10/2023 · Source: AlienVault
Vulnerabilities (CVE) (2)
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL …
- Attack vector
- NETWORK
- Published
- 02/06/2025
- Modified
- 26/02/2026
RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim …
- Attack vector
- Network
- Published
- 09/06/2025
- Modified
- 21/12/2025