UNC1151
Essential information
- Confidence
- 100/100
- Published
- 20/12/2025 21:44
- Modified
- 20/12/2025 21:44
- Updated at
- 20/12/2025 21:44
- Revoked
- No
- Author / Source
- AlienVault
- Resource level
- —
- Primary motivation
- —
- Related entities
- 1 reports, 29 attack patterns (mitre), 4 malware, 3 sectors, 2 countries, 38 indicators, 2 vulnerabilities (cve)
Description
No description.
Marking (TLP)
TLP:CLEAR
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (1)
-
2 CVEs 6 MITREs 3 Observables 1 APT
Attack patterns (MITRE) (29)
-
T1078 usesValid Accounts MITRE
-
T1176 usesSoftware Extensions MITRE
-
T1555.003 usesCredentials from Web Browsers MITRE
-
T1190 usesExploit Public-Facing Application MITRE
-
T1586 usesCompromise Accounts MITRE
-
T1552.001 usesCredentials In Files MITRE
-
T1114.002 usesRemote Email Collection MITRE
-
T1566.001 usesSpearphishing Attachment MITRE
-
T1055 usesProcess Injection MITRE
-
T1082 usesSystem Information Discovery MITRE
-
T1560.001 usesArchive via Utility MITRE
-
T1083 usesFile and Directory Discovery MITRE
Malware (4)
-
MICROBACKDOOR uses
-
Cobalt Strike usesFamily
-
GrimPlant usesFamily
-
GraphSteel usesFamily
Sectors (3)
-
Defense targets
-
Government targets
-
Media targets
Countries (2)
-
Ukraine targets
-
Poland targets
Indicators (38)
-
stix 100/100 Revoked
GoLandBuildPE SHA256 of 6b413beb61e46241481f556bb5cdb69c
· Valid until 25/10/2023 · Source: AlienVault -
http://45.84.0.116:443/mindicatesstix 100/100 Revoked· Valid until 07/09/2022 · Source: AlienVault -
stix 100/100 Revoked
TA471 SHA256 of 06124da5b4d6ef31dbfd7a6094fc52a6
· Valid until 25/10/2023 · Source: AlienVault -
stix 100/100 Revoked
Other:Malware-gen\ [Trj] SHA256 of cf204319f7397a6a31ecf76c9531a549
· Valid until 25/10/2023 · Source: AlienVault -
stix 100/100 Revoked
Other:Malware-gen\ [Trj] SHA256 of bd65d0d59f6127b28f0af8a7f2619588
· Valid until 25/10/2023 · Source: AlienVault -
https://a.mpk-krakow.pl/credsindicatesstix 100/100 Revoked· Valid until 23/07/2025 · Source: AlienVault -
stix 100/100 Revoked
TA471 SHA256 of 15c525b74b7251cfa1f7c471975f3f95
· Valid until 25/10/2023 · Source: AlienVault -
stix 100/100 Revoked· Valid until 07/09/2022 · Source: AlienVault
-
stix 100/100 Revoked
TEL:Constructor:Win32/HiddenRMS.A!RAT SHA256 of 2bb5d5aa07fa2c8e9874c117c8fa51d6
· Valid until 25/10/2023 · Source: AlienVault -
http://194.31.98.124:443/iindicatesstix 100/100 Revoked· Valid until 07/09/2022 · Source: AlienVault -
http://194.31.98.124:443/cindicatesstix 100/100 Revoked· Valid until 07/09/2022 · Source: AlienVault
Vulnerabilities (CVE) (2)
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL …
- Attack vector
- NETWORK
- Published
- 02/06/2025
- Modified
- 26/02/2026
RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim …
- Attack vector
- Network
- Published
- 09/06/2025
- Modified
- 21/12/2025