Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
Essential information
- Published: 03/12/2024 15:34
- Modified: 03/12/2024 16:24
- Tags: 2024-12-03 chinese apt crowdoor demodex government masol rat snappybee sparrowdoor telecommunications
- Related entities: 8 vulnerabilities (CVE), 57 observables, 1 intrusion set (APT), 20 techniques (MITRE), 6 malware, 18 others
Description
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Vulnerabilities (CVE) (8)
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published: 03/11/2021
- Modified: 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published: 03/11/2021
- Modified: 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published: 03/11/2021
- Modified: 20/12/2025
A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.
- Attack vector: Network
- Published: 23/09/2022
- Modified: 27/05/2026
Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.
- Attack vector: Network
- Published: 25/03/2024
- Modified: 21/12/2025
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …
- Attack vector: Network
- Published: 10/01/2024
- Modified: 27/05/2026
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …
- Attack vector: Network
- Published: 10/01/2024
- Modified: 27/05/2026
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published: 03/11/2021
- Modified: 20/12/2025
Observables (57)
- 96.9.211.27
- 91.245.253.27
- 45.125.67.144
- 43.226.126.165
- 43.226.126.164
- 205.189.160.3
- 185.105.1.243
- 172.93.165.14
- 172.93.165.10
- 146.70.79.18
- 146.70.79.105
- 143.198.92.175
Intrusion sets (APT) (1)
- (source: AlienVault, confidence 100)
Techniques (MITRE) (20)
- SMB/Windows Admin Shares
- Web Shell
- Bidirectional Communication
- Standard Encoding
- Asymmetric Cryptography
- PowerShell
- Web Protocols
- System Network Configuration Discovery
- System Information Discovery
- File and Directory Discovery
- Process Injection
- Deobfuscate/Decode Files or Information
Malware (6)
Others (18)
- Eswatini
- British Indian Ocean Territory
- South Africa
- Afghanistan
- India
- Taiwan
- Thailand
- Malaysia
- Indonesia
- Philippines
- Pakistan
- Brazil