0APT

RANSOMWARE

0APT primarily targets enterprise infrastructure and critical IT services, focusing on high-value assets such as network security appliances and business management systems. Their initial access vector often involves exploiting public-facing applications, leveraging vulnerabilities like CVE-2024-3400 in Palo Alto Networks PAN-OS to gain a foothold within the target environment. Once inside, 0APT employs a combination of exfiltration techniques such as moving data to cloud storage and creates persistent backdoors using systemd services to maintain access. This group is distinctive for its strategic targeting of critical infrastructure components and sophisticated evasion tactics that allow them to bypass detection while operating undetected.

From a technical standpoint, 0APT exploits vulnerabilities primarily in network security products and enterprise management systems, with a focus on remote code execution (RCE) and authentication bypass flaws. The use of native API calls and debugger evasion techniques indicates a high level of operational sophistication, suggesting that the group possesses advanced knowledge of system internals and defensive mechanisms. Defenders should prioritize patching critical vulnerabilities in targeted products such as Ivanti ICS and Oracle E-Business Suite, while also implementing robust network monitoring to detect anomalous behavior indicative of these sophisticated attack vectors.

Confirmed CVEs (4)

Exploited by this group as confirmed by threat intelligence sources.

CVE-2024-3400 CRITICAL Palo Alto Networks PAN-OS 10.0 CVE-2025-61882 CRITICAL Oracle Corporation Oracle Concurrent Processing 9.8 CVE-2025-22457 CRITICAL Ivanti Connect Secure 9.8 CVE-2024-21887 CRITICAL Ivanti ICS 9.1

Predicted CVEs (68) CORRELATION

How does prediction work?

Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.

CVE-2025-20337 CRITICAL Cisco Identity Services Engine Software low 10.0 CVE-2020-2021 CRITICAL Palo Alto Networks PAN-OS predicted 10.0 CVE-2021-22893 CRITICAL Ivanti Pulse Connect Secure predicted 10.0 CVE-2024-3400 CRITICAL Palo Alto Networks PAN-OS predicted 10.0 CVE-2026-10520 CRITICAL ivanti Sentry predicted 10.0 CVE-2021-22893 CRITICAL Ivanti Pulse Connect Secure predicted 10.0 CVE-2024-36401 CRITICAL geoserver low 9.8 CVE-2024-40711 CRITICAL Veeam Backup and Recovery low 9.8 CVE-2024-40766 CRITICAL SonicWall SonicOS low 9.8 CVE-2024-4577 CRITICAL PHP Group PHP low 9.8 CVE-2024-50603 CRITICAL Aviatrix Controller low 9.8 CVE-2025-31324 CRITICAL SAP_SE SAP NetWeaver (Visual Composer development server) low 9.8 CVE-2025-3248 CRITICAL langflow-ai langflow low 9.8 CVE-2025-53770 CRITICAL Microsoft SharePoint Enterprise Server 2016 low 9.8 CVE-2024-53704 CRITICAL SonicWall SonicOS predicted 9.8 CVE-2024-40766 CRITICAL SonicWall SonicOS predicted 9.8 CVE-2023-46604 CRITICAL Apache Software Foundation Apache ActiveMQ predicted 9.8 CVE-2025-61882 CRITICAL Oracle Corporation Oracle Concurrent Processing predicted 9.8 CVE-2022-21587 CRITICAL Oracle Corporation Web Applications Desktop Integrator predicted 9.8 CVE-2025-22457 CRITICAL Ivanti Connect Secure predicted 9.8 CVE-2025-3248 CRITICAL langflow-ai langflow predicted 9.8 CVE-2023-35082 CRITICAL Ivanti EPMM predicted 9.8 CVE-2024-7593 CRITICAL Ivanti vTM predicted 9.8 CVE-2026-1281 CRITICAL Ivanti Endpoint Manager Mobile predicted 9.8 CVE-2020-15505 CRITICAL Ivanti MobileIron Multiple Products predicted 9.8 CVE-2021-44529 CRITICAL Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) predicted 9.8 CVE-2023-38035 CRITICAL Ivanti MobileIron Sentry predicted 9.8 CVE-2023-22527 CRITICAL Atlassian Confluence Data Center low 9.8 CVE-2023-46604 CRITICAL Apache Software Foundation Apache ActiveMQ low 9.8 CVE-2024-0012 CRITICAL Palo Alto Networks Cloud NGFW low 9.8 CVE-2025-31324 CRITICAL SAP_SE SAP NetWeaver (Visual Composer development server) predicted 9.8 CVE-2023-38035 CRITICAL Ivanti MobileIron Sentry predicted 9.8 CVE-2021-44529 CRITICAL Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) predicted 9.8 CVE-2023-35078 CRITICAL Ivanti Endpoint Manager Mobile predicted 9.8 CVE-2023-22527 CRITICAL Atlassian Confluence Data Center predicted 9.8 CVE-2023-22515 CRITICAL Atlassian Confluence Data Center predicted 9.8 CVE-2023-22518 CRITICAL Atlassian Confluence Data Center predicted 9.8 CVE-2025-53770 CRITICAL Microsoft SharePoint Enterprise Server 2016 predicted 9.8 CVE-2024-4577 CRITICAL PHP Group PHP predicted 9.8 CVE-2023-35082 CRITICAL Ivanti EPMM predicted 9.8 CVE-2024-0012 CRITICAL Palo Alto Networks Cloud NGFW predicted 9.8 CVE-2022-26501 CRITICAL Veeam Backup & Replication predicted 9.8 CVE-2024-40711 CRITICAL Veeam Backup and Recovery predicted 9.8 CVE-2026-1340 CRITICAL Ivanti Endpoint Manager Mobile predicted 9.8 CVE-2023-35078 CRITICAL Ivanti Endpoint Manager Mobile predicted 9.8 CVE-2024-21887 CRITICAL Ivanti ICS predicted 9.1 CVE-2024-8963 CRITICAL Ivanti CSA (Cloud Services Appliance) predicted 9.1 CVE-2025-0282 CRITICAL Ivanti Connect Secure predicted 9.0 CVE-2025-0282 CRITICAL Ivanti Connect Secure predicted 9.0 CVE-2025-49704 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 8.8 CVE-2025-4428 HIGH Ivanti Endpoint Manager Mobile low 8.8 CVE-2022-26500 HIGH Veeam Backup & Replication predicted 8.8 CVE-2024-29824 HIGH Ivanti EPM predicted 8.8 CVE-2024-21893 HIGH Ivanti ICS predicted 8.2 CVE-2023-46805 HIGH Ivanti ICS predicted 8.2 CVE-2024-21893 HIGH Ivanti ICS predicted 8.2 CVE-2023-46805 HIGH Ivanti ICS predicted 8.2 CVE-2024-13160 HIGH Ivanti Endpoint Manager predicted 7.5 CVE-2025-5777 HIGH NetScaler ADC predicted 7.5 CVE-2024-13159 HIGH Ivanti Endpoint Manager predicted 7.5 CVE-2023-27532 HIGH Veeam Backup & Replication predicted 7.5 CVE-2025-5777 HIGH NetScaler ADC low 7.5 CVE-2025-61884 HIGH Oracle Corporation Oracle Configurator predicted 7.5 CVE-2024-13161 HIGH Ivanti Endpoint Manager predicted 7.5 CVE-2025-4427 HIGH Ivanti Endpoint Manager Mobile low 7.5 CVE-2024-9474 HIGH Palo Alto Networks Cloud NGFW predicted 7.2 CVE-2024-38094 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 7.2 CVE-2025-49706 MEDIUM Microsoft SharePoint Enterprise Server 2016 predicted 6.5

ATT&CK Techniques (48)

T1078 Valid Accounts Initial Access T1133 External Remote Services Initial Access T1190 Exploit Public-Facing Application Initial Access T1566 Phishing Initial Access T1566.001 Phishing: Spearphishing Attachment Initial Access T1047 Windows Management Instrumentation Execution T1059.001 Command and Scripting Interpreter: PowerShell Execution T1106 Native API Execution T1204.002 User Execution: Malicious File Execution T1053.005 Scheduled Task/Job: Scheduled Task Persistence T1543.002 Create or Modify System Process: Systemd Service Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys Persistence T1014 Rootkit Defense Evasion T1027 Obfuscated Files or Information Defense Evasion T1036 Masquerading Defense Evasion T1055 Process Injection Defense Evasion T1070 Indicator Removal Defense Evasion T1140 Deobfuscate/Decode Files or Information Defense Evasion T1562.001 Impair Defenses: Disable or Modify Tools Defense Evasion T1564 Hidden Artifacts Defense Evasion T1622 Debugger Evasion Defense Evasion T1672 Email Spoofing Defense Evasion T1678 Delay Execution Defense Evasion T1003 OS Credential Dumping Credential Access T1003.001 OS Credential Dumping: LSASS Memory Credential Access T1555 Credentials from Password Stores Credential Access T1046 Network Service Scanning Discovery T1082 System Information Discovery Discovery T1083 File and Directory Discovery Discovery T1135 Network Share Discovery Discovery T1526 Cloud Service Discovery Discovery T1021.001 Remote Services: Remote Desktop Protocol Lateral Movement T1021.002 Remote Services: SMB/Windows Admin Shares Lateral Movement T1570 Lateral Tool Transfer Lateral Movement T1005 Data from Local System Collection T1039 Data from Network Shared Drive Collection T1056 Input Capture Collection T1119 Automated Collection Collection T1560 Archive Collected Data Collection T1041 Exfiltration Over C2 Channel Exfiltration T1567 Exfiltration Over Web Service Exfiltration T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration T1071.001 Application Layer Protocol: Web Protocols Command and Control T1573 Encrypted Channel Command and Control T1485 Data Destruction Impact T1486 Data Encrypted for Impact Impact T1489 Service Stop Impact T1490 Inhibit System Recovery Impact