IOC Radar
IP · Medium · Signal 100/100

47.103.218.35

Location: Shanghai, Shanghai, China
ASN: AS37963 (Aliyun Computing Co., LTD)
First Seen: Mar 3, 2024 (833d ago)
Last Seen: Jun 5, 2026 (9d ago)
Reports: 20 (source reports)
Confidence: 99% (medium)
Found in 20 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
Type: IPv4 Address (network layer indicator observed in threat reports)
MISP Category: Network Activity
Confidence: 99%
Signal Score: 100 / 100
IDS Rule: No
Threat Context

MITRE ATT&CK TTPs: 88 techniques

Network Information

Country: CN (China)
Region: Shanghai, Shanghai
ASN: AS37963
Organization: Aliyun Computing Co., LTD

IP Category: Hosting (hosting provider)

Feed Intelligence Summary

Source reports: 20
Confidence score: 99%

Category tags
active scanning, aerospace & defense, aerospace sector, and technology organizations, and technology sectors, apt, apt group, arm, ascii, asia, asyncrat, atlantidastealer, attack, automotive manufacturing, banking, bat, bin, blacklisted ip, blackmatter, botnet, botnetdomain, brute force, brute_force, c2, c2 ip, c2 ip address, c2 server, cert, chaos_ransomware, china, chinese state-sponsored, chinese state-sponsored actor, civil services, cn, cobalt strike, cobalt strike framework, cobaltstrike, coinminer, command and control, communication technologies, compromised host, compromised hosts, compromised system indicators, compromised systems, credential access, credential harvesting, credential stuffing, credential_access, credit card services, cutwail, cyber espionage, cyber threats, cyber-espionage, data exfiltration, ddos attacks, defence, defense, defense contracting, defense contractors, defense logistics, defense sector, defense systems, defense technology, distributed attacks, dll, document lures, donald trump, donutloader, electronics manufacturing, elf, encoded, energy, energy distribution, europe/asia, exe, fake_python, finance, financial services, financial technology, fleet management, foreign affairs, freight services, ftp, ftp brute force, future, go programming language, go-based malware, government agencies, government sector, government technology, guloader, gunra ransomware, hajime, higher education, ics, indicator, industrial automation, industrial iot, industrial production, information technology, infrastructure acquisition reconnaissance, initial access, insikt, insikt group, internet of things, ioc, iot botnet, iot/ics attack, it infrastructure, ivanti, key-09-04-05, koiloader, lateral movement, leslieloader, lnk, lockbit, loki, lumma staeler, lummastealer, malicious activity, malicious links, malicious software, malware, malware campaign, malware distribution, manual, manufacturing technology, marine, maritime transport, media, metasploit, meterpreter, military operations, mips, mirai botnet, mobile carriers, mobile networks, model, modiloader, moobot, motorola, mozi, national security, network, network intrusion, network scanning, network security, network_reconnaissance, oil & gas, oil and gas, opendir, palo alto networks, panama targets,
pantegana backdoor, passenger transportation, payment processing, pdf lure, perimeter appliance exploitation, perimeter appliances, phishing, phishing attack, possible ddos activity, power generation, power systems, powerpc, process injection, process manufacturing, proof-of-concept, protocol exploitation, ps1, public administration, public infrastructure, public policy, pythonstealer, qakbot, quakbot, quality control, rail transport, rat, reconnaissance, reconnaissance activity, recorded future, rednovember, regulatory agencies, remote access, remote services, renesas, renewable energy, researched, rev-base64-loader, saint helena, ascension and tristan da cunha, scanner, social engineering, software development, south korea, south korea targets, southeast asia, spam-ita, sparc, sparkrat, sparkrat trojan, ssh attack, stealc, strelastealer, strike c2, supply chain management,
t1003, t1005, t1016, t1018, t1021, t1021.001, t1021.002, t1027, t1027.001, t1027.002, t1027.007, t1033, t1036, t1040, t1046, t1047, t1055, t1057, t1059, t1059.001, t1059.003, t1059.004, t1068, t1069, t1070, t1071, t1071.001, t1071.002, t1076, t1078, t1082, t1083, t1087, t1098, t1105, t1110, t1110.002, t1136, t1189, t1190, t1195, t1204, t1204.001, t1204.002, t1210, t1486, t1496, t1499.001, t1499.002, t1499.003, t1530, t1543, t1547.001, t1552, t1553, t1555, t1556, t1562, t1563, t1565, t1566, t1566.001, t1566.002, t1566.003, t1569, t1569.002, t1571, t1573, t1583, t1583.003, t1584, t1586, t1587, t1587.001, t1588, t1588.002, t1588.004, t1589, t1590, t1590.001, t1590.006, t1592, t1594, t1595, t1595.001, t1595.002, t1595.003, t1598,
tag-100, taiwan, taiwan targets, technology sector, telecom services, telecommunications, telnet threat, threat actor, tools, trade, transportation and warehousing, transportation infrastructure, transportation technology, turkey, txt, ua-wget, unauthorized access attempt, urls, us targets, vipkeylogger, wealth management, weaponized proof-of-concept, web security, word document, wsowebshell, xored, xworm, xworm campaign, zip file

Activity Timeline

1 total observation (range: Jun 5 to Jun 5)

Threat Activity Heatmap

[Calendar heatmap, Jun through the following Jun, rows Mon/Wed/Fri; peak: 2026-06-05]
Activity windows:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk (100)
Signal Score: 100
Confidence: 99%
Reports: 20
First seen: Mar 3, 2024
Last seen: Jun 5, 2026
Geolocation: CN
Country: China
Location: Shanghai, Shanghai
ASN: AS37963
Org: Aliyun Computing Co., LTD
Coords: 31.2222, 121.4581
Hosting

VirusTotal: Not checked

WHOIS

description
RedNovember, a Chinese state-sponsored threat group, has expanded its cyber-espionage activities globally. The group targets high-profile government, intergovernmental, and private sector organizations, focusing on defense, aerospace, and technology sectors. It uses the Go-based backdoor Pantegana and Cobalt Strike for intrusions, exploiting vulnerabilities in perimeter appliances. RedNovember's tactics include combining weaponized proof-of-concept exploits with open-source tools, allowing for scalable operations and attribution obfuscation. The group has shown particular interest in targets across the US, Taiwan, South Korea, and Panama, often aligning its activities with geopolitical events and Chinese strategic interests.
raw
inetnum: 47.100.0.0 - 47.103.255.255
netname: ALISOFT
descr: Aliyun Computing Co., LTD
descr: 5F, Builing D, the West Lake International Plaza of S&T
descr: No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099
country: CN
admin-c: ZM1015-AP
tech-c: ZM877-AP
tech-c: ZM876-AP
tech-c: ZM875-AP
abuse-c: AC1601-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
mnt-irt: IRT-ALISOFT-CN
last-modified: 2023-11-28T00:58:17Z
source: APNIC

irt: IRT-ALISOFT-CN
address: No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099
e-mail: [email protected]
abuse-mailbox: [email protected]
auth: # Filtered
admin-c: ZM877-AP
tech-c: ZM877-AP
mnt-by: MAINT-CNNIC-AP
last-modified: 2021-09-05T23:38:36Z
source: APNIC

role: ABUSE CNNICCN
country: ZZ
address: Beijing, China
phone: +000000000
e-mail: [email protected]
admin-c: IP50-AP
tech-c: IP50-AP
nic-hdl: AC1601-AP
remarks: Generated from irt object IRT-CNNIC-CN
remarks: [email protected] is invalid
abuse-mailbox: [email protected]
mnt-by: APNIC-ABUSE
last-modified: 2025-09-19T17:20:32Z
source: APNIC

person: Li Jia
address: NO.969 West Wen Yi Road, Yu Hang District, Hangzhou
country: CN
phone: +86-0571-85022088
e-mail: [email protected]
nic-hdl: ZM1015-AP
mnt-by: MAINT-CNNIC-AP
last-modified: 2025-07-01T07:12:42Z
source: APNIC

person: Guoxin Gao
address: 5F, Builing D, the West Lake International Plaza of S&T
address: No.391 Wen'er Road, Hangzhou City
address: Zhejiang, China, 310099
country: CN
phone: +86-0571-85022600
fax-no: +86-0571-85022600
e-mail: [email protected]
nic-hdl: ZM875-AP
mnt-by: MAINT-CNNIC-AP
last-modified: 2014-07-30T01:56:01Z
source: APNIC

person: security trouble
e-mail: [email protected]
address: 5th,floor,Building D,the West Lake International Plaza of S&T,391#Wen??r Road
address: Hangzhou, Zhejiang, China
phone: +86-0571-85022600
country: CN
mnt-by: MAINT-CNNIC-AP
nic-hdl: ZM876-AP
last-modified: 2025-07-01T07:06:11Z
source: APNIC

person: Guowei Pan
address: 5F, Builing D, the West Lake International Plaza of S&T
address: No.391 Wen'er Road, Hangzhou City
address: Zhejiang, China, 310099
country: CN
phone: +86-0571-85022088-30763
fax-no: +86-0571-85022600
e-mail: [email protected]
nic-hdl: ZM877-AP
mnt-by: MAINT-CNNIC-AP
last-modified: 2025-07-01T07:05:46Z
source: APNIC

route: 47.103.218.0/24
descr: Alibaba (US) Technology Co., Ltd.
origin: AS37963
mnt-by: MAINT-CNNIC-AP
last-modified: 2020-06-28T00:42:17Z
source: APNIC

route: 47.103.218.0/24
descr: Alibaba (US) Technology Co., Ltd.
origin: AS45102
mnt-by: MAINT-CNNIC-AP
last-modified: 2020-06-28T00:42:21Z
source: APNIC
references
https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations
Sep week4.pdf
https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt
https://urlhaus.abuse.ch/browse/
https://twitter.com/drb_ra/status/1769703554359398554
https://twitter.com/drb_ra/status/1769703623108264072
https://twitter.com/drb_ra/status/1769709909535289634
https://twitter.com/drb_ra/status/1769709962224083333
https://twitter.com/drb_ra/status/1769709988987994430
https://twitter.com/drb_ra/status/1769710040657641558
https://twitter.com/drb_ra/status/1769710061591429569
https://twitter.com/drb_ra/status/1769710120210989314
https://twitter.com/drb_ra/status/1769710155367584107
https://twitter.com/drb_ra/status/1769710189706444817
https://twitter.com/drb_ra/status/1769710222833021306
https://twitter.com/drb_ra/status/1769710271088435414
https://twitter.com/drb_ra/status/1769710291527356464
https://twitter.com/drb_ra/status/1769710301543330046
https://twitter.com/drb_ra/status/1769710325828304955
https://twitter.com/drb_ra/status/1769710383806165027
https://twitter.com/drb_ra/status/1769710473211969645
https://twitter.com/drb_ra/status/1769710511212396676
https://twitter.com/drb_ra/status/1769710536281784535
https://twitter.com/drb_ra/status/1769710611796029855
https://twitter.com/drb_ra/status/1769710674173694415
https://twitter.com/drb_ra/status/1769710735301476761
https://twitter.com/drb_ra/status/1769710769397027103
https://twitter.com/drb_ra/status/1769710839181828526
https://twitter.com/drb_ra/status/1769710923743183093
https://twitter.com/drb_ra/status/1769784793875509517
https://twitter.com/drb_ra/status/1769784810652729700
https://twitter.com/drb_ra/status/1769797361969021059
https://twitter.com/drb_ra/status/1769797838458781772
https://twitter.com/drb_ra/status/1769797932226658528
https://twitter.com/drb_ra/status/1769849389839798293
https://twitter.com/drb_ra/status/1769849418998591664
https://twitter.com/drb_ra/status/1769849441232544182
https://twitter.com/drb_ra/status/1769849462724186385
https://twitter.com/drb_ra/status/1769860209944469523

IOC Journey

Confidence: medium
First detected 2 years ago · Last seen 9 days ago
Appeared in 20 threat reports