Malware · Ransomware · Used by 1 actor

Advanced IP Scanner

Advanced IP Scanner is a legitimate network scanning utility that appears in multiple intrusion and ransomware investigations as an attacker-used discovery and network mapping tool. The source material specifically describes its use for identifying available network hosts and conducting active scanning.

It was observed in operations associated with the hacktivist/destructive group Twelve, alongside Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, and PsExec, for credential theft, discovery, network mapping, and privilege escalation. In one intrusion tied to exploitation of CVE-2023-46604 on Apache ActiveMQ and the subsequent deployment of ransomware assessed as LockBit-builder-derived, the attacker ran a renamed copy of Advanced IP Scanner masquerading as SoftPerfect Network Scanner during the second intrusion phase, before ransomware execution. Field Effect also listed it as a tool/file IOC in coordinated Akira ransomware intrusions involving SonicWall SSL VPN access, where attacker tradecraft included network service discovery, lateral movement, staging, attempted exfiltration, and ransomware deployment.

High-confidence behavior supported by the source material is limited to host discovery and active network scanning; no malware-specific persistence or payload functionality beyond its use as a scanner is described.
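The renamed-binary case above is the detectable part: a copy of Advanced IP Scanner saved as another scanner's filename still carries its original PE version resource, which Sysmon Event ID 1 exposes as OriginalFileName. The following is an added example, not code from Mallory or from any of the cited reports; the executable names in SCANNER_ORIGINAL_NAMES and the sample events are assumptions constructed for illustration.

```python
"""Flag renamed copies of Advanced IP Scanner in Sysmon-style process-creation events.

Added example, not from the source page. A renamed executable keeps the
OriginalFileName from its version resource, so a mismatch between that field
and the on-disk Image basename is the masquerading signal described above.
"""
from __future__ import annotations
import ntpath

# Assumed original PE names of the scanner's executables (not taken from the page).
SCANNER_ORIGINAL_NAMES = {"advanced_ip_scanner.exe", "advanced_ip_scanner_console.exe"}


def is_renamed_scanner(event: dict) -> bool:
    """True when the PE identifies itself as Advanced IP Scanner but runs under another name."""
    original = event.get("OriginalFileName", "").lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    return original in SCANNER_ORIGINAL_NAMES and image != original


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Split scanner executions into masquerading (renamed) and as-named runs.

    As-named runs on servers are still worth review; renamed ones are the
    higher-confidence signal because legitimate admins rarely rename the tool.
    """
    out: dict[str, list[str]] = {"masquerading": [], "scanner_as_named": []}
    for ev in events:
        if ev.get("OriginalFileName", "").lower() not in SCANNER_ORIGINAL_NAMES:
            continue  # not the scanner at all
        key = "masquerading" if is_renamed_scanner(ev) else "scanner_as_named"
        out[key].append(f"{ev['Computer']}: {ev['Image']} (PE name {ev['OriginalFileName']})")
    return out


# Constructed sample events modelled on Sysmon Event ID 1 fields (Computer, Image, OriginalFileName).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe",
     "OriginalFileName": "advanced_ip_scanner.exe"},
    {"Computer": "SRV-AMQ01", "Image": r"C:\Users\Public\netscan.exe",
     "OriginalFileName": "advanced_ip_scanner.exe"},  # scanner posing as another tool
    {"Computer": "WS02", "Image": r"C:\Tools\netscan.exe", "OriginalFileName": "netscan.exe"},
]

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_EVENTS).items():
        print(bucket, hits)
```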

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Twelve

Prominent among the other tools used by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, discovery, network mapping, and privilege escalation.

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

T1588.002 Obtain Capabilities: Tool (Evidence: 1)

Various third-party tools are regularly used by the gangs’ affiliates.

Discovery

4 techniques
T1016 System Network Configuration Discovery (Evidence: 6) · Tactic: Discovery

Advanced Port Scanner — an off-the-shelf tool to identify open ports and determine the versions of software running on the system

T1018 Remote System Discovery (Evidence: 8) · Tactic: Discovery

Several actors used discovery tools such as BloodHound, AdFind, Advanced IP Scanner, SoftPerfect Network Scanner, NBTscan, RustScan, and SNScan for user, system, and network discovery.

T1046 Network Service Discovery (Evidence: 14) · Tactic: Discovery

Network Service Scanning (T1046): Primarily consists of abusing Advanced IP Scanners to identify what network hosts are available.

T1482 Domain Trust Discovery (Evidence: 1) · Tactic: Discovery

the other internal network discovery via tools such as Advanced IP Scanner and Netscan to obtain Active Directory information.

Lateral Movement

2 techniques
T1021 Remote Services (Evidence: 1)

The attackers later deployed Slopoly and tools such as AzCopy and Advanced IP Scanner to expand access and move laterally within the network.

T1570 Lateral Tool Transfer (Evidence: 1)

The attackers later deployed Slopoly and tools such as AzCopy and Advanced IP Scanner to expand access and move laterally within the network.

T1105 Ingress Tool Transfer (Evidence: 2)

INC Ransom has downloaded tools to compromised servers including Advanced IP Scanner.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (8)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.