ANOMALI AGENTIC AI
AI-guided security decisions — powered by complete data and real threat intelligence — across detection, investigation, and response.
Why Anomali Agentic AI
300x Faster detection and investigation
Analysts pivot across years of data and intelligence in seconds.
96% Reduced time for threat investigations
Context-driven prioritization reduces false positives and alert fatigue.
50% analyst time saved with operationalized intel
Threat intel informs every stage of the SOC workflow, not just reports.
60% reduced SIEM bill and operational cost
Eliminate SIEM tax and manual effort while scaling data retention.
Built for Security Decisions – Not Just Automation
Most AI security tools focus on automating tasks. Anomali Agentic AI is designed to guide security decisions. It reasons over complete telemetry enriched with threat intelligence to recommend and execute the right actions at the right time.
AI-assisted reasoning
across detection, investigation, and response workflows
Context-aware decisioning
grounded in real security data
Human-guided automation
analysts stay in control
Actions informed by years of historical and real-time context
Core Capabilities
AI-Guided Detection & Prioritization
Combine analytics and intelligence to surface high-confidence threats.
Guided Investigations
AI assists analysts with recommended pivots, context, and next steps.
Agentic Response Workflows
Automate enrichment, triage, and response while keeping humans in control.

Intelligence-Driven Decisions
Threat intelligence informs every stage of detection, investigation, and response.
SOC-Native Experience
Designed for analysts — fast, intuitive, and operational.


AI-Ready Insights Powered by Complete Data
Act faster, investigate smarter, and respond with confidence.
How it works
1. Detect and Prioritize
Analytics and intelligence identify what matters now.
2. Investigate With Guidance
AI recommends investigative paths using complete context.
3. Respond and Automate
Execute automated or guided actions across your security stack.
RELATIONSHIP TO THE PLATFORM
Three Layers. One Operational System.
Unified Security Data Lake
data foundation
ThreatStream Next-Gen
intelligence and context
Agentic SOC Platform
execution and action
Deploy together or adopt incrementally.

Customer Proof
"Having Copilot is like having another mature analyst. We went from 3-hour IOC collection to 3 minutes"
— SOC Manager, Global Enterprise
Move From Information to Action
Enable AI-assisted security operations built on complete context.