Heroes, Salesforce has reported a customer breach event, Anthropic details AI-enabled autonomous attacks, and more. Here's a look at the current cybersecurity landscape for November 21, 2025.
Salesforce has issued a security advisory confirming that customer data was compromised due to a breach in a connected third-party application from Gainsight. The advisory states that unusual activity was detected in Gainsight applications connected to Salesforce customer environments. This incident highlights the persistent and significant risk posed by third-party vendors in the supply chain.
Business impact:
The breach could expose sensitive customer relationship management (CRM) data, including contact information, sales pipelines, and proprietary business intelligence. This can lead to regulatory fines, reputational damage, and loss of customer trust. The incident underscores the need for rigorous third-party risk management and security assessments for all integrated applications.
Recommended action:
Salesforce customers using the Gainsight application should immediately review the security advisory, follow Salesforce's recommended mitigation steps, and audit access logs for any signs of unauthorized activity. Review and enforce least-privilege access for all third-party applications connected to your Salesforce environment.
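One way to carry out the access-log audit recommended above, as an added example that is not part of the newsletter or of Salesforce's own tooling: it baselines a connected app's successful logins over a prior window and flags later logins from unseen source IPs, unseen users, or with a non-success status. The row layout mirrors a few Salesforce LoginHistory field names, the assumption that the third-party app appears in the Application column, and every row and IP are constructed for illustration.

```python
"""Audit connected-app logins against a baseline window.

Added example, not from the newsletter or Salesforce.  The row layout mirrors a
few Salesforce LoginHistory fields (UserId, LoginTime, SourceIp, Application,
Status); that the third-party app shows up under Application is an assumption,
and every row and IP below is constructed (RFC 5737 documentation ranges)."""
from datetime import datetime, timezone

APP = "Gainsight"  # connected-app name as assumed to appear in the Application column


def parse_time(value):
    """LoginTime values are ISO-8601 UTC strings in this constructed export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed export: routine integration-user logins, then the window under review.
SAMPLE_ROWS = [
    {"UserId": "005INTEG01", "LoginTime": "2025-10-03T02:00:00Z", "SourceIp": "203.0.113.10", "Application": APP, "Status": "Success"},
    {"UserId": "005INTEG01", "LoginTime": "2025-10-20T02:00:00Z", "SourceIp": "203.0.113.11", "Application": APP, "Status": "Success"},
    {"UserId": "005ADMIN99", "LoginTime": "2025-10-21T09:00:00Z", "SourceIp": "203.0.113.50", "Application": "Browser", "Status": "Success"},
    {"UserId": "005INTEG01", "LoginTime": "2025-11-16T02:00:00Z", "SourceIp": "203.0.113.10", "Application": APP, "Status": "Success"},
    {"UserId": "005INTEG01", "LoginTime": "2025-11-18T03:14:00Z", "SourceIp": "198.51.100.77", "Application": APP, "Status": "Success"},
    {"UserId": "005ADMIN99", "LoginTime": "2025-11-18T03:20:00Z", "SourceIp": "198.51.100.77", "Application": APP, "Status": "Success"},
    {"UserId": "005INTEG01", "LoginTime": "2025-11-19T22:00:00Z", "SourceIp": "192.0.2.5", "Application": APP, "Status": "Invalid Password"},
]
CUTOFF = parse_time("2025-11-15T00:00:00Z")  # start of the period being audited


def build_baseline(rows, app, cutoff):
    """Successful logins for `app` before `cutoff` define the known user and IP sets."""
    users, ips = set(), set()
    for row in rows:
        if row["Application"] == app and row["Status"] == "Success" and parse_time(row["LoginTime"]) < cutoff:
            users.add(row["UserId"])
            ips.add(row["SourceIp"])
    return users, ips


def audit_connected_app(rows, app, cutoff):
    """Return `app` logins at or after `cutoff` that deviate from the baseline, with reasons."""
    known_users, known_ips = build_baseline(rows, app, cutoff)
    findings = []
    for row in rows:
        if row["Application"] != app or parse_time(row["LoginTime"]) < cutoff:
            continue
        reasons = []
        if row["SourceIp"] not in known_ips:
            reasons.append("new source IP")
        if row["UserId"] not in known_users:
            reasons.append("user never seen with this app")
        if row["Status"] != "Success":
            reasons.append(f"non-success status: {row['Status']}")
        if reasons:
            findings.append({**row, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_connected_app(SAMPLE_ROWS, APP, CUTOFF):
        print(finding["LoginTime"], finding["UserId"], finding["SourceIp"], "; ".join(finding["reasons"]))
```

A real run would feed rows from a LoginHistory export and a baseline window long enough to cover the vendor's normal source addresses; a short baseline turns routine address changes into noise.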
Fortinet has disclosed two critical vulnerabilities in its FortiWeb Web Application Firewall (WAF). The first, an authentication bypass (CVE-2025-64446), can be chained with a second command injection flaw (CVE-2025-58034). Successful combined exploitation allows an unauthenticated attacker to execute arbitrary code on the target device with root privileges, granting full control over a key network security appliance.
Business impact:
A compromised WAF can expose all protected web applications to data theft, manipulation, or complete service disruption. Attackers could bypass security controls, inject malware, or use the compromised device as a pivot point to attack the internal network. This poses a severe risk to data integrity, regulatory compliance, and business continuity.
Recommended action:
Immediately apply the security updates provided by Fortinet. If patching is not immediately possible, restrict access to the FortiWeb management interface to a trusted network and dedicated user group. Hunt for any signs of compromise, such as unexpected outbound connections or unauthorized configuration changes.
Zscaler ThreatLabz has identified a critical remote code execution (RCE) vulnerability, CVE-2025-50165, in the Windows Graphics Component. The flaw, which has a CVSS score of 9.8, resides in `windowscodecs.dll`, a core library used by numerous applications for handling graphics. An attacker could exploit this by tricking a user into opening a specially crafted file, leading to arbitrary code execution on the victim's system.
Business impact:
This vulnerability affects a wide range of Windows systems and applications, making it a high-priority threat. Successful exploitation could lead to system compromise, data breaches, or the deployment of ransomware. The dependency of many applications on this library significantly broadens the attack surface.
Recommended action:
Prioritize the deployment of the patch released by Microsoft for this vulnerability across all affected Windows endpoints and servers. Use asset inventory and vulnerability management tools to identify all systems with the vulnerable `windowscodecs.dll` library.
A new self-spreading cryptomining botnet, dubbed ShadowRay 2.0, is actively exploiting a two-year-old, unpatched vulnerability in the Ray open-source AI framework. The attacks specifically target clusters with NVIDIA GPUs to hijack their processing power for cryptocurrency mining. The botnet's self-replicating nature allows it to spread rapidly across vulnerable systems.
Business impact:
Infected AI/ML infrastructure will suffer from significant performance degradation, leading to increased operational costs (power, cooling) and disruption of critical business computations. The unauthorized access could also expose sensitive training data or proprietary models hosted on the compromised clusters.
Recommended action:
Immediately identify all instances of the Ray AI framework within your environment and apply necessary patches or compensating controls if a patch is unavailable. Monitor GPU utilization and network traffic from Ray clusters for anomalies indicative of cryptomining activity.
AI safety and research company Anthropic disclosed it was the target of a highly sophisticated espionage campaign where attackers used "agentic" AI capabilities to an unprecedented degree. The AI was not just used as an advisory tool but was given autonomy to execute cyberattacks. This marks a significant evolution in the use of AI by threat actors, moving from assistance to autonomous operation.
Business impact:
The use of autonomous AI agents for attacks can dramatically increase the speed, scale, and complexity of cyber threats, potentially overwhelming traditional security defenses. This new paradigm requires a shift in defensive strategies, focusing on detecting and containing autonomous agents rather than just blocking known indicators of compromise.
Recommended action:
Security leaders should begin strategic discussions on how to adapt security monitoring, incident response, and threat modeling to account for AI-driven autonomous attacks. Review security controls for AI/ML environments and enhance monitoring for anomalous API usage or system interactions.
In a significant development for cybersecurity governance, the U.S. Securities and Exchange Commission (SEC) has dropped its lawsuit against SolarWinds and its CISO. The case alleged the company misled investors about its security practices prior to the 2020 supply chain attack. The dismissal of this case will have wide-ranging implications for CISO liability and corporate disclosure requirements related to cybersecurity risks.
Business impact:
This outcome may influence how public companies and their security executives approach cybersecurity disclosures and manage personal liability. While this specific case is dropped, the SEC's focus on cybersecurity as a matter of investor protection remains. Legal and security teams must continue to collaborate closely on accurate and timely risk disclosures.
Recommended action:
CISOs and legal counsel should review their organization's cybersecurity disclosure policies in light of this development. Continue to maintain robust documentation of security programs, risk assessments, and incident response decisions to demonstrate due diligence.
CERT/CC has issued a vulnerability note (VU#268029) for Tenda N300 and 4G03 Pro series routers. A command injection vulnerability across multiple firmware versions allows an attacker to execute arbitrary commands as root. Currently, no patch or solution is available from the vendor.
The OWASP Foundation has published the release candidate for the 2025 OWASP Top 10 list of critical web application security risks. This update offers an early look at the evolving application security landscape, providing a crucial framework for developers and security professionals to prioritize their efforts against modern threats.
Today's intelligence from Anthropic and Talos confirms a strategic shift in the threat landscape: the emergence of agentic AI as an autonomous attacker. Unlike AI-assisted attacks, these new threats involve AI agents making independent decisions and executing complex attack chains. This fundamentally changes the speed and scale at which threats can operate, challenging human-led defense teams. Executives and boards must recognize that AI is no longer just a tool for defense but is now a weapon for offense, requiring strategic investment in AI-driven security platforms and a re-evaluation of incident response plans to counter machine-speed attacks.
Spotlight Rationale: Tenable is selected due to the critical need for rapid, automated vulnerability management highlighted by multiple critical flaws disclosed today. These include the Windows Graphics Component RCE ([CVE-2025-50165](https://nvd.nist.gov/vuln/detail/CVE-2025-50165)), Fortinet FortiWeb flaws ([CVE-2025-64446](https://nvd.nist.gov/vuln/detail/CVE-2025-64446)), and the exploitation of a two-year-old unpatched Ray framework flaw by the ShadowRay botnet.
In a landscape where critical vulnerabilities are being actively exploited, manual patching processes are too slow and risky. Tenable Patch Management provides an automated solution that allows security teams to rapidly identify and remediate critical vulnerabilities like CVE-2025-50165 across the enterprise without risking business disruption. By using customizable rules and guardrails, organizations can accelerate their response to threats like ShadowRay and the Fortinet RCEs, significantly reducing their window of exposure.
Actionable Platform Guidance: Use Tenable to create dynamic asset groups for all Windows systems and FortiWeb appliances. Build a dedicated dashboard to track the remediation progress for CVE-2025-50165, CVE-2025-64446, and CVE-2025-58034. Configure automated patching policies with phased rollouts for these specific vulnerabilities, prioritizing externally-facing and critical systems for immediate deployment.
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Tenable
# Tenable.io Policy Configuration for Prioritizing Today's Critical Threats
1. **Create a Dynamic Tag for Windows RCE:**
   - Name: VULN-CVE-2025-50165
   - Rule: `CVE ID` `is equal to` `CVE-2025-50165`
2. **Create a Dynamic Tag for Fortinet RCE:**
   - Name: VULN-FortiWeb-RCE-Nov25
   - Rule: `CVE ID` `contains` `CVE-2025-64446,CVE-2025-58034`
3. **Create a Scan Policy for Critical Vulnerabilities:**
   - In your Advanced Network Scan policy, navigate to the 'Plugins' tab.
   - Create a new filter: `CVE` `is equal to` `CVE-2025-50165,CVE-2025-64446,CVE-2025-58034`.
   - Save this as a new policy named "Critical Threat Scan - Nov 21 2025".
4. **Prioritize and Scan:**
   - Target scans using the new policy against critical asset groups (e.g., Domain Controllers, External-Facing Servers).
   - Monitor dashboards filtered by the new tags to track remediation progress.
2. YARA Rule for CVE-2025-50165 (Windows Graphics Component)
```yara
rule Detect_Suspicious_WindowsCodecs_Usage_CVE_2025_50165 {
    meta:
        description = "Detects potential exploitation attempts related to the Windows Graphics Component vulnerability (CVE-2025-50165) by looking for suspicious process chains involving windowscodecs.dll."
        author = "Threat Rundown"
        date = "2025-11-21"
        reference = "https://www.zscaler.com/blogs/security-research/cve-2025-50165-critical-flaw-windows-graphics-component"
        severity = "high"
        tlp = "white"
    strings:
        // This is a conceptual rule. Specific exploit artifacts would be needed for a high-fidelity signature.
        $dll = "windowscodecs.dll" nocase
        $proc1 = "msedge.exe" nocase
        $proc2 = "chrome.exe" nocase
        $proc3 = "outlook.exe" nocase
        $child = "cmd.exe" nocase
        $child2 = "powershell.exe" nocase
    condition:
        (uint16(0) == 0x5a4d) and // Is a PE file (MZ header)
        (1 of ($proc*)) and (1 of ($child*)) and $dll
}
```
3. Splunk Query - FortiWeb Authentication Bypass and RCE Attempts

````spl
``` Splunk query to detect potential FortiWeb authentication bypass and RCE attempts ```
index=fortinet sourcetype="fortiweb" http_method="POST"
    (url="/*" OR url="/api/*")
    ``` Keep both blocked and passed-through attempts; no status=200 pre-filter, or blocked requests never surface ```
    (action="blocked" OR action="passthrough")
``` Extract the value of a cmd= parameter from the raw event into a cmd field ```
| rex field=_raw "cmd=(?<cmd>[^&\s]+)"
| search cmd=*
``` stats drops _time, so carry the latest event time along with the count ```
| stats count, latest(_time) AS last_seen BY src_ip, user, url, cmd, status
| where count > 3
| eval risk_score=case(
    match(cmd, "(cat|wget|curl|uname|id)"), 100,
    status=200, 75,
    true(), 50)
| where risk_score >= 75
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table last_seen, src_ip, user, url, cmd, status, count, risk_score
| sort -last_seen
````
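The same scoring logic as the Splunk query above, as an added Python example (not from the newsletter or Fortinet) that runs over constructed log lines so the rule can be checked offline before it goes into a SIEM. The key=value field names mirror what the query assumes rather than FortiWeb's exact log schema, and every sample line and IP is constructed.

```python
"""Score repeated command-injection attempts in FortiWeb-style logs.

Added example, not from the newsletter or Fortinet: it reimplements the scoring
logic of the Splunk query so it can be exercised offline.  The key=value field
names (src_ip, user, url, action, status) mirror what that query assumes rather
than an exact FortiWeb schema, and every sample line and IP is constructed."""
import re
from collections import Counter
from urllib.parse import unquote

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')      # key=value or key="quoted value"
CMD_RE = re.compile(r'cmd=(?P<cmd>[^&"\s]+)')              # the extraction the query's rex performs
SUSPICIOUS_CMD_RE = re.compile(r"(cat|wget|curl|uname|id)")  # pattern from the query's case()


def parse_kv(line):
    """Turn one log line into a dict, stripping surrounding quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def risk_score(cmd, status):
    """Query's case(): known recon/download binaries 100, else 75 if the request got through, else 50."""
    if SUSPICIOUS_CMD_RE.search(cmd):
        return 100
    if status == "200":
        return 75
    return 50


def score_fortiweb_lines(lines, min_count=4, min_risk=75):
    """Aggregate POST requests carrying a cmd= parameter and keep repeated, high-risk groups.

    min_count=4 matches the query's `where count > 3`.  Blocked requests are kept on
    purpose: a burst of blocked injections is still a probe worth triaging."""
    groups = Counter()
    for line in lines:
        ev = parse_kv(line)
        if ev.get("http_method") != "POST" or ev.get("action") not in ("blocked", "passthrough"):
            continue
        match = CMD_RE.search(line)
        if not match:
            continue
        cmd = unquote(match.group("cmd"))  # undo %20 etc. before pattern matching
        key = (ev.get("src_ip"), ev.get("user", "-"), ev.get("url"), cmd, ev.get("status"))
        groups[key] += 1

    findings = []
    for (src_ip, user, url, cmd, status), count in groups.items():
        score = risk_score(cmd, status)
        if count >= min_count and score >= min_risk:
            findings.append({"src_ip": src_ip, "user": user, "url": url, "cmd": cmd,
                             "status": status, "count": count, "risk_score": score})
    findings.sort(key=lambda f: (-f["risk_score"], -f["count"]))
    return findings


def _line(src, url, status, action, query, method="POST"):
    """Build one constructed log line in the simplified key=value form described above."""
    return (f"date=2025-11-21 time=03:14:07 src_ip={src} user=- http_method={method} "
            f'url="{url}" status={status} action={action} msg="{query}"')


# Constructed sample: documentation-range IPs, invented paths and parameters.
SAMPLE_LINES = (
    [_line("198.51.100.23", "/api/config", 200, "passthrough", "cmd=uname%20-a")] * 4      # got through, recon
    + [_line("192.0.2.44", "/api/config", 403, "blocked", "cmd=wget%20example.test")] * 4  # blocked, but a burst
    + [_line("203.0.113.9", "/login", 403, "blocked", "cmd=dump")] * 5                     # repeated, low risk
    + [_line("203.0.113.9", "/api/config", 200, "passthrough", "cmd=ls")] * 2              # too few to report
    + [_line("203.0.113.9", "/api/config", 200, "passthrough", "cmd=ls", method="GET")] * 4  # not a POST
    + [_line("203.0.113.9", "/api/config", 200, "passthrough", "page=1")]                  # no cmd= parameter
)

if __name__ == "__main__":
    for finding in score_fortiweb_lines(SAMPLE_LINES):
        print(finding)
```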
4. PowerShell Script — Find Vulnerable Windows Systems
```powershell
# This script checks for the existence and version of the vulnerable DLL.
# NOTE: The specific vulnerable version numbers are not in the intelligence.
# Replace 'X.X.X.X' with the actual vulnerable version range when available.
$vulnerableDll = "C:\Windows\System32\windowscodecs.dll"
$computers = Get-Content -Path "C:\temp\computers.txt" # List of computer names

foreach ($computer in $computers) {
    if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
        try {
            Write-Host "Checking $computer..." -ForegroundColor Yellow
            $fileInfo = Invoke-Command -ComputerName $computer -ScriptBlock {
                param($path)
                if (Test-Path $path) {
                    Get-Item -Path $path | Select-Object -ExpandProperty VersionInfo
                }
            } -ArgumentList $vulnerableDll -ErrorAction Stop

            if ($fileInfo) {
                # Build a [version] from the numeric parts: comparing the ProductVersion
                # string with -lt would compare text, not version numbers.
                $dllVersion = [version]("{0}.{1}.{2}.{3}" -f $fileInfo.FileMajorPart, $fileInfo.FileMinorPart, $fileInfo.FileBuildPart, $fileInfo.FilePrivatePart)
                # Hypothetical version check - update with the fixed version when available
                # if ($dllVersion -lt [version]"X.X.X.X") {
                #     Write-Host " [VULNERABLE] $computer has version $dllVersion" -ForegroundColor Red
                # } else {
                #     Write-Host " [OK] $computer has version $dllVersion" -ForegroundColor Green
                # }
                Write-Host " [FOUND] $computer has DLL version $dllVersion" -ForegroundColor Cyan
            } else {
                Write-Host " [INFO] DLL not found on $computer." -ForegroundColor Gray
            }
        }
        catch {
            Write-Host " [ERROR] Could not connect to or query $computer. $($_.Exception.Message)" -ForegroundColor DarkRed
        }
    } else {
        Write-Host "[OFFLINE] Cannot reach $computer." -ForegroundColor Gray
    }
}
```
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
{
"type": "bundle",
"id": "bundle--8855b667-1349-4e74-bc4f-42c657c0c41f",
"objects": [
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"created": "2022-10-01T00:00:00.000Z",
"definition_type": "tlp:2.0",
"name": "TLP:CLEAR",
"definition": {
"tlp": "clear"
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--514b62df-a3dc-4edf-b27e-a98b25a3d5dd",
"created": "2025-11-21T12:29:41.078Z",
"modified": "2025-11-21T12:29:41.078Z",
"name": "MikeGPT Intelligence Platform",
"description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds",
"identity_class": "organization",
"sectors": [
"technology",
"defense"
],
"contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--2525d5c1-f71c-4828-a6bc-1b2c88b90c77",
"created": "2025-11-21T12:29:41.078Z",
"modified": "2025-11-21T12:29:41.078Z",
"name": "Threat Intelligence Report - 2025-11-21",
"description": "Threat Intelligence Report - 2025-11-21\n\nThis report consolidates actionable cybersecurity intelligence from 90 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Morpheus on Microsoft: AI SOC Platform for MSSPs Managing Sentinel, Defender, Entra, and More (Score: 100)\n• Can enterprises freely choose scalable Agentic AI solutions (Score: 100)\n• Hundreds of Salesforce customers hit by yet another third-party vendor breach (Score: 99.9)\n• It’s not personal, it’s just business (Score: 99.9)\n• VU#268029: Tenda N300 Wi-Fi 4G LTE Router 4G03 Pro impacted by vulnerabilities (Score: 99.2)\n\nEXTRACTED ENTITIES:\n• 24 Attack Pattern(s)\n• 2 Malware(s)\n• 1 Marking Definition(s)\n• 6 Relationship(s)\n• 3 Threat Actor(s)\n• 2 Tool(s)\n• 4 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n",
"published": "2025-11-21T12:29:41.078Z",
"object_refs": [
"identity--514b62df-a3dc-4edf-b27e-a98b25a3d5dd",
"identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"identity--c4bddfde-bffe-4aa3-970b-dd430d1877f3",
"identity--8c1fecc5-666c-4007-be86-c4b6d149231b",
"identity--e364ad90-7577-414f-b4c3-873c5e843001",
"identity--e5be0d04-5c47-487d-9781-fdb0a0acbf05",
"identity--a728a080-82ff-441a-9f7b-f80ed1280225",
"identity--437b7cf0-8e51-4d57-8ed6-fd20a9f08d8c",
"malware--d79262f4-9d58-48a0-87c4-9a18b6d2aabf",
"tool--81c013c8-6886-4a1d-a232-084220d7b777",
"identity--1655e90f-83bb-4f01-bb00-23ac275464ce",
"identity--71f85f3a-f375-4433-bbe5-13c5996244f2",
"vulnerability--5380297d-2fc0-4a52-912b-80d302275115",
"vulnerability--6643f5db-a06a-43cf-b9d0-39b421db4cf8",
"identity--ffcf87e6-8276-4f43-89bf-a83477a40ad0",
"identity--a46e663a-8e9f-4dbd-b12b-8e7de5526190",
"identity--cd5564af-2686-480b-9eca-798b85290b2b",
"identity--6841df40-efe3-4f12-aac4-ad6f2e05dc33",
"identity--6c344584-a2ac-4778-ae3e-78d536a25f6f",
"identity--5c036cb4-ad90-42a9-9b28-b15e19e9ef4f",
"identity--a30a3bde-3b8c-4e9d-a191-261b2004d09f",
"identity--8d6017d3-15e7-4698-a33c-59e06c628ea1",
"identity--8be14d0d-464e-4bc0-9ac4-04d6772fe100",
"vulnerability--d7d53bb3-ad8a-4e3c-89d4-ab53dcf48bc4",
"identity--cd5ed758-3f50-4269-947a-07bbfc1783c0",
"threat-actor--86e4d679-b5fa-4512-9470-4602474f160f",
"identity--0d0217a8-c26c-4c49-b592-cf62f063efa3",
"identity--808befef-50a2-4662-93fb-72d77116b132",
"identity--2fd15de4-b5c0-40f4-999c-8118065d1c40",
"tool--6e9d3c62-6229-4522-8080-cd8887e5c5d4",
"identity--3a089752-87d7-4006-88f7-34cb0e4c589f",
"identity--7bb33173-9386-40cf-a0f7-cce6903ff1ca",
"identity--7a30a891-1da8-4009-973c-b794a087a6a0",
"threat-actor--e24a2ac5-5d94-4752-b0f5-0598a46ec721",
"identity--19a47e75-bfa8-4832-b1dd-4959d7d4a190",
"identity--a48e0290-d263-4c64-b7b4-cd6013491146",
"identity--8fbcee23-b20d-48f8-a8a8-a518b2e9d520",
"identity--4b7fe0eb-2a21-4582-b904-359c8b023bda",
"identity--d2ef45c2-8dbc-4d22-935f-5ff8ec8de775",
"identity--e2943957-c6cf-41e1-9427-6adf4b18f8a6",
"vulnerability--4c60379b-1de8-4209-a6c9-53f351ceed6d",
"identity--091678cf-8741-4208-91c9-9ab79a0f2c96",
"identity--04f957d6-678c-4416-a1e2-48caefc91dc5",
"identity--8e1f490a-c4ed-4c79-ae40-67241dff4037",
"identity--90fea5b1-3d86-4f69-9c2b-4e877ef12b80",
"identity--b7d9f61c-c206-4c6e-8e57-b8ba19350d36",
"identity--0db1ac45-c147-48be-b6b8-0ba5bf05108b",
"identity--bd559890-8096-4618-a4e3-d7248ef49afe",
"identity--0186ae1b-86aa-44d7-b12e-8dd8db99009b",
"identity--76de3514-f624-410e-848e-95fd9d518a35",
"threat-actor--8587f106-7cb6-432d-a1d6-96b518ad99b2",
"malware--78991d00-28dc-47f1-900c-7da594270fbc",
"identity--cfa2e10f-978d-46f7-9803-61841babb448",
"identity--f8d151d1-08a1-4ae6-b29a-2c0fdb5b801e",
"identity--0c6e123d-1bb4-4ecc-b3a7-a0a09abd3add",
"identity--41c07c05-0c4c-4f60-bb7a-e44f7bb46592",
"identity--ae0abef5-fe25-4a56-901f-d29390d1dd2c",
"attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"attack-pattern--775a5581-fd79-4cfc-a505-6d409b3bbfba",
"attack-pattern--9f6c52f6-cc63-4397-b485-099a2ca6acf9",
"attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"attack-pattern--de783d22-2fe5-48dd-936a-6f833a9e28d5",
"attack-pattern--80699ba5-409d-4de2-be13-f6bb5ce88584",
"attack-pattern--98ea09f5-f454-4fe3-80c6-22f2238e1817",
"attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6",
"attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"attack-pattern--ead76771-d986-429f-ba98-86ad1d586dd2",
"relationship--5fb227d4-ed20-45ce-9857-6c7ca9a14d59",
"relationship--0f3c4b4b-664e-490b-a513-45e3e11897be",
"relationship--2affacca-e264-4227-ac83-7ad3f9562fb7",
"relationship--908bf871-0040-4c80-814a-f88afd65b315",
"relationship--91dc8ce8-e751-4e38-9a25-c48c07097fd3",
"relationship--6598cca0-f373-485b-978a-0a23d748f020"
],
"labels": [
"threat-report",
"threat-intelligence"
],
"created_by_ref": "identity--514b62df-a3dc-4edf-b27e-a98b25a3d5dd",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.072Z",
"modified": "2025-11-21T12:29:41.072Z",
"confidence": 95,
"type": "identity",
"id": "identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"name": "Microsoft",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Microsoft is a multinational technology company that develops, manufactures, licenses, and supports a wide range of software products, services, and devices.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.072Z",
"modified": "2025-11-21T12:29:41.072Z",
"confidence": 95,
"type": "identity",
"id": "identity--c4bddfde-bffe-4aa3-970b-dd430d1877f3",
"name": "Fortinet",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Fortinet is a company that specializes in developing and providing cybersecurity solutions, including network security, threat protection, and network access control, to protect organizations from cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.072Z",
"modified": "2025-11-21T12:29:41.072Z",
"confidence": 95,
"type": "identity",
"id": "identity--8c1fecc5-666c-4007-be86-c4b6d149231b",
"name": "FortiWeb",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "FortiWeb is a web application firewall (WAF) that protects web applications from various types of cyber threats, including SQL injection, cross-site scripting (XSS), and denial-of-service (DoS) attacks.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.072Z",
"modified": "2025-11-21T12:29:41.072Z",
"confidence": 95,
"type": "identity",
"id": "identity--e364ad90-7577-414f-b4c3-873c5e843001",
"name": "SolarWinds",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "SolarWinds is a company that provides network management software and tools for IT professionals to monitor, manage, and optimize their IT infrastructure.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.072Z",
"modified": "2025-11-21T12:29:41.072Z",
"confidence": 95,
"type": "identity",
"id": "identity--e5be0d04-5c47-487d-9781-fdb0a0acbf05",
"name": "Amazon Web Services",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Amazon Web Services is a cloud computing platform that provides a wide range of services for computing, storage, databases, analytics, machine learning, and more, enabling businesses to build, deploy, and manage applications and workloads in the cloud.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.072Z",
"modified": "2025-11-21T12:29:41.072Z",
"confidence": 95,
"type": "identity",
"id": "identity--a728a080-82ff-441a-9f7b-f80ed1280225",
"name": "Salesforce",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Salesforce is a cloud-based software company that provides customer relationship management (CRM) solutions for businesses to manage sales, marketing, and customer service operations.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.072Z",
"modified": "2025-11-21T12:29:41.072Z",
"confidence": 95,
"type": "identity",
"id": "identity--437b7cf0-8e51-4d57-8ed6-fd20a9f08d8c",
"name": "Creators & Presenters",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Creators & Presenters is a company.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "malware",
"id": "malware--d79262f4-9d58-48a0-87c4-9a18b6d2aabf",
"name": "LockBit",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "LockBit is a ransomware family that encrypts files on victims' systems and demands payment in exchange for the decryption key. LockBit gains initial access to networks by exploiting vulnerabilities or through phishing emails. Once inside, it spreads laterally and encrypts files, changing their extensions. The group behind LockBit is known for stealing data before encrypting it and threatening to release it if the ransom demand is not met.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "tool",
"id": "tool--81c013c8-6886-4a1d-a232-084220d7b777",
"name": "Firefox",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Firefox is a popular open-source web browser developed by Mozilla, widely used for internet browsing and online activities. In the context provided, a user has created an extension for Firefox, indicating its relevance in the cybersecurity and online community.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "identity",
"id": "identity--1655e90f-83bb-4f01-bb00-23ac275464ce",
"name": "AppOmni",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "AppOmni is a cloud security platform that provides visibility, detection, and response to cloud security risks and misconfigurations.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "identity",
"id": "identity--71f85f3a-f375-4433-bbe5-13c5996244f2",
"name": "Oracle",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Oracle is a multinational technology corporation that provides enterprise software and database management systems for various industries, including cloud computing, artificial intelligence, and cybersecurity.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--5380297d-2fc0-4a52-912b-80d302275115",
"name": "CVE-2025-64446",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-64446",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64446"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-64446",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64446"
}
],
"description": "is a Swiss multinational electronics company that sells hardware and software",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--6643f5db-a06a-43cf-b9d0-39b421db4cf8",
"name": "CVE-2025-58034",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-58034",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58034"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-58034",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58034"
}
],
"description": "By integrating Varonis signals into Purview, data security teams gain unified visibility into sensitive data across third-party platforms like Salesforce alongside their Microsoft data. “This security integration be",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "identity",
"id": "identity--ffcf87e6-8276-4f43-89bf-a83477a40ad0",
"name": "Microsoft Sentinel",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Microsoft Sentinel is a cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "identity",
"id": "identity--a46e663a-8e9f-4dbd-b12b-8e7de5526190",
"name": "Entra ID",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Entra ID is a Microsoft identity and access management solution that provides secure authentication and authorization for users and applications.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "identity",
"id": "identity--cd5564af-2686-480b-9eca-798b85290b2b",
"name": "D3 Security",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "D3 Security is a company that provides cybersecurity solutions and expertise.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 30,
"type": "identity",
"id": "identity--6841df40-efe3-4f12-aac4-ad6f2e05dc33",
"name": "Gainsight",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Gainsight is a customer success and relationship management platform that helps businesses maximize customer value and retention through data-driven insights and automation.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "identity",
"id": "identity--6c344584-a2ac-4778-ae3e-78d536a25f6f",
"name": "Tenda",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Tenda is a Chinese networking equipment manufacturer that produces routers, switches, and other network devices for home and business use.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "identity",
"id": "identity--5c036cb4-ad90-42a9-9b28-b15e19e9ef4f",
"name": "Tenda 4G03 Pro",
"identity_class": "system",
"labels": [
"identity"
],
"description": "Tenda 4G03 Pro is a 4G mobile Wi-Fi router.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "identity",
"id": "identity--a30a3bde-3b8c-4e9d-a191-261b2004d09f",
"name": "Tenable Patch Management",
"identity_class": "system",
"labels": [
"identity"
],
"description": "Tenable Patch Management is a solution that helps organizations identify, prioritize, and remediate vulnerabilities by providing real-time visibility into patch status and automating the patching process.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "identity",
"id": "identity--8d6017d3-15e7-4698-a33c-59e06c628ea1",
"name": "Oligo Security",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Oligo Security is an application security company focused on runtime detection and response, identifying and blocking exploitation of vulnerabilities in running applications.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "identity",
"id": "identity--8be14d0d-464e-4bc0-9ac4-04d6772fe100",
"name": "Zscaler ThreatLabz",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Zscaler ThreatLabz is a threat research and analysis division that identifies and mitigates emerging threats through research, detection, and prevention.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--d7d53bb3-ad8a-4e3c-89d4-ab53dcf48bc4",
"name": "CVE-2025-50165",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-50165",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50165"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-50165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50165"
}
],
"description": "Vulnerability tracked as CVE-2025-50165; see the CVE and NVD external references for the affected product and details.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.073Z",
"modified": "2025-11-21T12:29:41.073Z",
"confidence": 95,
"type": "identity",
"id": "identity--cd5ed758-3f50-4269-947a-07bbfc1783c0",
"name": "NSFOCUS CERT",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "NSFOCUS CERT is a cybersecurity research and response team that identifies and mitigates vulnerabilities in software and systems to protect against cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.074Z",
"modified": "2025-11-21T12:29:41.074Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--86e4d679-b5fa-4512-9470-4602474f160f",
"name": "OWASP",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "OWASP (Open Web Application Security Project) is a nonprofit foundation that works to improve the security of software. It publishes the OWASP Top 10, a periodically updated list (roughly every three to four years, not annually) of the most critical web application security risks, which organizations use to prioritize application security efforts; a release candidate of the OWASP Top 10 2025 was published in late 2025. OWASP is a community organization, not a malicious threat actor; the threat-actor typing of this object reflects the extraction context rather than hostile activity.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.074Z",
"modified": "2025-11-21T12:29:41.074Z",
"confidence": 95,
"type": "identity",
"id": "identity--0d0217a8-c26c-4c49-b592-cf62f063efa3",
"name": "Techstrong Group",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Techstrong Group is a technology media and analyst company whose publications include Security Boulevard and DevOps.com.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.074Z",
"modified": "2025-11-21T12:29:41.074Z",
"confidence": 95,
"type": "identity",
"id": "identity--808befef-50a2-4662-93fb-72d77116b132",
"name": "DigiCert",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "DigiCert is a global provider of digital certificates and cybersecurity solutions, helping organizations secure online communications, identities, and transactions through SSL/TLS certificates, IoT security, and other digital trust services.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.074Z",
"modified": "2025-11-21T12:29:41.074Z",
"confidence": 95,
"type": "identity",
"id": "identity--2fd15de4-b5c0-40f4-999c-8118065d1c40",
"name": "NSO Group",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "NSO Group is a private Israeli company that develops and sells spyware and surveillance technology to governments worldwide.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.074Z",
"modified": "2025-11-21T12:29:41.074Z",
"confidence": 95,
"type": "tool",
"id": "tool--6e9d3c62-6229-4522-8080-cd8887e5c5d4",
"name": "WhatsApp",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "WhatsApp is a popular messaging application and service owned by Meta Platforms, Inc. It provides end-to-end encrypted messaging, voice and video calls, and multimedia messaging. The app has faced multiple security vulnerabilities and attacks over the years, which necessitate constant patching and updates.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.074Z",
"modified": "2025-11-21T12:29:41.074Z",
"confidence": 95,
"type": "identity",
"id": "identity--3a089752-87d7-4006-88f7-34cb0e4c589f",
"name": "Bain & Company",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Bain & Company is a global management consulting firm that helps organizations improve performance and achieve their goals through strategy, operations, and technology expertise.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.074Z",
"modified": "2025-11-21T12:29:41.074Z",
"confidence": 95,
"type": "identity",
"id": "identity--7bb33173-9386-40cf-a0f7-cce6903ff1ca",
"name": "Windows 11",
"identity_class": "system",
"labels": [
"identity"
],
"description": "Windows 11 is a personal computer operating system developed by Microsoft.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.074Z",
"modified": "2025-11-21T12:29:41.074Z",
"confidence": 95,
"type": "identity",
"id": "identity--7a30a891-1da8-4009-973c-b794a087a6a0",
"name": "Georgia Institute of Technology",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "The Georgia Institute of Technology is a public research university located in Atlanta, Georgia, and is recognized for its academic programs in engineering, computer science, and cybersecurity. In the provided context, researchers from the Georgia Institute of Technology are presenting on mobile security topics, indicating the institution's involvement in cybersecurity research and education.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.074Z",
"modified": "2025-11-21T12:29:41.074Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--e24a2ac5-5d94-4752-b0f5-0598a46ec721",
"name": "Omar Alrawi",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "Omar Alrawi is a researcher at the Georgia Institute of Technology, presenting a session on mobile security and authors papers related to cybersecurity and threat research. The context does not suggest Omar Alrawi is a threat actor in the malicious sense, but rather a cybersecurity researcher.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.074Z",
"modified": "2025-11-21T12:29:41.074Z",
"confidence": 95,
"type": "identity",
"id": "identity--19a47e75-bfa8-4832-b1dd-4959d7d4a190",
"name": "Kaspersky",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Kaspersky is a cybersecurity company that provides antivirus software and threat detection services to protect computers and mobile devices from malware and other online threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.074Z",
"modified": "2025-11-21T12:29:41.074Z",
"confidence": 95,
"type": "identity",
"id": "identity--a48e0290-d263-4c64-b7b4-cd6013491146",
"name": "Eric Yuan",
"identity_class": "individual",
"labels": [
"identity"
],
"description": "Eric Yuan is the CEO of Zoom, a video conferencing company. He recently used his AI avatar to open a quarterly earnings call, sparking discussion about the potential security implications of AI-generated content.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.074Z",
"modified": "2025-11-21T12:29:41.074Z",
"confidence": 95,
"type": "identity",
"id": "identity--8fbcee23-b20d-48f8-a8a8-a518b2e9d520",
"name": "Chinese Academy of Sciences",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "The Chinese Academy of Sciences is a national research institution under the State Council of the People's Republic of China. It comprises numerous institutes and research centers, including the Institute of Information Engineering, which is mentioned in the context as the affiliation of authors of a mobile security presentation.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.074Z",
"modified": "2025-11-21T12:29:41.074Z",
"confidence": 95,
"type": "identity",
"id": "identity--4b7fe0eb-2a21-4582-b904-359c8b023bda",
"name": "Mozilla",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Mozilla is a non-profit organization that develops and promotes free, open-source software, particularly the Firefox web browser.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.074Z",
"modified": "2025-11-21T12:29:41.074Z",
"confidence": 95,
"type": "identity",
"id": "identity--d2ef45c2-8dbc-4d22-935f-5ff8ec8de775",
"name": "EasyDMARC",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "EasyDMARC is a company that specializes in email authentication and security solutions, helping businesses protect their brands and prevent email phishing attacks through DMARC (Domain-based Message Authentication, Reporting, and Conformance) implementation and management.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "identity",
"id": "identity--e2943957-c6cf-41e1-9427-6adf4b18f8a6",
"name": "Searchlight Cyber",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Searchlight Cyber is a threat intelligence company specializing in dark web monitoring and external attack surface management, whose researchers also publish vulnerability research.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--4c60379b-1de8-4209-a6c9-53f351ceed6d",
"name": "CVE-2025-61757",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-61757",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61757"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-61757",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61757"
}
],
"description": "CVE-2025-61757 is a missing-authentication vulnerability in Oracle Identity Manager (part of Oracle Fusion Middleware) that allows an unauthenticated remote attacker to reach functionality leading to code execution; Oracle addressed it in its October 2025 Critical Patch Update. See the CVE and NVD external references for affected versions.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "identity",
"id": "identity--091678cf-8741-4208-91c9-9ab79a0f2c96",
"name": "GitHub Copilot",
"identity_class": "system",
"labels": [
"identity"
],
"description": "GitHub Copilot is an artificial intelligence-powered code completion tool that assists developers in writing code by suggesting lines of code based on the context of their project.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "identity",
"id": "identity--04f957d6-678c-4416-a1e2-48caefc91dc5",
"name": "BleepingComputer",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "BleepingComputer is a popular online news website focused on technology, cybersecurity, and malware analysis. It provides in-depth coverage of various cyber threats, vulnerabilities, and security-related topics, serving as a valuable resource for the cybersecurity community.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "identity",
"id": "identity--8e1f490a-c4ed-4c79-ae40-67241dff4037",
"name": "GuardScan - Static Application Security Testing (SAST)",
"identity_class": "system",
"labels": [
"identity"
],
"description": "GuardScan is a static application security testing (SAST) platform that analyzes application source code to identify and help remediate vulnerabilities.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "identity",
"id": "identity--90fea5b1-3d86-4f69-9c2b-4e877ef12b80",
"name": "Barracuda Networks",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Barracuda Networks is a cybersecurity company that provides email security, network and application security, and data protection products.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "identity",
"id": "identity--b7d9f61c-c206-4c6e-8e57-b8ba19350d36",
"name": "Hack The Box",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Hack The Box is an online platform that provides a virtual environment for cybersecurity training and penetration testing, allowing users to practice and improve their hacking skills in a safe and controlled environment.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "identity",
"id": "identity--0db1ac45-c147-48be-b6b8-0ba5bf05108b",
"name": "Andrew Prince",
"identity_class": "individual",
"labels": [
"identity"
],
"description": "Andrew Prince is a cybersecurity expert and member of the TCM Security crew, a group of ethical hackers, defenders, and cybersecurity instructors dedicated to making cybersecurity education affordable and practical.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "identity",
"id": "identity--bd559890-8096-4618-a4e3-d7248ef49afe",
"name": "TCM Security",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "TCM Security is a cybersecurity company of ethical hackers, defenders, and instructors that provides penetration testing services and practical, affordable cybersecurity training.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "identity",
"id": "identity--0186ae1b-86aa-44d7-b12e-8dd8db99009b",
"name": "SonicWall",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "SonicWall is a cybersecurity company that provides network security solutions, including firewalls, intrusion prevention systems, and VPNs, to protect against cyber threats and data breaches.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "identity",
"id": "identity--76de3514-f624-410e-848e-95fd9d518a35",
"name": "Huntress",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Huntress is a cybersecurity company that provides a managed security platform, including endpoint detection and response backed by a 24/7 security operations center, for small and mid-sized businesses and managed service providers.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--8587f106-7cb6-432d-a1d6-96b518ad99b2",
"name": "APT24",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "APT24 is a Chinese cyberespionage group known for its sophisticated attacks on various industries. They have been linked to several high-profile breaches and are believed to be sponsored by the Chinese government. APT24 is known for its use of advanced malware and social engineering tactics to gain access to sensitive information.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "malware",
"id": "malware--78991d00-28dc-47f1-900c-7da594270fbc",
"name": "Android trojan",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "Android trojan is a type of malware that targets Android devices, often to steal sensitive information or take control of the device. In the context provided, the Android trojan Sturnus is specifically mentioned, which targets communications from secure messaging apps like WhatsApp, Telegram, and Signal, and has full device-takeover abilities.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "identity",
"id": "identity--cfa2e10f-978d-46f7-9803-61841babb448",
"name": "github.com",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "github.com is a web-based platform for version control and collaboration, allowing users to host and share software projects, including open-source code and documentation.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "identity",
"id": "identity--f8d151d1-08a1-4ae6-b29a-2c0fdb5b801e",
"name": "ocsf.io",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "ocsf.io is the home of the Open Cybersecurity Schema Framework (OCSF), an open, vendor-agnostic schema for normalizing security events and logs so they can be exchanged consistently across tools such as SIEMs and log pipelines.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "identity",
"id": "identity--0c6e123d-1bb4-4ecc-b3a7-a0a09abd3add",
"name": "cside.com",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "cside.com is the website of c/side, a vendor of client-side (browser) script security monitoring. It is a legitimate vendor domain, not a command-and-control server; the earlier C2 characterization was an extraction error.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "identity",
"id": "identity--41c07c05-0c4c-4f60-bb7a-e44f7bb46592",
"name": "www.packtpub.com",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "www.packtpub.com is a technology and book publisher offering a wide range of books, articles, and online courses on various subjects including IT, cybersecurity, and programming.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 95,
"type": "identity",
"id": "identity--ae0abef5-fe25-4a56-901f-d29390d1dd2c",
"name": "www.svix.com",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "www.svix.com is the website of Svix, a hosted webhook delivery service that provides signed webhook sending, retries, and event routing for application developers.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.075Z",
"modified": "2025-11-21T12:29:41.075Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"name": "Command and Scripting Interpreter",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/",
"external_id": "T1059"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"name": "Supply Chain Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/",
"external_id": "T1195"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"name": "Spearphishing Attachment",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/001/",
"external_id": "T1566.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"name": "Spearphishing Link",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/002/",
"external_id": "T1566.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"name": "Spearphishing via Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/003/",
"external_id": "T1566.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"name": "Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1071",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1071/",
"external_id": "T1071"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"name": "Non-Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1095",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1095/",
"external_id": "T1095"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 82,
"type": "attack-pattern",
"id": "attack-pattern--775a5581-fd79-4cfc-a505-6d409b3bbfba",
"name": "Browser Session Hijacking",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1185",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1185/",
"external_id": "T1185"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 79,
"type": "attack-pattern",
"id": "attack-pattern--9f6c52f6-cc63-4397-b485-099a2ca6acf9",
"name": "Compromise Hardware Supply Chain",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/003/",
"external_id": "T1195.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 78,
"type": "attack-pattern",
"id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"name": "Vulnerabilities",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/006/",
"external_id": "T1588.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 75,
"type": "attack-pattern",
"id": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"name": "Botnet",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1584.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1584/005/",
"external_id": "T1584.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 73,
"type": "attack-pattern",
"id": "attack-pattern--de783d22-2fe5-48dd-936a-6f833a9e28d5",
"name": "Poisoned Pipeline Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1677",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1677/",
"external_id": "T1677"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 72,
"type": "attack-pattern",
"id": "attack-pattern--80699ba5-409d-4de2-be13-f6bb5ce88584",
"name": "Wi-Fi Discovery",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"x_mitre_id": "T1016.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1016/002/",
"external_id": "T1016.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 71,
"type": "attack-pattern",
"id": "attack-pattern--98ea09f5-f454-4fe3-80c6-22f2238e1817",
"name": "Transfer Data to Cloud Account",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"x_mitre_id": "T1537",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1537/",
"external_id": "T1537"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 71,
"type": "attack-pattern",
"id": "attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6",
"name": "Artificial Intelligence",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.007",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/007/",
"external_id": "T1588.007"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"name": "Scheduled Task",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/005/",
"external_id": "T1053.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"name": "Socket Filters",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1205.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1205/002/",
"external_id": "T1205.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"name": "Malicious Shell Modification",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1156",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1156/",
"external_id": "T1156"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.076Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"name": "Archive via Utility",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1560.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1560/001/",
"external_id": "T1560.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.076Z",
"modified": "2025-11-21T12:29:41.077Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"name": "Screen Capture",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1113",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1113/",
"external_id": "T1113"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.077Z",
"modified": "2025-11-21T12:29:41.077Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"name": "Adversary-in-the-Middle",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1557",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1557/",
"external_id": "T1557"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-21T12:29:41.077Z",
"modified": "2025-11-21T12:29:41.077Z",
"confidence": 69,
"type": "attack-pattern",
"id": "attack-pattern--ead76771-d986-429f-ba98-86ad1d586dd2",
"name": "Exploits",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/005/",
"external_id": "T1588.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5fb227d4-ed20-45ce-9857-6c7ca9a14d59",
"created": "2025-11-21T12:29:41.077Z",
"modified": "2025-11-21T12:29:41.077Z",
"relationship_type": "uses",
"source_ref": "threat-actor--86e4d679-b5fa-4512-9470-4602474f160f",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: owasp uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--0f3c4b4b-664e-490b-a513-45e3e11897be",
"created": "2025-11-21T12:29:41.077Z",
"modified": "2025-11-21T12:29:41.077Z",
"relationship_type": "uses",
"source_ref": "threat-actor--86e4d679-b5fa-4512-9470-4602474f160f",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: owasp uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2affacca-e264-4227-ac83-7ad3f9562fb7",
"created": "2025-11-21T12:29:41.077Z",
"modified": "2025-11-21T12:29:41.077Z",
"relationship_type": "uses",
"source_ref": "threat-actor--e24a2ac5-5d94-4752-b0f5-0598a46ec721",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: omar alrawi uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--908bf871-0040-4c80-814a-f88afd65b315",
"created": "2025-11-21T12:29:41.077Z",
"modified": "2025-11-21T12:29:41.077Z",
"relationship_type": "uses",
"source_ref": "threat-actor--e24a2ac5-5d94-4752-b0f5-0598a46ec721",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: omar alrawi uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--91dc8ce8-e751-4e38-9a25-c48c07097fd3",
"created": "2025-11-21T12:29:41.077Z",
"modified": "2025-11-21T12:29:41.077Z",
"relationship_type": "uses",
"source_ref": "threat-actor--8587f106-7cb6-432d-a1d6-96b518ad99b2",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: apt24 uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6598cca0-f373-485b-978a-0a23d748f020",
"created": "2025-11-21T12:29:41.077Z",
"modified": "2025-11-21T12:29:41.077Z",
"relationship_type": "uses",
"source_ref": "threat-actor--8587f106-7cb6-432d-a1d6-96b518ad99b2",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: apt24 uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
}
]
}