Researchers have discovered a critical blind spot in Microsoft Teams where users joining external tenants as guests effectively bypass their home organization's Microsoft Defender for Office 365 protections. This cross-tenant gap means security policies from the home environment do not travel with the user, leaving them vulnerable to attacks launched from the hosting tenant.
Business impact:
If exploited, employees collaborating externally could be compromised by malware or phishing without your security tools detecting it - expect potential lateral movement back into your network and bypass of compliance controls.
Recommended action:
Ask your IT team: "Do we have visibility into which external tenants our users are joining, and have we configured tenant restrictions to limit guest access to trusted partners only?"
ASUS has released urgent firmware updates to fix a critical authentication bypass vulnerability in routers with the AiCloud feature enabled. This flaw allows unauthorized attackers to bypass security mechanisms and gain control over the device.
Business impact:
If exploited, attackers could intercept corporate traffic from remote workers or pivot into home networks to access corporate assets - expect potential data theft and compromise of remote access credentials.
Recommended action:
Ask your IT team: "Have we identified all remote employees using ASUS routers and verified they have applied the latest firmware update to mitigate the AiCloud vulnerability?"
A critical vulnerability has been identified in the firmware of SDMC NE6037 routers (prior to version 7.1.12.2.44) involving a network diagnostics tool vulnerable to shell command injection. This allows attackers to execute arbitrary commands on the device.
Business impact:
If exploited, attackers could take full control of network infrastructure - expect network downtime, data interception, and potential use of your hardware in botnet attacks.
Recommended action:
Ask your IT team: "Do we have any SDMC NE6037 routers in our inventory, and have they been updated to firmware version 7.1.12.2.44 or later?"
The Asahi Group has confirmed that a ransomware attack in September resulted in the theft of personal data belonging to approximately 2 million customers and employees. The attack severely disrupted operations in Japan.
Business impact:
If this happened to us, we would face massive regulatory fines, class-action lawsuits, and severe reputational damage - expect millions in recovery costs and lost customer trust.
Recommended action:
Ask your IT team: "Have we tested our ransomware recovery plan this quarter, and are our backups immutable and isolated from the main network?"
Research reveals that developers using online formatting tools like JSONFormatter and CodeBeautify have inadvertently leaked thousands of sensitive secrets, including API keys and credentials. These platforms often save "public" snippets by default.
Business impact:
If exploited, attackers could use these leaked credentials to access our cloud infrastructure or customer data - expect immediate data breaches and unauthorized access to critical systems.
Recommended action:
Ask your IT team: "Can we block access to public code formatting sites and provide a secure, internal alternative for our developers to sanitize data?"
The French Soccer Federation (FFF) suffered a data breach where hackers used a compromised account to steal member data. This incident highlights the risks associated with compromised user credentials leading to broader data theft.
Business impact:
If this happened to us, we would face GDPR fines and loss of member trust - expect regulatory scrutiny and mandatory breach notifications.
Recommended action:
Ask your IT team: "Do we enforce Multi-Factor Authentication (MFA) on all accounts to prevent compromised credentials from leading to a data breach?"
The Tomiris threat actor has launched new operations targeting foreign ministries and government entities with updated malicious tools. The group focuses on high-value political and diplomatic infrastructure, utilizing novel techniques to evade detection.
Business impact:
If targeted, organizations could suffer state-sponsored espionage and theft of highly sensitive strategic data - expect long-term persistence in the network and loss of intellectual property.
Recommended action:
Ask your IT team: "Have we updated our threat intelligence feeds to include the latest indicators of compromise (IOCs) associated with the Tomiris APT group?"
A vulnerability has been discovered in the Wirtualna Uczelnia software where the application incorrectly processes the `redirectUrlParameter`. This flaw could be exploited to redirect users to malicious sites or facilitate phishing attacks.
Business impact:
If exploited, users could be tricked into revealing credentials on fake login pages - expect increased phishing success rates and potential account compromise.
Recommended action:
Ask your IT team: "Do we use Wirtualna Uczelnia software, and if so, have we applied the patch for CVE-2025-12140?"
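The redirect flaw described above is the classic open-redirect pattern: a login page copies a user-supplied parameter straight into the Location header. The following is an added example (not code from Wirtualna Uczelnia or its vendor) that shows the unsafe pattern beside a hardened check; APP_ORIGIN, ALLOWED_HOSTS and the sample parameter values are assumptions constructed for the example.

```python
import re
from urllib.parse import urljoin, urlparse

# Assumed values for this example: the application's own origin and the hosts a
# post-login redirect may land on. Neither comes from the Wirtualna Uczelnia advisory.
APP_ORIGIN = "https://portal.example.edu"
ALLOWED_HOSTS = {"portal.example.edu"}


def unsafe_redirect_target(redirect_param: str) -> str:
    """The open-redirect pattern: the parameter is trusted as the Location value."""
    return redirect_param or "/"


def safe_redirect_target(redirect_param: str, fallback: str = "/") -> str:
    """Resolve the parameter against the app origin and allow it only if it stays
    on an allowed host over http(s); otherwise return the fallback path."""
    if not redirect_param:
        return fallback
    candidate = redirect_param.strip()
    # Browsers treat "\" like "/" when parsing URLs, so normalise before any check.
    candidate = candidate.replace("\\", "/")
    # Browsers read any run of leading slashes as the start of an authority
    # ("//host", "///host"); urljoin does not, so refuse these outright.
    if re.match(r"^/{2,}", candidate):
        return fallback
    resolved = urljoin(APP_ORIGIN, candidate)
    parsed = urlparse(resolved)
    if parsed.scheme not in ("http", "https"):
        return fallback  # javascript:, data:, and other non-web schemes
    # .hostname strips userinfo ("host@other") and the port, and lower-cases the host.
    if parsed.hostname not in ALLOWED_HOSTS:
        return fallback
    return resolved


# Constructed sample values of the redirect parameter together with the result the
# hardened check must produce: same-site targets pass, everything else falls back.
SAMPLE_CASES = {
    "/student/dashboard": "https://portal.example.edu/student/dashboard",
    "https://portal.example.edu/grades?term=1": "https://portal.example.edu/grades?term=1",
    "https://evil.example/login": "/",
    "//evil.example/login": "/",
    "/\\evil.example": "/",
    "https://portal.example.edu@evil.example/": "/",
    "https://portal.example.edu.evil.example/": "/",
    "javascript:alert(1)": "/",
}


def run_samples() -> dict:
    """Apply the hardened check to every sample parameter."""
    return {param: safe_redirect_target(param) for param in SAMPLE_CASES}


if __name__ == "__main__":
    for param, result in run_samples().items():
        print(f"{param!r:50} -> {result}")
```

The check resolves the parameter against the application's own origin before inspecting it, so relative paths stay relative and every absolute form ends up compared against the same allowlist; the sample table doubles as a regression test for the validator.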
The Bloody Wolf threat actor is expanding its campaigns to target organizations in Uzbekistan, delivering the NetSupport Remote Access Trojan (RAT). This Java-based attack vector allows attackers to gain remote control over infected systems.
Business impact:
If infected, attackers gain full remote control of employee workstations - expect data exfiltration, surveillance, and potential deployment of further malware like ransomware.
Recommended action:
Ask your IT team: "Are we blocking the execution of unauthorized remote access tools like NetSupport, and do we scan for Java-based malware payloads?"
Researchers have found that structuring Large Language Model (LLM) prompts as poetry can function as a universal jailbreak mechanism. This technique bypasses safety filters, allowing the model to generate restricted or harmful content.
As hybrid work scales, traditional perimeter security is failing, driving organizations toward Remote Privileged Access Management (RPAM). This shift addresses the security needs of distributed IT administrators and third-party vendors who require secure, privileged access from outside the corporate network.
Following the government shutdown, the Cybersecurity Coalition is urging the Trump Administration to accelerate efforts to strengthen national cybersecurity. The focus is on countering intensifying threats from foreign adversaries like China and Russia.
Spotlight Rationale: CrowdStrike is selected due to its capability to detect the sophisticated behavioral patterns exhibited by the Tomiris APT and the Bloody Wolf campaign's use of legitimate tools like NetSupport RAT, which often bypass traditional signature-based detection.
CrowdStrike Falcon leverages advanced behavioral analysis and threat intelligence to identify anomalous activities associated with APT groups and "living off the land" binaries. Its ability to correlate cross-domain telemetry is critical for detecting the subtle lateral movement techniques used by groups like Tomiris and the unauthorized deployment of remote access tools.
Actionable Platform Guidance: The Falcon console provides specific modules to hunt for the indicators associated with these threats. Users should focus on the "Insight" and "Discover" modules to verify process execution and network connections.
# GUIDANCE STATUS: SUCCESS (Confidence: 0.9)
# Based on standard Falcon console interface.
IMMEDIATE ACTIONS:
1. Navigate to 'Configuration' > 'Prevention Policies' and ensure 'Sensor Visibility' is set to 'Aggressive' for process injection and suspicious registry modification.
2. In the 'Investigate' module, run a search for 'FileName="client32.exe"' (NetSupport RAT) to identify potential unauthorized remote access tools.
3. Enable 'OverWatch' notifications for 'Hands-on-Keyboard' activity to detect APT-style lateral movement described in the Tomiris report.
VERIFICATION STEPS:
1. Verify that the 'Sensor Update' policy is set to 'Auto-Update' to ensure the latest behavioral logic is applied.
2. Check 'Detections' dashboard for any 'Low' or 'Medium' severity alerts related to 'Remote Access Tool' that may have been overlooked.
2. YARA Rule for NetSupport RAT (Bloody Wolf Campaign)
4. PowerShell Script — Check for NetSupport RAT Presence
# Hosts to check; the names below are placeholders from the original script.
$computers = "localhost", "SERVER01", "WKSTN01"

foreach ($computer in $computers) {
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        Write-Warning "Unreachable: $computer"
        continue
    }
    # Invoke-Command needs WinRM (Enable-PSRemoting) on the target, including localhost;
    # a remoting failure is reported and the loop moves on to the next host.
    Invoke-Command -ComputerName $computer -ErrorAction Continue -ScriptBlock {
        # NetSupport's client runs as client32.exe; check the running processes and
        # the product's default install path.
        $process = Get-Process -Name "client32" -ErrorAction SilentlyContinue
        $path = Test-Path "C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"
        if ($process -or $path) {
            Write-Host "ALERT: NetSupport RAT detected on $env:COMPUTERNAME" -ForegroundColor Red
        } else {
            Write-Host "Clean: $env:COMPUTERNAME" -ForegroundColor Green
        }
    }
}
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
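Before importing a bundle like the one below into a TIP or SIEM, it pays to check it: every report's object_refs should be well-formed STIX 2.1 identifiers that resolve to an object in the same bundle, and the attack-pattern objects can be turned into a plain ATT&CK technique list for detection engineering. The following is an added example (not part of the newsletter or of any TIP's import code) that does both with the standard library; the mini-bundle it parses is constructed for the example, with made-up ids and names.

```python
import json
import re
from collections import Counter

# STIX 2.1 identifier grammar: "<object-type>--<UUID>", where object-type is lowercase
# letters, digits and hyphens. Refs that do not match (for example ones containing ":"
# or ".") are not valid identifiers, and a strict importer will drop or reject them.
STIX_ID_RE = re.compile(
    r"^[a-z0-9][a-z0-9-]+[a-z0-9]--"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# Constructed mini-bundle in the same shape as the newsletter's feed; the ids, names
# and timestamps below are made up for this example.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "tool", "spec_version": "2.1",
         "id": "tool--00000000-0000-4000-8000-0000000000bb",
         "name": "NetSupport", "tool_types": ["remote-access"]},
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--00000000-0000-4000-8000-0000000000cc",
         "name": "Ingress Tool Transfer", "x_mitre_id": "T1105",
         "external_references": [{"source_name": "MITRE ATT&CK", "external_id": "T1105",
                                  "url": "https://attack.mitre.org/techniques/T1105/"}]},
        {"type": "report", "spec_version": "2.1",
         "id": "report--00000000-0000-4000-8000-0000000000dd",
         "name": "Weekly report", "published": "2025-01-01T00:00:00.000Z",
         "object_refs": [
             "tool--00000000-0000-4000-8000-0000000000bb",
             "attack-pattern--00000000-0000-4000-8000-0000000000cc",
             "malware--00000000-0000-4000-8000-0000000000ff",             # not in bundle
             "file:hashes.SHA-256--00000000-0000-4000-8000-0000000000ee",  # not a STIX id
         ]},
    ],
})


def is_valid_stix_id(ref: str) -> bool:
    return bool(STIX_ID_RE.match(ref))


def load_bundle(text: str) -> dict:
    """Parse the JSON and make sure it is a bundle with an object list."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX bundle")
    return bundle


def index_objects(bundle: dict) -> dict:
    """Map every object id in the bundle to its object."""
    return {obj["id"]: obj for obj in bundle["objects"] if "id" in obj}


def count_by_type(bundle: dict) -> dict:
    return dict(Counter(obj.get("type", "?") for obj in bundle["objects"]))


def audit_report_refs(bundle: dict) -> dict:
    """For each report, list object_refs that are malformed or absent from the bundle."""
    index = index_objects(bundle)
    invalid, dangling = [], []
    for obj in bundle["objects"]:
        if obj.get("type") != "report":
            continue
        for ref in obj.get("object_refs", []):
            if not is_valid_stix_id(ref):
                invalid.append(ref)
            elif ref not in index:
                dangling.append(ref)
    return {"invalid_ids": invalid, "dangling_refs": dangling}


def mitre_techniques(bundle: dict) -> list:
    """Sorted (technique id, name) pairs for attack-patterns carrying an ATT&CK reference."""
    found = set()
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        ids = {ext.get("external_id") for ext in obj.get("external_references", [])
               if "mitre" in ext.get("source_name", "").lower()}
        if obj.get("x_mitre_id"):  # custom property used by this feed
            ids.add(obj["x_mitre_id"])
        for tid in ids:
            if tid:
                found.add((tid, obj.get("name", "")))
    return sorted(found)


if __name__ == "__main__":
    bundle = load_bundle(SAMPLE_BUNDLE)
    print("objects by type:", count_by_type(bundle))
    print("ref audit:", audit_report_refs(bundle))
    print("ATT&CK techniques:", mitre_techniques(bundle))
```

Run against the feed's own JSON, the audit separates two problems an importer would otherwise hide: refs that are syntactically not STIX identifiers (the `file:hashes.*` entries in the report above use a type name with characters the spec does not allow) and refs that are well-formed but point at nothing in the bundle; the technique list is what you hand to the detection team.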
{
"type": "bundle",
"id": "bundle--c952e3c7-3994-4529-8f59-e66518704e93",
"objects": [
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"created": "2022-10-01T00:00:00.000Z",
"definition_type": "tlp:2.0",
"name": "TLP:CLEAR",
"definition": {
"tlp": "clear"
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--371f2af8-bbfd-4b91-9fac-5a56d81f2158",
"created": "2025-11-29T14:12:48.669Z",
"modified": "2025-11-29T14:12:48.669Z",
"name": "MikeGPT Intelligence Platform",
"description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds",
"identity_class": "organization",
"sectors": [
"technology",
"defense"
],
"contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5c5eebf3-e054-40e1-b11d-09d819202271",
"created": "2025-11-29T14:12:48.669Z",
"modified": "2025-11-29T14:12:48.669Z",
"name": "Threat Intelligence Report - 2025-11-29",
"description": "Threat Intelligence Report - 2025-11-29\n\nThis report consolidates actionable cybersecurity intelligence from 52 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants (Score: 100)\n• MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants (Score: 100)\n• Tomiris wreaks Havoc: New tools and techniques of the APT group (Score: 99.3)\n• Need advice on a project (Score: 93.4)\n• Show HN: GemGuard – a security auditing tool for Linux and Windows (Score: 91.0)\n\nEXTRACTED ENTITIES:\n• 19 Attack Pattern(s)\n• 7 File:Hashes.Md5(s)\n• 6 File:Hashes.Sha 1(s)\n• 7 File:Hashes.Sha 256(s)\n• 1 Malware(s)\n• 1 Marking Definition(s)\n• 19 Relationship(s)\n• 1 Threat Actor(s)\n• 4 Tool(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n",
"published": "2025-11-29T14:12:48.669Z",
"object_refs": [
"identity--371f2af8-bbfd-4b91-9fac-5a56d81f2158",
"identity--161fc746-cd49-4615-ab48-81a93a1b16b4",
"tool--83bfa7e8-f4a9-4d1d-9d48-f3498961665e",
"tool--3e7455ac-6c4a-4981-a44a-babfdbe825d5",
"malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"tool--45b60ede-8791-440e-8416-0885e9a75e35",
"tool--a23048f9-12bb-4dae-afd9-35a4efac8807",
"identity--bcd951b4-f03e-4714-b415-0ea800d25751",
"identity--ef97cf23-50f0-49cc-a258-051bc838c859",
"identity--bf84b069-6c48-45b2-85a7-7a8fab60ce74",
"identity--22c66671-ba73-4cb2-a10e-dbe3ed53197b",
"identity--562e37e9-4a8b-4e03-bfb5-df3d48cdbac2",
"identity--d59a8e18-aa4e-4ac7-9035-9bf231b1d053",
"identity--91bd596b-a03c-45e8-9d22-17b9f0cabb49",
"identity--bd8321bb-6350-4fc4-87b3-a79e5b964fb6",
"identity--e6513c85-0662-49f7-b5e5-8e9a04319bd6",
"identity--fa1d77a3-059c-4f22-8b1e-3ceedd7a3eb1",
"threat-actor--61b92c00-2a2e-4b30-9b3b-e2b3148cd0f7",
"attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"attack-pattern--f1669470-d352-4943-bd4a-70c7740b6d39",
"attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"attack-pattern--01df90e4-619d-4268-90c9-6e2aa84079d9",
"attack-pattern--c3286059-b33e-4b64-9fda-22075baf9afa",
"attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"attack-pattern--0ec57ff0-0257-4287-888c-8f20c7e08c6b",
"attack-pattern--dd0edf90-8f96-4a15-852b-ba611cd81716",
"attack-pattern--88428b3c-f02f-45b8-a38a-0541b2287509",
"attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d",
"attack-pattern--775a5581-fd79-4cfc-a505-6d409b3bbfba",
"relationship--aef23e3b-c234-4a92-a54d-4a083d175c33",
"relationship--418a8cbd-1172-477d-ad37-a154779f37e7",
"relationship--c0ebc080-3cac-46d1-8123-257d53c3e36e",
"relationship--8cde31fc-23b1-46d7-a31c-94f438b2547e",
"relationship--1e737657-b5ad-4c03-a2cf-2d7b71b44102",
"relationship--9c55bdb1-2a26-4a9d-aa23-7ec7bd7b43af",
"relationship--31011fd3-13b1-4c97-bc16-a8c09da736ab",
"relationship--560fa9e6-8345-4643-b379-74a399ebe52e",
"relationship--d5e51eb4-1c3d-49c1-919b-11cd1df1c54b",
"relationship--1be8ad43-cfa0-4b2e-96ed-1a0d63afde39",
"relationship--cd8ea456-a913-4c3a-b91d-6934401f6d2e",
"relationship--b678b043-2193-4ba9-a8d8-5bb28be4e6fe",
"relationship--041ecaf3-45ce-481a-83bc-f059731bce97",
"relationship--82c84c43-b828-4c29-b01c-d6c92ab4a84a",
"relationship--22e240d1-4e27-4c25-846c-c967f71e7d2b",
"relationship--38f2f5b5-8806-4f31-9c12-6f0d1e0136dd",
"relationship--3fcda18c-14d3-4ccc-a8e7-8d4932c4ac8d",
"relationship--7377d7b8-a6b5-4542-823b-99975f55671a",
"relationship--a56db206-85d1-43d4-8c8b-16d679c4e38b",
"file:hashes.SHA-256--6d5a1183-d4fd-4f1d-8ed8-e9a5cfc7a299",
"file:hashes.SHA-256--4bef3f58-9cb7-4b42-ac4a-62d32061bc1c",
"file:hashes.SHA-256--3f5b2b84-a39f-4cfb-b44f-ae62364e9b4b",
"file:hashes.SHA-256--f490ba0e-abf0-49fd-8cd7-2ce5f11c0b24",
"file:hashes.SHA-256--f152fa03-624a-453a-88df-e3da04b08945",
"file:hashes.SHA-256--380ee2ff-e8eb-4449-adf5-efdb50974988",
"file:hashes.SHA-256--f1ff7f17-a37c-4b4b-b0e3-431a7764d57f",
"file:hashes.MD5--f4eded5d-0aa5-4eaf-a30b-12519291d2da",
"file:hashes.MD5--0ee24e46-76dc-42ad-afcf-5bd9285b6f6c",
"file:hashes.MD5--59ba68de-efd4-4a22-bb69-d2969592a5b9",
"file:hashes.MD5--f8e1daef-0611-42ea-9a92-719948a932e3",
"file:hashes.MD5--af008df4-6935-40be-ae9e-65da8323cfb2",
"file:hashes.MD5--48fba532-bfb3-4ef7-aa2e-6e483706c4ad",
"file:hashes.MD5--c7e06ba0-5a0f-40f5-aa3b-531113f3af0d",
"file:hashes.SHA-1--0ff67ad2-698a-4fd3-9a7d-626590a80e63",
"file:hashes.SHA-1--f843b240-12d5-4e4d-b4f2-b820afb98363",
"file:hashes.SHA-1--b60fcc16-d890-4113-9f3d-642c66e9bb13",
"file:hashes.SHA-1--5d7f89d6-a2a7-4517-bce4-25897079a7aa",
"file:hashes.SHA-1--ea1d5f85-9cc0-431c-a543-3ab172af5dd8",
"file:hashes.SHA-1--6398e3a9-60a0-4f02-88d8-0a5d31e27a64"
],
"labels": [
"threat-report",
"threat-intelligence"
],
"created_by_ref": "identity--371f2af8-bbfd-4b91-9fac-5a56d81f2158",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.820Z",
"modified": "2025-11-29T14:12:47.820Z",
"confidence": 95,
"type": "identity",
"id": "identity--161fc746-cd49-4615-ab48-81a93a1b16b4",
"name": "GitHub",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "GitHub is a web-based platform for version control and collaboration on software development projects, allowing users to store, manage, and share their code with others.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "tool",
"id": "tool--83bfa7e8-f4a9-4d1d-9d48-f3498961665e",
"name": "CodeBeautify",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "CodeBeautify is an online tool used to format and validate code, but in the context of cybersecurity, it has been found to be used by organizations in sensitive sectors to paste passwords and credentials, potentially exposing them to security risks.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "tool",
"id": "tool--3e7455ac-6c4a-4981-a44a-babfdbe825d5",
"name": "NetSupport",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "NetSupport is a software company that provides remote support and management solutions for IT professionals to troubleshoot and manage computer systems, but it is also known for its NetSupport Manager product being used as a Remote Access Trojan (RAT) in cyber attacks.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "malware",
"id": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"name": "ClickFix",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "ClickFix is a new type of malware that disguises itself as a critical Windows security update, leading users to fake adult websites to deceive them into running malicious commands. The name suggests it may be related to the helpdesk software ClickFix, but it's unclear if there's a direct connection.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "tool",
"id": "tool--45b60ede-8791-440e-8416-0885e9a75e35",
"name": "Microsoft Defender for Office",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Microsoft Defender for Office is a cloud-based email and collaboration security solution that protects against advanced threats and malware in Microsoft Office 365.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "tool",
"id": "tool--a23048f9-12bb-4dae-afd9-35a4efac8807",
"name": "Google’s Gemini",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Google’s Gemini is a machine learning model used for generating human-readable assessments based on system information.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "identity",
"id": "identity--bcd951b4-f03e-4714-b415-0ea800d25751",
"name": "ReversingLabs",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "ReversingLabs is a software supply chain security company that specializes in identifying and mitigating threats within software and other digital assets.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "identity",
"id": "identity--ef97cf23-50f0-49cc-a258-051bc838c859",
"name": "WatchTowr",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "WatchTowr is a cybersecurity company.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "identity",
"id": "identity--bf84b069-6c48-45b2-85a7-7a8fab60ce74",
"name": "FortiGuard Labs",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "FortiGuard Labs is a threat intelligence and research division that identifies and analyzes emerging cyber threats to provide protection and security solutions to its clients.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "identity",
"id": "identity--22c66671-ba73-4cb2-a10e-dbe3ed53197b",
"name": "Central Bureau for Combating Cybercrime",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "The Central Bureau for Combating Cybercrime (CBZC) is a Polish law enforcement agency responsible for investigating and combating cybercrime in Poland. It has been involved in several high-profile cases, including the arrest of a Russian national suspected of breaching the IT systems of local companies. The CBZC plays a critical role in protecting Poland's digital infrastructure and combating cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "identity",
"id": "identity--562e37e9-4a8b-4e03-bfb5-df3d48cdbac2",
"name": "TechRepublic",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "TechRepublic is a technology news and information website that provides articles, blogs, and other resources on various technology topics, including cybersecurity and data breaches.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "identity",
"id": "identity--d59a8e18-aa4e-4ac7-9035-9bf231b1d053",
"name": "Comcast",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Comcast is a multinational telecommunications conglomerate that provides internet, television, and phone services to residential and commercial customers.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "identity",
"id": "identity--91bd596b-a03c-45e8-9d22-17b9f0cabb49",
"name": "Crowdstrike",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Crowdstrike is a cybersecurity company that provides cloud-delivered endpoint security solutions, including threat detection, incident response, and vulnerability management, to protect against advanced cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "identity",
"id": "identity--bd8321bb-6350-4fc4-87b3-a79e5b964fb6",
"name": "Qualys",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Qualys is a cloud-based security and compliance platform that provides vulnerability management, threat protection, and compliance solutions for organizations to identify and remediate security risks.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "identity",
"id": "identity--e6513c85-0662-49f7-b5e5-8e9a04319bd6",
"name": "Froedtert ThedaCare Health",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "Froedtert ThedaCare Health is a healthcare organization based in Wisconsin, providing various healthcare services. Chris Stucker, deputy CISO at this organization, predicts that New York State's new cybersecurity requirements will raise the security bar for healthcare providers across many other states.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "identity",
"id": "identity--fa1d77a3-059c-4f22-8b1e-3ceedd7a3eb1",
"name": "BitSight",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "BitSight is a cybersecurity company that provides risk management and security ratings to organizations through data analytics and threat intelligence.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--61b92c00-2a2e-4b30-9b3b-e2b3148cd0f7",
"name": "Threat actors hit Asahi with a",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "Threat actors hit Asahi with a ransomware attack.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:47.821Z",
"modified": "2025-11-29T14:12:47.821Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"name": "Supply Chain Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/",
"external_id": "T1195"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--f1669470-d352-4943-bd4a-70c7740b6d39",
"name": "Compromise Software Supply Chain",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/002/",
"external_id": "T1195.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"name": "Spearphishing Attachment",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/001/",
"external_id": "T1566.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"name": "Spearphishing Link",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/002/",
"external_id": "T1566.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"name": "Spearphishing via Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/003/",
"external_id": "T1566.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--01df90e4-619d-4268-90c9-6e2aa84079d9",
"name": "PowerShell",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/001/",
"external_id": "T1059.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c3286059-b33e-4b64-9fda-22075baf9afa",
"name": "Ingress Tool Transfer",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1105",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1105/",
"external_id": "T1105"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"name": "Command and Scripting Interpreter",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/",
"external_id": "T1059"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 82,
"type": "attack-pattern",
"id": "attack-pattern--0ec57ff0-0257-4287-888c-8f20c7e08c6b",
"name": "Cloud Secrets Management Stores",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"x_mitre_id": "T1555.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1555/006/",
"external_id": "T1555.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 81,
"type": "attack-pattern",
"id": "attack-pattern--dd0edf90-8f96-4a15-852b-ba611cd81716",
"name": "Python",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/006/",
"external_id": "T1059.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 81,
"type": "attack-pattern",
"id": "attack-pattern--88428b3c-f02f-45b8-a38a-0541b2287509",
"name": "LSA Secrets",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"x_mitre_id": "T1003.004",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1003/004/",
"external_id": "T1003.004"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"name": "Vulnerabilities",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/006/",
"external_id": "T1588.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"name": "Archive via Utility",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1560.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1560/001/",
"external_id": "T1560.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"name": "Screen Capture",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1113",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1113/",
"external_id": "T1113"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"name": "Adversary-in-the-Middle",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1557",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1557/",
"external_id": "T1557"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 68,
"type": "attack-pattern",
"id": "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d",
"name": "Search Threat Vendor Data",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"x_mitre_id": "T1681",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1681/",
"external_id": "T1681"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"confidence": 67,
"type": "attack-pattern",
"id": "attack-pattern--775a5581-fd79-4cfc-a505-6d409b3bbfba",
"name": "Browser Session Hijacking",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1185",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1185/",
"external_id": "T1185"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--aef23e3b-c234-4a92-a54d-4a083d175c33",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Exploit Public-Facing Application (T1190) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--418a8cbd-1172-477d-ad37-a154779f37e7",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Exploitation for Client Execution (T1203) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c0ebc080-3cac-46d1-8123-257d53c3e36e",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Supply Chain Compromise (T1195) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8cde31fc-23b1-46d7-a31c-94f438b2547e",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--f1669470-d352-4943-bd4a-70c7740b6d39",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Compromise Software Supply Chain (T1195.002) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1e737657-b5ad-4c03-a2cf-2d7b71b44102",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Spearphishing Attachment (T1566.001) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9c55bdb1-2a26-4a9d-aa23-7ec7bd7b43af",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Spearphishing Link (T1566.002) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--31011fd3-13b1-4c97-bc16-a8c09da736ab",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Spearphishing via Service (T1566.003) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--560fa9e6-8345-4643-b379-74a399ebe52e",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--01df90e4-619d-4268-90c9-6e2aa84079d9",
"confidence": 55,
"description": "Co-occurrence: ClickFix and PowerShell (T1059.001) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d5e51eb4-1c3d-49c1-919b-11cd1df1c54b",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--c3286059-b33e-4b64-9fda-22075baf9afa",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Ingress Tool Transfer (T1105) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1be8ad43-cfa0-4b2e-96ed-1a0d63afde39",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Command and Scripting Interpreter (T1059) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--cd8ea456-a913-4c3a-b91d-6934401f6d2e",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--0ec57ff0-0257-4287-888c-8f20c7e08c6b",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Cloud Secrets Management Stores (T1555.006) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b678b043-2193-4ba9-a8d8-5bb28be4e6fe",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--dd0edf90-8f96-4a15-852b-ba611cd81716",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Python (T1059.006) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--041ecaf3-45ce-481a-83bc-f059731bce97",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--88428b3c-f02f-45b8-a38a-0541b2287509",
"confidence": 55,
"description": "Co-occurrence: ClickFix and LSA Secrets (T1003.004) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--82c84c43-b828-4c29-b01c-d6c92ab4a84a",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Vulnerabilities (T1588.006) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--22e240d1-4e27-4c25-846c-c967f71e7d2b",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.668Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Archive via Utility (T1560.001) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--38f2f5b5-8806-4f31-9c12-6f0d1e0136dd",
"created": "2025-11-29T14:12:48.668Z",
"modified": "2025-11-29T14:12:48.669Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Screen Capture (T1113) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3fcda18c-14d3-4ccc-a8e7-8d4932c4ac8d",
"created": "2025-11-29T14:12:48.669Z",
"modified": "2025-11-29T14:12:48.669Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Adversary-in-the-Middle (T1557) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7377d7b8-a6b5-4542-823b-99975f55671a",
"created": "2025-11-29T14:12:48.669Z",
"modified": "2025-11-29T14:12:48.669Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Search Threat Vendor Data (T1681) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a56db206-85d1-43d4-8c8b-16d679c4e38b",
"created": "2025-11-29T14:12:48.669Z",
"modified": "2025-11-29T14:12:48.669Z",
"relationship_type": "uses",
"source_ref": "malware--52c1192f-9bee-4f58-ab86-1c55430bdc17",
"target_ref": "attack-pattern--775a5581-fd79-4cfc-a505-6d409b3bbfba",
"confidence": 55,
"description": "Co-occurrence: ClickFix and Browser Session Hijacking (T1185) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
}
]
}