Sun, Nov 9, 2025 • 7-minute read
EU Financial Services (DORA): ELEVATED | California-based Organizations (CCPA): QUIET | Technology Service Providers (SOC 2): STEADY
Heroes, late-breaking critical news. Here's a detailed look at the current cybersecurity landscape for November 9, 2025.
Date & Time: 2025-11-08T18:51:25
A sophisticated threat actor linked to China breached a U.S. non-profit focused on policy matters, maintaining access for weeks. The attackers used DLL sideloading via a legitimate executable named `vetysafe.exe` to establish persistence and conduct espionage, likely to gather intelligence on U.S. policy.
CVE: n/a | Compliance: SOX | Source: Security Affairs ↗
Date & Time: 2025-11-08T17:19:37
The use of commercial-grade spyware continues, with a new report revealing an Italian political adviser was targeted with Graphite spyware from the vendor Paragon. This marks the fifth known Italian target, indicating a sustained surveillance campaign against political figures in the region.
CVE: n/a | Compliance: HIPAA, SOX | Source: Security Affairs ↗
Date & Time: 2025-11-08T17:08:31
A recent blog post analyzes three distinct data breaches, highlighting the adaptability of threat actors. The incidents span nation-state espionage, data theft, and social engineering, demonstrating that no single defensive strategy is sufficient against the diverse modern threat landscape.
Source: psilvas.wordpress.com ↗
Date & Time: 2025-11-08T16:00:00
Research presented at NDSS 2025 explores how corporate boards of directors perceive and act on cybersecurity risk. Understanding the language, metrics, and motivations that drive board-level decisions is crucial for CISOs seeking to secure budget and strategic alignment for their security programs.
Source: Security Boulevard ↗
Spotlight Rationale: Today's intelligence highlights persistent threats from nation-state actors using custom tooling (China-linked group's `vetysafe.exe`) and ransomware groups leveraging initial access brokers (Yanluowang). A robust SIEM and threat intelligence platform is critical for detecting these advanced TTPs. IBM's combination of QRadar SIEM and X-Force Threat Intelligence provides a comprehensive solution for this challenge.
Threat Context: China-linked Hackers Target U.S. Non-profit in Long-term Espionage Campaign
Platform Focus: IBM Security QRadar SIEM & X-Force Threat Intelligence
IBM QRadar allows security teams to collect and correlate log data from across the enterprise to detect suspicious activity. When enriched with IBM X-Force Threat Intelligence, which provides up-to-date data on actor TTPs, malware indicators, and vulnerabilities, QRadar can effectively identify stealthy techniques like the DLL sideloading used by the China-linked actor. This allows for earlier detection and response, disrupting the attack chain before significant damage occurs.
Actionable Platform Guidance: Use QRadar's rule engine to create specific analytics for the TTPs seen in today's threats. Integrate X-Force feeds to automatically flag known malicious indicators associated with actors like the Yanluowang ransomware affiliates or China-linked espionage groups.
Source: IBM Security ↗
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - IBM QRadar
# Actionable Guidance for IBM QRadar to Detect Today's Threats
# Disclaimer: This guidance is based on general platform knowledge. Verify against current IBM documentation.
# --- Immediate Actions --- #
# 1. Create a Custom Rule for DLL Sideloading Behavior:
# - Navigate to the 'Offenses' tab and click 'Rules'.
# - Create a new rule that triggers when a known legitimate process (e.g., vetysafe.exe)
# spawns a child process from an unusual path (e.g., %APPDATA%, %TEMP%).
# - Rule Test: 'when the event matches QID and when the event context is Local to Remote'
# - Rule Condition: 'and when the process name is one of the following 'vetysafe.exe''
# 'and when the child process path contains any of 'AppData', 'Temp''
# 2. Enable and Prioritize X-Force Threat Intelligence Feed:
# - In the Admin tab, go to 'System Settings' -> 'Threat Intelligence'.
# - Ensure the 'X-Force Threat Intelligence' feed is enabled and configured.
# - Create a rule that increases the magnitude of any offense involving an IP, URL, or hash from this feed.
# 3. Build a Search for Anomalous Java RMI Traffic (for CVE-2025-20354):
# - In the 'Log Activity' tab, create an AQL search.
# - Search for traffic to TCP port 1099 on your Cisco CCX servers from sources outside of your trusted management network.
# - AQL: 'SELECT sourceip, destinationip FROM events WHERE destinationport = 1099 AND destinationip IN () AND NOT sourceip IN () START '
# --- Verification Steps --- #
# 1. Test the Custom Rule:
# - Use a test endpoint to simulate the creation of a file in %APPDATA% by a process named 'vetysafe.exe'.
# - Verify that a new offense is generated in QRadar.
# 2. Verify Feed Correlation:
# - Check the 'Threat Intelligence' dashboard to confirm that events are being successfully correlated against the X-Force feed.
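As an added example (not from the rundown, IBM, or any vendor), the correlation the QRadar rule above describes, written as a small Python detector over constructed Sysmon-style events: a watched process loading a DLL from outside trusted directories, or spawning a child from AppData/Temp. The process name vetysafe.exe is from the rundown; every host, path and event below is made up.

```python
"""DLL-sideloading correlation over Sysmon-style events.

Constructed sample data: 'vetysafe.exe' comes from the rundown, everything
else (hosts, paths, signing state) is invented for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Process names the rundown flags as a sideloading host.
WATCHED_PROCESSES = {"vetysafe.exe"}

# Directories a legitimate executable normally loads its DLLs from.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# User-writable locations the QRadar rule keys on.
USER_WRITABLE = re.compile(r"\\(appdata|temp)\\", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    host: str
    process: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DLL_DIRS)


def check_image_load(ev: dict) -> Alert | None:
    """Sysmon EID 7: a watched process loads a DLL from outside trusted dirs.

    Sideloading abuses the loader's search order, so the malicious DLL sits
    next to the binary (or in a user-writable path) rather than in System32.
    """
    proc = ev.get("Image", "")
    dll = ev.get("ImageLoaded", "")
    if _basename(proc) not in WATCHED_PROCESSES:
        return None
    if _is_trusted_dir(dll) and ev.get("Signed", "false").lower() == "true":
        return None
    return Alert("dll_sideload_image_load", ev["host"], proc,
                 f"loaded {dll} (signed={ev.get('Signed', 'unknown')})")


def check_process_create(ev: dict) -> Alert | None:
    """Sysmon EID 1: a watched parent spawns a child from AppData/Temp.

    This is the condition the rundown's QRadar rule describes.
    """
    parent = ev.get("ParentImage", "")
    child = ev.get("Image", "")
    if _basename(parent) in WATCHED_PROCESSES and USER_WRITABLE.search(child):
        return Alert("dll_sideload_child_from_user_dir", ev["host"], parent,
                     f"spawned {child}")
    return None


CHECKS = {1: check_process_create, 7: check_image_load}


def detect(events: list[dict]) -> list[Alert]:
    """Run each event through the check for its EventID; return the alerts."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        if check is None:
            continue
        alert = check(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    # Benign: watched binary loads a signed system DLL.
    {"EventID": 7, "host": "ws01", "Image": r"C:\Program Files\Vendor\vetysafe.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    # Suspicious: unsigned DLL loaded from the binary's own folder under AppData.
    {"EventID": 7, "host": "ws01", "Image": r"C:\Users\alice\AppData\Roaming\vetysafe.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\vetysafe.dll", "Signed": "false"},
    # Suspicious: watched parent spawns a child from %TEMP%.
    {"EventID": 1, "host": "ws02", "ParentImage": r"C:\Users\bob\AppData\Local\Temp\vetysafe.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    # Benign: unrelated parent, ignored.
    {"EventID": 1, "host": "ws02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.process} {a.detail}")
```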
2. YARA Rule for China-Linked Actor Loader
rule China_Linked_Actor_Vetysafe_Loader {
    meta:
        description = "Detects the vetysafe.exe executable used for DLL sideloading by a China-linked actor."
        author = "Threat Rundown"
        date = "2025-11-10"
        reference = "https://securityaffairs.com/?p=184351"
        severity = "high"
        tlp = "white"
    strings:
        $mz = { 4D 5A } // MZ header
        $s1 = "vetysafe.exe" ascii wide
    condition:
        $mz at 0 and filesize < 1MB and $s1
}
3. SIEM Query — Potential Cisco CCX RCE Exploitation (CVE-2025-20354)
index=firewall (sourcetype="pan:traffic" OR sourcetype="cisco:asa")
    (dest_port=1099) AND (dest_ip IN (list_of_cisco_ccx_servers))
    NOT (src_ip IN (list_of_trusted_management_ips))
| bin _time span=5m
| stats count by _time, src_ip, dest_ip, dest_port, user
| where count > 5
| eval risk_score=case(
    src_ip IN (known_threat_intel_feed), 100,
    1==1, 75)
| table _time, src_ip, dest_ip, user, risk_score
| sort -_time
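The same logic as the SPL query above (and the AQL search in section 1), as an added Python example rather than anything from the rundown: keep 1099/tcp flows to the CCX servers from outside the management network, bucket them into 5-minute windows, alert on more than 5 hits per window, and score 100 when the source is on a threat-intel list, else 75. The server list, management range, threat-intel address and flow lines are constructed placeholders.

```python
"""Port-1099 (Java RMI) exposure check for Cisco CCX hosts over flow logs.

All addresses and log lines are constructed for the example; the lists
stand in for the SPL query's list_of_cisco_ccx_servers,
list_of_trusted_management_ips and known_threat_intel_feed.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from datetime import datetime, timezone

RMI_PORT = 1099
THRESHOLD = 5           # a finding needs more than this many hits in a window
WINDOW_SECONDS = 300    # 5-minute bucket, like `bin _time span=5m`

CCX_SERVERS = {"10.20.30.5", "10.20.30.6"}               # placeholder
TRUSTED_MGMT = [ipaddress.ip_network("10.1.0.0/24")]     # placeholder
THREAT_INTEL = {"203.0.113.77"}                          # TEST-NET-3, constructed


def parse_flow(line: str) -> dict:
    """Parse 'ISO8601,src_ip,dest_ip,dest_port' and attach its window start."""
    ts, src, dst, port = line.strip().split(",")
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    bucket = int(when.timestamp()) // WINDOW_SECONDS * WINDOW_SECONDS
    return {"bucket": bucket, "src": src, "dst": dst, "port": int(port)}


def is_trusted(src: str) -> bool:
    """True when the source sits inside the management network allowlist."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_MGMT)


def risk_score(src: str) -> int:
    """100 for a known-bad source, otherwise 75 (the SPL case() branches)."""
    return 100 if src in THREAT_INTEL else 75


def find_rmi_exposure(lines: list[str]) -> list[dict]:
    """Return one finding per (window, src, dst) that exceeds THRESHOLD."""
    counts: Counter = Counter()
    for line in lines:
        f = parse_flow(line)
        if f["port"] != RMI_PORT or f["dst"] not in CCX_SERVERS:
            continue
        if is_trusted(f["src"]):
            continue
        counts[(f["bucket"], f["src"], f["dst"])] += 1
    findings = []
    # Newest window first, like `sort -_time`.
    for (bucket, src, dst), n in sorted(counts.items(), reverse=True):
        if n > THRESHOLD:
            findings.append({
                "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
                "src_ip": src, "dest_ip": dst, "count": n,
                "risk_score": risk_score(src),
            })
    return findings


# Constructed flow records.
SAMPLE_FLOWS = (
    # 6 hits from a threat-intel IP inside one 5-minute window -> finding
    [f"2025-11-08T18:02:{i * 7:02d}Z,203.0.113.77,10.20.30.5,1099" for i in range(6)]
    # 3 + 3 hits from an untrusted internal host, split across two windows -> none
    + [f"2025-11-08T18:0{i}:30Z,10.50.0.9,10.20.30.6,1099" for i in range(3)]
    + [f"2025-11-08T18:1{i}:30Z,10.50.0.9,10.20.30.6,1099" for i in range(3)]
    # 8 hits from the management network -> allowlisted
    + [f"2025-11-08T18:0{i}:00Z,10.1.0.2{i},10.20.30.5,1099" for i in range(8)]
    # noise: wrong port, and a destination that is not a CCX server
    + ["2025-11-08T18:02:40Z,203.0.113.77,10.20.30.5,443",
       "2025-11-08T18:02:50Z,203.0.113.77,10.20.30.99,1099"]
)

if __name__ == "__main__":
    for finding in find_rmi_exposure(SAMPLE_FLOWS):
        print(finding)
```

Without the window bucketing, counting by the raw timestamp (as the original `stats count by _time` did) never reaches the threshold, which is why the query above now bins first.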
4. PowerShell Script — Hunt for vetysafe.exe Artifacts
# Hunt for vetysafe.exe process and file artifacts
$suspiciousProcess = "vetysafe.exe"
# Get-Process -Name matches the process name without its .exe extension
$processName = [System.IO.Path]::GetFileNameWithoutExtension($suspiciousProcess)
# ${env:ProgramFiles(x86)} needs the braces; "$env:ProgramFiles(x86)" only expands $env:ProgramFiles.
# Where-Object drops variables that are unset on this host (e.g. no (x86) dir on 32-bit Windows).
$searchPaths = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
Write-Host "[*] Searching for running process: $suspiciousProcess"
$running = Get-Process -Name $processName -ErrorAction SilentlyContinue
if ($running) {
    Write-Host "[!] FOUND suspicious process running:"
    $running | Format-List Path, Id, StartTime
} else {
    Write-Host "[-] No running process found."
}
# PowerShell strings use `n for a newline; "\n" would print literally
Write-Host "`n[*] Searching for file artifacts on disk..."
foreach ($path in $searchPaths) {
    Get-ChildItem -Path $path -Filter $suspiciousProcess -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "[!] FOUND file artifact: $($_.FullName)"
        # DLL sideloading: the malicious library usually sits beside the host binary,
        # so list any DLL in the same directory whose Authenticode signature is not valid.
        Get-ChildItem -Path $_.DirectoryName -Filter *.dll -File -ErrorAction SilentlyContinue |
            Get-AuthenticodeSignature |
            Where-Object { $_.Status -ne 'Valid' } |
            ForEach-Object { Write-Host "    [!] Unsigned/invalid DLL beside it: $($_.Path) ($($_.Status))" }
    }
}
Write-Host "[*] Hunt complete."
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
"confidence": 95,
"type": "malware",
"id": "malware--c1213cab-cfa6-47a2-b43b-7af4967ec05a",
"name": "XMRig",
"is_family": true,
"malware_types": [
"crypto-miner"
],
"labels": [
"malicious-activity"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "identity",
"id": "identity--cba0f55e-7bb3-4ae6-b0f8-048dae21e7f3",
"name": "Proofpoint",
"identity_class": "organization",
"labels": [
"organization"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "identity",
"id": "identity--ad194b40-4a7d-4618-9298-c15574c0cf77",
"name": "Nozomi Networks",
"identity_class": "organization",
"labels": [
"organization"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "malware",
"id": "malware--ffa5aef9-e5ae-485c-b748-1db12e072806",
"name": "Akira Ransomware’s",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "identity",
"id": "identity--6c5b43ba-1151-49f5-aea4-5130de5e46ba",
"name": "Rapid7",
"identity_class": "organization",
"labels": [
"organization"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "identity",
"id": "identity--ec073fc7-bb30-4c07-8aa0-9d1d51058897",
"name": "Microsoft Threat Intelligence",
"identity_class": "organization",
"labels": [
"organization"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "identity",
"id": "identity--6b8db019-ba56-4716-bbd3-bab18737fef4",
"name": "OWASP",
"identity_class": "organization",
"labels": [
"organization"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "tool",
"id": "tool--9fb8a1b4-5c61-44e4-90e1-494f8de4d8d6",
"name": "any.run",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 93,
"type": "malware",
"id": "malware--bbe568e2-469f-4f6e-894f-9004f60be5a5",
"name": "Ransomware",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "tool",
"id": "tool--9f804692-3dad-41b3-b550-5a7ca93e97a9",
"name": "Wazuh",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "malware",
"id": "malware--4267370b-1057-49a4-942f-fcb4c563aacc",
"name": "MatrixPDF",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "tool",
"id": "tool--c2210051-55ab-4475-801e-0134045250d9",
"name": "Defender for Office 365",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "identity",
"id": "identity--37a6c73b-081d-4c71-a467-5ccabd7ab329",
"name": "ZDI",
"identity_class": "organization",
"labels": [
"organization"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "identity",
"id": "identity--a57d502c-4e82-41ec-9234-875d491343fa",
"name": "CBO",
"identity_class": "organization",
"labels": [
"organization"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "identity",
"id": "identity--9fa139c1-5ce0-4ccf-9d02-1e0f8c2f38f6",
"name": "SonicWall",
"identity_class": "organization",
"labels": [
"organization"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "malware",
"id": "malware--8a13dba8-08ba-42eb-b07b-0712d0ad6082",
"name": "Datzbro that can conduct device takeover",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "malware",
"id": "malware--9c959f03-a85c-4ccb-b73e-c55b0e32e5c2",
"name": "RayInitiator",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--fa23fba6-5aba-458c-b415-59ec946c866d",
"name": "Aleksei Olegovich Volkov",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "tool",
"id": "tool--8296b0e0-ae1f-45b6-8de0-1c1a4a5e05c5",
"name": "Kali",
"tool_types": [
"exploitation",
"vulnerability-scanning",
"network-capture"
],
"labels": [
"tool"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "malware",
"id": "malware--6f4456e2-6dc0-4521-ba8e-cabeff00859c",
"name": "RingReaper",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--d61efa5c-464b-456c-a119-3d0fa06440fc",
"name": "chubaka.kor",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 90,
"type": "malware",
"id": "malware--2d7ce7de-e032-4043-8963-4c014393a48f",
"name": "Paragon’s Graphite",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "malware",
"id": "malware--5e5e274e-42ad-4cf9-86fc-12db386831e5",
"name": "Gootloader Returns",
"is_family": true,
"malware_types": [
"dropper"
],
"labels": [
"malicious-activity"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "location",
"id": "location--c92adf8f-1739-4c88-895d-06a7f2948f2e",
"name": "U.S.",
"region": "unknown",
"labels": [
"location"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "attack-pattern",
"id": "attack-pattern--78a1ad04-d1a7-4bf8-8006-34af1fd1d770",
"name": "Privilege Escalation",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "unknown"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": []
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "identity",
"id": "identity--ce2e69c6-c194-4ca1-8ccd-65c1ce21af1b",
"name": "Mend.io",
"identity_class": "organization",
"labels": [
"organization"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "location",
"id": "location--554766a1-5093-4b60-9732-aa6d14becb18",
"name": "South Korea",
"country": "KR",
"labels": [
"location"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "tool",
"id": "tool--91088445-edc4-4d00-864c-785446cbb1af",
"name": "Universal Forwarders",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "identity",
"id": "identity--f8278a12-ae20-4c3f-9977-3dd4feafc099",
"name": "OneBlood",
"identity_class": "organization",
"labels": [
"organization"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "identity",
"id": "identity--01b0e443-1611-4441-beba-d4f250c69101",
"name": "Security Affairs",
"identity_class": "organization",
"labels": [
"organization"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "tool",
"id": "tool--2bd39da2-1744-453b-8891-2872e72c94bb",
"name": "ELK",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "location",
"id": "location--79365b11-f080-4c12-97f5-45b7784679a6",
"name": "Oman",
"region": "unknown",
"labels": [
"location"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 93,
"type": "threat-actor",
"id": "threat-actor--a2bc0cc6-3e55-464a-9a42-f48e7d9b9fd5",
"name": "DragonForce",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "location",
"id": "location--e8a8e369-e014-4c3f-98e2-d780344dbe7a",
"name": "Moldova",
"region": "unknown",
"labels": [
"location"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "tool",
"id": "tool--98496f61-df6e-4741-9fdc-b751ce5ac69d",
"name": "Cisco Secure Firewall Threat Defense",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.752Z",
"modified": "2025-11-09T10:44:26.752Z",
"confidence": 95,
"type": "location",
"id": "location--99e79579-3626-4cbc-b307-9a0ed522e607",
"name": "Dublin",
"region": "unknown",
"labels": [
"location"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.753Z",
"modified": "2025-11-09T10:44:26.753Z",
"confidence": 77,
"type": "indicator",
"id": "indicator--032d49c6-e2db-4ca3-ac15-f16c0d458867",
"name": "141.98.82.26",
"pattern": "[ipv4-addr:value = '141.98.82.26']",
"pattern_type": "stix",
"indicator_types": [
"ipv4-addr"
],
"valid_from": "2025-11-09T10:44:26.753023+00:00",
"labels": [
"malicious-activity"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.753Z",
"modified": "2025-11-09T10:44:26.753Z",
"confidence": 95,
"type": "location",
"id": "location--ea96e271-70b7-4ed7-af72-74ba165daca2",
"name": "Brussels",
"region": "unknown",
"labels": [
"location"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.753Z",
"modified": "2025-11-09T10:44:26.753Z",
"confidence": 80,
"type": "vulnerability",
"id": "vulnerability--7680a803-4098-41b0-83ff-f4c1ee650dbd",
"name": "the Gemini Trifecta",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.753Z",
"modified": "2025-11-09T10:44:26.753Z",
"confidence": 95,
"type": "location",
"id": "location--2cffd105-432c-46ca-a015-faa047518780",
"name": "Afghanistan",
"region": "unknown",
"labels": [
"location"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.753Z",
"modified": "2025-11-09T10:44:26.753Z",
"confidence": 95,
"type": "identity",
"id": "identity--a8564e44-9dd4-4fa2-af91-011d076d1c14",
"name": "Suspected in Breach of Congressional Budget Office The Congressional Budget Office has been the subject of an apparent cyber incident",
"identity_class": "organization",
"labels": [
"organization"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.753Z",
"modified": "2025-11-09T10:44:26.753Z",
"confidence": 95,
"type": "location",
"id": "location--44405860-a9a6-458f-beae-e4e62ebb780f",
"name": "the United Arab Emirates",
"region": "unknown",
"labels": [
"location"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.753Z",
"modified": "2025-11-09T10:44:26.753Z",
"confidence": 95,
"type": "identity",
"id": "identity--7aa77399-1a75-40ae-a4c3-2fbf8783bcff",
"name": "Jaguar Land Rover",
"identity_class": "organization",
"labels": [
"organization"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.753Z",
"modified": "2025-11-09T10:44:26.753Z",
"confidence": 95,
"type": "location",
"id": "location--09fb5c3f-e950-4d77-9967-81596ba45e63",
"name": "Israel",
"country": "IL",
"labels": [
"location"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.753Z",
"modified": "2025-11-09T10:44:26.753Z",
"confidence": 95,
"type": "location",
"id": "location--5dbd12b2-f0b0-4c36-847b-62aa529b4595",
"name": "Berlin",
"region": "unknown",
"labels": [
"location"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.753Z",
"modified": "2025-11-09T10:44:26.753Z",
"confidence": 95,
"type": "location",
"id": "location--24ea8196-d1e3-4fe9-8c4e-06047a334d1e",
"name": "Ireland",
"region": "unknown",
"labels": [
"location"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.753Z",
"modified": "2025-11-09T10:44:26.753Z",
"confidence": 91,
"type": "attack-pattern",
"id": "attack-pattern--020ddb29-4b95-4601-a850-894e55402fe2",
"name": "using maliciously crafted input",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "unknown"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": []
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.753Z",
"modified": "2025-11-09T10:44:26.753Z",
"confidence": 91,
"type": "location",
"id": "location--4184e662-7eed-444d-94b4-7f31e34d5299",
"name": "Germany",
"country": "DE",
"labels": [
"location"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.753Z",
"modified": "2025-11-09T10:44:26.753Z",
"confidence": 91,
"type": "attack-pattern",
"id": "attack-pattern--2a1ef775-77d8-455c-bede-0a48e2d7adc4",
"name": "a position to observe your network traffic to conclude language model conversation topics",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "unknown"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": []
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.753Z",
"modified": "2025-11-09T10:44:26.753Z",
"confidence": 87,
"type": "location",
"id": "location--d28ab131-d57a-43d0-9c93-51a1e6b190f8",
"name": "Union County",
"region": "unknown",
"labels": [
"location"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:26.753Z",
"modified": "2025-11-09T10:44:26.753Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"name": "Spearphishing Attachment",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/001/",
"external_id": "T1566.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"name": "Spearphishing Link",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/002/",
"external_id": "T1566.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"name": "Spearphishing via Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/003/",
"external_id": "T1566.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--af705332-242d-4c31-9955-6dca77d560de",
"name": "Modify Registry",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1112",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1112/",
"external_id": "T1112"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--75f8063e-1388-4007-8255-4523fceba24e",
"name": "Registry Run Keys / Startup Folder",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1547.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1547/001/",
"external_id": "T1547.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"name": "Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1071",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1071/",
"external_id": "T1071"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"name": "Non-Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1095",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1095/",
"external_id": "T1095"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"confidence": 78,
"type": "attack-pattern",
"id": "attack-pattern--13975792-7c14-4c1e-a11e-80b1ecbde971",
"name": "Disable or Modify Linux Audit System",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"x_mitre_id": "T1562.012",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1562/012/",
"external_id": "T1562.012"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--2e4f88ee-4edd-4377-a16f-6ff65fd48fce",
"name": "Virtual Private Server",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1583.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1583/003/",
"external_id": "T1583.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"name": "Scheduled Task",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/005/",
"external_id": "T1053.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"name": "Socket Filters",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1205.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1205/002/",
"external_id": "T1205.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"name": "Malicious Shell Modification",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1156",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1156/",
"external_id": "T1156"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--0ec035fd-a9cc-499e-93eb-44852911672c",
"created": "2025-11-09T10:44:16.147Z",
"modified": "2025-11-09T10:44:16.147Z",
"name": "Non-Human Identities",
"description": "Malware Non-Human Identities identified in threat intelligence",
"malware_types": [
"unknown"
],
"is_family": true,
"external_references": [
{
"source_name": "article",
"url": "https://entro.security/?p=18616",
"description": "NHIs: A Budget-Friendly Solution for Modern Cybersecurity?"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"malicious-activity"
]
},
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--7c76c70f-1bad-41ab-89c6-d78e370811f4",
"created": "2025-11-09T10:44:16.898Z",
"modified": "2025-11-09T10:44:16.898Z",
"name": "the Extended Security Updates",
"description": "Malware the Extended Security Updates identified in threat intelligence",
"malware_types": [
"unknown"
],
"is_family": true,
"external_references": [
{
"source_name": "article",
"url": "https://www.bleepingcomputer.com/news/microsoft/still-on-windows-10-enroll-in-free-extended-security-updates/",
"description": "Still on Windows 10? Enroll in free ESU before next week’s Patch Tuesday"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"malicious-activity"
]
},
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--dffb4264-779c-42f9-9800-be25af73076d",
"created": "2025-11-09T10:44:16.898Z",
"modified": "2025-11-09T10:44:16.898Z",
"name": "ESU",
"description": "Malware ESU identified in threat intelligence",
"malware_types": [
"unknown"
],
"is_family": true,
"external_references": [
{
"source_name": "article",
"url": "https://www.bleepingcomputer.com/news/microsoft/still-on-windows-10-enroll-in-free-extended-security-updates/",
"description": "Still on Windows 10? Enroll in free ESU before next week’s Patch Tuesday"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"malicious-activity"
]
},
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--7b9bae54-ff8a-4894-beab-42a46b99d545",
"created": "2025-11-09T10:44:17.158Z",
"modified": "2025-11-09T10:44:17.158Z",
"name": "Secrets Security Management",
"description": "Malware Secrets Security Management identified in threat intelligence",
"malware_types": [
"unknown"
],
"is_family": true,
"external_references": [
{
"source_name": "article",
"url": "https://entro.security/?p=18594",
"description": "Freedom in Cybersecurity: Choosing the Right NHIs"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"malicious-activity"
]
},
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--e77401fd-d913-45ea-86b4-c9b9dbf8a278",
"created": "2025-11-09T10:44:19.154Z",
"modified": "2025-11-09T10:44:19.154Z",
"name": "ALPHV",
"description": "Malware ALPHV identified in threat intelligence",
"malware_types": [
"unknown"
],
"is_family": true,
"external_references": [
{
"source_name": "article",
"url": "https://www.sentinelone.com/?p=134916",
"description": "The Good, the Bad and the Ugly in Cybersecurity – Week 45"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"malicious-activity"
]
},
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--30372c67-c5d7-46f4-bae6-3f88e160ee3a",
"created": "2025-11-09T10:44:19.154Z",
"modified": "2025-11-09T10:44:19.154Z",
"name": "Crypto",
"description": "Malware Crypto identified in threat intelligence",
"malware_types": [
"unknown"
],
"is_family": true,
"external_references": [
{
"source_name": "article",
"url": "https://www.sentinelone.com/?p=134916",
"description": "The Good, the Bad and the Ugly in Cybersecurity – Week 45"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"malicious-activity"
]
},
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--6d51f5dd-427b-4d73-a750-93d69adc5f37",
"created": "2025-11-09T10:44:19.154Z",
"modified": "2025-11-09T10:44:19.154Z",
"name": "Fraud",
"description": "Malware Fraud identified in threat intelligence",
"malware_types": [
"unknown"
],
"is_family": true,
"external_references": [
{
"source_name": "article",
"url": "https://www.sentinelone.com/?p=134916",
"description": "The Good, the Bad and the Ugly in Cybersecurity – Week 45"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"malicious-activity"
]
},
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--46df4c75-7d15-4ee9-ae10-98989f906a2f",
"created": "2025-11-09T10:44:19.154Z",
"modified": "2025-11-09T10:44:19.154Z",
"name": "Crypto Fraud & DPRK Laundering Ops",
"description": "Malware Crypto Fraud & DPRK Laundering Ops identified in threat intelligence",
"malware_types": [
"unknown"
],
"is_family": true,
"external_references": [
{
"source_name": "article",
"url": "https://www.sentinelone.com/?p=134916",
"description": "The Good, the Bad and the Ugly in Cybersecurity – Week 45"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"malicious-activity"
]
},
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--2698040b-690b-45a7-9f44-4aa6b0f71efd",
"created": "2025-11-09T10:44:23.016Z",
"modified": "2025-11-09T10:44:23.016Z",
"name": "the Drinking Water Inspectorate",
"description": "Malware the Drinking Water Inspectorate identified in threat intelligence",
"malware_types": [
"trojan"
],
"is_family": true,
"external_references": [
{
"source_name": "article",
"url": "https://www.reddit.com/r/cybersecurity/comments/1os4kxs/cyberattacks_are_increasingly_targeting_the_water/",
"description": "Cyber-Attacks Are Increasingly Targeting the Water Sector"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"malicious-activity"
]
},
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--4a22e96b-acab-4089-a2c9-17ee47185893",
"created": "2025-11-09T10:44:23.767Z",
"modified": "2025-11-09T10:44:23.767Z",
"name": "Spyware Targets Samsung Galaxy Devices",
"description": "Malware Spyware Targets Samsung Galaxy Devices identified in threat intelligence",
"malware_types": [
"spyware"
],
"is_family": true,
"external_references": [
{
"source_name": "article",
"url": "https://www.healthcareinfosecurity.com/samsung-zero-day-flaw-exploited-by-landfall-spyware-a-29963",
"description": "Samsung Zero-Day Flaw Exploited by 'Landfall' Spyware"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"malicious-activity"
]
},
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--620d1f35-4965-4b56-90d9-a815cb3b70a6",
"created": "2025-11-09T10:44:23.767Z",
"modified": "2025-11-09T10:44:23.767Z",
"name": "Samsung Galaxy",
"description": "Malware Samsung Galaxy identified in threat intelligence",
"malware_types": [
"unknown"
],
"is_family": true,
"external_references": [
{
"source_name": "article",
"url": "https://www.healthcareinfosecurity.com/samsung-zero-day-flaw-exploited-by-landfall-spyware-a-29963",
"description": "Samsung Zero-Day Flaw Exploited by 'Landfall' Spyware"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"malicious-activity"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--72c163d9-58ab-4f9a-8df6-fb3578b7d139",
"created": "2025-11-09T10:44:26.742Z",
"modified": "2025-11-09T10:44:26.742Z",
"name": "CVE-2025-21042 Exploitation Campaign",
"description": "Coordinated exploitation activity targeting CVE-2025-21042",
"first_seen": "2025-11-07T18:00:00.000Z",
"last_seen": "2025-11-07T18:00:00.000Z",
"objective": "Exploitation of CVE-2025-21042 for unauthorized access",
"confidence": 75,
"external_references": [
{
"source_name": "article",
"url": "https://thehackernews.com/2025/11/samsung-zero-click-flaw-exploited-to.html",
"description": "Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--08da5b48-ae3f-4221-af75-396f27d9c0fd",
"created": "2025-11-09T10:44:26.742Z",
"modified": "2025-11-09T10:44:26.742Z",
"name": " Samsung Galaxy Campaign",
"description": "Campaign involving using Samsung Galaxy",
"first_seen": "2025-11-07T18:00:00.000Z",
"last_seen": "2025-11-07T18:00:00.000Z",
"objective": "Malicious cyber operations",
"confidence": 70,
"external_references": [
{
"source_name": "article",
"url": "https://thehackernews.com/2025/11/samsung-zero-click-flaw-exploited-to.html",
"description": "Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--a277f9ef-3ad9-4589-be8d-68524adad98d",
"created": "2025-11-09T10:44:26.742Z",
"modified": "2025-11-09T10:44:26.742Z",
"name": " Fraud Campaign",
"description": "Campaign involving using Fraud",
"first_seen": "2025-11-08T16:00:00.000Z",
"last_seen": "2025-11-08T16:00:00.000Z",
"objective": "Malicious cyber operations",
"confidence": 70,
"external_references": [
{
"source_name": "article",
"url": "http://securityboulevard.com/?guid=8726392d3cf475bce275e835c7ca2a68",
"description": "NDSS 2025 – Qualitative Study On Boards’ Cybersecurity Risk Decision Making"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--3007e546-4048-4622-95dc-2eb0d954f782",
"created": "2025-11-09T10:44:26.742Z",
"modified": "2025-11-09T10:44:26.742Z",
"name": "CVE-2025-24085 Exploitation Campaign",
"description": "Coordinated exploitation activity targeting CVE-2025-24085",
"first_seen": "2025-11-09T04:58:20.000Z",
"last_seen": "2025-11-09T04:58:20.000Z",
"objective": "Exploitation of CVE-2025-24085 for unauthorized access",
"confidence": 75,
"external_references": [
{
"source_name": "article",
"url": "https://www.reddit.com/r/cybersecurity/comments/1osak55/cve_202524085_0click_imessage_attack/",
"description": "CVE 2025-24085 | 0-Click iMessage Attack"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--94ae090a-d676-4ba5-bcf4-538041d51e77",
"created": "2025-11-09T10:44:26.743Z",
"modified": "2025-11-09T10:44:26.743Z",
"name": " ESU Campaign",
"description": "Campaign involving using ESU",
"first_seen": "2025-11-08T17:08:31.000Z",
"last_seen": "2025-11-08T17:08:31.000Z",
"objective": "Malicious cyber operations",
"confidence": 70,
"external_references": [
{
"source_name": "article",
"url": "http://psilvas.wordpress.com/?p=4209",
"description": "Saturday Security: Three Breaches, Three Lessons and How Attackers Keep Adapting"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--29dbe1e9-7e06-411f-ba9b-f6a047050ec5",
"created": "2025-11-09T10:44:26.743Z",
"modified": "2025-11-09T10:44:26.743Z",
"name": " Non-Human Identities Campaign",
"description": "Campaign involving using Non-Human Identities",
"first_seen": "2025-11-08T22:00:00.000Z",
"last_seen": "2025-11-08T22:00:00.000Z",
"objective": "Malicious cyber operations",
"confidence": 70,
"external_references": [
{
"source_name": "article",
"url": "https://entro.security/?p=18606",
"description": "Ensuring Stability in Cyber Security with NHIs"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--13b3edaf-0e44-475b-bcc0-8f535825e89d",
"created": "2025-11-09T10:44:26.743Z",
"modified": "2025-11-09T10:44:26.743Z",
"name": " Paragon’s Graphite Campaign",
"description": "Campaign involving using Paragon’s Graphite",
"first_seen": "2025-11-08T17:19:37.000Z",
"last_seen": "2025-11-08T17:19:37.000Z",
"objective": "Malicious cyber operations",
"confidence": 70,
"external_references": [
{
"source_name": "article",
"url": "https://securityaffairs.com/?p=184340",
"description": "A new Italian citizen was targeted with Paragon’s Graphite spyware. We have a serious problem"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--356cf522-6ebd-4f34-9792-f1daebd55730",
"created": "2025-11-09T10:44:26.744Z",
"modified": "2025-11-09T10:44:26.744Z",
"name": " the Extended Security Updates Campaign",
"description": "Campaign involving using the Extended Security Updates",
"first_seen": "2025-11-08T15:09:19.000Z",
"last_seen": "2025-11-08T15:09:19.000Z",
"objective": "Malicious cyber operations",
"confidence": 70,
"external_references": [
{
"source_name": "article",
"url": "https://www.bleepingcomputer.com/news/microsoft/still-on-windows-10-enroll-in-free-extended-security-updates/",
"description": "Still on Windows 10? Enroll in free ESU before next week’s Patch Tuesday"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--e926dd4b-4551-4483-b4f9-9064d5e8e647",
"created": "2025-11-09T10:44:26.745Z",
"modified": "2025-11-09T10:44:26.745Z",
"name": " ALPHV Campaign",
"description": "Campaign involving using ALPHV",
"first_seen": "2025-11-07T14:00:07.000Z",
"last_seen": "2025-11-07T14:00:07.000Z",
"objective": "Malicious cyber operations",
"confidence": 70,
"external_references": [
{
"source_name": "article",
"url": "https://www.sentinelone.com/?p=134916",
"description": "The Good, the Bad and the Ugly in Cybersecurity – Week 45"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--a3117e76-b09d-4ae0-8ef8-3af501b61acf",
"created": "2025-11-09T10:44:26.748Z",
"modified": "2025-11-09T10:44:26.748Z",
"name": " the Drinking Water Inspectorate Campaign",
"description": "Campaign involving using the Drinking Water Inspectorate",
"first_seen": "2025-11-09T00:03:02.000Z",
"last_seen": "2025-11-09T00:03:02.000Z",
"objective": "Malicious cyber operations",
"confidence": 70,
"external_references": [
{
"source_name": "article",
"url": "https://www.reddit.com/r/cybersecurity/comments/1os4kxs/cyberattacks_are_increasingly_targeting_the_water/",
"description": "Cyber-Attacks Are Increasingly Targeting the Water Sector"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--fc5e16e3-9213-4b60-b294-c3e0885f3ff3",
"created": "2025-11-09T10:44:26.749Z",
"modified": "2025-11-09T10:44:26.749Z",
"name": " Spyware Targets Samsung Galaxy Devices Campaign",
"description": "Campaign involving using Spyware Targets Samsung Galaxy Devices",
"first_seen": "2025-11-07T22:37:07.000Z",
"last_seen": "2025-11-07T22:37:07.000Z",
"objective": "Malicious cyber operations",
"confidence": 70,
"external_references": [
{
"source_name": "article",
"url": "https://www.healthcareinfosecurity.com/samsung-zero-day-flaw-exploited-by-landfall-spyware-a-29963",
"description": "Samsung Zero-Day Flaw Exploited by 'Landfall' Spyware"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "course-of-action",
"spec_version": "2.1",
"id": "course-of-action--79cf0d8c-8257-46a8-ad8b-1ababf562110",
"created": "2025-11-09T10:44:26.750Z",
"modified": "2025-11-09T10:44:26.750Z",
"name": "Mitigate CVE-2025-21042",
"description": "Apply security updates and patches to address CVE-2025-21042",
"action_type": "remediate",
"external_references": [
{
"source_name": "nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21042",
"description": "NVD entry with patch information"
},
{
"source_name": "article",
"url": "https://securityaffairs.com/?p=184351",
"description": "China-linked hackers target U.S. non-profit in long-term espionage campaign"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "course-of-action",
"spec_version": "2.1",
"id": "course-of-action--65e8c573-8c12-4e96-a664-2b73aacd5d0d",
"created": "2025-11-09T10:44:26.750Z",
"modified": "2025-11-09T10:44:26.750Z",
"name": "Mitigate CVE-2025-24085",
"description": "Apply security updates and patches to address CVE-2025-24085",
"action_type": "remediate",
"external_references": [
{
"source_name": "nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24085",
"description": "NVD entry with patch information"
},
{
"source_name": "article",
"url": "https://thehackernews.com/2025/11/samsung-zero-click-flaw-exploited-to.html",
"description": "Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7ae7f542-f09f-4c71-a34a-3d83553764df",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"relationship_type": "uses",
"source_ref": "threat-actor--26eca839-6996-4355-b556-31d7e4bd0671",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: the lazarus group uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3ea1dd75-c8d5-4e80-af7a-bcce8e3a353c",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ff08fc2e-94c4-4b43-9534-46cf3ca829d7",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: callisto/star blizzard/unc4057 uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--0c7737b7-ad0c-437c-b2ec-23f9985090f4",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"relationship_type": "uses",
"source_ref": "threat-actor--d31be0f2-c18f-47fc-8c98-44257348d6ca",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: lulzsec uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c4393cba-c21c-48b9-af7a-63c0e29217be",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"relationship_type": "uses",
"source_ref": "threat-actor--632cf54c-908b-4cc4-aed0-0d1937468924",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: charming kitten uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6d9b150c-b8ca-4fb3-b2d0-74201c2b3212",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"relationship_type": "uses",
"source_ref": "threat-actor--4252968b-3f54-481e-bb3b-2e3b30c275e3",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: lazarus uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9ac6628f-ec9d-47f7-841f-7b0f87334fbf",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"relationship_type": "uses",
"source_ref": "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: scattered spider uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e4c2bbcc-14b2-47c8-80a3-3881afadf510",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"relationship_type": "uses",
"source_ref": "threat-actor--1c24883b-5440-48be-89b4-b0c9d2b0646b",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: shinyhunters uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--92e85952-4297-463b-9902-d98991818a2d",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"relationship_type": "uses",
"source_ref": "threat-actor--fa23fba6-5aba-458c-b415-59ec946c866d",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: aleksei olegovich volkov uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8488e448-a942-4125-8b3b-53341115ae34",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"relationship_type": "uses",
"source_ref": "threat-actor--d61efa5c-464b-456c-a119-3d0fa06440fc",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: chubaka.kor uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--fef019ed-2354-453e-ad92-b6d84fdcfab8",
"created": "2025-11-09T10:44:27.340Z",
"modified": "2025-11-09T10:44:27.340Z",
"relationship_type": "uses",
"source_ref": "threat-actor--a2bc0cc6-3e55-464a-9a42-f48e7d9b9fd5",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: dragonforce uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--cd8f5036-6bbd-4816-8b61-75438b0663f6",
"value": "cve.org"
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--b47d353d-bdb4-4935-aab2-8bb69f14104a",
"value": "https://www.cve.org/CVERecord?id=CVE-2025-24085"
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--b99b19f0-653f-44d6-a1e8-0dccc30ed24c",
"value": "breakingdefense.com"
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--b650ce9b-5543-49af-93f5-cb1ca67afa70",
"value": "https://breakingdefense.com/2025/11/pentagon-releases-revised-plan-to-boost-cyber-talent-domain-mastery/"
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--8752478b-d532-4353-a6d9-69614781d7f4",
"value": "thesecuritynexus.net"
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--1692423f-a711-45c5-bbd2-799498e88c11",
"value": "https://www.thesecuritynexus.net/blog_files/d1600229b6b2a1aa1efe82afbad3be5e-29.html"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--23ece01e-ebd3-4e24-8222-b817c637212f",
"created": "2025-11-09T10:44:10.677Z",
"modified": "2025-11-09T10:44:10.677Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'cve.org']",
"pattern_type": "stix",
"valid_from": "2025-11-09T10:44:10.677Z",
"labels": [
"malicious-activity"
],
"confidence": 90
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--fef36d61-1603-44fa-97ad-36e053a077eb",
"created": "2025-11-09T10:44:10.677Z",
"modified": "2025-11-09T10:44:10.677Z",
"relationship_type": "based-on",
"source_ref": "indicator--23ece01e-ebd3-4e24-8222-b817c637212f",
"target_ref": "domain-name--cd8f5036-6bbd-4816-8b61-75438b0663f6"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--18511fe2-959b-4a96-960c-711f20295818",
"created": "2025-11-09T10:44:10.678Z",
"modified": "2025-11-09T10:44:10.678Z",
"name": "Malicious url indicator",
"description": "Malicious url identified in threat intelligence",
"pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2025-24085']",
"pattern_type": "stix",
"valid_from": "2025-11-09T10:44:10.678Z",
"labels": [
"malicious-activity"
],
"confidence": 90
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b7fa0112-74d5-4484-ae70-a427a2cd21fe",
"created": "2025-11-09T10:44:10.678Z",
"modified": "2025-11-09T10:44:10.678Z",
"relationship_type": "based-on",
"source_ref": "indicator--18511fe2-959b-4a96-960c-711f20295818",
"target_ref": "url--b47d353d-bdb4-4935-aab2-8bb69f14104a"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--467c70d6-142b-4387-97ac-9cb19efd88aa",
"created": "2025-11-09T10:44:10.679Z",
"modified": "2025-11-09T10:44:10.679Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'breakingdefense.com']",
"pattern_type": "stix",
"valid_from": "2025-11-09T10:44:10.679Z",
"labels": [
"malicious-activity"
],
"confidence": 90
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--af7e43f0-78ec-4bde-a6da-b9b0fd0a330f",
"created": "2025-11-09T10:44:10.679Z",
"modified": "2025-11-09T10:44:10.679Z",
"relationship_type": "based-on",
"source_ref": "indicator--467c70d6-142b-4387-97ac-9cb19efd88aa",
"target_ref": "domain-name--b99b19f0-653f-44d6-a1e8-0dccc30ed24c"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c48629a5-db6c-41bb-8a28-d2c0e0cf1279",
"created": "2025-11-09T10:44:10.680Z",
"modified": "2025-11-09T10:44:10.680Z",
"name": "Malicious url indicator",
"description": "Malicious url identified in threat intelligence",
"pattern": "[url:value = 'https://breakingdefense.com/2025/11/pentagon-releases-revised-plan-to-boost-cyber-talent-domain-mastery/']",
"pattern_type": "stix",
"valid_from": "2025-11-09T10:44:10.680Z",
"labels": [
"malicious-activity"
],
"confidence": 90
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a1eb40cf-8855-49da-839f-8604f176552b",
"created": "2025-11-09T10:44:10.680Z",
"modified": "2025-11-09T10:44:10.680Z",
"relationship_type": "based-on",
"source_ref": "indicator--c48629a5-db6c-41bb-8a28-d2c0e0cf1279",
"target_ref": "url--b650ce9b-5543-49af-93f5-cb1ca67afa70"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a37f30fd-9c42-4679-87d9-8bbce0946b21",
"created": "2025-11-09T10:44:10.680Z",
"modified": "2025-11-09T10:44:10.680Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'thesecuritynexus.net']",
"pattern_type": "stix",
"valid_from": "2025-11-09T10:44:10.680Z",
"labels": [
"malicious-activity"
],
"confidence": 90
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b2abdbe4-cf53-4583-8906-efb639f47d1e",
"created": "2025-11-09T10:44:10.680Z",
"modified": "2025-11-09T10:44:10.680Z",
"relationship_type": "based-on",
"source_ref": "indicator--a37f30fd-9c42-4679-87d9-8bbce0946b21",
"target_ref": "domain-name--8752478b-d532-4353-a6d9-69614781d7f4"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--958d83e9-0ed3-4588-8ad5-254c00d68082",
"created": "2025-11-09T10:44:10.681Z",
"modified": "2025-11-09T10:44:10.681Z",
"name": "Malicious url indicator",
"description": "Malicious url identified in threat intelligence",
"pattern": "[url:value = 'https://www.thesecuritynexus.net/blog_files/d1600229b6b2a1aa1efe82afbad3be5e-29.html']",
"pattern_type": "stix",
"valid_from": "2025-11-09T10:44:10.681Z",
"labels": [
"malicious-activity"
],
"confidence": 90
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3fd68d69-7b49-4be6-bb6f-ca9a63310439",
"created": "2025-11-09T10:44:10.681Z",
"modified": "2025-11-09T10:44:10.681Z",
"relationship_type": "based-on",
"source_ref": "indicator--958d83e9-0ed3-4588-8ad5-254c00d68082",
"target_ref": "url--1692423f-a711-45c5-bbd2-799498e88c11"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9fb72d82-7480-4eda-8c1f-bd904dd16bf9",
"created": "2025-11-09T10:44:27.341Z",
"modified": "2025-11-09T10:44:27.341Z",
"relationship_type": "mitigated-by",
"source_ref": "vulnerability--792ede9b-8de1-4c9a-91a0-e3f210f0d032",
"target_ref": "course-of-action--65e8c573-8c12-4e96-a664-2b73aacd5d0d",
"description": "CVE-2025-24085 is mitigated by Mitigate CVE-2025-24085"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--68f32e5a-236c-47bf-856c-d49b9e70389d",
"created": "2025-11-09T10:44:27.341Z",
"modified": "2025-11-09T10:44:27.341Z",
"relationship_type": "mitigated-by",
"source_ref": "vulnerability--5aa023ed-89ff-455f-a14b-06d7a32d06cd",
"target_ref": "course-of-action--79cf0d8c-8257-46a8-ad8b-1ababf562110",
"description": "CVE-2025-21042 is mitigated by Mitigate CVE-2025-21042"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--fc62ee33-98d2-4a9f-922b-37f351519ca7",
"created": "2025-11-09T10:44:27.341Z",
"modified": "2025-11-09T10:44:27.341Z",
"relationship_type": "targets",
"source_ref": "campaign--72c163d9-58ab-4f9a-8df6-fb3578b7d139",
"target_ref": "vulnerability--5aa023ed-89ff-455f-a14b-06d7a32d06cd",
"description": "CVE-2025-21042 Exploitation Campaign targets CVE-2025-21042"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--90f8a75a-acf6-4ec7-9dc9-d929a157bca2",
"created": "2025-11-09T10:44:27.341Z",
"modified": "2025-11-09T10:44:27.341Z",
"relationship_type": "targets",
"source_ref": "campaign--3007e546-4048-4622-95dc-2eb0d954f782",
"target_ref": "vulnerability--792ede9b-8de1-4c9a-91a0-e3f210f0d032",
"description": "CVE-2025-24085 Exploitation Campaign targets CVE-2025-24085"
}
]
}
Download: 2025-11-09-stix.json
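A bundle like the one above is machine-generated and is typically loaded straight into a TIP or SIEM, so it is worth linting for the defects automated extraction produces: relationships whose `source_ref` or `target_ref` resolves to nothing in the bundle, indicators built from citation domains such as cve.org, object names with stray whitespace, and mitigations whose article reference belongs to a different CVE than the one they name. The script below is an added example, not part of this page or of the tool that produced the bundle. `REFERENCE_DOMAINS` is an assumed allowlist chosen for the example, and `SAMPLE_BUNDLE` is constructed from a few of the page's objects, trimmed to the fields the checks read, with one relationship left pointing at a vulnerability object that is not present.

```python
"""Lint a generated STIX 2.1 bundle before loading it into a TIP or SIEM."""
import json
import re
import sys
from urllib.parse import urlparse

# Assumption for this example: well-known reference sites that appear in
# threat reporting only as citations and must never become indicators.
REFERENCE_DOMAINS = {"cve.org", "nvd.nist.gov", "attack.mitre.org"}

# The single-comparison patterns the bundle uses, e.g.
# [domain-name:value = 'cve.org'] or [url:value = 'https://...'].
_SIMPLE_PATTERN = re.compile(r"^\[(domain-name|url):value\s*=\s*'([^']*)'\]$")
_CVE = re.compile(r"CVE-\d{4}-\d{4,}")


def _host(value):
    """Lower-cased hostname without a leading 'www.'; None if there is none."""
    value = value or ""
    host = urlparse(value).hostname if "://" in value else value
    return host.lower().removeprefix("www.") if host else None


def pattern_domain(pattern):
    """Domain a simple indicator pattern points at; None for other patterns."""
    m = _SIMPLE_PATTERN.match(pattern.strip())
    return _host(m.group(2)) if m else None


def lint_bundle(bundle):
    """Return a sorted list of (object_id, finding) pairs; empty means clean."""
    objects = bundle.get("objects", [])
    ids = {o["id"] for o in objects if "id" in o}
    cited = set(REFERENCE_DOMAINS)  # domains seen as citations, not as IOCs
    cve_urls = {}                   # CVE id -> article URLs the bundle ties to it
    for obj in objects:
        refs = obj.get("external_references", [])
        for ref in refs:
            host = _host(ref.get("url", ""))
            if host:
                cited.add(host)
        if obj.get("type") != "course-of-action":
            text = f"{obj.get('name', '')} {obj.get('description', '')}"
            urls = {r.get("url") for r in refs if r.get("source_name") == "article"}
            for cve in _CVE.findall(text):
                cve_urls.setdefault(cve, set()).update(urls)

    findings = []
    for obj in objects:
        oid, kind, name = obj.get("id", "<no id>"), obj.get("type"), obj.get("name")
        # 1. Relationship endpoints must exist in the bundle.
        if kind == "relationship":
            for key in ("source_ref", "target_ref"):
                if obj.get(key) not in ids:
                    findings.append((oid, f"dangling {key} {obj.get(key)}"))
        # 2. Indicators whose value is a citation domain are not IOCs.
        if kind == "indicator":
            dom = pattern_domain(obj.get("pattern", ""))
            if dom in cited and "malicious-activity" in obj.get("labels", []):
                findings.append((oid, f"citation domain {dom} labelled malicious"))
        # 3. Whitespace around names breaks de-duplication downstream.
        if isinstance(name, str) and name != name.strip():
            findings.append((oid, f"name has surrounding whitespace: {name!r}"))
        # 4. A mitigation should cite an article the bundle already ties to
        #    the CVE it names (through a campaign or vulnerability object).
        if kind == "course-of-action" and name:
            for cve in _CVE.findall(name):
                for ref in obj.get("external_references", []):
                    url = ref.get("url")
                    if (ref.get("source_name") == "article"
                            and cve in cve_urls and url not in cve_urls[cve]):
                        findings.append((oid, f"article {url} is not linked to {cve} elsewhere"))
    return sorted(findings)


# Constructed sample: a few of the page's objects trimmed to the fields the
# checks read, plus a relationship whose vulnerability object is missing.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--example", "objects": [
    {"type": "campaign", "spec_version": "2.1",
     "id": "campaign--72c163d9-58ab-4f9a-8df6-fb3578b7d139",
     "name": "CVE-2025-21042 Exploitation Campaign",
     "description": "Coordinated exploitation activity targeting CVE-2025-21042",
     "external_references": [{"source_name": "article",
      "url": "https://thehackernews.com/2025/11/samsung-zero-click-flaw-exploited-to.html"}]},
    {"type": "campaign", "spec_version": "2.1",
     "id": "campaign--08da5b48-ae3f-4221-af75-396f27d9c0fd", "name": " Samsung Galaxy Campaign"},
    {"type": "course-of-action", "spec_version": "2.1",
     "id": "course-of-action--79cf0d8c-8257-46a8-ad8b-1ababf562110", "name": "Mitigate CVE-2025-21042",
     "external_references": [
      {"source_name": "nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21042"},
      {"source_name": "article", "url": "https://securityaffairs.com/?p=184351"}]},
    {"type": "domain-name", "spec_version": "2.1",
     "id": "domain-name--cd8f5036-6bbd-4816-8b61-75438b0663f6", "value": "cve.org"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--23ece01e-ebd3-4e24-8222-b817c637212f", "name": "Malicious domain-name indicator",
     "pattern": "[domain-name:value = 'cve.org']", "pattern_type": "stix",
     "labels": ["malicious-activity"], "confidence": 90},
    {"type": "relationship", "spec_version": "2.1",
     "id": "relationship--fef36d61-1603-44fa-97ad-36e053a077eb", "relationship_type": "based-on",
     "source_ref": "indicator--23ece01e-ebd3-4e24-8222-b817c637212f",
     "target_ref": "domain-name--cd8f5036-6bbd-4816-8b61-75438b0663f6"},
    {"type": "relationship", "spec_version": "2.1",
     "id": "relationship--68f32e5a-236c-47bf-856c-d49b9e70389d", "relationship_type": "mitigated-by",
     "source_ref": "vulnerability--5aa023ed-89ff-455f-a14b-06d7a32d06cd",
     "target_ref": "course-of-action--79cf0d8c-8257-46a8-ad8b-1ababf562110"},
]}

if __name__ == "__main__":
    bundle = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for oid, finding in lint_bundle(bundle):
        print(f"{oid}: {finding}")
```

Run it as `python stix_lint.py 2025-11-09-stix.json` against the downloaded file. Any finding from check 2 should block ingestion outright: a SIEM that honours such an indicator will raise an alert every time an analyst opens a CVE record. Check 4 is deliberately conservative; it only fires when the bundle itself ties the CVE to a different article, so it reports cross-wired references rather than missing ones.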