Cybersecurity Latest Rundown

Playbook for the Secure Enterprise

Compliance Impact Scoreboard

SOX: 18 HIPAA: 4 FISMA: 2 NYDFS: 1 PCI DSS: 1 SOC 2: 1

Industry Watch

U.S. Federal Agencies (FISMA) QUIET

Below average activity (0.3x baseline)

Financial Services (Payment Processing) (PCI DSS) QUIET

Below average activity (0.5x baseline)

Technology Service Providers (SOC 2) QUIET

Below average activity (0.5x baseline)

Healthcare (HIPAA) QUIET

Below average activity (0.3x baseline)

CyberSecurity Latest Rundown

Heroes, let's go! The threat landscape for November 12, 2025.

CRITICAL ITEMS

Microsoft Patch Tuesday Addresses Actively Exploited Windows Kernel Zero-Day (CVE-2025-62215)
Date & Time: 2025-11-11T20:49:26

Microsoft's November 2025 security update addresses between 63 and 68 vulnerabilities across its product suite. The most urgent issue is a zero-day vulnerability in the Windows Kernel, tracked as CVE-2025-62215, which is confirmed to be actively exploited in the wild. This flaw allows for local privilege escalation, enabling an attacker who has already gained initial access to a system to elevate their permissions and take full control.

Business impact

Active exploitation means threat actors are already using this flaw to compromise systems. An unpatched vulnerability of this nature can serve as a critical link in a ransomware attack chain, allowing attackers to move from a limited foothold to full domain compromise. This poses an immediate risk to data integrity, confidentiality, and system availability, potentially leading to significant operational disruption and data breaches.

Recommended action

Prioritize the deployment of the November 2025 security updates to all affected Windows systems immediately. Due to active exploitation, CVE-2025-62215 should be patched on all critical systems within a 24-hour window.

CVE: CVE-2025-62215 | Compliance: HIPAA, SOX | Source: cyberscoop.com ↗, blog.qualys.com ↗
Clop Ransomware Campaign Hits Hitachi Subsidiary GlobalLogic via Oracle Zero-Day
Date & Time: 2025-11-11T19:26:08

GlobalLogic, a digital engineering firm and subsidiary of Hitachi, has confirmed it was impacted by a widespread data theft campaign orchestrated by the Clop ransomware group. The attackers exploited a zero-day vulnerability in the Oracle E-Business Suite to gain access. This incident is part of a larger spree of attacks by Clop targeting customers of the widely used enterprise software.

Business impact

This is a significant supply chain security event. The compromise of GlobalLogic, which serves nearly 600 clients, could lead to follow-on attacks or data exposure for its customers. The incident underscores the high risk associated with zero-day vulnerabilities in critical enterprise applications, which can lead to widespread data theft, extortion, and severe reputational damage.

Recommended action

Organizations using Oracle E-Business Suite must ensure all recent security patches have been applied. Conduct an immediate third-party risk review for any vendors, like GlobalLogic, who may have been affected by this campaign to understand potential exposure.

CVE: n/a | Compliance: PCI DSS, SOX | Source: cyberscoop.com ↗
Wolfram Cloud Vulnerability Allows for Privilege Escalation, Remote Code Execution
Date & Time: 2025-11-11T22:09:31

CERT/CC has issued an alert for a critical vulnerability in Wolfram Cloud version 14.2. The flaw stems from the Java Virtual Machine (JVM) having unrestricted access to temporary directories (`/tmp/`) within the cloud environment. This weakness can be exploited by an attacker to escalate privileges, exfiltrate information, and achieve remote code execution on the cloud instance.

Business impact

A compromise of a cloud instance can lead to the theft of sensitive proprietary data, abuse of expensive computational resources for malicious activities like cryptocurrency mining, and the establishment of a beachhead for further attacks into connected corporate networks. The vulnerability affects multi-tenant environments, posing a risk to all users on a shared instance.

Recommended action

Users of Wolfram Cloud version 14.2 should immediately seek guidance from the vendor for patches or mitigation steps. Security teams should review permissions for all applications running in cloud environments, particularly access to temporary file systems, and implement strict monitoring for anomalous activity.

CVE: n/a | Compliance: SOX, SOC 2 | Source: kb.cert.org ↗

HIGH SEVERITY ITEMS

New 'Maverick' Banking Malware Spreads via WhatsApp to Target Brazilian Banks
Date & Time: 2025-11-11T18:37:00

A new .NET-based banking malware, dubbed "Maverick," is being distributed via WhatsApp to target users and banks in Brazil. The malware shares characteristics with another banking trojan called "Coyote" and is designed to hijack browser sessions to steal financial credentials and execute fraudulent transactions. The use of a popular messaging platform as a distribution vector increases its potential reach and success rate.

Business impact

This campaign poses a direct financial risk to corporate and personal banking customers in the targeted region. A successful infection can lead to unauthorized fund transfers, credential theft, and compromise of sensitive financial data.

Recommended action

Advise employees, especially those operating in Brazil, to be vigilant against unsolicited links and files shared on WhatsApp. Ensure endpoint protection is capable of detecting and blocking .NET-based threats and consider deploying browser isolation technologies for high-risk users.

CVE: n/a | Compliance: NYDFS | Source: thehackernews.com ↗
Intel Patches Over 60 Vulnerabilities in November Security Update
Date & Time: 2025-11-12T10:36:11

Coinciding with Microsoft's updates, major chipmakers have also released their monthly security advisories. Intel's release is notably large, addressing over 60 vulnerabilities in its hardware and software products. These updates highlight the ongoing security challenges at the firmware and hardware level, which can provide attackers with deep and persistent access if left unpatched.

Business impact

Hardware-level vulnerabilities can undermine the entire security stack built on top of them. Successful exploitation can bypass operating system and application-level controls, making them particularly dangerous. Failure to apply firmware patches can leave organizations exposed to threats that are invisible to many traditional security tools.

Recommended action

IT and security teams must incorporate firmware and driver updates from hardware vendors like Intel, AMD, and Nvidia into their regular patch management cycles. Review the latest advisories to identify and prioritize patching for hardware deployed in your environment.

CVE: n/a | Compliance: SOX | Source: securityweek.com ↗
Security Researchers Highlight Limitations of Google Play Integrity API for Mobile App Defense
Date & Time: 2025-11-11T21:04:31

With Google's SafetyNet Attestation API being deprecated, developers are migrating to the new Play Integrity API. However, a recent analysis highlights its limitations in providing complete protection against sophisticated mobile threats. Relying solely on this API may leave mobile applications vulnerable to reverse engineering, tampering, or execution on rooted or compromised devices.

Business impact

For businesses with mobile apps that handle sensitive customer data or financial transactions, over-reliance on platform-level security checks can lead to a false sense of security. This could expose the organization and its customers to fraud, data theft, and brand damage.

Recommended action

Mobile development teams must adopt a defense-in-depth strategy for application security. This should include client-side protections like code obfuscation and runtime application self-protection (RASP) in addition to server-side validation and API protection that doesn't depend exclusively on the Play Integrity API.

CVE: n/a | Compliance: SOX | Source: approov.io ↗

EXECUTIVE INSIGHTS

Tenzai Raises $75 Million to Build AI-Powered Pentesting Platform
Date & Time: 2025-11-11T20:55:26

Tel Aviv-based startup Tenzai has secured $75 million in seed funding for its AI-driven penetration testing platform. The platform aims to continuously identify and address vulnerabilities, reflecting a broader industry trend towards automating and scaling offensive security practices.

Source: securityweek.com ↗
AI Tools Can Accelerate Reverse Engineering of Fraud Prevention Controls
Date & Time: 2025-11-12T00:46:35

Attackers are now using AI-powered analysis tools to reverse engineer client-side security controls in hours, a task that previously took skilled humans weeks. This shift requires defenders to move beyond simple code obfuscation and adopt more dynamic and resilient fraud prevention techniques.

Source: arkoselabs.com ↗

VENDOR SPOTLIGHT

Spotlight Rationale: Today's critical intelligence is dominated by privilege escalation vulnerabilities like the actively exploited Windows Kernel zero-day ([CVE-2025-62215](https://nvd.nist.gov/vuln/detail/CVE-2025-62215)), the Wolfram Cloud flaw, and the MSP360 Backup issue. These threats highlight the extreme risk of standing privileges, where an attacker can exploit a flaw to gain control of an account or service with persistent, high-level access. Aembit's approach directly counters this by eliminating the concept of standing privileges for workloads.

Threat Context: Microsoft Patch Tuesday Addresses Actively Exploited Windows Kernel Zero-Day (CVE-2025-62215)

Platform Focus: Aembit Workload IAM

Aembit provides a Just-in-Time (JIT) access model for workloads and Non-Human Identities (NHIs). Instead of relying on static, long-lived credentials (like API keys or service account passwords) that can be stolen after a breach, Aembit grants ephemeral, tightly-scoped tokens to workloads only when they need to access another service. If an attacker compromises a server via a flaw like CVE-2025-62215, they will find no standing credentials to steal, severely limiting their ability to move laterally across the cloud environment.

Actionable Platform Guidance: To mitigate threats like CVE-2025-62215, security teams can use Aembit to enforce a zero-standing-privilege policy. Start by identifying critical workloads that use static credentials. Onboard these workloads into Aembit and create access policies that define which services they can communicate with. Aembit will then act as an identity provider, federating identity and issuing short-lived tokens, effectively removing the static secrets from the workload's environment.

Source: aembit.io ↗

DETECTION & RESPONSE KIT

⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.

1. Vendor Platform Configuration - Aembit Policy for Zero Standing Privilege

# This is a conceptual guide for creating an Aembit policy to
# eliminate static credentials for a workload, mitigating lateral
# movement risk from exploits like CVE-2025-62215.

# 1. Identify the Client Workload and Server Workload
#    - Client: 'billing-processor-service' (e.g., running on a Windows VM)
#    - Server: 'customer-database-api'

# 2. Define Access Policy in Aembit UI or via IaC (Terraform)
policy {
name        = "Allow Billing to Access Customer DB"
description = "Grants JIT access for the billing service to the database API."

# Define conditions for the client workload
client_conditions {
# Match based on cloud provider tags, Kubernetes labels, etc.
# This ensures only the legitimate workload gets access.
aws_tags = {
"app" = "billing-processor"
"env" = "production"
}
}

# Define conditions for the server workload
server_conditions {
aws_tags = {
"app" = "customer-database"
"env" = "production"
}
}

# Define granted permissions (e.g., specific API paths)
permissions {
http {
methods = ["GET", "POST"]
path    = "/api/v1/customers/*"
}
}

# Status: Enabled
status = "enabled"
}

# 3. Deploy Aembit Agent/Workload Identity Provider to the workload's host.
# 4. Remove the static database credentials from the 'billing-processor-service' configuration.
#    The service will now request ephemeral tokens from Aembit to authenticate.

2. YARA Rule for Potential CVE-2025-62215 Exploitation Artifacts

rule Detect_Exploit_WinKernel_CVE_2025_62215 {
meta:
description = "Detects potential artifacts associated with exploitation of the Windows Kernel privilege escalation vulnerability CVE-2025-62215."
author = "Threat Rundown"
date = "2025-11-12"
reference = "https://cyberscoop.com/?p=86742"
severity = "high"
tlp = "white"
strings:
// Generic strings related to token manipulation, common in LPE
$s1 = "SeTcbPrivilege" wide
$s2 = "NtSetInformationProcess" wide
$s3 = "CreateProcessWithTokenW" wide
// Placeholder for a unique string found in a public PoC or malware sample
$s4 = "KernelPwn_Nov25" ascii wide
condition:
uint16(0) == 0x5a4d and filesize < 500KB and (2 of ($s*))
}

3. SIEM Query — Detecting Suspicious Parent-Child Process for LPE

// This query looks for a low-privilege process spawning a system-level process,
// a common indicator of privilege escalation.
index=endpoint sourcetype="os_events" event_type="process_creation"
// Add more common web/scripting processes as needed
(parent_process_name IN ("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe") AND process_name IN ("lsass.exe", "wininit.exe", "services.exe"))
| eval risk_score=case(
// High confidence if parent is running as a low-privilege user
parent_user_privileges=="low" AND process_user_privileges=="system", 100,
// Medium confidence for any such relationship
1==1, 50)
| where risk_score >= 50
| table _time, host, parent_process_name, parent_user, process_name, process_user, risk_score
| sort -_time

4. PowerShell Script — Check for November 2025 Security Update

# This script checks a list of computers for the presence of the required
# security update. Replace 'KB5099999' with the actual KB number for the patch.

$computers = "localhost", "SERVER01", "WEBSRV05"
# Placeholder KB number for the November 2025 update
$targetKB = "KB5099999"

foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
Write-Host "Checking $computer..."
try {
$hotfix = Get-HotFix -Id $targetKB -ComputerName $computer -ErrorAction Stop
if ($hotfix) {
Write-Host "  [+] SUCCESS: $computer is PATCHED. ($($hotfix.InstalledOn))" -ForegroundColor Green
}
}
catch {
Write-Host "  [-] VULNERABLE: $computer is MISSING patch $targetKB." -ForegroundColor Red
}
} else {
Write-Host "  [!] OFFLINE: Cannot connect to $computer." -ForegroundColor Yellow
}
}

This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work.

{ "type": "bundle", "id": "bundle--90a8be82-6421-47a6-ae31-fbd37a070b44", "objects": [ { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487", "created": "2022-10-01T00:00:00.000Z", "definition_type": "tlp:2.0", "name": "TLP:CLEAR", "definition": { "tlp": "clear" } }, { "type": "identity", "spec_version": "2.1", "id": "identity--03e54cce-ef05-496b-9e74-858bdf911f47", "created": "2025-11-12T13:04:37.847Z", "modified": "2025-11-12T13:04:37.847Z", "name": "MikeGPT Intelligence Platform", "description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds", "identity_class": "organization", "sectors": [ "technology", "defense" ], "contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "report", "spec_version": "2.1", "id": "report--4264b51c-41eb-4953-992a-118df6e009a8", "created": "2025-11-12T13:04:37.847Z", "modified": "2025-11-12T13:04:37.847Z", "name": "Threat Intelligence Report - 2025-11-12", "description": "Threat Intelligence Report - 2025-11-12\n\nThis report consolidates actionable cybersecurity intelligence from 96 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Microsoft Fixes 63 Security Flaws, Including a Windows Kernel Zero-Day Under Active Attack (Score: 100)\n• Microsoft Patch Tuesday addresses 63 defects, including one actively exploited zero-day (Score: 100)\n• Microsoft Patches Actively Exploited Windows Kernel Zero-Day (Score: 100)\n• Hitachi subsidiary GlobalLogic impacted by Clop’s attack spree on Oracle customers (Score: 100)\n• Microsoft Patch Tuesday, November 2025 Security Update Review (Score: 100)\n\nEXTRACTED ENTITIES:\n• 24 Attack Pattern(s)\n• 15 Campaign(s)\n• 1 Course Of Action(s)\n• 1 Domain Name(s)\n• 1 Indicator(s)\n• 1 Intrusion Set(s)\n• 16 Location(s)\n• 47 Malware(s)\n• 1 Marking Definition(s)\n• 22 Relationship(s)\n• 13 Threat Actor(s)\n• 9 Tool(s)\n• 1 Url(s)\n• 16 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n", "published": "2025-11-12T13:04:37.847Z", "object_refs": [ "identity--03e54cce-ef05-496b-9e74-858bdf911f47", "vulnerability--8f735ec2-8220-4b83-9a8c-a0835387a0a3", "vulnerability--792ede9b-8de1-4c9a-91a0-e3f210f0d032", "vulnerability--5aa023ed-89ff-455f-a14b-06d7a32d06cd", "vulnerability--960fba5c-f3c4-4800-8756-f284eec96652", "vulnerability--6010829c-9633-4789-9611-a16db23db2f2", "vulnerability--79785aec-b79d-4b48-9193-077cbe55287a", "vulnerability--a9612828-7f11-4309-be11-9f187e26e457", "vulnerability--42ef99bb-338a-4d7e-907d-09e0a7806721", "vulnerability--39cf974d-29cd-453a-92b0-aacee7aa323e", "vulnerability--5f025007-20c8-4ccf-bfb6-a845e768c5eb", "malware--605c817b-0ca8-4c4f-8961-7dd094ee058b", "identity--7a97dfb8-5ca7-49d1-aa53-fe9c78a3853d", "vulnerability--2ce0c1a5-da9a-4507-8424-5cac0a7bdc24", "threat-actor--26eca839-6996-4355-b556-31d7e4bd0671", "vulnerability--75209a3b-2817-47f1-b38d-3b0e59249e1d", "identity--78652a32-1d49-42fb-a7b1-5c6f8bfb3581", "vulnerability--ed3de346-93c1-4c44-867e-0a775a7fa8e3", "vulnerability--1256edd4-a495-44a4-86b1-0740bb38277e", "malware--2bc1c989-7436-42b1-9012-2cfdf3da1a9d", "malware--44927346-2d9c-445c-8c5e-7dcdc2fbdec2", "malware--6be03c76-ed62-49ad-8d6a-8d6edc139482", "malware--3e45ebc9-bae3-4704-86a9-44abdb347667", "malware--a1fb60fd-66bc-4b59-93c9-962366cafc2a", "threat-actor--ff08fc2e-94c4-4b43-9534-46cf3ca829d7", "threat-actor--d31be0f2-c18f-47fc-8c98-44257348d6ca", "threat-actor--632cf54c-908b-4cc4-aed0-0d1937468924", "threat-actor--4252968b-3f54-481e-bb3b-2e3b30c275e3", "identity--2d677b32-42d6-4ae8-a662-4c9bb04de1b8", "malware--7cc3f9a2-daea-458e-a385-314141c7ae13", "malware--409c6fc4-b4a8-4d72-a6e5-90829bae6112", "identity--6e0f3149-d6f1-4ada-9805-3e656b4318ae", "identity--5fb634f4-4efc-4668-9397-71cf3601ffae", "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106", "identity--1abdf29f-9fe3-478e-b225-610c02d5b71e", "identity--15a8eecf-1ec3-47c8-a984-463663f1f6ef", "attack-pattern--86775379-7666-49ed-b92b-48c360342708", "malware--9fea6585-318d-4805-b8d1-1cdd2b3881ca", "malware--743fd0cd-4279-4ce4-aed2-d58784f3031c", "threat-actor--2607de8b-b3f2-45d2-beb8-6277dfbeb4b9", "malware--46a0b253-36c0-4c14-bdf6-40460c8bb029", "malware--6975652f-c247-47d4-8b69-5eba0a4b6104", "tool--ef194854-4842-4fb3-8351-88104dd33103", "identity--de165938-73e8-4c1e-92f2-1b7832514832", "identity--15d433d8-67cd-4bf6-a69d-b0c73b67f58e", "malware--622d89f5-39ec-4c12-9e59-72477cefd1ab", "malware--9c0dd3c2-3017-43bd-9b16-4b60a3d61120", "threat-actor--1c24883b-5440-48be-89b4-b0c9d2b0646b", "identity--cbb9b9ee-52b7-4d0e-b4a6-25b063a6fac2", "identity--23f126ae-d9bd-497b-9eb9-63af757eb466", "malware--fa4c643a-e54a-4f71-aa1c-4bb424bb6db5", "malware--d1b982de-9a91-4b3f-afe9-f09f8d466881", "malware--c1213cab-cfa6-47a2-b43b-7af4967ec05a", "identity--cba0f55e-7bb3-4ae6-b0f8-048dae21e7f3", "identity--ad194b40-4a7d-4618-9298-c15574c0cf77", "malware--ffa5aef9-e5ae-485c-b748-1db12e072806", "identity--6c5b43ba-1151-49f5-aea4-5130de5e46ba", "identity--ec073fc7-bb30-4c07-8aa0-9d1d51058897", "threat-actor--aed4bc51-33b0-4736-bcb7-17aea7c56aa9", "identity--6b8db019-ba56-4716-bbd3-bab18737fef4", "tool--9fb8a1b4-5c61-44e4-90e1-494f8de4d8d6", "malware--bbe568e2-469f-4f6e-894f-9004f60be5a5", "tool--9f804692-3dad-41b3-b550-5a7ca93e97a9", "threat-actor--59aae272-74d1-4419-b6d7-48ca8d0af280", "malware--4267370b-1057-49a4-942f-fcb4c563aacc", "tool--c2210051-55ab-4475-801e-0134045250d9", "identity--37a6c73b-081d-4c71-a467-5ccabd7ab329", "malware--f0089dea-b7b7-4a84-8fc4-e81a86cbecba", "identity--a57d502c-4e82-41ec-9234-875d491343fa", "identity--9fa139c1-5ce0-4ccf-9d02-1e0f8c2f38f6", "malware--8a13dba8-08ba-42eb-b07b-0712d0ad6082", "malware--9c959f03-a85c-4ccb-b73e-c55b0e32e5c2", "location--5b9801e8-bffe-4bee-b903-e93d9f801e0c", "threat-actor--fa23fba6-5aba-458c-b415-59ec946c866d", "tool--8296b0e0-ae1f-45b6-8de0-1c1a4a5e05c5", "malware--6f4456e2-6dc0-4521-ba8e-cabeff00859c", "malware--d1c0263c-8c2f-4c70-bd70-1ec546470fa2", "identity--bf415032-9753-40fd-aa77-45a09f6f767d", "threat-actor--d61efa5c-464b-456c-a119-3d0fa06440fc", "malware--0b67e2fd-eaf0-45b4-ba7e-3a4c1a740bb6", "tool--6f10bc28-3ad5-432c-bcde-e601f2332ffb", "identity--76224fd2-7db9-4dfd-951a-4b084bef03ad", "malware--1cddedd9-b8e1-4176-90a1-a8b5ed7613a4", "attack-pattern--22092a47-7fd2-4602-90b1-61623bb89079", "malware--2d7ce7de-e032-4043-8963-4c014393a48f", "malware--5e5e274e-42ad-4cf9-86fc-12db386831e5", "location--c92adf8f-1739-4c88-895d-06a7f2948f2e", "attack-pattern--78a1ad04-d1a7-4bf8-8006-34af1fd1d770", "identity--ce2e69c6-c194-4ca1-8ccd-65c1ce21af1b", "location--554766a1-5093-4b60-9732-aa6d14becb18", "tool--91088445-edc4-4d00-864c-785446cbb1af", "identity--f8278a12-ae20-4c3f-9977-3dd4feafc099", "identity--01b0e443-1611-4441-beba-d4f250c69101", "tool--2bd39da2-1744-453b-8891-2872e72c94bb", "identity--daec362e-708a-4630-b425-6826593bb788", "identity--0379b4f6-f35b-447e-999f-7564a31b875b", "location--79365b11-f080-4c12-97f5-45b7784679a6", "threat-actor--a2bc0cc6-3e55-464a-9a42-f48e7d9b9fd5", "location--e8a8e369-e014-4c3f-98e2-d780344dbe7a", "tool--98496f61-df6e-4741-9fdc-b751ce5ac69d", "location--99e79579-3626-4cbc-b307-9a0ed522e607", "indicator--032d49c6-e2db-4ca3-ac15-f16c0d458867", "location--ea96e271-70b7-4ed7-af72-74ba165daca2", "threat-actor--3a7625ba-dd01-4c6a-aa2a-4e8c916b44bb", "location--c641f4aa-ac4d-4b50-a0eb-cb383b4a3e53", "vulnerability--7680a803-4098-41b0-83ff-f4c1ee650dbd", "location--2cffd105-432c-46ca-a015-faa047518780", "identity--95c8389c-7419-490e-8d5b-8f227478ce1c", "location--f89078f0-39f7-4a02-a7e4-dbde6a3138cd", "identity--a8564e44-9dd4-4fa2-af91-011d076d1c14", "location--44405860-a9a6-458f-beae-e4e62ebb780f", "identity--7aa77399-1a75-40ae-a4c3-2fbf8783bcff", "location--09fb5c3f-e950-4d77-9967-81596ba45e63", "location--5dbd12b2-f0b0-4c36-847b-62aa529b4595", "location--24ea8196-d1e3-4fe9-8c4e-06047a334d1e", "attack-pattern--9ad5784d-77ba-4b52-90f9-49695e3dbde6", "attack-pattern--020ddb29-4b95-4601-a850-894e55402fe2", "location--4184e662-7eed-444d-94b4-7f31e34d5299", "attack-pattern--2a1ef775-77d8-455c-bede-0a48e2d7adc4", "location--d28ab131-d57a-43d0-9c93-51a1e6b190f8", "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "attack-pattern--f33f5834-6a9a-4727-88a5-9d35eeba1cff", "attack-pattern--2d26e3d0-4bbf-44c3-aa9e-5aeab4937638", "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "attack-pattern--9df8a3ab-356d-40ee-a3ef-bad3413bd273", "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7", "attack-pattern--f1669470-d352-4943-bd4a-70c7740b6d39", "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314", "attack-pattern--2c821981-fda2-4cb8-926c-6edd4905d65c", "attack-pattern--d23a8103-121b-4c0d-a34a-5ec584acaeb7", "attack-pattern--104bfab2-6169-45c6-95cf-ffc0f8ecff74", "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "attack-pattern--9f6c52f6-cc63-4397-b485-099a2ca6acf9", "attack-pattern--6fcbd058-983b-40a2-8af8-cb9b4fb11c49", "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "vulnerability--e5e19dbb-9f5c-4b3b-9103-9554dd1471d2", "malware--7416ef3d-9471-426c-8207-03f69b793b25", "malware--4c273b4d-c681-4302-81b8-286063d8e93e", "malware--fb92963d-78ca-4501-ab22-5f8394998fbc", "malware--7f56ebfd-a440-4bec-a600-2df6dc5d53d6", "malware--b20affba-bd78-4165-9dda-624a8d4e35e6", "malware--ceaee96d-6e14-4906-850d-d40eae01669d", "malware--f84adf7a-2e67-45c9-a301-1f420520d7e5", "malware--fc9a4656-6703-44b9-9a03-61ee73462b81", "malware--d6ff8375-0353-4d82-895e-fdf01c9735a8", "malware--886ed07c-5c1a-426b-b101-9f267618edac", "malware--c11bd714-b26c-43ef-8e86-ef5b073e6384", "malware--2a27d8e0-d3b6-4240-8033-fe9635da0c5b", "malware--1ba91f3e-b4a1-487b-9b69-bb64699d0970", "malware--26057f69-5f7f-4d7b-971f-e9180578a998", "malware--89c9f06f-3d39-4f22-bcb8-c6b2c2d9b5ea", "malware--13f5f7e1-54e9-43dd-8a19-545cdd66caef", "malware--d7c166ea-92f3-4c85-aefb-32238632c463", "malware--d687008a-f040-4eb9-8305-d17294d2c07a", "campaign--ace327ac-6d05-4911-8004-cbcdff2f0182", "campaign--58000471-19de-45a5-bc04-4c32d73b1220", "campaign--d1bd8954-7c60-4546-97c6-1a993b2e3f22", "campaign--3149d6eb-fb4c-46e7-bdd1-271ea64c962f", "campaign--d3470651-90a8-4acf-847d-f68d2b3c5521", "campaign--6cf5032b-22d6-49b5-b168-28dca5df5765", "campaign--cfb299c4-a999-4786-8373-7737f814b830", "campaign--4c6aadb7-e396-480e-9a10-d4346045441e", "campaign--10425fca-0adb-4b01-96fb-a3fa66114d37", "campaign--87b551a3-bb7a-45bb-bc96-a8323ebf8ce5", "campaign--070f07d6-fd10-459c-a426-157d5a523212", "campaign--24c7aaca-f227-40ed-babf-69c898aee0f2", "campaign--3db58af6-22b4-440e-934e-6a3b93961fee", "campaign--27f0ef15-52fa-4f44-968c-833f529bca3f", "campaign--d178f098-66ae-4db6-bd0b-f75ef2e6a291", "course-of-action--aa9aca02-11f2-48d4-a79e-4bde05b96d98", "relationship--5dfa82e2-4780-48db-adb9-150e921f3ec2", "relationship--117ad508-f0e4-4758-8487-12c2ce230bc3", "relationship--341936b5-9a66-49ea-83fc-d0c44a7a23f0", "relationship--3ed91fd9-c9bf-4423-a596-96bec95af734", "relationship--71a352df-0829-4179-9085-6e0c3d0da093", "relationship--cf7cc71b-6e8f-4d73-8cea-a2995e646bd4", "relationship--940cb913-54b0-40bf-af35-462511e371af", "relationship--355f32b3-685e-4fb3-a8cd-8f81e0895052", "relationship--89e1a9f5-a74d-4e4e-a09d-cafb6b4d586d", "relationship--96361ed8-c88c-4061-aa58-38793ef55047", "relationship--4678aeba-2267-410f-8b01-e65a4a097afe", "relationship--680b5ab6-72fb-4c00-a0d2-18c1e8a410d0", "relationship--da266b2e-ec69-4692-a2b8-15eeca4be258", "relationship--aab491c2-1f75-485a-a914-9c73013bdc47", "relationship--df9504e2-04ca-47c7-8e99-e0862058418e", "relationship--f458d851-6331-4947-9209-9f39d4c42714", "relationship--3845c3d6-444f-485c-83c9-4ab3bc9d37b0", "relationship--4885b254-162b-4199-87ee-81632d3f2db0", "relationship--4c004770-fe43-42c5-9268-08b895ee223d", "relationship--7c59bdd3-7c55-45a3-be2c-fc50718daa34", "domain-name--0266672a-9fc2-4956-ae4f-2c7b07ece81e", "url--27e94823-d68c-4826-87f6-389434b2a0f5", "relationship--58e4a32b-2f29-4d6c-8600-64e03402644c", "relationship--3338ccf7-3ac2-42df-aec7-fc14efff5f83" ], "labels": [ "threat-report", "threat-intelligence" ], "created_by_ref": "identity--03e54cce-ef05-496b-9e74-858bdf911f47", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--8f735ec2-8220-4b83-9a8c-a0835387a0a3", "name": "https://www.cve.org/CVERecord?id=CVE-2025-24085", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--792ede9b-8de1-4c9a-91a0-e3f210f0d032", "name": "CVE-2025-24085", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-24085", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24085" }, { "source_name": "nvd", "external_id": "CVE-2025-24085", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24085" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--5aa023ed-89ff-455f-a14b-06d7a32d06cd", "name": "CVE-2025-21042", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-21042", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21042" }, { "source_name": "nvd", "external_id": "CVE-2025-21042", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21042" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--960fba5c-f3c4-4800-8756-f284eec96652", "name": "CVE-2025-59305", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-59305", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59305" }, { "source_name": "nvd", "external_id": "CVE-2025-59305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59305" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--6010829c-9633-4789-9611-a16db23db2f2", "name": "CVE-2024-40766", "external_references": [ { "source_name": "cve", "external_id": "CVE-2024-40766", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40766" }, { "source_name": "nvd", "external_id": "CVE-2024-40766", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40766" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--79785aec-b79d-4b48-9193-077cbe55287a", "name": "CVE-2025-20362", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-20362", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20362" }, { "source_name": "nvd", "external_id": "CVE-2025-20362", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20362" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--a9612828-7f11-4309-be11-9f187e26e457", "name": "CVE-2025-12480", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-12480", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12480" }, { "source_name": "nvd", "external_id": "CVE-2025-12480", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12480" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--42ef99bb-338a-4d7e-907d-09e0a7806721", "name": "CVE-2025-52881", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-52881", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52881" }, { "source_name": "nvd", "external_id": "CVE-2025-52881", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52881" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--39cf974d-29cd-453a-92b0-aacee7aa323e", "name": "CVE-2025-52565", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-52565", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52565" }, { "source_name": "nvd", "external_id": "CVE-2025-52565", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52565" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--5f025007-20c8-4ccf-bfb6-a845e768c5eb", "name": "CVE-2025-34299", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-34299", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-34299" }, { "source_name": "nvd", "external_id": "CVE-2025-34299", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34299" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--605c817b-0ca8-4c4f-8961-7dd094ee058b", "name": "Yanluowang ransomware", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--7a97dfb8-5ca7-49d1-aa53-fe9c78a3853d", "name": "U.S. Cybersecurity and Infrastructure Security Agency", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--2ce0c1a5-da9a-4507-8424-5cac0a7bdc24", "name": "CVE-2025-41244", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-41244", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-41244" }, { "source_name": "nvd", "external_id": "CVE-2025-41244", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41244" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--26eca839-6996-4355-b556-31d7e4bd0671", "name": "the Lazarus Group", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--75209a3b-2817-47f1-b38d-3b0e59249e1d", "name": "CVE-2025-31133", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-31133", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31133" }, { "source_name": "nvd", "external_id": "CVE-2025-31133", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31133" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--78652a32-1d49-42fb-a7b1-5c6f8bfb3581", "name": "CISA", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--ed3de346-93c1-4c44-867e-0a775a7fa8e3", "name": "CVE-2025-32463", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-32463", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32463" }, { "source_name": "nvd", "external_id": "CVE-2025-32463", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32463" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--1256edd4-a495-44a4-86b1-0740bb38277e", "name": "CVE-2025-53609", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-53609", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53609" }, { "source_name": "nvd", "external_id": "CVE-2025-53609", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53609" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--2bc1c989-7436-42b1-9012-2cfdf3da1a9d", "name": "The Rhadamanthys infostealer", "is_family": true, "malware_types": [ "stealer" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--44927346-2d9c-445c-8c5e-7dcdc2fbdec2", "name": "GootLoader has resurfaced yet again after a brief spike in activity earlier this March", "is_family": true, "malware_types": [ "dropper" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--6be03c76-ed62-49ad-8d6a-8d6edc139482", "name": "Gootloader", "is_family": true, "malware_types": [ "dropper" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--3e45ebc9-bae3-4704-86a9-44abdb347667", "name": "Mirai", "is_family": true, "malware_types": [ "bot" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--a1fb60fd-66bc-4b59-93c9-962366cafc2a", "name": "Akira ransomware", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--ff08fc2e-94c4-4b43-9534-46cf3ca829d7", "name": "Callisto/Star Blizzard/UNC4057", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--d31be0f2-c18f-47fc-8c98-44257348d6ca", "name": "LulzSec", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--632cf54c-908b-4cc4-aed0-0d1937468924", "name": "Charming Kitten", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--4252968b-3f54-481e-bb3b-2e3b30c275e3", "name": "Lazarus", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--2d677b32-42d6-4ae8-a662-4c9bb04de1b8", "name": "Trend Micro", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--7cc3f9a2-daea-458e-a385-314141c7ae13", "name": "XCSSET", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--409c6fc4-b4a8-4d72-a6e5-90829bae6112", "name": "Rhadamanthys is an infostealer", "is_family": true, "malware_types": [ "stealer" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--6e0f3149-d6f1-4ada-9805-3e656b4318ae", "name": "U.S. Cyber Command", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--5fb634f4-4efc-4668-9397-71cf3601ffae", "name": "NSA", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "intrusion-set", "id": "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106", "name": "Scattered Spider", "labels": [ "intrusion-set" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--1abdf29f-9fe3-478e-b225-610c02d5b71e", "name": "Australian Signals Directorate", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--15a8eecf-1ec3-47c8-a984-463663f1f6ef", "name": "NIST", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "attack-pattern", "id": "attack-pattern--86775379-7666-49ed-b92b-48c360342708", "name": "XSS", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "unknown" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--9fea6585-318d-4805-b8d1-1cdd2b3881ca", "name": "GlassWorm malware", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--743fd0cd-4279-4ce4-aed2-d58784f3031c", "name": "PureRAT", "is_family": true, "malware_types": [ "remote-access-trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--2607de8b-b3f2-45d2-beb8-6277dfbeb4b9", "name": "Cl0p", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--46a0b253-36c0-4c14-bdf6-40460c8bb029", "name": "LANDFALL", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--6975652f-c247-47d4-8b69-5eba0a4b6104", "name": "Trojan", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "tool", "id": "tool--ef194854-4842-4fb3-8351-88104dd33103", "name": "NMap", "tool_types": [ "network-capture", "vulnerability-scanning" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--de165938-73e8-4c1e-92f2-1b7832514832", "name": "CrowdStrike", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--15d433d8-67cd-4bf6-a69d-b0c73b67f58e", "name": "Mandiant", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--622d89f5-39ec-4c12-9e59-72477cefd1ab", "name": "DCRat", "is_family": true, "malware_types": [ "remote-access-trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--9c0dd3c2-3017-43bd-9b16-4b60a3d61120", "name": "Datzbro", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--1c24883b-5440-48be-89b4-b0c9d2b0646b", "name": "ShinyHunters", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--cbb9b9ee-52b7-4d0e-b4a6-25b063a6fac2", "name": "KnowBe4", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--23f126ae-d9bd-497b-9eb9-63af757eb466", "name": "Flashpoint", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--fa4c643a-e54a-4f71-aa1c-4bb424bb6db5", "name": "Rhadamanthys", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--d1b982de-9a91-4b3f-afe9-f09f8d466881", "name": "AtomicStealer", "is_family": true, "malware_types": [ "stealer" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--c1213cab-cfa6-47a2-b43b-7af4967ec05a", "name": "XMRig", "is_family": true, "malware_types": [ "crypto-miner" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--cba0f55e-7bb3-4ae6-b0f8-048dae21e7f3", "name": "Proofpoint", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--ad194b40-4a7d-4618-9298-c15574c0cf77", "name": "Nozomi Networks", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--ffa5aef9-e5ae-485c-b748-1db12e072806", "name": "Akira Ransomware’s", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--6c5b43ba-1151-49f5-aea4-5130de5e46ba", "name": "Rapid7", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--ec073fc7-bb30-4c07-8aa0-9d1d51058897", "name": "Microsoft Threat Intelligence", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--aed4bc51-33b0-4736-bcb7-17aea7c56aa9", "name": "Qilin", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "identity", "id": "identity--6b8db019-ba56-4716-bbd3-bab18737fef4", "name": "OWASP", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "tool", "id": "tool--9fb8a1b4-5c61-44e4-90e1-494f8de4d8d6", "name": "any.run", "tool_types": [ "unknown" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--bbe568e2-469f-4f6e-894f-9004f60be5a5", "name": "Ransomware", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "tool", "id": "tool--9f804692-3dad-41b3-b550-5a7ca93e97a9", "name": "Wazuh", "tool_types": [ "unknown" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--59aae272-74d1-4419-b6d7-48ca8d0af280", "name": "Qilin group", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.270Z", "confidence": 95, "type": "malware", "id": "malware--4267370b-1057-49a4-942f-fcb4c563aacc", "name": "MatrixPDF", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.270Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "tool", "id": "tool--c2210051-55ab-4475-801e-0134045250d9", "name": "Defender for Office 365", "tool_types": [ "unknown" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "identity", "id": "identity--37a6c73b-081d-4c71-a467-5ccabd7ab329", "name": "ZDI", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "malware", "id": "malware--f0089dea-b7b7-4a84-8fc4-e81a86cbecba", "name": "Fantasy Hub", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "identity", "id": "identity--a57d502c-4e82-41ec-9234-875d491343fa", "name": "CBO", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "identity", "id": "identity--9fa139c1-5ce0-4ccf-9d02-1e0f8c2f38f6", "name": "SonicWall", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "malware", "id": "malware--8a13dba8-08ba-42eb-b07b-0712d0ad6082", "name": "Datzbro that can conduct device takeover", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "malware", "id": "malware--9c959f03-a85c-4ccb-b73e-c55b0e32e5c2", "name": "RayInitiator", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "location", "id": "location--5b9801e8-bffe-4bee-b903-e93d9f801e0c", "name": "the United States", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--fa23fba6-5aba-458c-b415-59ec946c866d", "name": "Aleksei Olegovich Volkov", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "tool", "id": "tool--8296b0e0-ae1f-45b6-8de0-1c1a4a5e05c5", "name": "Kali", "tool_types": [ "exploitation", "vulnerability-scanning", "network-capture" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "malware", "id": "malware--6f4456e2-6dc0-4521-ba8e-cabeff00859c", "name": "RingReaper", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "malware", "id": "malware--d1c0263c-8c2f-4c70-bd70-1ec546470fa2", "name": "Maverick", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "identity", "id": "identity--bf415032-9753-40fd-aa77-45a09f6f767d", "name": "QNAP", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--d61efa5c-464b-456c-a119-3d0fa06440fc", "name": "chubaka.kor", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "malware", "id": "malware--0b67e2fd-eaf0-45b4-ba7e-3a4c1a740bb6", "name": "Coyote", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "tool", "id": "tool--6f10bc28-3ad5-432c-bcde-e601f2332ffb", "name": "Google SafetyNet Attestation", "tool_types": [ "unknown" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "identity", "id": "identity--76224fd2-7db9-4dfd-951a-4b084bef03ad", "name": "The US Congressional Budget Office", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "malware", "id": "malware--1cddedd9-b8e1-4176-90a1-a8b5ed7613a4", "name": "GlassWorm", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "attack-pattern", "id": "attack-pattern--22092a47-7fd2-4602-90b1-61623bb89079", "name": "DoS", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "unknown" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "malware", "id": "malware--2d7ce7de-e032-4043-8963-4c014393a48f", "name": "Paragon’s Graphite", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "malware", "id": "malware--5e5e274e-42ad-4cf9-86fc-12db386831e5", "name": "Gootloader Returns", "is_family": true, "malware_types": [ "dropper" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "location", "id": "location--c92adf8f-1739-4c88-895d-06a7f2948f2e", "name": "U.S.", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "attack-pattern", "id": "attack-pattern--78a1ad04-d1a7-4bf8-8006-34af1fd1d770", "name": "Privilege Escalation", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "unknown" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "identity", "id": "identity--ce2e69c6-c194-4ca1-8ccd-65c1ce21af1b", "name": "Mend.io", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "location", "id": "location--554766a1-5093-4b60-9732-aa6d14becb18", "name": "South Korea", "country": "KR", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "tool", "id": "tool--91088445-edc4-4d00-864c-785446cbb1af", "name": "Universal Forwarders", "tool_types": [ "unknown" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "identity", "id": "identity--f8278a12-ae20-4c3f-9977-3dd4feafc099", "name": "OneBlood", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "identity", "id": "identity--01b0e443-1611-4441-beba-d4f250c69101", "name": "Security Affairs", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "tool", "id": "tool--2bd39da2-1744-453b-8891-2872e72c94bb", "name": "ELK", "tool_types": [ "unknown" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "identity", "id": "identity--daec362e-708a-4630-b425-6826593bb788", "name": "Schneider Electric", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "identity", "id": "identity--0379b4f6-f35b-447e-999f-7564a31b875b", "name": "GlobalLogic", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "location", "id": "location--79365b11-f080-4c12-97f5-45b7784679a6", "name": "Oman", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--a2bc0cc6-3e55-464a-9a42-f48e7d9b9fd5", "name": "DragonForce", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "location", "id": "location--e8a8e369-e014-4c3f-98e2-d780344dbe7a", "name": "Moldova", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "tool", "id": "tool--98496f61-df6e-4741-9fdc-b751ce5ac69d", "name": "Cisco Secure Firewall Threat Defense", "tool_types": [ "unknown" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "location", "id": "location--99e79579-3626-4cbc-b307-9a0ed522e607", "name": "Dublin", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 82, "type": "indicator", "id": "indicator--032d49c6-e2db-4ca3-ac15-f16c0d458867", "name": "141.98.82.26", "pattern": "[ipv4-addr:value = '141.98.82.26']", "pattern_type": "stix", "indicator_types": [ "ipv4-addr" ], "valid_from": "2025-11-12T13:04:37.271538+00:00", "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "location", "id": "location--ea96e271-70b7-4ed7-af72-74ba165daca2", "name": "Brussels", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--3a7625ba-dd01-4c6a-aa2a-4e8c916b44bb", "name": "Aleksey Olegovich Volkov", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "location", "id": "location--c641f4aa-ac4d-4b50-a0eb-cb383b4a3e53", "name": "Norway", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 85, "type": "vulnerability", "id": "vulnerability--7680a803-4098-41b0-83ff-f4c1ee650dbd", "name": "the Gemini Trifecta", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "location", "id": "location--2cffd105-432c-46ca-a015-faa047518780", "name": "Afghanistan", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "identity", "id": "identity--95c8389c-7419-490e-8d5b-8f227478ce1c", "name": "Logitech", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "location", "id": "location--f89078f0-39f7-4a02-a7e4-dbde6a3138cd", "name": "Denmark", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "identity", "id": "identity--a8564e44-9dd4-4fa2-af91-011d076d1c14", "name": "Suspected in Breach of Congressional Budget Office The Congressional Budget Office has been the subject of an apparent cyber incident", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "location", "id": "location--44405860-a9a6-458f-beae-e4e62ebb780f", "name": "the United Arab Emirates", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "identity", "id": "identity--7aa77399-1a75-40ae-a4c3-2fbf8783bcff", "name": "Jaguar Land Rover", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "location", "id": "location--09fb5c3f-e950-4d77-9967-81596ba45e63", "name": "Israel", "country": "IL", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "location", "id": "location--5dbd12b2-f0b0-4c36-847b-62aa529b4595", "name": "Berlin", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "location", "id": "location--24ea8196-d1e3-4fe9-8c4e-06047a334d1e", "name": "Ireland", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "attack-pattern", "id": "attack-pattern--9ad5784d-77ba-4b52-90f9-49695e3dbde6", "name": "to execute code over a network", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "unknown" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "attack-pattern", "id": "attack-pattern--020ddb29-4b95-4601-a850-894e55402fe2", "name": "using maliciously crafted input", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "unknown" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "location", "id": "location--4184e662-7eed-444d-94b4-7f31e34d5299", "name": "Germany", "country": "DE", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 95, "type": "attack-pattern", "id": "attack-pattern--2a1ef775-77d8-455c-bede-0a48e2d7adc4", "name": "a position to observe your network traffic to conclude language model conversation topics", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "unknown" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 92, "type": "location", "id": "location--d28ab131-d57a-43d0-9c93-51a1e6b190f8", "name": "Union County", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.271Z", "modified": "2025-11-12T13:04:37.271Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "name": "Exploit Public-Facing Application", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1190", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1190/", "external_id": "T1190" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "name": "Exploitation for Client Execution", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1203", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1203/", "external_id": "T1203" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--f33f5834-6a9a-4727-88a5-9d35eeba1cff", "name": "Abuse Elevation Control Mechanism", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" }, { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "x_mitre_id": "T1548", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1548/", "external_id": "T1548" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--2d26e3d0-4bbf-44c3-aa9e-5aeab4937638", "name": "Access Token Manipulation", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1134", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1134/", "external_id": "T1134" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "name": "Command and Scripting Interpreter", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1059", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1059/", "external_id": "T1059" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--9df8a3ab-356d-40ee-a3ef-bad3413bd273", "name": "Obfuscated Files or Information", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "x_mitre_id": "T1027", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1027/", "external_id": "T1027" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7", "name": "Supply Chain Compromise", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1195", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1195/", "external_id": "T1195" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--f1669470-d352-4943-bd4a-70c7740b6d39", "name": "Compromise Software Supply Chain", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1195.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1195/002/", "external_id": "T1195.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314", "name": "Remote Services", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" } ], "x_mitre_id": "T1021", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1021/", "external_id": "T1021" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--2c821981-fda2-4cb8-926c-6edd4905d65c", "name": "Lateral Tool Transfer", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" } ], "x_mitre_id": "T1570", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1570/", "external_id": "T1570" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--d23a8103-121b-4c0d-a34a-5ec584acaeb7", "name": "Install Digital Certificate", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1608.003", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1608/003/", "external_id": "T1608.003" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--104bfab2-6169-45c6-95cf-ffc0f8ecff74", "name": "SQL Stored Procedures", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1505.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1505/001/", "external_id": "T1505.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 78, "type": "attack-pattern", "id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "name": "Vulnerabilities", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1588.006", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1588/006/", "external_id": "T1588.006" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 73, "type": "attack-pattern", "id": "attack-pattern--9f6c52f6-cc63-4397-b485-099a2ca6acf9", "name": "Compromise Hardware Supply Chain", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1195.003", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1195/003/", "external_id": "T1195.003" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--6fcbd058-983b-40a2-8af8-cb9b4fb11c49", "name": "IDE Extensions", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1176.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1176/002/", "external_id": "T1176.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "name": "Archive via Utility", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1560.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1560/001/", "external_id": "T1560.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "name": "Screen Capture", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1113", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1113/", "external_id": "T1113" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "name": "Adversary-in-the-Middle", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1557", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1557/", "external_id": "T1557" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--e5e19dbb-9f5c-4b3b-9103-9554dd1471d2", "created": "2025-11-12T13:04:00.874Z", "modified": "2025-11-12T13:04:00.874Z", "name": "CVE-2025-62215", "description": "Vulnerability CVE-2025-62215 | Affects: Microsoft addressed | Status: actively exploited", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-62215", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62215" }, { "source_name": "article", "url": "https://cyberscoop.com/?p=86742", "description": "Microsoft Patch Tuesday addresses 63 defects, including one actively exploited zero-day" } ], "x_exploited": true, "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--7416ef3d-9471-426c-8207-03f69b793b25", "created": "2025-11-12T13:04:00.872Z", "modified": "2025-11-12T13:04:00.872Z", "name": "Critical", "description": "Malware Critical identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://thehackernews.com/2025/11/microsoft-fixes-63-security-flaws.html", "description": "Microsoft Fixes 63 Security Flaws, Including a Windows Kernel Zero-Day Under Active Attack" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--4c273b4d-c681-4302-81b8-286063d8e93e", "created": "2025-11-12T13:04:01.202Z", "modified": "2025-11-12T13:04:01.202Z", "name": "the Windows Kernel", "description": "Malware the Windows Kernel identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://cyberscoop.com/?p=86742", "description": "Microsoft Patch Tuesday addresses 63 defects, including one actively exploited zero-day" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--fb92963d-78ca-4501-ab22-5f8394998fbc", "created": "2025-11-12T13:04:04.841Z", "modified": "2025-11-12T13:04:04.841Z", "name": "WhatsApp", "description": "Malware WhatsApp identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html", "description": "WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--7f56ebfd-a440-4bec-a600-2df6dc5d53d6", "created": "2025-11-12T13:04:04.841Z", "modified": "2025-11-12T13:04:04.841Z", "name": "CyberProof", "description": "Malware CyberProof identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html", "description": "WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--b20affba-bd78-4165-9dda-624a8d4e35e6", "created": "2025-11-12T13:04:05.859Z", "modified": "2025-11-12T13:04:05.859Z", "name": "ANYRUN", "description": "Malware ANYRUN identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://www.reddit.com/r/cybersecurity/comments/1ov3k6f/ama_were_malware_analysts_from_anyrun_curious/", "description": "AMA: We’re Malware Analysts from ANY.RUN. Curious about AI and ML in cybersecurity? Ask us anything!" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--ceaee96d-6e14-4906-850d-d40eae01669d", "created": "2025-11-12T13:04:10.643Z", "modified": "2025-11-12T13:04:10.643Z", "name": "ZDI", "description": "Malware ZDI identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--f84adf7a-2e67-45c9-a301-1f420520d7e5", "created": "2025-11-12T13:04:10.644Z", "modified": "2025-11-12T13:04:10.644Z", "name": "CVSS", "description": "Malware CVSS identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--fc9a4656-6703-44b9-9a03-61ee73462b81", "created": "2025-11-12T13:04:11.219Z", "modified": "2025-11-12T13:04:11.219Z", "name": "Tenzai", "description": "Malware Tenzai identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://www.securityweek.com/?p=44256", "description": "Tenzai Raises $75 Million in Seed Funding to Build AI-Powered Pentesting Platform" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--d6ff8375-0353-4d82-895e-fdf01c9735a8", "created": "2025-11-12T13:04:13.897Z", "modified": "2025-11-12T13:04:13.897Z", "name": "WebAuthn", "description": "Malware WebAuthn identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://mojoauth.com/blog/integrate-mojoauth-with-popular-saas-kits-like-shipfast-divjoy-saas-pegasus-and-supastarter-for-next-gen-passwordless-login", "description": "Integrate MojoAuth with Popular SaaS Kits like ShipFast, Divjoy, SaaS Pegasus, and Supastarter for Next-Gen Passwordless Login" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--886ed07c-5c1a-426b-b101-9f267618edac", "created": "2025-11-12T13:04:15.275Z", "modified": "2025-11-12T13:04:15.275Z", "name": "InDesign", "description": "Malware InDesign identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://www.securityweek.com/?p=44258", "description": "Adobe Patches 29 Vulnerabilities" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--c11bd714-b26c-43ef-8e86-ef5b073e6384", "created": "2025-11-12T13:04:15.275Z", "modified": "2025-11-12T13:04:15.275Z", "name": "Photoshop", "description": "Malware Photoshop identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://www.securityweek.com/?p=44258", "description": "Adobe Patches 29 Vulnerabilities" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--2a27d8e0-d3b6-4240-8033-fe9635da0c5b", "created": "2025-11-12T13:04:15.275Z", "modified": "2025-11-12T13:04:15.275Z", "name": "Format Plugins", "description": "Malware Format Plugins identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://www.securityweek.com/?p=44258", "description": "Adobe Patches 29 Vulnerabilities" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--1ba91f3e-b4a1-487b-9b69-bb64699d0970", "created": "2025-11-12T13:04:15.554Z", "modified": "2025-11-12T13:04:15.554Z", "name": "Non-Human Identities", "description": "Malware Non-Human Identities identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://entro.security/?p=18636", "description": "Assured Compliance through NHI Lifecycle Management" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--26057f69-5f7f-4d7b-971f-e9180578a998", "created": "2025-11-12T13:04:21.406Z", "modified": "2025-11-12T13:04:21.406Z", "name": "Windows 10", "description": "Malware Windows 10 identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-kb5068781-the-first-windows-10-extended-security-update/", "description": "Microsoft releases KB5068781 — The first Windows 10 extended security update" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--89c9f06f-3d39-4f22-bcb8-c6b2c2d9b5ea", "created": "2025-11-12T13:04:25.426Z", "modified": "2025-11-12T13:04:25.426Z", "name": "GitHub Copilot", "description": "Malware GitHub Copilot identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--13f5f7e1-54e9-43dd-8a19-545cdd66caef", "created": "2025-11-12T13:04:27.701Z", "modified": "2025-11-12T13:04:27.701Z", "name": "Microsoft Configuration", "description": "Malware Microsoft Configuration identified in threat intelligence", "malware_types": [ "trojan" ], "is_family": true, "external_references": [], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--d7c166ea-92f3-4c85-aefb-32238632c463", "created": "2025-11-12T13:04:28.177Z", "modified": "2025-11-12T13:04:28.177Z", "name": "Windows Administrator Protection", "description": "Malware Windows Administrator Protection identified in threat intelligence", "malware_types": [ "trojan" ], "is_family": true, "external_references": [], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--d687008a-f040-4eb9-8305-d17294d2c07a", "created": "2025-11-12T13:04:28.455Z", "modified": "2025-11-12T13:04:28.455Z", "name": "Dynamics 365 Field Service", "description": "Malware Dynamics 365 Field Service identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--ace327ac-6d05-4911-8004-cbcdff2f0182", "created": "2025-11-12T13:04:37.234Z", "modified": "2025-11-12T13:04:37.234Z", "name": " Critical Campaign", "description": "Campaign involving using Critical", "first_seen": "2025-11-12T10:21:00.000Z", "last_seen": "2025-11-12T10:21:00.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://thehackernews.com/2025/11/microsoft-fixes-63-security-flaws.html", "description": "Microsoft Fixes 63 Security Flaws, Including a Windows Kernel Zero-Day Under Active Attack" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--58000471-19de-45a5-bc04-4c32d73b1220", "created": "2025-11-12T13:04:37.234Z", "modified": "2025-11-12T13:04:37.234Z", "name": "CVE-2025-62215 Exploitation Campaign", "description": "Coordinated exploitation activity targeting CVE-2025-62215", "first_seen": "2025-11-11T20:49:26.000Z", "last_seen": "2025-11-11T20:49:26.000Z", "objective": "Exploitation of CVE-2025-62215 for unauthorized access", "confidence": 75, "external_references": [ { "source_name": "article", "url": "https://cyberscoop.com/?p=86742", "description": "Microsoft Patch Tuesday addresses 63 defects, including one actively exploited zero-day" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--d1bd8954-7c60-4546-97c6-1a993b2e3f22", "created": "2025-11-12T13:04:37.235Z", "modified": "2025-11-12T13:04:37.235Z", "name": " the Windows Kernel Campaign", "description": "Campaign involving using the Windows Kernel", "first_seen": "2025-11-11T20:49:26.000Z", "last_seen": "2025-11-11T20:49:26.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://cyberscoop.com/?p=86742", "description": "Microsoft Patch Tuesday addresses 63 defects, including one actively exploited zero-day" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--3149d6eb-fb4c-46e7-bdd1-271ea64c962f", "created": "2025-11-12T13:04:37.236Z", "modified": "2025-11-12T13:04:37.236Z", "name": " Maverick Campaign", "description": "Campaign involving using Maverick", "first_seen": "2025-11-11T18:37:00.000Z", "last_seen": "2025-11-11T18:37:00.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html", "description": "WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--d3470651-90a8-4acf-847d-f68d2b3c5521", "created": "2025-11-12T13:04:37.237Z", "modified": "2025-11-12T13:04:37.237Z", "name": " Non-Human Identities Campaign", "description": "Campaign involving using Non-Human Identities", "first_seen": "2025-11-11T22:00:00.000Z", "last_seen": "2025-11-11T22:00:00.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://entro.security/?p=18634", "description": "Innovating NHIs for Better Cloud Security" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--6cf5032b-22d6-49b5-b168-28dca5df5765", "created": "2025-11-12T13:04:37.238Z", "modified": "2025-11-12T13:04:37.238Z", "name": " ANYRUN Campaign", "description": "Campaign involving using ANYRUN", "first_seen": "2025-11-12T12:15:31.000Z", "last_seen": "2025-11-12T12:15:31.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://www.reddit.com/r/cybersecurity/comments/1ov3k6f/ama_were_malware_analysts_from_anyrun_curious/", "description": "AMA: We’re Malware Analysts from ANY.RUN. Curious about AI and ML in cybersecurity? Ask us anything!" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--cfb299c4-a999-4786-8373-7737f814b830", "created": "2025-11-12T13:04:37.243Z", "modified": "2025-11-12T13:04:37.243Z", "name": " ZDI Campaign", "description": "Campaign involving using ZDI", "first_seen": "2025-11-11T06:00:00.000Z", "last_seen": "2025-11-11T06:00:00.000Z", "objective": "Malicious cyber operations", "confidence": 70, "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--4c6aadb7-e396-480e-9a10-d4346045441e", "created": "2025-11-12T13:04:37.244Z", "modified": "2025-11-12T13:04:37.244Z", "name": " Tenzai Campaign", "description": "Campaign involving using Tenzai", "first_seen": "2025-11-11T20:55:26.000Z", "last_seen": "2025-11-11T20:55:26.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://www.securityweek.com/?p=44256", "description": "Tenzai Raises $75 Million in Seed Funding to Build AI-Powered Pentesting Platform" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--10425fca-0adb-4b01-96fb-a3fa66114d37", "created": "2025-11-12T13:04:37.245Z", "modified": "2025-11-12T13:04:37.245Z", "name": " WebAuthn Campaign", "description": "Campaign involving using WebAuthn", "first_seen": "2025-11-11T16:38:30.000Z", "last_seen": "2025-11-11T16:38:30.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://mojoauth.com/blog/integrate-mojoauth-with-popular-saas-kits-like-shipfast-divjoy-saas-pegasus-and-supastarter-for-next-gen-passwordless-login", "description": "Integrate MojoAuth with Popular SaaS Kits like ShipFast, Divjoy, SaaS Pegasus, and Supastarter for Next-Gen Passwordless Login" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--87b551a3-bb7a-45bb-bc96-a8323ebf8ce5", "created": "2025-11-12T13:04:37.246Z", "modified": "2025-11-12T13:04:37.246Z", "name": " InDesign Campaign", "description": "Campaign involving using InDesign", "first_seen": "2025-11-11T21:20:33.000Z", "last_seen": "2025-11-11T21:20:33.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://www.securityweek.com/?p=44258", "description": "Adobe Patches 29 Vulnerabilities" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--070f07d6-fd10-459c-a426-157d5a523212", "created": "2025-11-12T13:04:37.251Z", "modified": "2025-11-12T13:04:37.251Z", "name": " Windows 10 Campaign", "description": "Campaign involving using Windows 10", "first_seen": "2025-11-11T19:09:57.000Z", "last_seen": "2025-11-11T19:09:57.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-kb5068781-the-first-windows-10-extended-security-update/", "description": "Microsoft releases KB5068781 — The first Windows 10 extended security update" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--24c7aaca-f227-40ed-babf-69c898aee0f2", "created": "2025-11-12T13:04:37.253Z", "modified": "2025-11-12T13:04:37.253Z", "name": " GitHub Copilot Campaign", "description": "Campaign involving using GitHub Copilot", "first_seen": "2025-11-11T08:00:00.000Z", "last_seen": "2025-11-11T08:00:00.000Z", "objective": "Malicious cyber operations", "confidence": 70, "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--3db58af6-22b4-440e-934e-6a3b93961fee", "created": "2025-11-12T13:04:37.255Z", "modified": "2025-11-12T13:04:37.255Z", "name": " Microsoft Configuration Campaign", "description": "Campaign involving using Microsoft Configuration", "first_seen": "2025-11-11T08:00:00.000Z", "last_seen": "2025-11-11T08:00:00.000Z", "objective": "Malicious cyber operations", "confidence": 70, "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--27f0ef15-52fa-4f44-968c-833f529bca3f", "created": "2025-11-12T13:04:37.255Z", "modified": "2025-11-12T13:04:37.255Z", "name": " Windows Administrator Protection Campaign", "description": "Campaign involving using Windows Administrator Protection", "first_seen": "2025-11-11T08:00:00.000Z", "last_seen": "2025-11-11T08:00:00.000Z", "objective": "Malicious cyber operations", "confidence": 70, "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--d178f098-66ae-4db6-bd0b-f75ef2e6a291", "created": "2025-11-12T13:04:37.256Z", "modified": "2025-11-12T13:04:37.256Z", "name": " Dynamics 365 Field Service Campaign", "description": "Campaign involving using Dynamics 365 Field Service", "first_seen": "2025-11-11T08:00:00.000Z", "last_seen": "2025-11-11T08:00:00.000Z", "objective": "Malicious cyber operations", "confidence": 70, "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--aa9aca02-11f2-48d4-a79e-4bde05b96d98", "created": "2025-11-12T13:04:37.263Z", "modified": "2025-11-12T13:04:37.263Z", "name": "Mitigate CVE-2025-62215", "description": "Apply security updates and patches to address CVE-2025-62215", "action_type": "remediate", "external_references": [ { "source_name": "nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62215", "description": "NVD entry with patch information" }, { "source_name": "article", "url": "https://thehackernews.com/2025/11/microsoft-fixes-63-security-flaws.html", "description": "Microsoft Fixes 63 Security Flaws, Including a Windows Kernel Zero-Day Under Active Attack" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5dfa82e2-4780-48db-adb9-150e921f3ec2", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--26eca839-6996-4355-b556-31d7e4bd0671", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: the lazarus group uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--117ad508-f0e4-4758-8487-12c2ce230bc3", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--26eca839-6996-4355-b556-31d7e4bd0671", "target_ref": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7", "confidence": 85, "description": "MITRE ATT&CK mapping: the lazarus group uses supply chain compromise (T1195)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--341936b5-9a66-49ea-83fc-d0c44a7a23f0", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--26eca839-6996-4355-b556-31d7e4bd0671", "target_ref": "attack-pattern--f1669470-d352-4943-bd4a-70c7740b6d39", "confidence": 85, "description": "MITRE ATT&CK mapping: the lazarus group uses compromise software supply chain (T1195.002)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3ed91fd9-c9bf-4423-a596-96bec95af734", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--26eca839-6996-4355-b556-31d7e4bd0671", "target_ref": "attack-pattern--9f6c52f6-cc63-4397-b485-099a2ca6acf9", "confidence": 85, "description": "MITRE ATT&CK mapping: the lazarus group uses compromise hardware supply chain (T1195.003)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--71a352df-0829-4179-9085-6e0c3d0da093", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--ff08fc2e-94c4-4b43-9534-46cf3ca829d7", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: callisto/star blizzard/unc4057 uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cf7cc71b-6e8f-4d73-8cea-a2995e646bd4", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--d31be0f2-c18f-47fc-8c98-44257348d6ca", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: lulzsec uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--940cb913-54b0-40bf-af35-462511e371af", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--632cf54c-908b-4cc4-aed0-0d1937468924", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: charming kitten uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--355f32b3-685e-4fb3-a8cd-8f81e0895052", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--4252968b-3f54-481e-bb3b-2e3b30c275e3", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: lazarus uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--89e1a9f5-a74d-4e4e-a09d-cafb6b4d586d", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--4252968b-3f54-481e-bb3b-2e3b30c275e3", "target_ref": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7", "confidence": 85, "description": "MITRE ATT&CK mapping: lazarus uses supply chain compromise (T1195)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--96361ed8-c88c-4061-aa58-38793ef55047", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--4252968b-3f54-481e-bb3b-2e3b30c275e3", "target_ref": "attack-pattern--f1669470-d352-4943-bd4a-70c7740b6d39", "confidence": 85, "description": "MITRE ATT&CK mapping: lazarus uses compromise software supply chain (T1195.002)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4678aeba-2267-410f-8b01-e65a4a097afe", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--4252968b-3f54-481e-bb3b-2e3b30c275e3", "target_ref": "attack-pattern--9f6c52f6-cc63-4397-b485-099a2ca6acf9", "confidence": 85, "description": "MITRE ATT&CK mapping: lazarus uses compromise hardware supply chain (T1195.003)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--680b5ab6-72fb-4c00-a0d2-18c1e8a410d0", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: scattered spider uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--da266b2e-ec69-4692-a2b8-15eeca4be258", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--2607de8b-b3f2-45d2-beb8-6277dfbeb4b9", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: cl0p uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--aab491c2-1f75-485a-a914-9c73013bdc47", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--1c24883b-5440-48be-89b4-b0c9d2b0646b", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: shinyhunters uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--df9504e2-04ca-47c7-8e99-e0862058418e", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--aed4bc51-33b0-4736-bcb7-17aea7c56aa9", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: qilin uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f458d851-6331-4947-9209-9f39d4c42714", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--59aae272-74d1-4419-b6d7-48ca8d0af280", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: qilin group uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3845c3d6-444f-485c-83c9-4ab3bc9d37b0", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--fa23fba6-5aba-458c-b415-59ec946c866d", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: aleksei olegovich volkov uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4885b254-162b-4199-87ee-81632d3f2db0", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--d61efa5c-464b-456c-a119-3d0fa06440fc", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: chubaka.kor uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4c004770-fe43-42c5-9268-08b895ee223d", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--a2bc0cc6-3e55-464a-9a42-f48e7d9b9fd5", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: dragonforce uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7c59bdd3-7c55-45a3-be2c-fc50718daa34", "created": "2025-11-12T13:04:37.846Z", "modified": "2025-11-12T13:04:37.846Z", "relationship_type": "uses", "source_ref": "threat-actor--3a7625ba-dd01-4c6a-aa2a-4e8c916b44bb", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: aleksey olegovich volkov uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--0266672a-9fc2-4956-ae4f-2c7b07ece81e", "value": "youtube.com" }, { "type": "url", "spec_version": "2.1", "id": "url--27e94823-d68c-4826-87f6-389434b2a0f5", "value": "https://www.youtube.com/watch?v=Zg3..." }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--58e4a32b-2f29-4d6c-8600-64e03402644c", "created": "2025-11-12T13:04:37.847Z", "modified": "2025-11-12T13:04:37.847Z", "relationship_type": "mitigated-by", "source_ref": "vulnerability--e5e19dbb-9f5c-4b3b-9103-9554dd1471d2", "target_ref": "course-of-action--aa9aca02-11f2-48d4-a79e-4bde05b96d98", "description": "CVE-2025-62215 is mitigated by Mitigate CVE-2025-62215" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3338ccf7-3ac2-42df-aec7-fc14efff5f83", "created": "2025-11-12T13:04:37.847Z", "modified": "2025-11-12T13:04:37.847Z", "relationship_type": "targets", "source_ref": "campaign--58000471-19de-45a5-bc04-4c32d73b1220", "target_ref": "vulnerability--e5e19dbb-9f5c-4b3b-9103-9554dd1471d2", "description": "CVE-2025-62215 Exploitation Campaign targets CVE-2025-62215" } ] }

Playbook for the Secure Enterprise

Compliance Impact Scoreboard

Industry Watch

CyberSecurity Latest Rundown

CRITICAL ITEMS

HIGH SEVERITY ITEMS

EXECUTIVE INSIGHTS

VENDOR SPOTLIGHT

DETECTION & RESPONSE KIT

Cookie Notice

STIX 2.1 Threat Intelligence Bundle

If you like MikeGPT CyberSecurity Newsletter, spread the word.