Cybersecurity Latest Rundown

Playbook for the Secure Enterprise

Compliance Impact Scoreboard

SOX: 15 HIPAA: 5 FISMA: 3 General Enterprise: 3 NIS2: 1

Industry Watch

EU Organizations (GDPR) QUIET

Below average activity (0.6x baseline)

Healthcare (HIPAA) QUIET

Below average activity (0.6x baseline)

Technology Service Providers (SOC 2) QUIET

Below average activity (0.5x baseline)

General Enterprise (General Enterprise) QUIET

Below average activity (0.5x baseline)

CyberSecurity Latest Rundown

Heroes, here is your rundown for November 13, 2025.

CRITICAL ITEMS

Amazon Confirms Active Zero-Day Exploitation of Critical Cisco ISE and CitrixBleed 2 Vulnerabilities
Date & Time: 2025-11-13T09:50:22

Amazon has reported observing a threat actor actively exploiting two critical vulnerabilities, CVE-2025-20337 in Cisco Identity Services Engine (ISE) and CVE-2025-5777 in Citrix products (dubbed CitrixBleed 2), as zero-days. This means attackers were leveraging these flaws before patches or public disclosure, giving defenders no time to prepare.

Business impact

Exploitation of these vulnerabilities could lead to a complete compromise of network security. A compromised Cisco ISE allows for unauthorized network access and privilege escalation, while a Citrix flaw can expose sensitive application data and provide a foothold for lateral movement within the corporate network.

Recommended action

Immediately apply the vendor-supplied patches for both Cisco ISE and the affected Citrix products. Initiate threat hunting activities, searching for indicators of compromise related to these vulnerabilities, as exploitation may have occurred prior to patching.

CVE: CVE-2025-20337, CVE-2025-5777 | Compliance: SOX | Source: SecurityWeek ↗
CISA Adds Actively Exploited WatchGuard Firebox Flaw to KEV Catalog
Date & Time: 2025-11-13T07:23:00

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical WatchGuard Fireware vulnerability, CVE-2025-9242, to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms evidence of active, in-the-wild exploitation and mandates that Federal Civilian Executive Branch agencies patch the flaw. The vulnerability affects an estimated 54,000 Firebox appliances and can be exploited by an unauthenticated attacker.

Business impact

A successful exploit could allow an attacker to completely bypass perimeter security, gain administrative access to the firewall, intercept network traffic, and pivot into the internal network. This poses a severe risk of data breach, ransomware deployment, and persistent network compromise.

Recommended action

All organizations using WatchGuard Firebox appliances must apply the patch for CVE-2025-9242 immediately. Review firewall logs for any signs of unauthorized access or anomalous activity directed at the management interface.

CVE: CVE-2025-9242 | Compliance: SOX | Source: The Hacker News ↗, Security Affairs ↗
Global Police Operation Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Infrastructure
Date & Time: 2025-11-13T10:53:39

An international law enforcement operation, dubbed "Operation Endgame," has successfully taken down 1,025 servers used by three major malware operations: the Rhadamanthys information stealer, VenomRAT, and the Elysium botnet. This coordinated action across nine countries represents a significant disruption to the cybercrime ecosystem supporting these threats.

Business impact

This takedown may temporarily reduce the volume of attacks from these specific malware families. However, it serves as a reminder of the persistent threat from organized cybercrime. Data stolen by these operations in the past may still be in circulation or used for future attacks.

Recommended action

Security teams should use this opportunity to hunt for historical indicators of compromise (IoCs) associated with Rhadamanthys, VenomRAT, and Elysium to ensure their networks have not been previously compromised. Review and reinforce defenses against information stealers and remote access trojans.

CVE: n/a | Compliance: General Enterprise | Source: BleepingComputer ↗

HIGH SEVERITY ITEMS

Google Sues 'Lighthouse' Phishing-as-a-Service Platform Behind $1B in Scams
Date & Time: 2025-11-13T15:58:28

Google is taking legal action to dismantle a Chinese phishing network that operates the "Lighthouse" Phishing-as-a-Service (PaaS) platform. This service has enabled widespread scam campaigns, resulting in over $1 billion in losses and targeting millions of users globally.

Business impact

The existence of industrialized PaaS platforms dramatically lowers the barrier to entry for cybercriminals, leading to a higher volume and sophistication of phishing attacks. This legal action, if successful, could disrupt a major source of these attacks, but the underlying threat model remains.

Recommended action

Bolster anti-phishing defenses with strong email filtering, user education, and the deployment of phishing-resistant authentication methods like FIDO2/passkeys. Monitor for phishing campaigns that leverage infrastructure from the Lighthouse platform.

CVE: n/a | Compliance: HIPAA, SOX | Source: TechRepublic ↗

UK's NHS Investigating Potential Breach of Oracle E-Business Suite
Date & Time: 2025-11-13T12:54:05

The UK's National Health Service (NHS) and the National Cyber Security Centre are investigating claims from a hacking group that it has breached the NHS's Oracle E-Business Suite (EBS). The hackers have allegedly named the NHS as one of over 40 victims of their campaign.

Business impact

A breach of the NHS's Oracle EBS could result in the exposure of highly sensitive patient and administrative data, leading to severe regulatory fines (HIPAA), reputational damage, and operational disruption for a critical national healthcare provider.

Recommended action

Organizations using Oracle EBS should ensure all systems are fully patched, review access controls and audit logs for any signs of compromise, and monitor threat intelligence for updates on the tactics used in this campaign.

CVE: n/a | Compliance: HIPAA, SOX | Source: SecurityWeek ↗
CISA Warns Federal Agencies on Incomplete Patching of Cisco Devices Targeted by Chinese APTs
Date & Time: 2025-11-13T15:05:20

CISA has issued updated guidance after discovering that federal agencies were incorrectly reporting vulnerable Cisco ASA and FTD devices as 'patched'. These devices, targeted in state-sponsored Chinese hacking campaigns, remain exposed due to incomplete patching procedures, creating a false sense of security.

Business impact

Failure to properly validate patching leaves critical network infrastructure vulnerable to exploitation by sophisticated threat actors. This can lead to espionage, data exfiltration, and the establishment of persistent access into government and corporate networks.

Recommended action

Do not rely solely on software version numbers for patch verification. Follow CISA's updated, detailed guidance to actively confirm that security patches for Cisco ASA and FTD devices have been successfully and completely applied.

CVE: n/a | Compliance: SOX, FISMA | Source: SecurityWeek ↗
Malicious 'Safery' Chrome Extension Steals Ethereum Wallet Seed Phrases
Date & Time: 2025-11-13T13:04:00

A malicious Chrome browser extension named "Safery: Ethereum Wallet" is masquerading as a legitimate cryptocurrency wallet to steal users' seed phrases. The extension uses the Sui blockchain for its operations and is designed to exfiltrate the credentials needed for full control over a user's Ethereum assets.

Business impact

This threat poses a direct financial risk to employees who may use corporate devices for personal cryptocurrency management, potentially introducing malware into the network. It highlights the ongoing risk of malicious browser extensions as a vector for credential theft.

Recommended action

Enforce browser extension blocklists/allowlists on corporate devices. Educate users on the dangers of installing unvetted extensions, especially those related to financial or cryptocurrency management.

CVE: n/a | Compliance: GDPR, NIS2 | Source: The Hacker News ↗

EXECUTIVE INSIGHTS

October 2025 Ransomware Attacks Soar 30% as New Groups Emerge
Date & Time: 2025-11-13T08:43:30

Analysis of October 2025 data shows a 30% surge in ransomware attacks, with new threat groups entering the landscape and redefining attack methodologies. This trend indicates that the ransomware ecosystem is not only growing but also evolving, posing a continuous and escalating threat to organizations across all sectors. This sustained increase requires a strategic, long-term focus on resilience, including robust backup and recovery plans, network segmentation, and proactive threat hunting, rather than relying solely on preventative controls.

Source: Cyble ↗

VENDOR SPOTLIGHT

Spotlight Rationale: Today's intelligence highlights the need for automation to manage a complex and fast-moving threat landscape, from zero-day exploits like CVE-2025-20337 to the operational challenges of post-quantum cryptography readiness.

Threat Context: The PKI perfect storm: how to kill three birds with one stone (spoiler: the stone is automation)

Platform Focus: Sectigo Certificate Manager (Automated CLM)

Sectigo's article emphasizes that manual Public Key Infrastructure (PKI) management is no longer viable. An automated Certificate Lifecycle Management (CLM) platform directly addresses the converging challenges of shorter certificate lifespans, the impending need for post-quantum cryptographic agility, and the deprecation of certain protocols. By automating discovery, issuance, and renewal, CLM reduces the attack surface created by expired or misconfigured certificates, which are often exploited by attackers for man-in-the-middle attacks or to establish persistence.

Actionable Platform Guidance: Organizations should leverage an automated CLM solution to perform a comprehensive discovery scan of their entire network to create an inventory of all existing TLS/SSL certificates. Following discovery, they should configure automated renewal policies with notifications to eliminate unexpected expirations. Finally, use the platform's agility features to plan and execute a phased migration from current cryptographic standards to quantum-resistant algorithms.

Source: Sectigo ↗

DETECTION & RESPONSE KIT

⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.

1. Vendor Platform Configuration - Automated CLM (Sectigo)

# Action Plan for Automated Certificate Lifecycle Management (CLM)

# 1. Initial Discovery Phase
# - Configure discovery scans targeting all internal and external IP ranges, cloud environments, and integrated devices (e.g., load balancers).
# - Goal: Create a complete, centralized inventory of every TLS/SSL certificate.

# 2. Policy Configuration
# - Define certificate policies based on business unit, environment (prod/dev), and risk level.
# - Set automated renewal thresholds (e.g., 30 days before expiry) to prevent service disruptions.
# - Enforce cryptographic standards (e.g., key length, signature algorithm) for all new certificate requests.

# 3. Automation & Integration
# - Integrate the CLM platform with your Certificate Authorities (CAs) and key infrastructure (e.g., Active Directory Certificate Services).
# - Use automation agents or API integrations to push renewed certificates directly to web servers, application servers, and network appliances.

# 4. Verification & Reporting
# - Schedule regular reports on certificate health, upcoming expirations, and policy compliance.
# - Set up alerts for failed renewals or the discovery of non-compliant certificates.

2. YARA Rule for Rhadamanthys Infostealer

rule Detect_Rhadamanthys_Infostealer_Artifacts {
meta:
description = "Detects potential artifacts associated with the Rhadamanthys information stealer malware."
author = "Threat Rundown"
date = "2025-11-13"
reference = "https://www.bleepingcomputer.com/news/security/police-disrupts-rhadamanthys-venomrat-and-elysium-malware-operations/"
severity = "high"
tlp = "white"
strings:
$s1 = "C:\\ProgramData\\WindowsNT.dat" ascii wide
$s2 = "rhadamanthys" ascii wide
$s3 = "/c ping 127.0.0.1 -n 5 > NUL & del" ascii wide
$s4 = "BCRYPT_AES_ALGORITHM" ascii wide
condition:
uint16(0) == 0x5a4d and filesize < 2MB and (2 of ($s*))
}

3. SIEM Query — Detecting WatchGuard CVE-2025-9242 Exploitation Attempts

index=firewall sourcetype="watchguard_fireware"
(dest_port="4100" OR dest_port="8080") AND action="denied" AND NOT src_ip IN (known_admin_ips)
| stats count by src_ip, dest_ip, policy
| where count > 10
| eval risk_score=case(
policy matches '(?i)WatchGuard Web UI', 100,
policy matches '(?i)Allow-Outgoing', 20,
1==1, 50)
| where risk_score >= 100
| table src_ip, dest_ip, policy, count, risk_score
| sort -count

4. PowerShell Script — Hunt for IoCs on Key Servers

<#
.SYNOPSIS
Checks a list of servers for specific file-based Indicators of Compromise (IoCs).
.DESCRIPTION
This script iterates through a list of computer names, tests connectivity, and then
searches for the presence of a specific malicious file path.
#>

$computers = "DC01", "FILESRV01", "EXCHANGE01", "WEBSRV01"
$iocPath = "C:\ProgramData\WindowsNT.dat" # Example IoC for Rhadamanthys

Write-Host "Starting IoC scan for path: $iocPath" -ForegroundColor Yellow

foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
try {
$remotePath = "\\$($computer)\C$\ProgramData\WindowsNT.dat"
if (Test-Path -LiteralPath $remotePath -ErrorAction Stop) {
Write-Host "[CRITICAL] IoC FOUND on $computer at path: $remotePath" -ForegroundColor Red
} else {
Write-Host "[INFO] IoC not found on $computer." -ForegroundColor Green
}
} catch {
Write-Host "[WARNING] Could not access path on $computer. Check permissions or path. Error: $($_.Exception.Message)" -ForegroundColor Magenta
}
} else {
Write-Host "[WARNING] Cannot connect to $computer. Host may be offline." -ForegroundColor Magenta
}
}

Write-Host "Scan complete." -ForegroundColor Yellow

This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!

{ "type": "bundle", "id": "bundle--0e3fdd50-ce64-478c-b6c7-6cd8cbe4e77a", "objects": [ { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487", "created": "2022-10-01T00:00:00.000Z", "definition_type": "tlp:2.0", "name": "TLP:CLEAR", "definition": { "tlp": "clear" } }, { "type": "identity", "spec_version": "2.1", "id": "identity--979df24d-0248-447f-ad50-33760258ba69", "created": "2025-11-13T17:08:18.388Z", "modified": "2025-11-13T17:08:18.388Z", "name": "MikeGPT Intelligence Platform", "description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds", "identity_class": "organization", "sectors": [ "technology", "defense" ], "contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "report", "spec_version": "2.1", "id": "report--88393617-afae-4912-9073-21cf31bf54f1", "created": "2025-11-13T17:08:18.388Z", "modified": "2025-11-13T17:08:18.388Z", "name": "Threat Intelligence Report - 2025-11-13", "description": "Threat Intelligence Report - 2025-11-13\n\nThis report consolidates actionable cybersecurity intelligence from 90 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Google Sues ‘Lighthouse’ Phishing Service After $1B+ Scams Target Millions (Score: 100)\n• ZDI-25-993: Adobe USD-Fileformat-plugins usdGltf Heap-based Buffer Overflow Remote Code Execution Vu (Score: 100)\n• ZDI-25-994: Adobe USD-Fileformat-plugins Out-Of-Bounds Read Remote Code Execution Vulnerability (Score: 100)\n• ZDI-25-997: Adobe USD-Fileformat-plugins usdGltf Use-After-Free Information Disclosure Vulnerability (Score: 100)\n• ZDI-25-1000: Adobe USD-Fileformat-plugins usdGltf Out-Of-Bounds Read Information Disclosure Vulnerab (Score: 100)\n\nEXTRACTED ENTITIES:\n• 34 Attack Pattern(s)\n• 14 Campaign(s)\n• 4 Course Of Action(s)\n• 1 Indicator(s)\n• 1 Intrusion Set(s)\n• 16 Location(s)\n• 53 Malware(s)\n• 1 Marking Definition(s)\n• 34 Relationship(s)\n• 13 Threat Actor(s)\n• 9 Tool(s)\n• 19 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n", "published": "2025-11-13T17:08:18.388Z", "object_refs": [ "identity--979df24d-0248-447f-ad50-33760258ba69", "vulnerability--8f735ec2-8220-4b83-9a8c-a0835387a0a3", "vulnerability--792ede9b-8de1-4c9a-91a0-e3f210f0d032", "vulnerability--5aa023ed-89ff-455f-a14b-06d7a32d06cd", "vulnerability--960fba5c-f3c4-4800-8756-f284eec96652", "vulnerability--6010829c-9633-4789-9611-a16db23db2f2", "vulnerability--79785aec-b79d-4b48-9193-077cbe55287a", "vulnerability--a9612828-7f11-4309-be11-9f187e26e457", "vulnerability--42ef99bb-338a-4d7e-907d-09e0a7806721", "vulnerability--39cf974d-29cd-453a-92b0-aacee7aa323e", "vulnerability--5f025007-20c8-4ccf-bfb6-a845e768c5eb", "malware--605c817b-0ca8-4c4f-8961-7dd094ee058b", "identity--7a97dfb8-5ca7-49d1-aa53-fe9c78a3853d", "vulnerability--2ce0c1a5-da9a-4507-8424-5cac0a7bdc24", "threat-actor--26eca839-6996-4355-b556-31d7e4bd0671", "vulnerability--75209a3b-2817-47f1-b38d-3b0e59249e1d", "identity--78652a32-1d49-42fb-a7b1-5c6f8bfb3581", "vulnerability--ed3de346-93c1-4c44-867e-0a775a7fa8e3", "vulnerability--1256edd4-a495-44a4-86b1-0740bb38277e", "malware--2bc1c989-7436-42b1-9012-2cfdf3da1a9d", "malware--44927346-2d9c-445c-8c5e-7dcdc2fbdec2", "malware--6be03c76-ed62-49ad-8d6a-8d6edc139482", "malware--3e45ebc9-bae3-4704-86a9-44abdb347667", "malware--a1fb60fd-66bc-4b59-93c9-962366cafc2a", "threat-actor--ff08fc2e-94c4-4b43-9534-46cf3ca829d7", "threat-actor--d31be0f2-c18f-47fc-8c98-44257348d6ca", "threat-actor--632cf54c-908b-4cc4-aed0-0d1937468924", "threat-actor--4252968b-3f54-481e-bb3b-2e3b30c275e3", "identity--2d677b32-42d6-4ae8-a662-4c9bb04de1b8", "malware--7cc3f9a2-daea-458e-a385-314141c7ae13", "malware--409c6fc4-b4a8-4d72-a6e5-90829bae6112", "identity--6e0f3149-d6f1-4ada-9805-3e656b4318ae", "identity--5fb634f4-4efc-4668-9397-71cf3601ffae", "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106", "identity--1abdf29f-9fe3-478e-b225-610c02d5b71e", "identity--15a8eecf-1ec3-47c8-a984-463663f1f6ef", "attack-pattern--86775379-7666-49ed-b92b-48c360342708", "malware--9fea6585-318d-4805-b8d1-1cdd2b3881ca", "malware--743fd0cd-4279-4ce4-aed2-d58784f3031c", "threat-actor--2607de8b-b3f2-45d2-beb8-6277dfbeb4b9", "malware--46a0b253-36c0-4c14-bdf6-40460c8bb029", "malware--6975652f-c247-47d4-8b69-5eba0a4b6104", "tool--ef194854-4842-4fb3-8351-88104dd33103", "identity--de165938-73e8-4c1e-92f2-1b7832514832", "identity--15d433d8-67cd-4bf6-a69d-b0c73b67f58e", "malware--622d89f5-39ec-4c12-9e59-72477cefd1ab", "malware--9c0dd3c2-3017-43bd-9b16-4b60a3d61120", "threat-actor--1c24883b-5440-48be-89b4-b0c9d2b0646b", "identity--cbb9b9ee-52b7-4d0e-b4a6-25b063a6fac2", "identity--23f126ae-d9bd-497b-9eb9-63af757eb466", "malware--fa4c643a-e54a-4f71-aa1c-4bb424bb6db5", "malware--d1b982de-9a91-4b3f-afe9-f09f8d466881", "malware--c1213cab-cfa6-47a2-b43b-7af4967ec05a", "identity--cba0f55e-7bb3-4ae6-b0f8-048dae21e7f3", "identity--ad194b40-4a7d-4618-9298-c15574c0cf77", "malware--ffa5aef9-e5ae-485c-b748-1db12e072806", "identity--6c5b43ba-1151-49f5-aea4-5130de5e46ba", "identity--ec073fc7-bb30-4c07-8aa0-9d1d51058897", "threat-actor--aed4bc51-33b0-4736-bcb7-17aea7c56aa9", "identity--6b8db019-ba56-4716-bbd3-bab18737fef4", "tool--9fb8a1b4-5c61-44e4-90e1-494f8de4d8d6", "malware--bbe568e2-469f-4f6e-894f-9004f60be5a5", "tool--9f804692-3dad-41b3-b550-5a7ca93e97a9", "threat-actor--59aae272-74d1-4419-b6d7-48ca8d0af280", "malware--4267370b-1057-49a4-942f-fcb4c563aacc", "tool--c2210051-55ab-4475-801e-0134045250d9", "identity--37a6c73b-081d-4c71-a467-5ccabd7ab329", "malware--f0089dea-b7b7-4a84-8fc4-e81a86cbecba", "identity--a57d502c-4e82-41ec-9234-875d491343fa", "identity--9fa139c1-5ce0-4ccf-9d02-1e0f8c2f38f6", "malware--8a13dba8-08ba-42eb-b07b-0712d0ad6082", "malware--9c959f03-a85c-4ccb-b73e-c55b0e32e5c2", "location--5b9801e8-bffe-4bee-b903-e93d9f801e0c", "threat-actor--fa23fba6-5aba-458c-b415-59ec946c866d", "tool--8296b0e0-ae1f-45b6-8de0-1c1a4a5e05c5", "malware--6f4456e2-6dc0-4521-ba8e-cabeff00859c", "malware--d1c0263c-8c2f-4c70-bd70-1ec546470fa2", "identity--bf415032-9753-40fd-aa77-45a09f6f767d", "threat-actor--d61efa5c-464b-456c-a119-3d0fa06440fc", "malware--0b67e2fd-eaf0-45b4-ba7e-3a4c1a740bb6", "tool--6f10bc28-3ad5-432c-bcde-e601f2332ffb", "identity--76224fd2-7db9-4dfd-951a-4b084bef03ad", "malware--1cddedd9-b8e1-4176-90a1-a8b5ed7613a4", "attack-pattern--22092a47-7fd2-4602-90b1-61623bb89079", "malware--2d7ce7de-e032-4043-8963-4c014393a48f", "malware--5e5e274e-42ad-4cf9-86fc-12db386831e5", "location--c92adf8f-1739-4c88-895d-06a7f2948f2e", "attack-pattern--78a1ad04-d1a7-4bf8-8006-34af1fd1d770", "identity--ce2e69c6-c194-4ca1-8ccd-65c1ce21af1b", "location--554766a1-5093-4b60-9732-aa6d14becb18", "tool--91088445-edc4-4d00-864c-785446cbb1af", "identity--f8278a12-ae20-4c3f-9977-3dd4feafc099", "identity--01b0e443-1611-4441-beba-d4f250c69101", "tool--2bd39da2-1744-453b-8891-2872e72c94bb", "identity--daec362e-708a-4630-b425-6826593bb788", "identity--0379b4f6-f35b-447e-999f-7564a31b875b", "location--79365b11-f080-4c12-97f5-45b7784679a6", "threat-actor--a2bc0cc6-3e55-464a-9a42-f48e7d9b9fd5", "location--e8a8e369-e014-4c3f-98e2-d780344dbe7a", "tool--98496f61-df6e-4741-9fdc-b751ce5ac69d", "location--99e79579-3626-4cbc-b307-9a0ed522e607", "indicator--032d49c6-e2db-4ca3-ac15-f16c0d458867", "location--ea96e271-70b7-4ed7-af72-74ba165daca2", "threat-actor--3a7625ba-dd01-4c6a-aa2a-4e8c916b44bb", "location--c641f4aa-ac4d-4b50-a0eb-cb383b4a3e53", "vulnerability--7680a803-4098-41b0-83ff-f4c1ee650dbd", "location--2cffd105-432c-46ca-a015-faa047518780", "identity--95c8389c-7419-490e-8d5b-8f227478ce1c", "location--f89078f0-39f7-4a02-a7e4-dbde6a3138cd", "identity--a8564e44-9dd4-4fa2-af91-011d076d1c14", "location--44405860-a9a6-458f-beae-e4e62ebb780f", "identity--7aa77399-1a75-40ae-a4c3-2fbf8783bcff", "location--09fb5c3f-e950-4d77-9967-81596ba45e63", "location--5dbd12b2-f0b0-4c36-847b-62aa529b4595", "location--24ea8196-d1e3-4fe9-8c4e-06047a334d1e", "attack-pattern--9ad5784d-77ba-4b52-90f9-49695e3dbde6", "attack-pattern--020ddb29-4b95-4601-a850-894e55402fe2", "location--4184e662-7eed-444d-94b4-7f31e34d5299", "attack-pattern--2a1ef775-77d8-455c-bede-0a48e2d7adc4", "location--d28ab131-d57a-43d0-9c93-51a1e6b190f8", "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "attack-pattern--06cf8802-38e4-4421-a699-33a0bae74d96", "attack-pattern--2e52cc86-c2ef-43d7-9f1e-2fc59c4845ee", "attack-pattern--943edc6f-c0f9-48f1-b8d4-4666aa0abae1", "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7", "attack-pattern--af705332-242d-4c31-9955-6dca77d560de", "attack-pattern--75f8063e-1388-4007-8255-4523fceba24e", "attack-pattern--4c8bcb56-2a96-4393-a41f-3829ab20b9ba", "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "attack-pattern--7aa19707-a8bb-4175-a9ce-0dc6a85cf429", "attack-pattern--7ea3b24d-a348-4e2a-8251-34ddfc9d4e74", "attack-pattern--1cee389c-adf4-4dd9-8799-2e24d73fe07a", "attack-pattern--6f441f0d-2af5-4ab6-853d-745c0cc303e9", "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea", "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1", "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530", "attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6", "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237", "attack-pattern--f9415933-ea91-4a9d-9cff-435abcfbe10f", "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e", "vulnerability--362cd1ff-34a1-4935-9407-8b30c34a131f", "vulnerability--d1ead664-b882-4b60-bef9-8a0b4fda9f0a", "vulnerability--61ba0d91-d1f9-4517-9645-530acdbf5905", "vulnerability--08a8d2cb-3748-4d46-a42a-eb4feb0e2ae1", "malware--d8a865a6-9a2f-4237-8ebf-09cc3615b7bc", "malware--998016a5-ef40-4372-af8d-fda51389b5de", "malware--de9ca544-b544-4257-ac6c-c39d705aacae", "malware--6b0847ff-13ba-45e6-bd76-51076e5ec93e", "malware--9c45a635-b01b-463b-96d8-62f8c44a9d3c", "malware--890b9b5b-ac66-40a6-b1e5-40c458ce0c8d", "malware--3705937f-0b7b-4617-9ebe-91764ad2b61b", "malware--e40008ba-b7f9-4aa9-b4be-fd45a38d6fa4", "malware--0beaeefc-9c5e-47c9-9a3d-24b903b035a1", "malware--00c46de3-f76c-46eb-87da-6ca1d922645c", "malware--e67d7f07-42e5-4f67-ae71-99c5927d804d", "malware--78243444-6ba0-4ff1-af3d-9ccffa742e5e", "malware--cc9461e1-cf12-4cd5-b8f7-3a3ae1a615f4", "malware--2cb874cc-f490-4ba2-a3a1-d73633bea6be", "malware--dca3a109-93ad-41fd-bd29-fec2de7f81ce", "malware--2d817ac6-8b68-4323-aa56-3830132a4b5c", "malware--c11cdc7d-5687-4827-8a79-d68fd283defb", "malware--e6237a39-d678-4d31-91c2-ac4018bef9e7", "malware--333e9d98-282c-466d-a5df-a90890c6a455", "malware--dff87144-5d54-4ff2-ac83-c06199fbea19", "malware--955b1b13-c3b7-4753-b56c-89baf54474bd", "malware--e11c6bf4-3acb-44ac-aa0c-bf713ac89bd2", "malware--1fafe0f0-70e0-4f1a-b7d0-c1af77d57bf1", "malware--12cb64b8-d062-45b4-b068-051cdddbe637", "campaign--15408c8d-8182-42b6-9664-7f479e877bbc", "campaign--9a265fcd-24f9-4de5-8c19-1647582aa0bf", "campaign--1191a542-bab8-4edc-a35d-63b76c09cb2d", "campaign--705ed079-5747-413e-945d-9a6a0c041d3a", "campaign--11d5a993-d3cb-4988-9da5-e6da4608ed61", "campaign--f58ea61a-106f-453f-891f-9235af052ac1", "campaign--2cc5b45a-4591-4b63-a36f-baccc46ced95", "campaign--9ebd2e36-bc92-4d76-a0a7-9d6e15566cae", "campaign--de53a88b-ab70-4ddb-8573-325299be3eee", "campaign--397c5d1c-b9c4-4797-8338-8042bbd2ffa1", "campaign--d57449a6-543e-4528-a280-9e1d3d555b1a", "campaign--ccbd586b-0bd8-4c6f-abbd-93536364d79c", "campaign--fbea321d-865b-4578-a816-4e6439e6d89f", "campaign--6e99d37a-92eb-496d-94df-97cd59e3a578", "course-of-action--b5055d44-4ee3-46d9-9ec4-4e6b7d115d8d", "course-of-action--0b0f486d-4632-4a52-95ca-b7cc9021b101", "course-of-action--a43864f3-b3c9-40b9-bfa9-e7b40bb2e356", "course-of-action--3da35019-3ba2-46d6-a9b3-68d723579a9b", "relationship--b116fc38-91a9-4b6e-9c4f-a052496bd261", "relationship--cc06fb91-f99f-4c2a-bbc1-3c2cb26bd457", "relationship--2a3f3f8b-23fe-4c38-a759-babd61f09cc8", "relationship--48040348-a080-49b2-aafb-dd9cbef498fd", "relationship--83b846f0-a8b1-46c0-a307-b48a2ae2c973", "relationship--0036d0bc-1596-4abd-bebd-651d6b9bf4b1", "relationship--4f35c094-6adc-43c3-9ab9-4751d750f4a5", "relationship--a9f34d13-9d19-424f-911d-2f61ad982087", "relationship--62b6953b-7b6e-42d0-b7b0-7cd02f94d805", "relationship--db693b90-8eea-4ef1-b5ef-fd25986c9028", "relationship--be449e06-c98c-4bd6-b10e-7f234dc6e61b", "relationship--845c17f6-df64-4be7-a807-1156d55dadde", "relationship--60997a60-81ba-4e12-9186-9ddff93c6234", "relationship--58a5fc18-e9d9-47ba-927e-0fd54a71cf9e", "relationship--d5cd5b99-95a8-4c26-9037-dcbf5569a41d", "relationship--cac2697d-0c9f-4f58-8c24-f957a101752e", "relationship--665459a8-1f8d-42b3-af8e-aacc74901768", "relationship--b5ea106a-25fa-47af-98cd-e42436d2b3de", "relationship--2af9c668-12ab-41e1-b407-c89f2847d75d", "relationship--c2da1cf9-f608-40ad-816c-f8c7df483934", "relationship--b2922f74-b42d-40ea-8ef6-ba6c7622d6eb", "relationship--128a2567-14f9-42a6-8af1-921de311392f", "relationship--05d12b0e-b364-470b-a492-a020a78e2e25", "relationship--ef7a26e4-bede-4dbf-98da-53dad3fec34f", "relationship--12c8ec50-b6f5-42de-a3b0-10bcc69441c9", "relationship--e3dd32ac-19e2-4ed8-80bf-7f15a529b279", "relationship--67d4e1a3-fa39-4f3b-bafa-0c663709daea", "relationship--1de96e42-89a2-498e-b872-069f9a66c3f0", "relationship--7128294c-45a2-4f0e-a5ed-549f0f3fb707", "relationship--8c98901b-6813-4791-ad40-596bcbe337e8", "relationship--9d0c0e70-0399-4483-871b-929405d3a190", "relationship--b9897b38-4f50-4377-ab16-b83195ae87cf", "relationship--8600711a-d077-485c-8c1f-c2c44dc889dc", "relationship--f2e9ac04-e86d-4bf1-bdc9-756d096d03e5" ], "labels": [ "threat-report", "threat-intelligence" ], "created_by_ref": "identity--979df24d-0248-447f-ad50-33760258ba69", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.381Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--8f735ec2-8220-4b83-9a8c-a0835387a0a3", "name": "https://www.cve.org/CVERecord?id=CVE-2025-24085", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--792ede9b-8de1-4c9a-91a0-e3f210f0d032", "name": "CVE-2025-24085", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-24085", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24085" }, { "source_name": "nvd", "external_id": "CVE-2025-24085", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24085" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--5aa023ed-89ff-455f-a14b-06d7a32d06cd", "name": "CVE-2025-21042", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-21042", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21042" }, { "source_name": "nvd", "external_id": "CVE-2025-21042", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21042" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--960fba5c-f3c4-4800-8756-f284eec96652", "name": "CVE-2025-59305", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-59305", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59305" }, { "source_name": "nvd", "external_id": "CVE-2025-59305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59305" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--6010829c-9633-4789-9611-a16db23db2f2", "name": "CVE-2024-40766", "external_references": [ { "source_name": "cve", "external_id": "CVE-2024-40766", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40766" }, { "source_name": "nvd", "external_id": "CVE-2024-40766", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40766" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--79785aec-b79d-4b48-9193-077cbe55287a", "name": "CVE-2025-20362", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-20362", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20362" }, { "source_name": "nvd", "external_id": "CVE-2025-20362", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20362" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 94, "type": "vulnerability", "id": "vulnerability--a9612828-7f11-4309-be11-9f187e26e457", "name": "CVE-2025-12480", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-12480", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12480" }, { "source_name": "nvd", "external_id": "CVE-2025-12480", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12480" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 94, "type": "vulnerability", "id": "vulnerability--42ef99bb-338a-4d7e-907d-09e0a7806721", "name": "CVE-2025-52881", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-52881", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52881" }, { "source_name": "nvd", "external_id": "CVE-2025-52881", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52881" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 94, "type": "vulnerability", "id": "vulnerability--39cf974d-29cd-453a-92b0-aacee7aa323e", "name": "CVE-2025-52565", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-52565", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52565" }, { "source_name": "nvd", "external_id": "CVE-2025-52565", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52565" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 94, "type": "vulnerability", "id": "vulnerability--5f025007-20c8-4ccf-bfb6-a845e768c5eb", "name": "CVE-2025-34299", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-34299", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-34299" }, { "source_name": "nvd", "external_id": "CVE-2025-34299", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34299" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "malware", "id": "malware--605c817b-0ca8-4c4f-8961-7dd094ee058b", "name": "Yanluowang ransomware", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "identity", "id": "identity--7a97dfb8-5ca7-49d1-aa53-fe9c78a3853d", "name": "U.S. Cybersecurity and Infrastructure Security Agency", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 94, "type": "vulnerability", "id": "vulnerability--2ce0c1a5-da9a-4507-8424-5cac0a7bdc24", "name": "CVE-2025-41244", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-41244", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-41244" }, { "source_name": "nvd", "external_id": "CVE-2025-41244", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41244" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--26eca839-6996-4355-b556-31d7e4bd0671", "name": "the Lazarus Group", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 94, "type": "vulnerability", "id": "vulnerability--75209a3b-2817-47f1-b38d-3b0e59249e1d", "name": "CVE-2025-31133", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-31133", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31133" }, { "source_name": "nvd", "external_id": "CVE-2025-31133", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31133" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "identity", "id": "identity--78652a32-1d49-42fb-a7b1-5c6f8bfb3581", "name": "CISA", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 92, "type": "vulnerability", "id": "vulnerability--ed3de346-93c1-4c44-867e-0a775a7fa8e3", "name": "CVE-2025-32463", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-32463", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32463" }, { "source_name": "nvd", "external_id": "CVE-2025-32463", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32463" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 92, "type": "vulnerability", "id": "vulnerability--1256edd4-a495-44a4-86b1-0740bb38277e", "name": "CVE-2025-53609", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-53609", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53609" }, { "source_name": "nvd", "external_id": "CVE-2025-53609", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53609" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "malware", "id": "malware--2bc1c989-7436-42b1-9012-2cfdf3da1a9d", "name": "The Rhadamanthys infostealer", "is_family": true, "malware_types": [ "stealer" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "malware", "id": "malware--44927346-2d9c-445c-8c5e-7dcdc2fbdec2", "name": "GootLoader has resurfaced yet again after a brief spike in activity earlier this March", "is_family": true, "malware_types": [ "dropper" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "malware", "id": "malware--6be03c76-ed62-49ad-8d6a-8d6edc139482", "name": "Gootloader", "is_family": true, "malware_types": [ "dropper" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "malware", "id": "malware--3e45ebc9-bae3-4704-86a9-44abdb347667", "name": "Mirai", "is_family": true, "malware_types": [ "bot" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "malware", "id": "malware--a1fb60fd-66bc-4b59-93c9-962366cafc2a", "name": "Akira ransomware", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--ff08fc2e-94c4-4b43-9534-46cf3ca829d7", "name": "Callisto/Star Blizzard/UNC4057", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--d31be0f2-c18f-47fc-8c98-44257348d6ca", "name": "LulzSec", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--632cf54c-908b-4cc4-aed0-0d1937468924", "name": "Charming Kitten", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--4252968b-3f54-481e-bb3b-2e3b30c275e3", "name": "Lazarus", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "identity", "id": "identity--2d677b32-42d6-4ae8-a662-4c9bb04de1b8", "name": "Trend Micro", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "malware", "id": "malware--7cc3f9a2-daea-458e-a385-314141c7ae13", "name": "XCSSET", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "malware", "id": "malware--409c6fc4-b4a8-4d72-a6e5-90829bae6112", "name": "Rhadamanthys is an infostealer", "is_family": true, "malware_types": [ "stealer" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "identity", "id": "identity--6e0f3149-d6f1-4ada-9805-3e656b4318ae", "name": "U.S. Cyber Command", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "identity", "id": "identity--5fb634f4-4efc-4668-9397-71cf3601ffae", "name": "NSA", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "intrusion-set", "id": "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106", "name": "Scattered Spider", "labels": [ "intrusion-set" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "identity", "id": "identity--1abdf29f-9fe3-478e-b225-610c02d5b71e", "name": "Australian Signals Directorate", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "identity", "id": "identity--15a8eecf-1ec3-47c8-a984-463663f1f6ef", "name": "NIST", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "attack-pattern", "id": "attack-pattern--86775379-7666-49ed-b92b-48c360342708", "name": "XSS", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "unknown" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "malware", "id": "malware--9fea6585-318d-4805-b8d1-1cdd2b3881ca", "name": "GlassWorm malware", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "malware", "id": "malware--743fd0cd-4279-4ce4-aed2-d58784f3031c", "name": "PureRAT", "is_family": true, "malware_types": [ "remote-access-trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--2607de8b-b3f2-45d2-beb8-6277dfbeb4b9", "name": "Cl0p", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "malware", "id": "malware--46a0b253-36c0-4c14-bdf6-40460c8bb029", "name": "LANDFALL", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "malware", "id": "malware--6975652f-c247-47d4-8b69-5eba0a4b6104", "name": "Trojan", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "tool", "id": "tool--ef194854-4842-4fb3-8351-88104dd33103", "name": "NMap", "tool_types": [ "network-capture", "vulnerability-scanning" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "identity", "id": "identity--de165938-73e8-4c1e-92f2-1b7832514832", "name": "CrowdStrike", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "identity", "id": "identity--15d433d8-67cd-4bf6-a69d-b0c73b67f58e", "name": "Mandiant", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "malware", "id": "malware--622d89f5-39ec-4c12-9e59-72477cefd1ab", "name": "DCRat", "is_family": true, "malware_types": [ "remote-access-trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "malware", "id": "malware--9c0dd3c2-3017-43bd-9b16-4b60a3d61120", "name": "Datzbro", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--1c24883b-5440-48be-89b4-b0c9d2b0646b", "name": "ShinyHunters", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.382Z", "modified": "2025-11-13T17:08:18.382Z", "confidence": 95, "type": "identity", "id": "identity--cbb9b9ee-52b7-4d0e-b4a6-25b063a6fac2", "name": "KnowBe4", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "identity", "id": "identity--23f126ae-d9bd-497b-9eb9-63af757eb466", "name": "Flashpoint", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "malware", "id": "malware--fa4c643a-e54a-4f71-aa1c-4bb424bb6db5", "name": "Rhadamanthys", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "malware", "id": "malware--d1b982de-9a91-4b3f-afe9-f09f8d466881", "name": "AtomicStealer", "is_family": true, "malware_types": [ "stealer" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "malware", "id": "malware--c1213cab-cfa6-47a2-b43b-7af4967ec05a", "name": "XMRig", "is_family": true, "malware_types": [ "crypto-miner" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "identity", "id": "identity--cba0f55e-7bb3-4ae6-b0f8-048dae21e7f3", "name": "Proofpoint", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "identity", "id": "identity--ad194b40-4a7d-4618-9298-c15574c0cf77", "name": "Nozomi Networks", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "malware", "id": "malware--ffa5aef9-e5ae-485c-b748-1db12e072806", "name": "Akira Ransomware’s", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "identity", "id": "identity--6c5b43ba-1151-49f5-aea4-5130de5e46ba", "name": "Rapid7", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "identity", "id": "identity--ec073fc7-bb30-4c07-8aa0-9d1d51058897", "name": "Microsoft Threat Intelligence", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--aed4bc51-33b0-4736-bcb7-17aea7c56aa9", "name": "Qilin", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "identity", "id": "identity--6b8db019-ba56-4716-bbd3-bab18737fef4", "name": "OWASP", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "tool", "id": "tool--9fb8a1b4-5c61-44e4-90e1-494f8de4d8d6", "name": "any.run", "tool_types": [ "unknown" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 93, "type": "malware", "id": "malware--bbe568e2-469f-4f6e-894f-9004f60be5a5", "name": "Ransomware", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "tool", "id": "tool--9f804692-3dad-41b3-b550-5a7ca93e97a9", "name": "Wazuh", "tool_types": [ "unknown" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--59aae272-74d1-4419-b6d7-48ca8d0af280", "name": "Qilin group", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "malware", "id": "malware--4267370b-1057-49a4-942f-fcb4c563aacc", "name": "MatrixPDF", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "tool", "id": "tool--c2210051-55ab-4475-801e-0134045250d9", "name": "Defender for Office 365", "tool_types": [ "unknown" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "identity", "id": "identity--37a6c73b-081d-4c71-a467-5ccabd7ab329", "name": "ZDI", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "malware", "id": "malware--f0089dea-b7b7-4a84-8fc4-e81a86cbecba", "name": "Fantasy Hub", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "identity", "id": "identity--a57d502c-4e82-41ec-9234-875d491343fa", "name": "CBO", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "identity", "id": "identity--9fa139c1-5ce0-4ccf-9d02-1e0f8c2f38f6", "name": "SonicWall", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "malware", "id": "malware--8a13dba8-08ba-42eb-b07b-0712d0ad6082", "name": "Datzbro that can conduct device takeover", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "malware", "id": "malware--9c959f03-a85c-4ccb-b73e-c55b0e32e5c2", "name": "RayInitiator", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "location", "id": "location--5b9801e8-bffe-4bee-b903-e93d9f801e0c", "name": "the United States", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--fa23fba6-5aba-458c-b415-59ec946c866d", "name": "Aleksei Olegovich Volkov", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "tool", "id": "tool--8296b0e0-ae1f-45b6-8de0-1c1a4a5e05c5", "name": "Kali", "tool_types": [ "exploitation", "vulnerability-scanning", "network-capture" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "malware", "id": "malware--6f4456e2-6dc0-4521-ba8e-cabeff00859c", "name": "RingReaper", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "malware", "id": "malware--d1c0263c-8c2f-4c70-bd70-1ec546470fa2", "name": "Maverick", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "identity", "id": "identity--bf415032-9753-40fd-aa77-45a09f6f767d", "name": "QNAP", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--d61efa5c-464b-456c-a119-3d0fa06440fc", "name": "chubaka.kor", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "malware", "id": "malware--0b67e2fd-eaf0-45b4-ba7e-3a4c1a740bb6", "name": "Coyote", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "tool", "id": "tool--6f10bc28-3ad5-432c-bcde-e601f2332ffb", "name": "Google SafetyNet Attestation", "tool_types": [ "unknown" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.383Z", "modified": "2025-11-13T17:08:18.383Z", "confidence": 95, "type": "identity", "id": "identity--76224fd2-7db9-4dfd-951a-4b084bef03ad", "name": "The US Congressional Budget Office", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "malware", "id": "malware--1cddedd9-b8e1-4176-90a1-a8b5ed7613a4", "name": "GlassWorm", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "attack-pattern", "id": "attack-pattern--22092a47-7fd2-4602-90b1-61623bb89079", "name": "DoS", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "unknown" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "malware", "id": "malware--2d7ce7de-e032-4043-8963-4c014393a48f", "name": "Paragon’s Graphite", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "malware", "id": "malware--5e5e274e-42ad-4cf9-86fc-12db386831e5", "name": "Gootloader Returns", "is_family": true, "malware_types": [ "dropper" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "location", "id": "location--c92adf8f-1739-4c88-895d-06a7f2948f2e", "name": "U.S.", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "attack-pattern", "id": "attack-pattern--78a1ad04-d1a7-4bf8-8006-34af1fd1d770", "name": "Privilege Escalation", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "unknown" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "identity", "id": "identity--ce2e69c6-c194-4ca1-8ccd-65c1ce21af1b", "name": "Mend.io", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "location", "id": "location--554766a1-5093-4b60-9732-aa6d14becb18", "name": "South Korea", "country": "KR", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "tool", "id": "tool--91088445-edc4-4d00-864c-785446cbb1af", "name": "Universal Forwarders", "tool_types": [ "unknown" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "identity", "id": "identity--f8278a12-ae20-4c3f-9977-3dd4feafc099", "name": "OneBlood", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "identity", "id": "identity--01b0e443-1611-4441-beba-d4f250c69101", "name": "Security Affairs", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "tool", "id": "tool--2bd39da2-1744-453b-8891-2872e72c94bb", "name": "ELK", "tool_types": [ "unknown" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "identity", "id": "identity--daec362e-708a-4630-b425-6826593bb788", "name": "Schneider Electric", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "identity", "id": "identity--0379b4f6-f35b-447e-999f-7564a31b875b", "name": "GlobalLogic", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "location", "id": "location--79365b11-f080-4c12-97f5-45b7784679a6", "name": "Oman", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 93, "type": "threat-actor", "id": "threat-actor--a2bc0cc6-3e55-464a-9a42-f48e7d9b9fd5", "name": "DragonForce", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "location", "id": "location--e8a8e369-e014-4c3f-98e2-d780344dbe7a", "name": "Moldova", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "tool", "id": "tool--98496f61-df6e-4741-9fdc-b751ce5ac69d", "name": "Cisco Secure Firewall Threat Defense", "tool_types": [ "unknown" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "location", "id": "location--99e79579-3626-4cbc-b307-9a0ed522e607", "name": "Dublin", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 77, "type": "indicator", "id": "indicator--032d49c6-e2db-4ca3-ac15-f16c0d458867", "name": "141.98.82.26", "pattern": "[ipv4-addr:value = '141.98.82.26']", "pattern_type": "stix", "indicator_types": [ "ipv4-addr" ], "valid_from": "2025-11-13T17:08:18.384446+00:00", "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "location", "id": "location--ea96e271-70b7-4ed7-af72-74ba165daca2", "name": "Brussels", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 92, "type": "threat-actor", "id": "threat-actor--3a7625ba-dd01-4c6a-aa2a-4e8c916b44bb", "name": "Aleksey Olegovich Volkov", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "location", "id": "location--c641f4aa-ac4d-4b50-a0eb-cb383b4a3e53", "name": "Norway", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 80, "type": "vulnerability", "id": "vulnerability--7680a803-4098-41b0-83ff-f4c1ee650dbd", "name": "the Gemini Trifecta", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "location", "id": "location--2cffd105-432c-46ca-a015-faa047518780", "name": "Afghanistan", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "identity", "id": "identity--95c8389c-7419-490e-8d5b-8f227478ce1c", "name": "Logitech", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "location", "id": "location--f89078f0-39f7-4a02-a7e4-dbde6a3138cd", "name": "Denmark", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "identity", "id": "identity--a8564e44-9dd4-4fa2-af91-011d076d1c14", "name": "Suspected in Breach of Congressional Budget Office The Congressional Budget Office has been the subject of an apparent cyber incident", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "location", "id": "location--44405860-a9a6-458f-beae-e4e62ebb780f", "name": "the United Arab Emirates", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "identity", "id": "identity--7aa77399-1a75-40ae-a4c3-2fbf8783bcff", "name": "Jaguar Land Rover", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "location", "id": "location--09fb5c3f-e950-4d77-9967-81596ba45e63", "name": "Israel", "country": "IL", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "location", "id": "location--5dbd12b2-f0b0-4c36-847b-62aa529b4595", "name": "Berlin", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "location", "id": "location--24ea8196-d1e3-4fe9-8c4e-06047a334d1e", "name": "Ireland", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 95, "type": "attack-pattern", "id": "attack-pattern--9ad5784d-77ba-4b52-90f9-49695e3dbde6", "name": "to execute code over a network", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "unknown" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.384Z", "modified": "2025-11-13T17:08:18.384Z", "confidence": 91, "type": "attack-pattern", "id": "attack-pattern--020ddb29-4b95-4601-a850-894e55402fe2", "name": "using maliciously crafted input", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "unknown" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 91, "type": "location", "id": "location--4184e662-7eed-444d-94b4-7f31e34d5299", "name": "Germany", "country": "DE", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 91, "type": "attack-pattern", "id": "attack-pattern--2a1ef775-77d8-455c-bede-0a48e2d7adc4", "name": "a position to observe your network traffic to conclude language model conversation topics", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "unknown" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 87, "type": "location", "id": "location--d28ab131-d57a-43d0-9c93-51a1e6b190f8", "name": "Union County", "region": "unknown", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "name": "Spearphishing Attachment", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/001/", "external_id": "T1566.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "name": "Spearphishing Link", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/002/", "external_id": "T1566.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "name": "Spearphishing via Service", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.003", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/003/", "external_id": "T1566.003" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "name": "Exploit Public-Facing Application", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1190", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1190/", "external_id": "T1190" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "name": "Exploitation for Client Execution", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1203", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1203/", "external_id": "T1203" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "name": "Command and Scripting Interpreter", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1059", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1059/", "external_id": "T1059" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--06cf8802-38e4-4421-a699-33a0bae74d96", "name": "System Information Discovery", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_id": "T1082", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1082/", "external_id": "T1082" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--2e52cc86-c2ef-43d7-9f1e-2fc59c4845ee", "name": "File and Directory Discovery", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_id": "T1083", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1083/", "external_id": "T1083" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--943edc6f-c0f9-48f1-b8d4-4666aa0abae1", "name": "Process Discovery", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_id": "T1057", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1057/", "external_id": "T1057" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7", "name": "Supply Chain Compromise", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1195", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1195/", "external_id": "T1195" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--af705332-242d-4c31-9955-6dca77d560de", "name": "Modify Registry", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1112", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1112/", "external_id": "T1112" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--75f8063e-1388-4007-8255-4523fceba24e", "name": "Registry Run Keys / Startup Folder", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1547.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1547/001/", "external_id": "T1547.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--4c8bcb56-2a96-4393-a41f-3829ab20b9ba", "name": "Web Shell", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1505.003", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1505/003/", "external_id": "T1505.003" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "name": "Vulnerabilities", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1588.006", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1588/006/", "external_id": "T1588.006" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 82, "type": "attack-pattern", "id": "attack-pattern--7aa19707-a8bb-4175-a9ce-0dc6a85cf429", "name": "DNS", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "x_mitre_id": "T1071.004", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1071/004/", "external_id": "T1071.004" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 81, "type": "attack-pattern", "id": "attack-pattern--7ea3b24d-a348-4e2a-8251-34ddfc9d4e74", "name": "Fast Flux DNS", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "x_mitre_id": "T1568.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1568/001/", "external_id": "T1568.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 78, "type": "attack-pattern", "id": "attack-pattern--1cee389c-adf4-4dd9-8799-2e24d73fe07a", "name": "Service Exhaustion Flood", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_id": "T1499.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1499/002/", "external_id": "T1499.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 74, "type": "attack-pattern", "id": "attack-pattern--6f441f0d-2af5-4ab6-853d-745c0cc303e9", "name": "DNS Server", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1583.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1583/002/", "external_id": "T1583.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "name": "Archive via Utility", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1560.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1560/001/", "external_id": "T1560.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "name": "Screen Capture", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1113", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1113/", "external_id": "T1113" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "name": "Adversary-in-the-Middle", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1557", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1557/", "external_id": "T1557" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea", "name": "Scheduled Task", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1053.005", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1053/005/", "external_id": "T1053.005" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.385Z", "modified": "2025-11-13T17:08:18.385Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1", "name": "Socket Filters", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "x_mitre_id": "T1205.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1205/002/", "external_id": "T1205.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530", "name": "Malicious Shell Modification", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1156", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1156/", "external_id": "T1156" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "confidence": 66, "type": "attack-pattern", "id": "attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6", "name": "Artificial Intelligence", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1588.007", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1588/007/", "external_id": "T1588.007" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "confidence": 66, "type": "attack-pattern", "id": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237", "name": "Botnet", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1584.005", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1584/005/", "external_id": "T1584.005" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "confidence": 66, "type": "attack-pattern", "id": "attack-pattern--f9415933-ea91-4a9d-9cff-435abcfbe10f", "name": "Pass the Hash", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" } ], "x_mitre_id": "T1550.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1550/002/", "external_id": "T1550.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "confidence": 65, "type": "attack-pattern", "id": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e", "name": "Browser Extensions", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1176.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1176/001/", "external_id": "T1176.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--362cd1ff-34a1-4935-9407-8b30c34a131f", "created": "2025-11-13T17:07:18.506Z", "modified": "2025-11-13T17:07:18.506Z", "name": "CVE-2025-43401", "description": "Vulnerability CVE-2025-43401", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-43401", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43401" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--d1ead664-b882-4b60-bef9-8a0b4fda9f0a", "created": "2025-11-13T17:07:25.069Z", "modified": "2025-11-13T17:07:25.069Z", "name": "CVE-2025-5777", "description": "Vulnerability CVE-2025-5777 | Affects: Cisco and Citrix vulnerabilities | Status: zero-day", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-5777", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5777" }, { "source_name": "article", "url": "https://www.securityweek.com/?p=44277", "description": "Cisco ISE, CitrixBleed 2 Vulnerabilities Exploited as Zero-Days: Amazon" } ], "x_exploited": true, "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--61ba0d91-d1f9-4517-9645-530acdbf5905", "created": "2025-11-13T17:07:25.069Z", "modified": "2025-11-13T17:07:25.069Z", "name": "CVE-2025-20337", "description": "Vulnerability CVE-2025-20337 | Affects: Cisco and Citrix vulnerabilities | Status: zero-day", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-20337", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20337" }, { "source_name": "article", "url": "https://www.securityweek.com/?p=44277", "description": "Cisco ISE, CitrixBleed 2 Vulnerabilities Exploited as Zero-Days: Amazon" } ], "x_exploited": true, "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--08a8d2cb-3748-4d46-a42a-eb4feb0e2ae1", "created": "2025-11-13T17:07:28.411Z", "modified": "2025-11-13T17:07:28.411Z", "name": "CVE-2025-9242", "description": "Vulnerability CVE-2025-9242 | CVSS Score: 9.3", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-9242", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9242" }, { "source_name": "article", "url": "https://thehackernews.com/2025/11/cisa-flags-critical-watchguard-fireware.html", "description": "CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--d8a865a6-9a2f-4237-8ebf-09cc3615b7bc", "created": "2025-11-13T17:07:14.334Z", "modified": "2025-11-13T17:07:14.334Z", "name": "ZDI", "description": "Malware ZDI identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--998016a5-ef40-4372-af8d-fda51389b5de", "created": "2025-11-13T17:07:14.334Z", "modified": "2025-11-13T17:07:14.334Z", "name": "CVSS", "description": "Malware CVSS identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--de9ca544-b544-4257-ac6c-c39d705aacae", "created": "2025-11-13T17:07:19.725Z", "modified": "2025-11-13T17:07:19.725Z", "name": "CVE-2025-43401", "description": "Malware CVE-2025-43401 identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--6b0847ff-13ba-45e6-bd76-51076e5ec93e", "created": "2025-11-13T17:07:24.766Z", "modified": "2025-11-13T17:07:24.766Z", "name": "Kraken", "description": "Malware Kraken identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://blog.talosintelligence.com/content/images/2025/11/Kraken.jpg", "description": "Unleashing the Kraken ransomware group" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--9c45a635-b01b-463b-96d8-62f8c44a9d3c", "created": "2025-11-13T17:07:24.766Z", "modified": "2025-11-13T17:07:24.766Z", "name": "HelloKitty", "description": "Malware HelloKitty identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://blog.talosintelligence.com/content/images/2025/11/Kraken.jpg", "description": "Unleashing the Kraken ransomware group" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--890b9b5b-ac66-40a6-b1e5-40c458ce0c8d", "created": "2025-11-13T17:07:24.767Z", "modified": "2025-11-13T17:07:24.767Z", "name": "Talos", "description": "Malware Talos identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://blog.talosintelligence.com/content/images/2025/11/Kraken.jpg", "description": "Unleashing the Kraken ransomware group" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--3705937f-0b7b-4617-9ebe-91764ad2b61b", "created": "2025-11-13T17:07:26.683Z", "modified": "2025-11-13T17:07:26.683Z", "name": "Amazon", "description": "Malware Amazon identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://securityaffairs.com/?p=184561", "description": "Amazon alerts: advanced threat actor exploits Cisco ISE & Citrix NetScaler zero-days" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--e40008ba-b7f9-4aa9-b4be-fd45a38d6fa4", "created": "2025-11-13T17:07:28.410Z", "modified": "2025-11-13T17:07:28.410Z", "name": "October", "description": "Malware October identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://cyble.com/?p=104996", "description": "October 2025 Attacks Soar 30% as New Groups Redefine the Cyber Battlefield" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--0beaeefc-9c5e-47c9-9a3d-24b903b035a1", "created": "2025-11-13T17:07:32.428Z", "modified": "2025-11-13T17:07:32.428Z", "name": "Salt", "description": "Malware Salt identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://docs.saltproject.io/en/latest/topics/tutorials/walkthrough.html", "description": "Finding the grain of sand in a heap of Salt" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--00c46de3-f76c-46eb-87da-6ca1d922645c", "created": "2025-11-13T17:07:32.714Z", "modified": "2025-11-13T17:07:32.714Z", "name": "Sentinel", "description": "Malware Sentinel identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://www.reddit.com/r/cybersecurity/comments/1ovxosi/problems_with_migration_to_sentinel_in_defender/", "description": "Problems with migration to Sentinel in Defender portal" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--e67d7f07-42e5-4f67-ae71-99c5927d804d", "created": "2025-11-13T17:07:34.856Z", "modified": "2025-11-13T17:07:34.856Z", "name": "Elysium", "description": "Malware Elysium identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://www.bleepingcomputer.com/news/security/police-disrupts-rhadamanthys-venomrat-and-elysium-malware-operations/", "description": "Police disrupts Rhadamanthys, VenomRAT, and Elysium malware operations" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--78243444-6ba0-4ff1-af3d-9ccffa742e5e", "created": "2025-11-13T17:07:34.856Z", "modified": "2025-11-13T17:07:34.856Z", "name": "VenomRAT", "description": "Malware VenomRAT identified in threat intelligence", "malware_types": [ "trojan" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://www.bleepingcomputer.com/news/security/police-disrupts-rhadamanthys-venomrat-and-elysium-malware-operations/", "description": "Police disrupts Rhadamanthys, VenomRAT, and Elysium malware operations" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--cc9461e1-cf12-4cd5-b8f7-3a3ae1a615f4", "created": "2025-11-13T17:07:39.040Z", "modified": "2025-11-13T17:07:39.040Z", "name": "Ethereum", "description": "Malware Ethereum identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://thehackernews.com/2025/11/fake-chrome-extension-safery-steals.html", "description": "Fake Chrome Extension “Safery” Steals Ethereum Wallet Seed Phrases Using Sui Blockchain" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--2cb874cc-f490-4ba2-a3a1-d73633bea6be", "created": "2025-11-13T17:07:57.071Z", "modified": "2025-11-13T17:07:57.071Z", "name": "RAT", "description": "Malware RAT identified in threat intelligence", "malware_types": [ "trojan" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://securityaffairs.com/?p=184581", "description": "A new round of Europol’s Operation Endgame dismantled Rhadamanthys, Venom RAT, and Elysium botnet" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--dca3a109-93ad-41fd-bd29-fec2de7f81ce", "created": "2025-11-13T17:07:57.071Z", "modified": "2025-11-13T17:07:57.071Z", "name": "Venom", "description": "Malware Venom identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://securityaffairs.com/?p=184581", "description": "A new round of Europol’s Operation Endgame dismantled Rhadamanthys, Venom RAT, and Elysium botnet" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--2d817ac6-8b68-4323-aa56-3830132a4b5c", "created": "2025-11-13T17:07:57.071Z", "modified": "2025-11-13T17:07:57.071Z", "name": "Europol’s Operation Endgame", "description": "Malware Europol’s Operation Endgame identified in threat intelligence", "malware_types": [ "trojan" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://securityaffairs.com/?p=184581", "description": "A new round of Europol’s Operation Endgame dismantled Rhadamanthys, Venom RAT, and Elysium botnet" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--c11cdc7d-5687-4827-8a79-d68fd283defb", "created": "2025-11-13T17:07:57.071Z", "modified": "2025-11-13T17:07:57.071Z", "name": "Europol", "description": "Malware Europol identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://securityaffairs.com/?p=184581", "description": "A new round of Europol’s Operation Endgame dismantled Rhadamanthys, Venom RAT, and Elysium botnet" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--e6237a39-d678-4d31-91c2-ac4018bef9e7", "created": "2025-11-13T17:07:57.071Z", "modified": "2025-11-13T17:07:57.071Z", "name": "Eurojust", "description": "Malware Eurojust identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://securityaffairs.com/?p=184581", "description": "A new round of Europol’s Operation Endgame dismantled Rhadamanthys, Venom RAT, and Elysium botnet" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--333e9d98-282c-466d-a5df-a90890c6a455", "created": "2025-11-13T17:07:57.376Z", "modified": "2025-11-13T17:07:57.376Z", "name": "SecurityWeek", "description": "Malware SecurityWeek identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://www.securityweek.com/?p=44285", "description": "1,000+ Servers Hit in Law Enforcement Takedown of Rhadamanthys, VenomRAT, Elysium" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--dff87144-5d54-4ff2-ac83-c06199fbea19", "created": "2025-11-13T17:08:01.428Z", "modified": "2025-11-13T17:08:01.428Z", "name": "Non-Human Identities", "description": "Malware Non-Human Identities identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://entro.security/?p=18715", "description": "Ensuring Scalability in Your NHI Security Practices" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--955b1b13-c3b7-4753-b56c-89baf54474bd", "created": "2025-11-13T17:08:03.467Z", "modified": "2025-11-13T17:08:03.467Z", "name": "Disruptive", "description": "Malware Disruptive identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://www.securityweek.com/?p=44278", "description": "Synnovis Confirms Patient Information Stolen in Disruptive Ransomware Attack" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--e11c6bf4-3acb-44ac-aa0c-bf713ac89bd2", "created": "2025-11-13T17:08:03.467Z", "modified": "2025-11-13T17:08:03.467Z", "name": "Stolen", "description": "Malware Stolen identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://www.securityweek.com/?p=44278", "description": "Synnovis Confirms Patient Information Stolen in Disruptive Ransomware Attack" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--1fafe0f0-70e0-4f1a-b7d0-c1af77d57bf1", "created": "2025-11-13T17:08:03.467Z", "modified": "2025-11-13T17:08:03.467Z", "name": "Synnovis Confirms Patient Information Stolen", "description": "Malware Synnovis Confirms Patient Information Stolen identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://www.securityweek.com/?p=44278", "description": "Synnovis Confirms Patient Information Stolen in Disruptive Ransomware Attack" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--12cb64b8-d062-45b4-b068-051cdddbe637", "created": "2025-11-13T17:08:14.837Z", "modified": "2025-11-13T17:08:14.837Z", "name": "API", "description": "Malware API identified in threat intelligence", "malware_types": [ "unknown" ], "is_family": true, "external_references": [ { "source_name": "article", "url": "https://www.reddit.com/r/cybersecurity/comments/1ovw5eh/aigenerated_code_security_requires_infrastructure/", "description": "AI-generated code security requires infrastructure enforcement, not review" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "malicious-activity" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--15408c8d-8182-42b6-9664-7f479e877bbc", "created": "2025-11-13T17:08:18.246Z", "modified": "2025-11-13T17:08:18.246Z", "name": " ZDI Campaign", "description": "Campaign involving using ZDI", "first_seen": "2025-11-13T06:00:00.000Z", "last_seen": "2025-11-13T06:00:00.000Z", "objective": "Malicious cyber operations", "confidence": 70, "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--9a265fcd-24f9-4de5-8c19-1647582aa0bf", "created": "2025-11-13T17:08:18.248Z", "modified": "2025-11-13T17:08:18.248Z", "name": " SecurityWeek Campaign", "description": "Campaign involving using SecurityWeek", "first_seen": "2025-11-13T15:05:20.000Z", "last_seen": "2025-11-13T15:05:20.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://www.securityweek.com/?p=44288", "description": "CISA Updates Guidance on Patching Cisco Devices Targeted in China-Linked Attacks" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--1191a542-bab8-4edc-a35d-63b76c09cb2d", "created": "2025-11-13T17:08:18.251Z", "modified": "2025-11-13T17:08:18.251Z", "name": " Kraken Campaign", "description": "Campaign involving using Kraken", "first_seen": "2025-11-13T11:00:38.000Z", "last_seen": "2025-11-13T11:00:38.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://blog.talosintelligence.com/content/images/2025/11/Kraken.jpg", "description": "Unleashing the Kraken ransomware group" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--705ed079-5747-413e-945d-9a6a0c041d3a", "created": "2025-11-13T17:08:18.253Z", "modified": "2025-11-13T17:08:18.253Z", "name": " Amazon Campaign", "description": "Campaign involving using Amazon", "first_seen": "2025-11-13T09:50:22.000Z", "last_seen": "2025-11-13T09:50:22.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://www.securityweek.com/?p=44277", "description": "Cisco ISE, CitrixBleed 2 Vulnerabilities Exploited as Zero-Days: Amazon" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--11d5a993-d3cb-4988-9da5-e6da4608ed61", "created": "2025-11-13T17:08:18.255Z", "modified": "2025-11-13T17:08:18.255Z", "name": " October Campaign", "description": "Campaign involving using October", "first_seen": "2025-11-13T08:43:30.000Z", "last_seen": "2025-11-13T08:43:30.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://cyble.com/?p=104996", "description": "October 2025 Attacks Soar 30% as New Groups Redefine the Cyber Battlefield" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--f58ea61a-106f-453f-891f-9235af052ac1", "created": "2025-11-13T17:08:18.255Z", "modified": "2025-11-13T17:08:18.255Z", "name": " CVSS Campaign", "description": "Campaign involving using CVSS", "first_seen": "2025-11-13T07:23:00.000Z", "last_seen": "2025-11-13T07:23:00.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://thehackernews.com/2025/11/cisa-flags-critical-watchguard-fireware.html", "description": "CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--2cc5b45a-4591-4b63-a36f-baccc46ced95", "created": "2025-11-13T17:08:18.256Z", "modified": "2025-11-13T17:08:18.256Z", "name": " RAT Campaign", "description": "Campaign involving using RAT", "first_seen": "2025-11-13T14:00:20.000Z", "last_seen": "2025-11-13T14:00:20.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://www.securityweek.com/?p=44283", "description": "Webinar Today: The Future of Industrial Network Security" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--9ebd2e36-bc92-4d76-a0a7-9d6e15566cae", "created": "2025-11-13T17:08:18.264Z", "modified": "2025-11-13T17:08:18.264Z", "name": " Salt Campaign", "description": "Campaign involving using Salt", "first_seen": "2025-11-13T14:00:00.000Z", "last_seen": "2025-11-13T14:00:00.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://docs.saltproject.io/en/latest/topics/tutorials/walkthrough.html", "description": "Finding the grain of sand in a heap of Salt" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--de53a88b-ab70-4ddb-8573-325299be3eee", "created": "2025-11-13T17:08:18.265Z", "modified": "2025-11-13T17:08:18.265Z", "name": " Sentinel Campaign", "description": "Campaign involving using Sentinel", "first_seen": "2025-11-13T10:29:51.000Z", "last_seen": "2025-11-13T10:29:51.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://www.reddit.com/r/cybersecurity/comments/1ovxosi/problems_with_migration_to_sentinel_in_defender/", "description": "Problems with migration to Sentinel in Defender portal" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--397c5d1c-b9c4-4797-8338-8042bbd2ffa1", "created": "2025-11-13T17:08:18.266Z", "modified": "2025-11-13T17:08:18.266Z", "name": " Elysium Campaign", "description": "Campaign involving using Elysium", "first_seen": "2025-11-13T10:53:39.000Z", "last_seen": "2025-11-13T10:53:39.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://www.bleepingcomputer.com/news/security/police-disrupts-rhadamanthys-venomrat-and-elysium-malware-operations/", "description": "Police disrupts Rhadamanthys, VenomRAT, and Elysium malware operations" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--d57449a6-543e-4528-a280-9e1d3d555b1a", "created": "2025-11-13T17:08:18.271Z", "modified": "2025-11-13T17:08:18.271Z", "name": " Ethereum Campaign", "description": "Campaign involving using Ethereum", "first_seen": "2025-11-13T13:04:00.000Z", "last_seen": "2025-11-13T13:04:00.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://thehackernews.com/2025/11/fake-chrome-extension-safery-steals.html", "description": "Fake Chrome Extension “Safery” Steals Ethereum Wallet Seed Phrases Using Sui Blockchain" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--ccbd586b-0bd8-4c6f-abbd-93536364d79c", "created": "2025-11-13T17:08:18.276Z", "modified": "2025-11-13T17:08:18.276Z", "name": " API Campaign", "description": "Campaign involving using API", "first_seen": "2025-11-13T12:00:00.000Z", "last_seen": "2025-11-13T12:00:00.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://lab.wallarm.com/?p=55191", "description": "OWASP Top 10 Business Logic Abuse: What You Need to Know" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--fbea321d-865b-4578-a816-4e6439e6d89f", "created": "2025-11-13T17:08:18.277Z", "modified": "2025-11-13T17:08:18.277Z", "name": " Non-Human Identities Campaign", "description": "Campaign involving using Non-Human Identities", "first_seen": "2025-11-12T22:00:00.000Z", "last_seen": "2025-11-12T22:00:00.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://entro.security/?p=18719", "description": "How Smart NHI Solutions Enhance Security Measures" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--6e99d37a-92eb-496d-94df-97cd59e3a578", "created": "2025-11-13T17:08:18.308Z", "modified": "2025-11-13T17:08:18.308Z", "name": " Ransomware Campaign", "description": "Campaign involving using Ransomware", "first_seen": "2025-11-13T08:09:05.000Z", "last_seen": "2025-11-13T08:09:05.000Z", "objective": "Malicious cyber operations", "confidence": 70, "external_references": [ { "source_name": "article", "url": "https://www.reddit.com/r/cybersecurity/comments/1ovvj61/what_are_the_biggest_challenges_you_faced_with/", "description": "What are the biggest challenges you faced with enterprise cybersecurity in 2025?" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--b5055d44-4ee3-46d9-9ec4-4e6b7d115d8d", "created": "2025-11-13T17:08:18.330Z", "modified": "2025-11-13T17:08:18.330Z", "name": "Mitigate CVE-2025-5777", "description": "Apply security updates and patches to address CVE-2025-5777", "action_type": "remediate", "external_references": [ { "source_name": "nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5777", "description": "NVD entry with patch information" }, { "source_name": "article", "url": "https://www.techrepublic.com/?p=4335918", "description": "Google Sues ‘Lighthouse’ Phishing Service After $1B+ Scams Target Millions" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--0b0f486d-4632-4a52-95ca-b7cc9021b101", "created": "2025-11-13T17:08:18.330Z", "modified": "2025-11-13T17:08:18.330Z", "name": "Mitigate CVE-2025-20337", "description": "Apply security updates and patches to address CVE-2025-20337", "action_type": "remediate", "external_references": [ { "source_name": "nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20337", "description": "NVD entry with patch information" }, { "source_name": "article", "url": "https://www.techrepublic.com/?p=4335918", "description": "Google Sues ‘Lighthouse’ Phishing Service After $1B+ Scams Target Millions" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--a43864f3-b3c9-40b9-bfa9-e7b40bb2e356", "created": "2025-11-13T17:08:18.331Z", "modified": "2025-11-13T17:08:18.331Z", "name": "Mitigate CVE-2025-43401", "description": "Apply security updates and patches to address CVE-2025-43401", "action_type": "remediate", "external_references": [ { "source_name": "nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43401", "description": "NVD entry with patch information" }, { "source_name": "article", "url": "https://www.securityweek.com/?p=44288", "description": "CISA Updates Guidance on Patching Cisco Devices Targeted in China-Linked Attacks" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--3da35019-3ba2-46d6-a9b3-68d723579a9b", "created": "2025-11-13T17:08:18.331Z", "modified": "2025-11-13T17:08:18.331Z", "name": "Mitigate CVE-2025-9242", "description": "Apply security updates and patches to address CVE-2025-9242", "action_type": "remediate", "external_references": [ { "source_name": "nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9242", "description": "NVD entry with patch information" }, { "source_name": "article", "url": "https://www.securityweek.com/?p=44288", "description": "CISA Updates Guidance on Patching Cisco Devices Targeted in China-Linked Attacks" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b116fc38-91a9-4b6e-9c4f-a052496bd261", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--26eca839-6996-4355-b556-31d7e4bd0671", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 75, "description": "MITRE ATT&CK mapping: the lazarus group uses spearphishing attachment (T1566.001)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cc06fb91-f99f-4c2a-bbc1-3c2cb26bd457", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--26eca839-6996-4355-b556-31d7e4bd0671", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: the lazarus group uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2a3f3f8b-23fe-4c38-a759-babd61f09cc8", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--26eca839-6996-4355-b556-31d7e4bd0671", "target_ref": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7", "confidence": 85, "description": "MITRE ATT&CK mapping: the lazarus group uses supply chain compromise (T1195)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--48040348-a080-49b2-aafb-dd9cbef498fd", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--ff08fc2e-94c4-4b43-9534-46cf3ca829d7", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 75, "description": "MITRE ATT&CK mapping: callisto/star blizzard/unc4057 uses spearphishing attachment (T1566.001)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--83b846f0-a8b1-46c0-a307-b48a2ae2c973", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--ff08fc2e-94c4-4b43-9534-46cf3ca829d7", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: callisto/star blizzard/unc4057 uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0036d0bc-1596-4abd-bebd-651d6b9bf4b1", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--d31be0f2-c18f-47fc-8c98-44257348d6ca", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 75, "description": "MITRE ATT&CK mapping: lulzsec uses spearphishing attachment (T1566.001)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4f35c094-6adc-43c3-9ab9-4751d750f4a5", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--d31be0f2-c18f-47fc-8c98-44257348d6ca", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: lulzsec uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a9f34d13-9d19-424f-911d-2f61ad982087", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--632cf54c-908b-4cc4-aed0-0d1937468924", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 75, "description": "MITRE ATT&CK mapping: charming kitten uses spearphishing attachment (T1566.001)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--62b6953b-7b6e-42d0-b7b0-7cd02f94d805", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--632cf54c-908b-4cc4-aed0-0d1937468924", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: charming kitten uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--db693b90-8eea-4ef1-b5ef-fd25986c9028", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--4252968b-3f54-481e-bb3b-2e3b30c275e3", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 75, "description": "MITRE ATT&CK mapping: lazarus uses spearphishing attachment (T1566.001)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--be449e06-c98c-4bd6-b10e-7f234dc6e61b", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--4252968b-3f54-481e-bb3b-2e3b30c275e3", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: lazarus uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--845c17f6-df64-4be7-a807-1156d55dadde", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--4252968b-3f54-481e-bb3b-2e3b30c275e3", "target_ref": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7", "confidence": 85, "description": "MITRE ATT&CK mapping: lazarus uses supply chain compromise (T1195)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--60997a60-81ba-4e12-9186-9ddff93c6234", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 75, "description": "MITRE ATT&CK mapping: scattered spider uses spearphishing attachment (T1566.001)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--58a5fc18-e9d9-47ba-927e-0fd54a71cf9e", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: scattered spider uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d5cd5b99-95a8-4c26-9037-dcbf5569a41d", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--2607de8b-b3f2-45d2-beb8-6277dfbeb4b9", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 75, "description": "MITRE ATT&CK mapping: cl0p uses spearphishing attachment (T1566.001)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cac2697d-0c9f-4f58-8c24-f957a101752e", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--2607de8b-b3f2-45d2-beb8-6277dfbeb4b9", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: cl0p uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--665459a8-1f8d-42b3-af8e-aacc74901768", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--1c24883b-5440-48be-89b4-b0c9d2b0646b", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 75, "description": "MITRE ATT&CK mapping: shinyhunters uses spearphishing attachment (T1566.001)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b5ea106a-25fa-47af-98cd-e42436d2b3de", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--1c24883b-5440-48be-89b4-b0c9d2b0646b", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: shinyhunters uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2af9c668-12ab-41e1-b407-c89f2847d75d", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--aed4bc51-33b0-4736-bcb7-17aea7c56aa9", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 75, "description": "MITRE ATT&CK mapping: qilin uses spearphishing attachment (T1566.001)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c2da1cf9-f608-40ad-816c-f8c7df483934", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--aed4bc51-33b0-4736-bcb7-17aea7c56aa9", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: qilin uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b2922f74-b42d-40ea-8ef6-ba6c7622d6eb", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--59aae272-74d1-4419-b6d7-48ca8d0af280", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 75, "description": "MITRE ATT&CK mapping: qilin group uses spearphishing attachment (T1566.001)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--128a2567-14f9-42a6-8af1-921de311392f", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--59aae272-74d1-4419-b6d7-48ca8d0af280", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: qilin group uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--05d12b0e-b364-470b-a492-a020a78e2e25", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--fa23fba6-5aba-458c-b415-59ec946c866d", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 75, "description": "MITRE ATT&CK mapping: aleksei olegovich volkov uses spearphishing attachment (T1566.001)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ef7a26e4-bede-4dbf-98da-53dad3fec34f", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--fa23fba6-5aba-458c-b415-59ec946c866d", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: aleksei olegovich volkov uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--12c8ec50-b6f5-42de-a3b0-10bcc69441c9", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--d61efa5c-464b-456c-a119-3d0fa06440fc", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 75, "description": "MITRE ATT&CK mapping: chubaka.kor uses spearphishing attachment (T1566.001)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e3dd32ac-19e2-4ed8-80bf-7f15a529b279", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--d61efa5c-464b-456c-a119-3d0fa06440fc", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: chubaka.kor uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--67d4e1a3-fa39-4f3b-bafa-0c663709daea", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--a2bc0cc6-3e55-464a-9a42-f48e7d9b9fd5", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 75, "description": "MITRE ATT&CK mapping: dragonforce uses spearphishing attachment (T1566.001)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1de96e42-89a2-498e-b872-069f9a66c3f0", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--a2bc0cc6-3e55-464a-9a42-f48e7d9b9fd5", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: dragonforce uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7128294c-45a2-4f0e-a5ed-549f0f3fb707", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--3a7625ba-dd01-4c6a-aa2a-4e8c916b44bb", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 75, "description": "MITRE ATT&CK mapping: aleksey olegovich volkov uses spearphishing attachment (T1566.001)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8c98901b-6813-4791-ad40-596bcbe337e8", "created": "2025-11-13T17:08:18.386Z", "modified": "2025-11-13T17:08:18.386Z", "relationship_type": "uses", "source_ref": "threat-actor--3a7625ba-dd01-4c6a-aa2a-4e8c916b44bb", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: aleksey olegovich volkov uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9d0c0e70-0399-4483-871b-929405d3a190", "created": "2025-11-13T17:08:18.388Z", "modified": "2025-11-13T17:08:18.388Z", "relationship_type": "mitigated-by", "source_ref": "vulnerability--362cd1ff-34a1-4935-9407-8b30c34a131f", "target_ref": "course-of-action--a43864f3-b3c9-40b9-bfa9-e7b40bb2e356", "description": "CVE-2025-43401 is mitigated by Mitigate CVE-2025-43401" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b9897b38-4f50-4377-ab16-b83195ae87cf", "created": "2025-11-13T17:08:18.388Z", "modified": "2025-11-13T17:08:18.388Z", "relationship_type": "mitigated-by", "source_ref": "vulnerability--d1ead664-b882-4b60-bef9-8a0b4fda9f0a", "target_ref": "course-of-action--b5055d44-4ee3-46d9-9ec4-4e6b7d115d8d", "description": "CVE-2025-5777 is mitigated by Mitigate CVE-2025-5777" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8600711a-d077-485c-8c1f-c2c44dc889dc", "created": "2025-11-13T17:08:18.388Z", "modified": "2025-11-13T17:08:18.388Z", "relationship_type": "mitigated-by", "source_ref": "vulnerability--61ba0d91-d1f9-4517-9645-530acdbf5905", "target_ref": "course-of-action--0b0f486d-4632-4a52-95ca-b7cc9021b101", "description": "CVE-2025-20337 is mitigated by Mitigate CVE-2025-20337" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f2e9ac04-e86d-4bf1-bdc9-756d096d03e5", "created": "2025-11-13T17:08:18.388Z", "modified": "2025-11-13T17:08:18.388Z", "relationship_type": "mitigated-by", "source_ref": "vulnerability--08a8d2cb-3748-4d46-a42a-eb4feb0e2ae1", "target_ref": "course-of-action--3da35019-3ba2-46d6-a9b3-68d723579a9b", "description": "CVE-2025-9242 is mitigated by Mitigate CVE-2025-9242" } ] }

Playbook for the Secure Enterprise

Compliance Impact Scoreboard

Industry Watch

CyberSecurity Latest Rundown

CRITICAL ITEMS

HIGH SEVERITY ITEMS

EXECUTIVE INSIGHTS

VENDOR SPOTLIGHT

DETECTION & RESPONSE KIT

Cookie Notice

STIX 2.1 Threat Intelligence Bundle

If you like MikeGPT CyberSecurity Newsletter, spread the word.