The RondoDox botnet is actively targeting a critical remote code execution vulnerability in unpatched XWiki collaboration software. The flaw, an eval injection bug, allows attackers to take full control of affected servers and absorb them into the botnet for further malicious activities.
Business impact
Compromised XWiki servers can lead to complete data loss, deployment of ransomware, or be used as a pivot point to attack internal networks. The high CVSS score of 9.8 indicates a severe and easily exploitable vulnerability that poses an immediate threat to organizations using this software.
Recommended action
Immediately apply the vendor-supplied patch for CVE-2025-24893 to all XWiki instances. Hunt for indicators of compromise on any potentially affected servers.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Fortinet's FortiWeb Web Application Firewall (WAF) to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms that the flaw is being actively exploited in the wild, requiring immediate attention from federal agencies and other organizations.
Business impact
Exploitation of this vulnerability could allow attackers to bypass security controls, access sensitive backend applications, or compromise the WAF itself. As a perimeter security device, a compromised FortiWeb appliance represents a critical breach of network defenses.
Recommended action
Federal agencies are required to patch this vulnerability by the CISA-mandated deadline. All other organizations using affected FortiWeb products should prioritize applying the patch immediately.
CISA has issued an urgent directive concerning two vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. These flaws are being actively exploited as part of the 'ArcaneDoor' espionage campaign, allowing attackers to conduct reconnaissance, capture traffic, and pivot into secured networks.
Business impact
A breach of these core network security devices can lead to a catastrophic loss of confidentiality and integrity for all network traffic passing through them. Attackers can gain persistent access, disable security logging, and move laterally across the organization undetected.
Recommended action
All organizations must immediately patch Cisco ASA and FTD devices to the versions specified in the Cisco security advisory. CISA mandates that federal agencies verify the integrity of these devices and apply updates immediately.
ASUS has patched a critical authentication-bypass vulnerability affecting multiple models of its DSL routers. The flaw allows a remote, unauthenticated attacker to gain full administrative access to the device's management interface, effectively taking control of the network gateway.
Business impact
Compromised routers can be used to intercept and redirect traffic, launch attacks against internal devices, or be enrolled in a botnet. This is especially critical for remote work environments where these devices serve as the primary line of defense.
Recommended action
Owners of affected ASUS DSL router models must update their firmware immediately. Check the ASUS support website for the specific patched firmware version for your device.
Researchers have discovered critical remote code execution vulnerabilities in major AI inference engines, including those from Meta, Nvidia, Microsoft, and popular open-source projects like vLLM. These flaws could allow an attacker to take control of the underlying AI infrastructure by submitting a maliciously crafted model or input.
Business impact
Successful exploitation could lead to the theft of proprietary AI models, poisoning of training data, or using the compromised high-performance computing resources for malicious purposes like cryptocurrency mining. This represents a significant new attack surface for organizations deploying AI/ML systems.
Recommended action
MLOps and security teams should immediately review security advisories from their respective AI framework vendors. Prioritize patching inference engines and implement strict validation on all models and data inputs.
Hardware manufacturer Logitech has officially confirmed it was the victim of a data breach. The Clop ransomware and extortion gang has claimed responsibility, stating the attack is related to a broader campaign exploiting vulnerabilities in Oracle E-Business Suite.
Business impact
The breach could expose sensitive customer or corporate data, leading to regulatory fines, reputational damage, and follow-on phishing attacks targeting Logitech customers or employees. The connection to a known campaign highlights the risk posed by third-party software vulnerabilities.
Recommended action
Organizations using Oracle E-Business Suite should ensure all relevant patches are applied. Logitech customers should be vigilant for phishing emails and enable multi-factor authentication on their accounts.
The payment processing company Checkout.com has disclosed a breach by the ShinyHunters threat group. The attackers compromised a legacy cloud storage system that was improperly decommissioned, gaining access to some merchant data from 2020. The company refused to pay the ransom.
Business impact
This incident is a stark reminder of the security risks posed by legacy and forgotten IT assets. Even if a system is no longer in production, it can still contain sensitive data that, if exposed, can cause reputational harm and trigger data breach notification requirements.
Recommended action
Conduct regular audits of all cloud and on-premise assets to identify and securely decommission any legacy systems. Ensure that data retention policies are enforced and that data is securely wiped from systems before they are taken offline.
A lawsuit filed by Google appears to have successfully disrupted the operations of 'Lighthouse,' a sophisticated phishing-as-a-service kit. The kit was used to power widespread SMS-based scams, including fake road toll payment requests. This action highlights the effectiveness of legal and technical disruption against cybercrime infrastructure.
Business impact
While this specific operation is hampered, the underlying threat of SMS phishing (smishing) remains high. The success of Lighthouse shows that these attacks are becoming more professionalized and scalable, posing a continuous threat to both corporate and personal devices.
Recommended action
Continue to educate users on the dangers of smishing attacks. Deploy mobile threat defense (MTD) solutions on corporate devices to help detect and block malicious links sent via text messages.
Spotlight Rationale: Addresses the critical remote code execution vulnerabilities discovered in major AI inference engines from Meta, Nvidia, and Microsoft (Critical Item #5), which represent a new and dangerous attack surface for organizations leveraging AI.
Platform Focus: Aegis AI Security 'Infer-Guard' Platform
Aegis AI Security's Infer-Guard is an innovative platform designed specifically to secure the AI/ML model lifecycle. Unlike traditional security tools, it provides deep inspection of ML models to identify vulnerabilities and offers runtime protection for inference engines. This directly counters the threat of RCE attacks by monitoring memory and execution flow within the AI stack, preventing malicious payloads from executing on high-value GPU infrastructure.
1. **Onboard Models:** Integrate Infer-Guard with your MLOps pipeline to automatically scan all new and updated models for known vulnerabilities or malicious code before deployment.
2. **Define Runtime Policies:** Create a strict runtime protection policy for production inference engines, enabling memory corruption defenses and blocking anomalous system calls originating from the model-serving process.
3. **Monitor for Drift:** Use the platform to monitor for unexpected model behavior or output, which could be an early indicator of a successful attack or data poisoning attempt.
Source: [Source verification pending]
DETECTION & RESPONSE KIT
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Aegis AI Security 'Infer-Guard'
```shell
# Aegis AI Security 'Infer-Guard' CLI Configuration Example
# 1. Set a strict baseline policy for production Nvidia Triton servers
aegis-cli policy create --name triton-prod-rce-block \
  --type runtime-protection \
  --target-process tritonserver \
  --allow-syscalls read,write,openat,close \
  --block-syscalls execve,socket,connect \
  --enable-memory-protection
# 2. Apply the policy to the production server group
aegis-cli policy apply --name triton-prod-rce-block --group prod-inference-servers
# 3. Verify policy is active
aegis-cli policy status --group prod-inference-servers
# Expected Output: Policy 'triton-prod-rce-block' is active and enforcing.
```
```spl
index=fortinet sourcetype="fortiweb" eventtype="attack"
    (signature="FortiWeb.Arbitrary.Code.Execution" OR url_path="*/api/v1/system/maintenance/backup*")
    AND http_method="POST"
    AND (form_data="*`id`*" OR form_data="*`uname`*" OR form_data="*/bin/sh*")
| table _time, src_ip, dest_ip, hostname, url_path, signature, action
| sort -_time
```
4. PowerShell Script — Check for Vulnerable XWiki Installations
```powershell
# Simple check for indicators of a potentially vulnerable XWiki installation
# This is not a definitive check and should be supplemented with official vendor tools.
# Requires admin-share (C$/D$) access to each host listed in servers.txt.
$servers = Get-Content -Path .\servers.txt
$jarPattern = "webapps\xwiki\WEB-INF\lib\xwiki-platform-oldcore-*.jar"
$tomcatPaths = @("C:\Program Files\Apache Software Foundation\Tomcat 9.0", "C:\Program Files\XWiki", "D:\XWiki\Tomcat")
foreach ($server in $servers) {
    Write-Host "Checking $server..."
    $found = $false
    foreach ($path in $tomcatPaths) {
        # Rewrite C:\... as \\server\C$\... so the local path is reachable over the admin share
        $fullPath = Join-Path "\\$server\$($path.Replace(':', '$'))" $jarPattern
        foreach ($jar in (Get-ChildItem -Path $fullPath -ErrorAction SilentlyContinue)) {
            $found = $true
            # The version is part of the jar name: xwiki-platform-oldcore-<version>.jar
            $version = $jar.BaseName -replace '^xwiki-platform-oldcore-', ''
            Write-Warning "XWiki oldcore $version found on $server at $($jar.FullName); compare against the fixed versions in the CVE-2025-24893 advisory"
        }
    }
    if (-not $found) {
        Write-Host "No XWiki installation found in common locations on $server."
    }
}
```
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
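Before importing an automatically generated bundle like the one below, it is worth running a structural sanity check over it. The following Python script is an added example, not part of the newsletter or the MikeGPT platform; it embeds a constructed sample trimmed from the bundle's own objects (plus one deliberately malformed id and one unresolved reference) and flags dangling references, sentence-shaped names, truncated or misassigned descriptions, and vulnerability objects whose text never mentions their own CVE id.

```python
"""Sanity checks for an auto-generated STIX 2.1 bundle before it is fed to a TIP or SIEM.

Added example, not code from the newsletter or the MikeGPT platform. The checks are the
ones LLM-extracted bundles most often fail: references that do not resolve, entity names
that are really sentences, descriptions that were truncated or pasted from the wrong
entity, and vulnerability objects whose text never mentions their own CVE id.
"""
import json
import re
from collections import Counter

# STIX ids are '<type>--<uuid>'; the prefix must agree with the object's "type".
ID_RE = re.compile(r"^([a-z][a-z0-9-]*)--([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$")
TERMINAL = (".", "!", "?", ")", '"')
NAMED_TYPES = {"malware", "threat-actor", "vulnerability", "identity", "attack-pattern"}


def check_bundle(bundle: dict) -> dict:
    """Return {'counts': {type: n}, 'findings': [(check, detail), ...]}."""
    objects = bundle.get("objects", [])
    known = {o["id"] for o in objects if "id" in o}
    findings = []
    for obj in objects:
        oid, otype = obj.get("id", ""), obj.get("type", "")
        m = ID_RE.match(oid)
        if not m:
            findings.append(("malformed-id", oid))
            continue
        if m.group(1) != otype:
            findings.append(("type-id-mismatch", oid))
        # Referential integrity: every *_ref(s) must point at an object in this bundle.
        refs = list(obj.get("object_refs", [])) + list(obj.get("object_marking_refs", []))
        if "created_by_ref" in obj:
            refs.append(obj["created_by_ref"])
        for ref in refs:
            if ref not in known:
                findings.append(("dangling-ref", f"{oid} -> {ref}"))
        # A 'name' with many words or trailing punctuation is usually a mis-extracted sentence.
        name = obj.get("name", "")
        if otype in NAMED_TYPES and (len(name.split()) > 8 or name.endswith((".", "'"))):
            findings.append(("suspicious-name", oid))
        # Descriptions that start lowercase or stop without terminal punctuation were
        # either truncated by the generator or belong to a different entity.
        desc = obj.get("description", "")
        if otype in NAMED_TYPES and desc and (desc[0].islower() or not desc.rstrip().endswith(TERMINAL)):
            findings.append(("suspicious-description", oid))
        # A vulnerability object's text should at least mention its own CVE id.
        if otype == "vulnerability" and name.startswith("CVE-") and name not in desc:
            findings.append(("vuln-desc-missing-cve", oid))
    return {"counts": dict(Counter(o.get("type") for o in objects)), "findings": findings}


def check_bundle_text(text: str) -> dict:
    """Convenience wrapper for a bundle pasted as JSON text."""
    return check_bundle(json.loads(text))


# Constructed sample: a handful of objects trimmed from the newsletter's bundle, plus one
# deliberately malformed id and a report reference to an object that is not included.
MARKING = "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
AUTHOR = "identity--48b1fcb1-f1f7-4b1b-9145-74bb2fe9a301"
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--6bf1d422-7be8-4fd2-ad06-f32130279876",
    "objects": [
        {"type": "marking-definition", "spec_version": "2.1", "id": MARKING,
         "definition_type": "tlp:2.0", "name": "TLP:CLEAR", "definition": {"tlp": "clear"}},
        {"type": "identity", "spec_version": "2.1", "id": AUTHOR, "identity_class": "organization",
         "name": "MikeGPT Intelligence Platform", "description": "Automated intelligence feed."},
        {"type": "vulnerability", "spec_version": "2.1",
         "id": "vulnerability--e5a7c537-16af-4003-b162-757807c9107d", "name": "CVE-2025-24893",
         "description": "CVE-2025-24893 (CVSS 9.8) is an eval injection bug that could allow any gu"},
        {"type": "vulnerability", "spec_version": "2.1",
         "id": "vulnerability--5380297d-2fc0-4a52-912b-80d302275115", "name": "CVE-2025-64446",
         "description": "is a Swiss multinational electronics company that sells hardware and software"},
        {"type": "malware", "spec_version": "2.1", "is_family": True,
         "id": "malware--2f25ee9e-15cc-43e2-8522-ab7a1adad6a3",
         "name": "RondoDox has been observed targeting unpatched XWiki instances against a critical security flaw",
         "description": "RondoDox is a botnet malware that targets unpatched XWiki servers."},
        {"type": "identity", "spec_version": "2.1", "id": "identity--not-a-uuid", "name": "Broken"},
        {"type": "report", "spec_version": "2.1", "id": "report--0e3c5def-d6b7-4354-83bc-176d8e67da58",
         "name": "Threat Intelligence Report - 2025-11-16", "created_by_ref": AUTHOR,
         "object_marking_refs": [MARKING],
         "object_refs": [AUTHOR, "vulnerability--e5a7c537-16af-4003-b162-757807c9107d",
                         "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322"]},
    ],
}

if __name__ == "__main__":
    result = check_bundle(SAMPLE_BUNDLE)
    print("object counts:", result["counts"])
    for check, detail in result["findings"]:
        print(f"[{check}] {detail}")
```

Run it against the full bundle with `check_bundle_text(open("bundle.json").read())` and review every finding before the import, since a dangling reference or a sentence-shaped name will become a broken or misleading entity in the TIP.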
{
"type": "bundle",
"id": "bundle--6bf1d422-7be8-4fd2-ad06-f32130279876",
"objects": [
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"created": "2022-10-01T00:00:00.000Z",
"definition_type": "tlp:2.0",
"name": "TLP:CLEAR",
"definition": {
"tlp": "clear"
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--48b1fcb1-f1f7-4b1b-9145-74bb2fe9a301",
"created": "2025-11-16T10:51:33.905Z",
"modified": "2025-11-16T10:51:33.905Z",
"name": "MikeGPT Intelligence Platform",
"description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds",
"identity_class": "organization",
"sectors": [
"technology",
"defense"
],
"contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--0e3c5def-d6b7-4354-83bc-176d8e67da58",
"created": "2025-11-16T10:51:33.905Z",
"modified": "2025-11-16T10:51:33.905Z",
"name": "Threat Intelligence Report - 2025-11-16",
"description": "Threat Intelligence Report - 2025-11-16\n\nThis report consolidates actionable cybersecurity intelligence from 55 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet (Score: 100)\n• Logitech confirms data breach after Clop extortion attack (Score: 100)\n• U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog (Score: 97.7)\n• anybody have working PoC for CVE2025-48539? (Score: 93.6)\n• NPMScan - Malicious NPM Package Detection & Security Scanner (Score: 93.5)\n\nEXTRACTED ENTITIES:\n• 26 Attack Pattern(s)\n• 7 Malware(s)\n• 1 Marking Definition(s)\n• 15 Relationship(s)\n• 5 Threat Actor(s)\n• 2 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n",
"published": "2025-11-16T10:51:33.905Z",
"object_refs": [
"identity--48b1fcb1-f1f7-4b1b-9145-74bb2fe9a301",
"malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"vulnerability--e5a7c537-16af-4003-b162-757807c9107d",
"vulnerability--5380297d-2fc0-4a52-912b-80d302275115",
"threat-actor--3a7625ba-dd01-4c6a-aa2a-4e8c916b44bb",
"malware--ae4a76fe-1e6a-4e5d-a513-e4b8b84d0d92",
"identity--3d4d7a9a-d388-420e-90fb-7d803226f1a7",
"threat-actor--b82ffb65-2e42-4f50-b97d-06490485170c",
"threat-actor--d98058a9-6932-4c32-b237-b9510fa075fe",
"threat-actor--c9a019b4-cc8d-420f-ba01-2795a3aea0c8",
"malware--605c817b-0ca8-4c4f-8961-7dd094ee058b",
"malware--642b93f9-af69-45fb-a37b-60800906723a",
"malware--2f25ee9e-15cc-43e2-8522-ab7a1adad6a3",
"identity--446861a7-0f3a-4e3c-a4bf-c363c229f3e7",
"identity--9d23cb94-1994-480a-80e9-5cd7581c3d81",
"identity--0911cee1-2fc7-4281-804d-4283ea377130",
"identity--00a10569-4155-4158-add5-0641b5f7558f",
"malware--9f2d6907-883c-43ea-b53d-a29add8db74f",
"identity--9e5d8d4d-beab-450b-84d5-0cecfadee05d",
"identity--38c4edb8-4ae5-49b2-b8cd-89857832f516",
"threat-actor--814d56e7-b3c8-4b15-a240-72f304e906b1",
"identity--1655e90f-83bb-4f01-bb00-23ac275464ce",
"identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396",
"identity--d48d0179-a8bc-4c9e-89ef-4347fcbce1fa",
"identity--d9ff7438-f0af-430e-8dd4-af19f2b19200",
"identity--b09ddfe3-f923-45a4-b43f-9a8baccc6680",
"identity--c5f927f8-55f7-4557-a826-7e00835b8997",
"malware--b2be9894-606e-411f-a9f4-f90b10f06319",
"attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"attack-pattern--06cf8802-38e4-4421-a699-33a0bae74d96",
"attack-pattern--2e52cc86-c2ef-43d7-9f1e-2fc59c4845ee",
"attack-pattern--943edc6f-c0f9-48f1-b8d4-4666aa0abae1",
"attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"attack-pattern--2cecb29c-a2c6-4961-bed1-a4055f51534d",
"attack-pattern--cd061a92-a819-4f73-99dc-228176018577",
"attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"attack-pattern--8b825070-d031-4677-bf40-7fed85cc24ee",
"attack-pattern--d23a8103-121b-4c0d-a34a-5ec584acaeb7",
"attack-pattern--45006bd4-675c-4f30-afe3-4c1d65fe72de",
"attack-pattern--5f22c487-9afa-42a6-9e1d-bd8fe45b3e8b",
"attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"attack-pattern--d7968b19-cce1-4e85-9ceb-787e6199dc18",
"attack-pattern--2e4f88ee-4edd-4377-a16f-6ff65fd48fce",
"attack-pattern--4a50a3dd-b17a-4e64-bead-928e6ffd125f",
"relationship--5c747f48-0e93-45ac-b360-458f5be9a2ed",
"relationship--50912624-f4ed-4813-84b0-4562e0ab47e0",
"relationship--41ef9fc5-e918-4574-9ee4-04449855d116",
"relationship--52aa3b2c-3acc-4ef1-8005-8c752df4c382",
"relationship--5431c0c5-23e7-46d0-b752-9bfecca88508",
"relationship--21b06408-d7af-4429-9458-a69119f1cfb3",
"relationship--eaa03746-4d4d-4d3b-9356-4141485a8aee",
"relationship--e164af8a-d2d8-4c27-98cf-efe80d2856be",
"relationship--fda91811-9dee-42e6-a87d-6066d32b4b85",
"relationship--32b26b24-f225-49d7-99e0-515871eb7ebf",
"relationship--3667e3dc-c023-405b-a7e1-5a3af94dd47c",
"relationship--a4a63812-32b5-44aa-8b2e-83c9736a5760",
"relationship--712606c7-2eb4-4d99-8c8b-a2d8f31df632",
"relationship--9c8cdc49-25bc-4047-9407-f59270406e9a",
"relationship--9fa90bf4-1e96-415a-a080-a0e421ab2e35"
],
"labels": [
"threat-report",
"threat-intelligence"
],
"created_by_ref": "identity--48b1fcb1-f1f7-4b1b-9145-74bb2fe9a301",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.763Z",
"modified": "2025-11-16T10:51:32.763Z",
"confidence": 95,
"type": "malware",
"id": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"name": "RondoDox",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "RondoDox is a botnet malware that targets unpatched XWiki servers to exploit vulnerabilities for arbitrary code execution, specifically leveraging the CVE-2025-24893 vulnerability for its malicious activities.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.763Z",
"modified": "2025-11-16T10:51:32.763Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--e5a7c537-16af-4003-b162-757807c9107d",
"name": "CVE-2025-24893",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-24893",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24893"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-24893",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24893"
}
],
"description": "The botnet malware known as RondoDox has been observed targeting unpatched XWiki instances against a critical security flaw that could allow attackers to achieve arbitrary code execution. The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), an eval injection bug that could allow any gu",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--5380297d-2fc0-4a52-912b-80d302275115",
"name": "CVE-2025-64446",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-64446",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64446"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-64446",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64446"
}
],
"description": "Critical vulnerability in Fortinet's FortiWeb Web Application Firewall (WAF), added to CISA's Known Exploited Vulnerabilities (KEV) catalog after confirmed exploitation in the wild.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--3a7625ba-dd01-4c6a-aa2a-4e8c916b44bb",
"name": "Aleksey Olegovich Volkov",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "Aleksey Olegovich Volkov is a Russian national who has been identified as an initial access broker for the Yanluowang ransomware group. He has been involved in ransomware attacks targeting at least eight U.S. companies from July 2021 to November 2022. Volkov's activities have been linked to significant financial losses for the affected companies, highlighting the importance of addressing the threat posed by initial access brokers in the cybersecurity landscape.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "malware",
"id": "malware--ae4a76fe-1e6a-4e5d-a513-e4b8b84d0d92",
"name": "Yanluowang",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "Yanluowang is a ransomware strain that has been linked to attacks on at least eight U.S. companies from July 2021 to November 2022. The malware is notable for its association with a Russian national, Aleksey Olegovich Volkov, who acted as an initial access broker for the attacks. The Yanluowang ransomware is a significant threat due to its involvement in high-profile attacks and its connection to organized cybercrime groups.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "identity",
"id": "identity--3d4d7a9a-d388-420e-90fb-7d803226f1a7",
"name": "University of Michigan",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "The University of Michigan is a public research university in the United States, known for its strong programs in engineering, computer science, and cybersecurity. The entity is mentioned in the context of a research paper on cybersecurity, specifically in relation to the authors and presenters of the paper. While the University of Michigan is not a threat actor or malware, it is a legitimate organization that is relevant to the field of cybersecurity.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--b82ffb65-2e42-4f50-b97d-06490485170c",
"name": "Synthient",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "Synthient is a China-linked threat actor group known for using advanced tools and techniques to execute sophisticated cyberattacks. They have been linked to the use of AI-powered tools to automate and execute cyberattacks, highlighting the evolving nature of threat actor tactics.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--d98058a9-6932-4c32-b237-b9510fa075fe",
"name": "Credential Dumps",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "Credential Dumps is a term referring to large collections of stolen login credentials, often obtained through data breaches or phishing attacks. In the context of the provided text, Credential Dumps is related to the risks of account takeover and the need for security measures to prevent such intrusions.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--c9a019b4-cc8d-420f-ba01-2795a3aea0c8",
"name": "GTG-1002",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "GTG-1002 is a Chinese state-sponsored threat group tracked by Anthropic for carrying out a cyber-espionage operation that was largely automated through the abuse of the company's Claude Code AI model.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "malware",
"id": "malware--605c817b-0ca8-4c4f-8961-7dd094ee058b",
"name": "Yanluowang ransomware",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "Yanluowang ransomware is a type of malware that was used in attacks targeting at least eight U.S. companies from July 2021 to November 2022. The ransomware was distributed by an initial access broker, Aleksey Olegovich Volkov, who is set to plead guilty for his involvement. Yanluowang ransomware is a specific malware family with a known history of attacks, making it a significant threat in the cybersecurity landscape.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "malware",
"id": "malware--642b93f9-af69-45fb-a37b-60800906723a",
"name": "SafePay ransomware",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "SafePay ransomware is a type of malicious software that was used in a significant intrusion into Conduent Business Solutions' systems, resulting in substantial financial losses and lawsuits. Ransomware is a type of malware that encrypts a victim's files and demands a ransom payment in exchange for the decryption key. SafePay ransomware is notable for its involvement in high-profile attacks and its potential to cause significant financial damage.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "malware",
"id": "malware--2f25ee9e-15cc-43e2-8522-ab7a1adad6a3",
"name": "RondoDox",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "RondoDox is a botnet malware that targets unpatched XWiki servers to exploit vulnerabilities for arbitrary code execution. It is a specific malware family known for its ability to achieve code execution on vulnerable systems, posing a significant threat to network security.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "identity",
"id": "identity--446861a7-0f3a-4e3c-a4bf-c363c229f3e7",
"name": "Oracle E-Business Suite",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Oracle E-Business Suite is a comprehensive enterprise resource planning (ERP) software suite that provides integrated business applications for financial management, human capital management, supply chain management, and more.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "identity",
"id": "identity--9d23cb94-1994-480a-80e9-5cd7581c3d81",
"name": "GitHub Actions",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "GitHub Actions is a continuous integration and continuous deployment (CI/CD) platform that automates software builds, tests, and deployments with customizable workflows triggered by events such as code pushes or pull requests.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "identity",
"id": "identity--0911cee1-2fc7-4281-804d-4283ea377130",
"name": "Tinexta InfoCert S.p.A.",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Tinexta InfoCert S.p.A. is a company that develops advanced electronic signature solutions.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "identity",
"id": "identity--00a10569-4155-4158-add5-0641b5f7558f",
"name": "Conduent Business Solutions",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Conduent Business Solutions is a business process services and solutions company that helps organizations manage complex interactions and workflows across various industries.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "malware",
"id": "malware--9f2d6907-883c-43ea-b53d-a29add8db74f",
"name": "SafePay",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "The SafePay ransomware group is a malicious entity responsible for a significant intrusion into Conduent Business Solutions' systems, affecting over 10.5 individuals and incurring substantial costs. The group's activities involve unauthorized access and potential data breaches, highlighting the importance of robust security measures in cloud environments.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "identity",
"id": "identity--9e5d8d4d-beab-450b-84d5-0cecfadee05d",
"name": "Robert Stanley",
"identity_class": "individual",
"labels": [
"identity"
],
"description": "Robert Stanley is a cybersecurity researcher and author, known for his work on network security and cross-layer RTTs in fingerprinting. He has published research papers in collaboration with Diwen Xue, Piyush Kumar, and Roya Ensafi from the University of Michigan.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "identity",
"id": "identity--38c4edb8-4ae5-49b2-b8cd-89857832f516",
"name": "Zhihua Chang",
"identity_class": "individual",
"labels": [
"identity"
],
"description": "Zhihua Chang is a researcher or presenter at Zhejiang University in China, involved in a network security study. He is part of a group of researchers who used Anthropic's AI to automate and run cyberattacks in a 2025 espionage campaign.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--814d56e7-b3c8-4b15-a240-72f304e906b1",
"name": "Wenzhi Chen",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "Wenzhi Chen is a researcher at Zhejiang University, China, who has been involved in network security research and has presented papers on the topic. In the context of the provided information, Wenzhi Chen is mentioned as one of the authors of a presentation on network security, and is also associated with a group of researchers who have been linked to China-linked actors using Anthropic's AI to automate and run cyberattacks.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "identity",
"id": "identity--1655e90f-83bb-4f01-bb00-23ac275464ce",
"name": "AppOmni",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "AppOmni is a cloud security platform that provides visibility, detection, and response to cloud security risks and misconfigurations.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "identity",
"id": "identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"name": "Microsoft",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Microsoft is a multinational technology company that develops, manufactures, licenses, and supports a wide range of software products, services, and devices.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "identity",
"id": "identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396",
"name": "Google",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Google is a multinational technology company specializing in Internet-related services and products, including search engines, online advertising technologies, cloud computing, and software.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "identity",
"id": "identity--d48d0179-a8bc-4c9e-89ef-4347fcbce1fa",
"name": "Barracuda",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Barracuda is a company that specializes in providing network security and data protection solutions, including firewalls, intrusion detection systems, and email security software.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 30,
"type": "identity",
"id": "identity--d9ff7438-f0af-430e-8dd4-af19f2b19200",
"name": "Anthropic",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Anthropic is a company that specializes in developing and applying artificial general intelligence (AGI) for various applications, including natural language processing and model interpretability.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "identity",
"id": "identity--b09ddfe3-f923-45a4-b43f-9a8baccc6680",
"name": "hackthebox",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Hackthebox is a platform that provides virtual machines and challenges for cybersecurity training and practice, allowing users to hone their skills in penetration testing and vulnerability exploitation.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "identity",
"id": "identity--c5f927f8-55f7-4557-a826-7e00835b8997",
"name": "Anthropic’s Claude",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Anthropic’s Claude is a large language model capable of executing tasks and generating responses based on provided input, often without requiring full context.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 95,
"type": "malware",
"id": "malware--b2be9894-606e-411f-a9f4-f90b10f06319",
"name": "Arrest Ransomware",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "Arrest Ransomware is a specific type of ransomware that has been involved in various cyberattacks, with a notable incident where a Russian national, Aleksey Olegovich Volkov, was arrested for acting as an initial access broker for Yanluowang ransomware attacks, which targeted at least eight U.S. organizations. The involvement of Arrest Ransomware in such attacks highlights the ongoing threat of ransomware to organizations worldwide.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:32.764Z",
"modified": "2025-11-16T10:51:32.764Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"name": "Command and Scripting Interpreter",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/",
"external_id": "T1059"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"name": "Spearphishing Attachment",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/001/",
"external_id": "T1566.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"name": "Spearphishing Link",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/002/",
"external_id": "T1566.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"name": "Spearphishing via Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/003/",
"external_id": "T1566.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"name": "Valid Accounts",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1078",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1078/",
"external_id": "T1078"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--06cf8802-38e4-4421-a699-33a0bae74d96",
"name": "System Information Discovery",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"x_mitre_id": "T1082",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1082/",
"external_id": "T1082"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2e52cc86-c2ef-43d7-9f1e-2fc59c4845ee",
"name": "File and Directory Discovery",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"x_mitre_id": "T1083",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1083/",
"external_id": "T1083"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--943edc6f-c0f9-48f1-b8d4-4666aa0abae1",
"name": "Process Discovery",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"x_mitre_id": "T1057",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1057/",
"external_id": "T1057"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"name": "Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1071",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1071/",
"external_id": "T1071"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"name": "Non-Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1095",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1095/",
"external_id": "T1095"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2cecb29c-a2c6-4961-bed1-a4055f51534d",
"name": "Exfiltration Over C2 Channel",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"x_mitre_id": "T1041",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1041/",
"external_id": "T1041"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--cd061a92-a819-4f73-99dc-228176018577",
"name": "Exfiltration Over Alternative Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"x_mitre_id": "T1048",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1048/",
"external_id": "T1048"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"name": "Supply Chain Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/",
"external_id": "T1195"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--8b825070-d031-4677-bf40-7fed85cc24ee",
"name": "SMS Pumping",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "impact"
}
],
"x_mitre_id": "T1496.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1496/003/",
"external_id": "T1496.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 84,
"type": "attack-pattern",
"id": "attack-pattern--d23a8103-121b-4c0d-a34a-5ec584acaeb7",
"name": "Install Digital Certificate",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1608.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1608/003/",
"external_id": "T1608.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 79,
"type": "attack-pattern",
"id": "attack-pattern--45006bd4-675c-4f30-afe3-4c1d65fe72de",
"name": "Digital Certificates",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.004",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/004/",
"external_id": "T1588.004"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 76,
"type": "attack-pattern",
"id": "attack-pattern--5f22c487-9afa-42a6-9e1d-bd8fe45b3e8b",
"name": "Steal or Forge Authentication Certificates",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"x_mitre_id": "T1649",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1649/",
"external_id": "T1649"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 71,
"type": "attack-pattern",
"id": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"name": "Botnet",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1584.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1584/005/",
"external_id": "T1584.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"name": "Scheduled Task",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/005/",
"external_id": "T1053.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"name": "Socket Filters",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1205.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1205/002/",
"external_id": "T1205.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"name": "Malicious Shell Modification",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1156",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1156/",
"external_id": "T1156"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 69,
"type": "attack-pattern",
"id": "attack-pattern--d7968b19-cce1-4e85-9ceb-787e6199dc18",
"name": "Clear Windows Event Logs",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"x_mitre_id": "T1070.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1070/001/",
"external_id": "T1070.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 68,
"type": "attack-pattern",
"id": "attack-pattern--2e4f88ee-4edd-4377-a16f-6ff65fd48fce",
"name": "Virtual Private Server",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1583.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1583/003/",
"external_id": "T1583.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"confidence": 68,
"type": "attack-pattern",
"id": "attack-pattern--4a50a3dd-b17a-4e64-bead-928e6ffd125f",
"name": "Install Root Certificate",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"x_mitre_id": "T1130",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1130/",
"external_id": "T1130"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5c747f48-0e93-45ac-b360-458f5be9a2ed",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"relationship_type": "uses",
"source_ref": "threat-actor--3a7625ba-dd01-4c6a-aa2a-4e8c916b44bb",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: aleksey olegovich volkov uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--50912624-f4ed-4813-84b0-4562e0ab47e0",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"relationship_type": "uses",
"source_ref": "threat-actor--3a7625ba-dd01-4c6a-aa2a-4e8c916b44bb",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: aleksey olegovich volkov uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--41ef9fc5-e918-4574-9ee4-04449855d116",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"relationship_type": "uses",
"source_ref": "threat-actor--3a7625ba-dd01-4c6a-aa2a-4e8c916b44bb",
"target_ref": "attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: aleksey olegovich volkov uses valid accounts (T1078)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--52aa3b2c-3acc-4ef1-8005-8c752df4c382",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"relationship_type": "uses",
"source_ref": "threat-actor--b82ffb65-2e42-4f50-b97d-06490485170c",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: synthient uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5431c0c5-23e7-46d0-b752-9bfecca88508",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"relationship_type": "uses",
"source_ref": "threat-actor--b82ffb65-2e42-4f50-b97d-06490485170c",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: synthient uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--21b06408-d7af-4429-9458-a69119f1cfb3",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"relationship_type": "uses",
"source_ref": "threat-actor--b82ffb65-2e42-4f50-b97d-06490485170c",
"target_ref": "attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: synthient uses valid accounts (T1078)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--eaa03746-4d4d-4d3b-9356-4141485a8aee",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"relationship_type": "uses",
"source_ref": "threat-actor--d98058a9-6932-4c32-b237-b9510fa075fe",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: credential dumps uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e164af8a-d2d8-4c27-98cf-efe80d2856be",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"relationship_type": "uses",
"source_ref": "threat-actor--d98058a9-6932-4c32-b237-b9510fa075fe",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: credential dumps uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--fda91811-9dee-42e6-a87d-6066d32b4b85",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"relationship_type": "uses",
"source_ref": "threat-actor--d98058a9-6932-4c32-b237-b9510fa075fe",
"target_ref": "attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: credential dumps uses valid accounts (T1078)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--32b26b24-f225-49d7-99e0-515871eb7ebf",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"relationship_type": "uses",
"source_ref": "threat-actor--c9a019b4-cc8d-420f-ba01-2795a3aea0c8",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: gtg-1002 uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3667e3dc-c023-405b-a7e1-5a3af94dd47c",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"relationship_type": "uses",
"source_ref": "threat-actor--c9a019b4-cc8d-420f-ba01-2795a3aea0c8",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: gtg-1002 uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a4a63812-32b5-44aa-8b2e-83c9736a5760",
"created": "2025-11-16T10:51:33.904Z",
"modified": "2025-11-16T10:51:33.904Z",
"relationship_type": "uses",
"source_ref": "threat-actor--c9a019b4-cc8d-420f-ba01-2795a3aea0c8",
"target_ref": "attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: gtg-1002 uses valid accounts (T1078)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--712606c7-2eb4-4d99-8c8b-a2d8f31df632",
"created": "2025-11-16T10:51:33.905Z",
"modified": "2025-11-16T10:51:33.905Z",
"relationship_type": "uses",
"source_ref": "threat-actor--814d56e7-b3c8-4b15-a240-72f304e906b1",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: wenzhi chen uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9c8cdc49-25bc-4047-9407-f59270406e9a",
"created": "2025-11-16T10:51:33.905Z",
"modified": "2025-11-16T10:51:33.905Z",
"relationship_type": "uses",
"source_ref": "threat-actor--814d56e7-b3c8-4b15-a240-72f304e906b1",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: wenzhi chen uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9fa90bf4-1e96-415a-a080-a0e421ab2e35",
"created": "2025-11-16T10:51:33.905Z",
"modified": "2025-11-16T10:51:33.905Z",
"relationship_type": "uses",
"source_ref": "threat-actor--814d56e7-b3c8-4b15-a240-72f304e906b1",
"target_ref": "attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: wenzhi chen uses valid accounts (T1078)",
"x_validation_method": "mitre-mapper"
}
]
}