The RondoDox botnet is actively exploiting a critical eval injection vulnerability (CVSS 9.8) in unpatched XWiki servers. This flaw allows unauthenticated attackers to achieve arbitrary code execution, enabling them to compromise the server and enroll it into the botnet infrastructure for use in future attacks. The active exploitation of a publicly known, high-severity vulnerability poses an immediate threat to organizations using XWiki.
Business impact
A compromised XWiki server can lead to a full network breach, data exfiltration, service disruption, and the use of corporate assets in criminal activities. This could result in significant reputational damage, operational downtime, and regulatory fines.
Recommended action
Immediately apply the patch for CVE-2025-24893 to all XWiki instances. If patching is not possible, restrict access to the affected servers and monitor web and network logs for indicators of compromise related to RondoDox activity.
CISA has added a critical vulnerability in Fortinet's FortiWeb Web Application Firewall (WAF) to its Known Exploited Vulnerabilities (KEV) catalog. The flaw (CVSS 9.1) is being actively exploited in the wild. Inclusion in the KEV catalog indicates a high-priority threat that requires immediate attention from federal agencies and all organizations using the affected products.
Business impact
Exploitation of a vulnerability in a security appliance like a WAF can undermine the entire security posture, allowing attackers to bypass protections and gain access to sensitive web applications and backend data. This can lead to severe data breaches and non-compliance with regulations like SOX and FISMA.
Recommended action
All organizations, especially U.S. federal agencies, must immediately apply the vendor-provided patch for CVE-2025-64446. Hunt for signs of compromise on affected FortiWeb devices by reviewing logs for anomalous activity.
ASUS has patched a critical authentication bypass vulnerability (CVSS 9.3) affecting multiple models of its DSL routers. The flaw allows a remote, unauthenticated attacker to easily gain full access to the device's management interface. This vulnerability exposes home and small business networks to takeover, man-in-the-middle attacks, and eavesdropping.
Business impact
Compromised routers can serve as a pivot point into internal networks, exposing all connected devices to attack. Attackers can steal sensitive data, redirect traffic to malicious sites, or use the router in a botnet, impacting both business operations and employee privacy.
Recommended action
Immediately identify all affected ASUS DSL router models and apply the firmware updates provided by the vendor. Change default administrative credentials and disable remote management if not essential.
Concerns are growing over data harvesting by IronSource, an Israeli-founded software company, through its bloatware pre-installed on Samsung mobile devices in West Asia and North Africa (WANA). The software, part of an expanded partnership with Samsung, is reportedly collecting user data, raising significant digital surveillance and privacy issues in the region.
Business impact
For organizations with a BYOD policy, this poses a risk of corporate data being exfiltrated from employee devices without their knowledge. This can lead to compliance violations under GDPR and SOX, intellectual property theft, and a loss of trust from customers and employees.
Recommended action
Review and update BYOD policies to address the risks of pre-installed bloatware. Deploy Mobile Device Management (MDM) solutions to monitor and control data access on employee devices. Advise employees in the affected regions about the risks.
Electronics manufacturer Logitech has confirmed it was breached by the Clop extortion gang. The attack is linked to a series of data theft campaigns in July that exploited vulnerabilities in Oracle E-Business Suite. Clop is known for exfiltrating data and then extorting victims for payment to prevent its public release.
Business impact
The breach could expose sensitive employee, customer, or partner data, leading to identity theft and fraud. The incident carries significant financial risk from extortion demands, regulatory fines, and potential lawsuits, as well as long-term damage to the Logitech brand.
Recommended action
Organizations using Oracle E-Business Suite should ensure all patches from July have been applied. Monitor for any data leaks related to Logitech and advise employees to be vigilant against phishing attacks that may leverage stolen information.
The notorious threat group ShinyHunters breached a poorly decommissioned legacy cloud storage system belonging to payment processor Checkout.com. The system, last used in 2020, contained merchant data. Instead of paying the ransom, the company plans to donate the equivalent amount to cybersecurity research groups.
Business impact
This incident highlights the critical importance of proper asset decommissioning. Even legacy systems can contain valuable data, and failure to secure or properly wipe them creates a significant attack surface and potential for data breaches long after they are out of service.
Recommended action
Review and enforce asset management and decommissioning policies. Ensure all legacy systems, especially cloud storage, are either securely wiped and deleted or isolated and monitored if they must be retained for compliance reasons.
AttackIQ has released a new assessment template for emulating the TTPs of the Sandworm threat actor, based on a recent intrusion targeting Ukrainian organizations. This allows organizations to test their defensive controls against the techniques used by this highly destructive, state-sponsored adversary.
Spotlight Rationale: Today's intelligence highlights multiple actively exploited vulnerabilities, including a critical eval injection in XWiki ([CVE-2025-24893](https://nvd.nist.gov/vuln/detail/CVE-2025-24893)) used by the RondoDox botnet and a Fortinet flaw ([CVE-2025-64446](https://nvd.nist.gov/vuln/detail/CVE-2025-64446)) added to the CISA KEV catalog. Palo Alto Networks' Threat Prevention service is designed to provide virtual patching against such exploits, protecting unpatched systems from initial compromise.
Platform Focus: Palo Alto Networks NGFW with Threat Prevention
Palo Alto Networks' Next-Generation Firewall (NGFW) with an active Threat Prevention subscription can identify and block the specific exploit traffic targeting vulnerabilities like CVE-2025-24893. By using signature-based and anomaly-based detection at the network perimeter, it provides a critical layer of defense, known as "virtual patching," that can prevent attackers from gaining initial access to vulnerable servers, even before an official patch is applied. This directly counters the tactics used by threats like the RondoDox botnet.
Actionable Platform Guidance: For organizations using Palo Alto Networks, the platform can be configured to block exploits targeting the vulnerabilities mentioned in today's rundown. The provided guidance offers immediate actions to enhance protection.
# Guidance based on general platform knowledge. Verify against current Palo Alto Networks documentation.
# --- Immediate Actions ---
# 1. Update Threat Prevention Signatures:
#    Ensure your NGFW is pulling the latest content updates.
#    Navigate to Device > Dynamic Updates > Check Now.
# 2. Create/Modify Vulnerability Protection Profile:
#    Navigate to Objects > Security Profiles > Vulnerability Protection.
#    Create a new profile or edit an existing one applied to your internet-facing policies.
#    Under the 'Rules' tab, add a new rule. Set 'Threat Name' to include signatures for XWiki and FortiWeb if available.
#    Set 'Action' to 'reset-both' or 'block' for any threats with 'critical' severity.
# 3. Apply Profile to Security Policy:
#    Navigate to Policies > Security.
#    Identify the rule allowing traffic to your XWiki servers or other vulnerable assets.
#    In the 'Profile Setting' section, apply the Vulnerability Protection profile you just configured.
# --- Verification Steps ---
# 1. Check for Relevant Threat IDs:
#    Use the Threat Vault (https://threatvault.paloaltonetworks.com/) to search for threat IDs related to
#    CVE-2025-24893 and CVE-2025-64446.
# 2. Monitor Threat Logs:
#    Navigate to Monitor > Logs > Threat.
#    Filter for traffic matching your vulnerable server's IP and look for logs where the action was 'reset-both' or 'block'
#    and the Threat ID matches the vulnerabilities. This confirms the profile is working.
2. YARA Rule for RondoDox XWiki Exploitation Artifacts
rule RondoDox_XWiki_Exploit_Attempt {
    meta:
        description = "Detects potential artifacts related to the RondoDox botnet exploiting XWiki CVE-2025-24893."
        author = "Threat Rundown"
        date = "2025-11-16"
        reference = "https://thehackernews.com/2025/11/rondodox-exploits-unpatched-xwiki.html"
        severity = "high"
        tlp = "white"
    strings:
        // Strings related to XWiki eval injection
        $s1 = "xwiki-platform-core" ascii wide
        $s2 = ".eval.vm" ascii wide
        $s3 = "services.security.authorization.Right" ascii wide
        // Generic botnet-related strings often found in droppers
        $s4 = "/bin/busybox" ascii
        $s5 = "wget -q -O-" ascii
        $s6 = "chmod 777" ascii
    condition:
        // The header check restricts matches to PE (MZ) or ELF files; plain-text
        // shell droppers and log files will not match and need a separate rule.
        (uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
        // A high-confidence XWiki string AND a generic botnet command
        (all of ($s1,$s2,$s3) or (1 of ($s1,$s2) and 2 of ($s4,$s5,$s6)))
}
3. Splunk Search for XWiki Exploitation Attempts in Web Logs
The search selects successful POST requests to XWiki script paths whose form data carries injection keywords, scores them, and excludes known internal scanner and administrative ranges (adjust the ranges to your environment). SPL does not accept // comments inside a search, so the explanation sits here instead.
index=web sourcetype=web_logs status=200 http_method=POST
(uri_path="*/xwiki/bin/get/*" OR uri_path="*/xwiki/bin/view/*") AND (form_data="*eval*" OR form_data="*Runtime.getRuntime*")
NOT (src_ip IN ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"))
| eval risk_score=case(
    match(form_data, "(?i)exec|passthru|shell_exec"), 100,
    match(form_data, "(?i)eval|Runtime"), 75,
    true(), 50)
| where risk_score >= 75
| table _time, src_ip, dest_ip, uri_path, form_data, risk_score
| sort -_time
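The same hunt as the Splunk search above (and the web-log monitoring recommended in the XWiki item), reimplemented in Python as an added example that is not part of the original rundown. It assumes JSON-lines web logs whose field names mirror the Splunk fields; the sample log is constructed. It also URL-decodes the form data before matching, which the Splunk wildcard match does not do, so percent-encoded keywords are not missed.

```python
import ipaddress
import json
import re
from typing import Iterable, List, Optional
from urllib.parse import unquote_plus

# Private ranges the Splunk search excludes (internal scanners / admin hosts).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

# URI patterns from the Splunk search: */xwiki/bin/get/* OR */xwiki/bin/view/*
XWIKI_PATH = re.compile(r"/xwiki/bin/(?:get|view)/")
# Coarse filter: form_data="*eval*" OR form_data="*Runtime.getRuntime*"
COARSE = re.compile(r"eval|Runtime\.getRuntime", re.I)
# Scoring tiers copied from the Splunk case() expression.
TIER_100 = re.compile(r"exec|passthru|shell_exec", re.I)
TIER_75 = re.compile(r"eval|Runtime", re.I)
THRESHOLD = 75          # `| where risk_score >= 75`


def is_internal(ip: str) -> bool:
    """True when ip falls inside one of the excluded private ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False        # malformed or missing source IP: keep the event
    return any(addr in net for net in INTERNAL_NETS)


def risk_score(payload: str) -> int:
    """Same tiers as the Splunk eval: 100, 75, otherwise 50."""
    if TIER_100.search(payload):
        return 100
    if TIER_75.search(payload):
        return 75
    return 50


def score_event(event: dict) -> Optional[dict]:
    """Apply the hunt to one parsed log event; return an alert row or None."""
    if (event.get("http_method") or "").upper() != "POST":
        return None
    if str(event.get("status")) != "200":
        return None
    if not XWIKI_PATH.search(event.get("uri_path") or ""):
        return None
    if is_internal(event.get("src_ip") or ""):
        return None
    # Decode once so percent-encoded payloads ("%65val") cannot slip past the
    # keyword match; the raw Splunk wildcard match does not do this.
    payload = unquote_plus(event.get("form_data") or "")
    if not COARSE.search(payload):
        return None
    score = risk_score(payload)
    if score < THRESHOLD:
        return None
    # Same columns as the Splunk `table` command.
    return {
        "_time": event.get("_time"),
        "src_ip": event.get("src_ip"),
        "dest_ip": event.get("dest_ip"),
        "uri_path": event.get("uri_path"),
        "form_data": payload,
        "risk_score": score,
    }


def hunt(lines: Iterable[str]) -> List[dict]:
    """Run the hunt over JSON-lines web logs; newest alerts first (sort -_time)."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue            # skip malformed lines rather than abort the hunt
        row = score_event(event)
        if row:
            alerts.append(row)
    return sorted(alerts, key=lambda r: r["_time"] or "", reverse=True)


# Constructed sample log (not real traffic); ISO-8601 timestamps sort chronologically.
SAMPLE_LOG = """
{"_time": "2025-11-16T08:00:01Z", "src_ip": "203.0.113.10", "dest_ip": "192.0.2.20", "http_method": "POST", "status": 200, "uri_path": "/xwiki/bin/get/Main/Search", "form_data": "text=eval+Runtime.getRuntime"}
{"_time": "2025-11-16T08:05:42Z", "src_ip": "198.51.100.7", "dest_ip": "192.0.2.20", "http_method": "POST", "status": 200, "uri_path": "/xwiki/bin/view/Main/WebHome", "form_data": "text=%65val%20exec"}
{"_time": "2025-11-16T08:06:00Z", "src_ip": "10.1.2.3", "dest_ip": "192.0.2.20", "http_method": "POST", "status": 200, "uri_path": "/xwiki/bin/get/Main/Search", "form_data": "text=eval"}
{"_time": "2025-11-16T08:07:13Z", "src_ip": "203.0.113.10", "dest_ip": "192.0.2.20", "http_method": "GET", "status": 200, "uri_path": "/xwiki/bin/get/Main/Search", "form_data": ""}
{"_time": "2025-11-16T08:08:30Z", "src_ip": "203.0.113.44", "dest_ip": "192.0.2.20", "http_method": "POST", "status": 200, "uri_path": "/xwiki/bin/get/Main/Search", "form_data": "text=hello+world"}
"""

if __name__ == "__main__":
    for row in hunt(SAMPLE_LOG.splitlines()):
        print(row)
```

Of the five constructed events only the two external POSTs with injection keywords survive; the internal-range event, the GET, and the benign form data are dropped exactly as in the Splunk search.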
4. PowerShell Script — Hunt for Web Shells on IIS Servers
# This script hunts for suspicious files in web directories that could indicate a web shell drop post-exploitation.
# Target servers that might be running vulnerable web applications.
$webDirectories = @("C:\inetpub\wwwroot", "D:\Websites")
$suspiciousExtensions = @("*.jsp", "*.aspx", "*.php", "*.sh")
$timeframeDays = 7 # Look for files created in the last week
$computers = "localhost", "WEBSRV01", "WEBSRV02"

foreach ($computer in $computers) {
    if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
        Write-Host "--- Checking $computer for suspicious web files ---"
        foreach ($dir in $webDirectories) {
            # Turn "C:\inetpub\wwwroot" into the admin-share path "\\HOST\C$\inetpub\wwwroot"
            $targetPath = "\\$computer\$($dir.Replace(':', '$'))"
            if (Test-Path $targetPath) {
                Get-ChildItem -Path $targetPath -Include $suspiciousExtensions -File -Recurse -ErrorAction SilentlyContinue |
                    Where-Object { $_.CreationTime -ge (Get-Date).AddDays(-$timeframeDays) } |
                    ForEach-Object {
                        # ${computer} is required: "$computer:" would be parsed as a drive/scope qualifier and fail.
                        Write-Warning "Suspicious file found on ${computer}: $($_.FullName) (Created: $($_.CreationTime))"
                    }
            }
        }
    } else {
        Write-Warning "$computer is not reachable."
    }
}
This rundown should provide a solid
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
{
"type": "bundle",
"id": "bundle--c63f7b1f-c13e-4e7b-9ce2-f181151b9939",
"objects": [
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"created": "2022-10-01T00:00:00.000Z",
"definition_type": "tlp:2.0",
"name": "TLP:CLEAR",
"definition": {
"tlp": "clear"
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--bc479685-ab07-4ceb-a787-34f461129935",
"created": "2025-11-16T17:03:32.510Z",
"modified": "2025-11-16T17:03:32.510Z",
"name": "MikeGPT Intelligence Platform",
"description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds",
"identity_class": "organization",
"sectors": [
"technology",
"defense"
],
"contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--7b7682c8-dba2-427d-8068-2b8e26a3ef71",
"created": "2025-11-16T17:03:32.510Z",
"modified": "2025-11-16T17:03:32.510Z",
"name": "Threat Intelligence Report - 2025-11-16",
"description": "Threat Intelligence Report - 2025-11-16\n\nThis report consolidates actionable cybersecurity intelligence from 50 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Invasive Israeli-founded bloatware is harvesting data from Samsung users in WANA (Score: 100)\n• RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet (Score: 100)\n• Logitech confirms data breach after Clop extortion attack (Score: 100)\n• U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog (Score: 97.7)\n• Google sues to dismantle Chinese phishing platform behind US toll scams (Score: 94.9)\n\nEXTRACTED ENTITIES:\n• 27 Attack Pattern(s)\n• 1 Location(s)\n• 1 Malware(s)\n• 1 Marking Definition(s)\n• 4 Relationship(s)\n• 2 Threat Actor(s)\n• 2 Tool(s)\n• 2 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n",
"published": "2025-11-16T17:03:32.510Z",
"object_refs": [
"identity--bc479685-ab07-4ceb-a787-34f461129935",
"identity--761cd93a-a971-4661-b3e1-42658e4849c6",
"location--723dcd64-e1b3-47d5-97e9-e044d4c1dc83",
"malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"identity--64dd5a4a-9478-4b23-8273-5496fadcbb50",
"vulnerability--e5a7c537-16af-4003-b162-757807c9107d",
"identity--446861a7-0f3a-4e3c-a4bf-c363c229f3e7",
"identity--0693bc48-9075-4fd5-ad67-abcf1687f937",
"identity--1cfa9111-ae8b-4e07-b1bb-e4830f7ef190",
"identity--666fc7fe-c911-419e-a1d6-ea47e6b3646f",
"vulnerability--5380297d-2fc0-4a52-912b-80d302275115",
"identity--9d23cb94-1994-480a-80e9-5cd7581c3d81",
"identity--0911cee1-2fc7-4281-804d-4283ea377130",
"tool--1a3c1a13-b0dc-485c-93cd-3a89192559af",
"tool--cf11f079-c7d6-4937-b26c-4e21af600e62",
"threat-actor--c9a019b4-cc8d-420f-ba01-2795a3aea0c8",
"identity--437b7cf0-8e51-4d57-8ed6-fd20a9f08d8c",
"identity--489a8859-b504-4d5b-b691-0f5586819ace",
"identity--bdf77040-fc84-41e8-8664-548bac2acbd9",
"identity--38c4edb8-4ae5-49b2-b8cd-89857832f516",
"threat-actor--814d56e7-b3c8-4b15-a240-72f304e906b1",
"identity--82c383e2-93b5-4b46-9654-5da51b92ed5e",
"identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"identity--91729c8a-7f28-4a90-a279-b54ca9809441",
"identity--bd8321bb-6350-4fc4-87b3-a79e5b964fb6",
"identity--d9ff7438-f0af-430e-8dd4-af19f2b19200",
"identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396",
"identity--b09ddfe3-f923-45a4-b43f-9a8baccc6680",
"identity--4374f8b0-7844-4bff-9a66-92d49d3e0b15",
"identity--29491c15-366f-4380-8c68-51dbf98e0f2d",
"identity--b33d5b9a-3066-48c0-ad56-8882db624f0f",
"attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"attack-pattern--2cecb29c-a2c6-4961-bed1-a4055f51534d",
"attack-pattern--cd061a92-a819-4f73-99dc-228176018577",
"attack-pattern--06cf8802-38e4-4421-a699-33a0bae74d96",
"attack-pattern--2e52cc86-c2ef-43d7-9f1e-2fc59c4845ee",
"attack-pattern--943edc6f-c0f9-48f1-b8d4-4666aa0abae1",
"attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"attack-pattern--d23a8103-121b-4c0d-a34a-5ec584acaeb7",
"attack-pattern--45006bd4-675c-4f30-afe3-4c1d65fe72de",
"attack-pattern--5f22c487-9afa-42a6-9e1d-bd8fe45b3e8b",
"attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"attack-pattern--d7968b19-cce1-4e85-9ceb-787e6199dc18",
"attack-pattern--2e4f88ee-4edd-4377-a16f-6ff65fd48fce",
"attack-pattern--4a50a3dd-b17a-4e64-bead-928e6ffd125f",
"relationship--6c42f85b-f7a2-40bf-917e-66aac52d7011",
"relationship--1eb4962c-89ca-407e-9a00-4de384b0762d",
"relationship--39ce2056-826f-4857-b533-28a913eca994",
"relationship--9a52ba55-2077-4852-8aa2-ccb82c9849a2"
],
"labels": [
"threat-report",
"threat-intelligence"
],
"created_by_ref": "identity--bc479685-ab07-4ceb-a787-34f461129935",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.519Z",
"modified": "2025-11-16T17:03:31.519Z",
"confidence": 95,
"type": "identity",
"id": "identity--761cd93a-a971-4661-b3e1-42658e4849c6",
"name": "IronSource",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "IronSource is a legitimate Israeli software company that provides mobile software distribution and monetization services. It has partnered with Samsung to expand its reach in the Middle East and North Africa (MENA) region. While IronSource is not a threat actor or malware, it is a relevant entity in the context of cybersecurity and mobile software development.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.519Z",
"modified": "2025-11-16T17:03:31.519Z",
"confidence": 95,
"type": "location",
"id": "location--723dcd64-e1b3-47d5-97e9-e044d4c1dc83",
"name": "North Africa",
"region": "unknown",
"labels": [
"location"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 90,
"type": "malware",
"id": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"name": "RondoDox",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "RondoDox is a botnet malware that targets unpatched XWiki servers to exploit vulnerabilities for arbitrary code execution, specifically leveraging the CVE-2025-24893 vulnerability for its malicious activities.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--64dd5a4a-9478-4b23-8273-5496fadcbb50",
"name": "XWiki",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "XWiki is a free and open-source wiki software platform that allows users to create and manage collaborative content and applications.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--e5a7c537-16af-4003-b162-757807c9107d",
"name": "CVE-2025-24893",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-24893",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24893"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-24893",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24893"
}
],
"description": "The botnet malware known as RondoDox has been observed targeting unpatched XWiki instances against a critical security flaw that could allow attackers to achieve arbitrary code execution. The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), an eval injection bug that could allow any gu",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--446861a7-0f3a-4e3c-a4bf-c363c229f3e7",
"name": "Oracle E-Business Suite",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Oracle E-Business Suite is a comprehensive enterprise resource planning (ERP) software suite that provides integrated business applications for financial management, human capital management, supply chain management, and more.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--0693bc48-9075-4fd5-ad67-abcf1687f937",
"name": "Logitech International S.A.",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Logitech International S.A. is a company",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--1cfa9111-ae8b-4e07-b1bb-e4830f7ef190",
"name": "Fortinet FortiWeb",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Fortinet FortiWeb is a web application firewall (WAF) that protects against web-based attacks by filtering and blocking malicious traffic, and enforcing security policies to prevent data breaches and cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--666fc7fe-c911-419e-a1d6-ea47e6b3646f",
"name": "Known Exploited Vulnerabilities",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Known Exploited Vulnerabilities is a US government database that tracks and publicly discloses known exploited vulnerabilities in software and hardware, allowing organizations to prioritize patching and mitigation efforts to prevent cyber attacks.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--5380297d-2fc0-4a52-912b-80d302275115",
"name": "CVE-2025-64446",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-64446",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64446"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-64446",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64446"
}
],
"description": "is a Swiss multinational electronics company that sells hardware and software",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--9d23cb94-1994-480a-80e9-5cd7581c3d81",
"name": "GitHub Actions",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "GitHub Actions is a continuous integration and continuous deployment (CI/CD) platform that automates software builds, tests, and deployments with customizable workflows triggered by events such as code pushes or pull requests.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--0911cee1-2fc7-4281-804d-4283ea377130",
"name": "Tinexta InfoCert S.p.A.",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Tinexta InfoCert S.p.A. is a company that develops advanced electronic signature solutions.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "tool",
"id": "tool--1a3c1a13-b0dc-485c-93cd-3a89192559af",
"name": "Slither-MCP",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Slither-MCP is a tool that augments Language Model Monitors (LLMs) with Slither's static analysis engine, allowing LLMs to find critical code faster and navigate codebases more efficiently.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "tool",
"id": "tool--cf11f079-c7d6-4937-b26c-4e21af600e62",
"name": "Slither",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Slither is a static analysis engine that helps identify critical code vulnerabilities and navigate codebases more efficiently. It is part of Slither-MCP, a tool that augments Large Language Models (LLMs) with Slither's analysis capabilities to improve their performance.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--c9a019b4-cc8d-420f-ba01-2795a3aea0c8",
"name": "GTG-1002",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "GTG-1002 is a Chinese state-sponsored threat group tracked by Anthropic for carrying out a cyber-espionage operation that was largely automated through the abuse of the company's Claude Code AI model.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--437b7cf0-8e51-4d57-8ed6-fd20a9f08d8c",
"name": "Creators & Presenters",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Creators & Presenters is a company.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--489a8859-b504-4d5b-b691-0f5586819ace",
"name": "Zhejiang University",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "Zhejiang University is a public research university in Hangzhou, China, that has been involved in various cybersecurity research and development projects. The university has a strong focus on computer science and engineering, and its researchers have published numerous papers on topics such as network security, artificial intelligence, and cryptography.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--bdf77040-fc84-41e8-8664-548bac2acbd9",
"name": "Chunling Yang",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Chunling Yang is a researcher affiliated with Zhejiang University, who has co-authored papers on network security and has presented at conferences.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--38c4edb8-4ae5-49b2-b8cd-89857832f516",
"name": "Zhihua Chang",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Zhihua Chang is a researcher or presenter at Zhejiang University in China, involved in a network security study. He is part of a group of researchers who used Anthropic's AI to automate and run cyberattacks in a 2025 espionage campaign.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--814d56e7-b3c8-4b15-a240-72f304e906b1",
"name": "Wenzhi Chen",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "Wenzhi Chen is a researcher at Zhejiang University, China, who has been involved in network security research and has presented papers on the topic. In the context of the provided information, Wenzhi Chen is mentioned as one of the authors of a presentation on network security, and is also associated with a group of researchers who have been linked to China-linked actors using Anthropic's AI to automate and run cyberattacks.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--82c383e2-93b5-4b46-9654-5da51b92ed5e",
"name": "Zhou Ma",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Zhou Ma is a researcher or academic affiliated with Zhejiang University, credited as a presenter or author in a network security session.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"name": "Microsoft",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Microsoft is a multinational technology company that develops, manufactures, licenses, and supports a wide range of software products, services, and devices.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--91729c8a-7f28-4a90-a279-b54ca9809441",
"name": "KB5068781",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "KB5068781 is a security update patch for Windows 10 and Windows 11, addressing vulnerabilities and improving overall system security.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--bd8321bb-6350-4fc4-87b3-a79e5b964fb6",
"name": "Qualys",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Qualys is a cloud-based security and compliance platform that helps organizations identify, classify, and remediate vulnerabilities across their IT assets.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 30,
"type": "identity",
"id": "identity--d9ff7438-f0af-430e-8dd4-af19f2b19200",
"name": "Anthropic",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Anthropic is an AI safety and research company that develops the Claude family of large language models and publishes research on model interpretability and alignment.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396",
"name": "Google",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Google is a multinational technology company specializing in Internet-related services and products, including search engines, online advertising technologies, cloud computing, and software.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--b09ddfe3-f923-45a4-b43f-9a8baccc6680",
"name": "hackthebox",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Hackthebox is a platform that provides virtual machines and challenges for cybersecurity training and practice, allowing users to hone their skills in penetration testing and vulnerability exploitation.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--4374f8b0-7844-4bff-9a66-92d49d3e0b15",
"name": "Crisis24",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Crisis24 is a global risk management and crisis intelligence company providing real-time threat intelligence and emergency response services to governments, corporations, and individuals.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--29491c15-366f-4380-8c68-51dbf98e0f2d",
"name": "blog.risingstack.com",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "blog.risingstack.com is a technology blog that provides articles and tutorials on software development, DevOps, and related topics.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 95,
"type": "identity",
"id": "identity--b33d5b9a-3066-48c0-ad56-8882db624f0f",
"name": "anchore.com",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "anchore.com is the site of Anchore, a software supply chain security company that maintains the open-source Syft (SBOM generation) and Grype (vulnerability scanning) tools and sells a platform for container vulnerability management, compliance, and risk analysis.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:31.520Z",
"modified": "2025-11-16T17:03:31.520Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"name": "Command and Scripting Interpreter",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/",
"external_id": "T1059"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"name": "Spearphishing Attachment",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/001/",
"external_id": "T1566.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"name": "Spearphishing Link",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/002/",
"external_id": "T1566.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"name": "Spearphishing via Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/003/",
"external_id": "T1566.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"name": "Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1071",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1071/",
"external_id": "T1071"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"name": "Non-Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1095",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1095/",
"external_id": "T1095"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2cecb29c-a2c6-4961-bed1-a4055f51534d",
"name": "Exfiltration Over C2 Channel",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"x_mitre_id": "T1041",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1041/",
"external_id": "T1041"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--cd061a92-a819-4f73-99dc-228176018577",
"name": "Exfiltration Over Alternative Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"x_mitre_id": "T1048",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1048/",
"external_id": "T1048"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--06cf8802-38e4-4421-a699-33a0bae74d96",
"name": "System Information Discovery",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"x_mitre_id": "T1082",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1082/",
"external_id": "T1082"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2e52cc86-c2ef-43d7-9f1e-2fc59c4845ee",
"name": "File and Directory Discovery",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"x_mitre_id": "T1083",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1083/",
"external_id": "T1083"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--943edc6f-c0f9-48f1-b8d4-4666aa0abae1",
"name": "Process Discovery",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"x_mitre_id": "T1057",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1057/",
"external_id": "T1057"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"name": "Supply Chain Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/",
"external_id": "T1195"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 84,
"type": "attack-pattern",
"id": "attack-pattern--d23a8103-121b-4c0d-a34a-5ec584acaeb7",
"name": "Install Digital Certificate",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1608.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1608/003/",
"external_id": "T1608.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 79,
"type": "attack-pattern",
"id": "attack-pattern--45006bd4-675c-4f30-afe3-4c1d65fe72de",
"name": "Digital Certificates",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.004",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/004/",
"external_id": "T1588.004"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 76,
"type": "attack-pattern",
"id": "attack-pattern--5f22c487-9afa-42a6-9e1d-bd8fe45b3e8b",
"name": "Steal or Forge Authentication Certificates",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"x_mitre_id": "T1649",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1649/",
"external_id": "T1649"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 71,
"type": "attack-pattern",
"id": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"name": "Botnet",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1584.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1584/005/",
"external_id": "T1584.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"name": "Archive via Utility",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1560.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1560/001/",
"external_id": "T1560.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"name": "Screen Capture",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1113",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1113/",
"external_id": "T1113"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"name": "Adversary-in-the-Middle",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1557",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1557/",
"external_id": "T1557"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.509Z",
"modified": "2025-11-16T17:03:32.509Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"name": "Scheduled Task",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/005/",
"external_id": "T1053.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.510Z",
"modified": "2025-11-16T17:03:32.510Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"name": "Socket Filters",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1205.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1205/002/",
"external_id": "T1205.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.510Z",
"modified": "2025-11-16T17:03:32.510Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"name": "Malicious Shell Modification",
"description": "T1156 is a revoked MITRE ATT&CK technique ID; current ATT&CK maps this behaviour to T1546.004 (Event Triggered Execution: Unix Shell Configuration Modification). The original identifier is preserved here as emitted by the mapper.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1156",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1156/",
"external_id": "T1156"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.510Z",
"modified": "2025-11-16T17:03:32.510Z",
"confidence": 69,
"type": "attack-pattern",
"id": "attack-pattern--d7968b19-cce1-4e85-9ceb-787e6199dc18",
"name": "Clear Windows Event Logs",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"x_mitre_id": "T1070.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1070/001/",
"external_id": "T1070.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.510Z",
"modified": "2025-11-16T17:03:32.510Z",
"confidence": 68,
"type": "attack-pattern",
"id": "attack-pattern--2e4f88ee-4edd-4377-a16f-6ff65fd48fce",
"name": "Virtual Private Server",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1583.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1583/003/",
"external_id": "T1583.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-16T17:03:32.510Z",
"modified": "2025-11-16T17:03:32.510Z",
"confidence": 68,
"type": "attack-pattern",
"id": "attack-pattern--4a50a3dd-b17a-4e64-bead-928e6ffd125f",
"name": "Install Root Certificate",
"description": "T1130 is a revoked MITRE ATT&CK technique ID; current ATT&CK maps this behaviour to T1553.004 (Subvert Trust Controls: Install Root Certificate). The original identifier is preserved here as emitted by the mapper.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"x_mitre_id": "T1130",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1130/",
"external_id": "T1130"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6c42f85b-f7a2-40bf-917e-66aac52d7011",
"created": "2025-11-16T17:03:32.510Z",
"modified": "2025-11-16T17:03:32.510Z",
"relationship_type": "uses",
"source_ref": "threat-actor--c9a019b4-cc8d-420f-ba01-2795a3aea0c8",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: gtg-1002 uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1eb4962c-89ca-407e-9a00-4de384b0762d",
"created": "2025-11-16T17:03:32.510Z",
"modified": "2025-11-16T17:03:32.510Z",
"relationship_type": "uses",
"source_ref": "threat-actor--c9a019b4-cc8d-420f-ba01-2795a3aea0c8",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: gtg-1002 uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--39ce2056-826f-4857-b533-28a913eca994",
"created": "2025-11-16T17:03:32.510Z",
"modified": "2025-11-16T17:03:32.510Z",
"relationship_type": "uses",
"source_ref": "threat-actor--814d56e7-b3c8-4b15-a240-72f304e906b1",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: wenzhi chen uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9a52ba55-2077-4852-8aa2-ccb82c9849a2",
"created": "2025-11-16T17:03:32.510Z",
"modified": "2025-11-16T17:03:32.510Z",
"relationship_type": "uses",
"source_ref": "threat-actor--814d56e7-b3c8-4b15-a240-72f304e906b1",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: wenzhi chen uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
}
]
}
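The bundle above is a STIX 2.1 document: its relationship objects point at threat-actor ids that must exist elsewhere in the same bundle, and its attack-pattern objects carry MITRE ATT&CK ids, two of which (T1156 and T1130) MITRE has revoked. The Python below is an added example, not part of the feed or of any vendor's tooling. It checks that every id is well-formed and its prefix matches the object's type, that every relationship's source_ref and target_ref resolve, that each x_mitre_id matches its ATT&CK external reference, and flags revoked technique ids. The REVOKED_TECHNIQUES table is a hand-maintained subset and SAMPLE_BUNDLE is a constructed fragment built from three objects copied from the page (its bundle id is made up); the relationship's threat-actor source is deliberately omitted so the dangling-reference check fires.

```python
"""Integrity checks for a STIX 2.1 bundle carrying MITRE ATT&CK mappings (added example)."""
import json
import re

# Technique ids MITRE has revoked, mapped to their replacement.
# Assumption: a hand-maintained subset, not a complete list; the ATT&CK STIX
# data (revoked=true plus a revoked-by relationship) is the authority.
REVOKED_TECHNIQUES = {
    "T1156": "T1546.004",  # Malicious Shell Modification -> Unix Shell Configuration Modification
    "T1130": "T1553.004",  # Install Root Certificate -> Subvert Trust Controls: Install Root Certificate
}

# STIX identifier: <type>--<uuid>; the type is lowercase tokens joined by single hyphens.
STIX_ID_RE = re.compile(
    r"^([a-z0-9]+(?:-[a-z0-9]+)*)--"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)


def check_bundle(bundle):
    """Return findings as (severity, object_id, message) tuples, in object order."""
    findings = []
    objects = bundle.get("objects", [])
    seen = {}

    # Pass 1: every object needs a well-formed id whose prefix matches its type.
    for obj in objects:
        oid = obj.get("id", "")
        m = STIX_ID_RE.match(oid)
        if not m:
            findings.append(("error", oid, "malformed STIX id"))
            continue
        if m.group(1) != obj.get("type"):
            findings.append(("error", oid, "id prefix does not match type"))
        if oid in seen:
            findings.append(("error", oid, "duplicate id"))
        seen[oid] = obj

    # Pass 2: checks that need the full id set.
    for obj in objects:
        oid = obj.get("id", "")
        created, modified = obj.get("created"), obj.get("modified")
        if created and modified and modified < created:  # same ISO-8601 layout, so string order works
            findings.append(("error", oid, "modified timestamp precedes created"))
        if obj.get("type") == "relationship":
            for key in ("source_ref", "target_ref"):
                ref = obj.get(key)
                if ref not in seen:
                    findings.append(("error", oid, f"{key} {ref} not present in bundle"))
        elif obj.get("type") == "attack-pattern":
            tid = obj.get("x_mitre_id")
            ext_ids = [r.get("external_id") for r in obj.get("external_references", [])
                       if r.get("source_name") == "MITRE ATT&CK"]
            if tid not in ext_ids:
                findings.append(("error", oid, f"x_mitre_id {tid} has no matching ATT&CK external_reference"))
            if tid in REVOKED_TECHNIQUES:
                findings.append(("warning", oid, f"{tid} is revoked; map to {REVOKED_TECHNIQUES[tid]}"))
            if not obj.get("kill_chain_phases"):
                findings.append(("warning", oid, "no kill_chain_phases"))
    return findings


def check_file(path):
    """Load a bundle from disk and run the checks."""
    with open(path, encoding="utf-8") as fh:
        return check_bundle(json.load(fh))


ATTACK = "MITRE ATT&CK"
# Constructed fragment: three objects copied from the page; the bundle id is made up and the
# threat-actor the relationship points at is intentionally absent.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--5b2c8c1e-0f7a-4d8c-9a6d-0c0b7c1d2e3f",
    "objects": [
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
         "created": "2025-11-16T17:03:32.509Z", "modified": "2025-11-16T17:03:32.509Z",
         "name": "Command and Scripting Interpreter", "x_mitre_id": "T1059",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": ATTACK, "external_id": "T1059",
                                  "url": "https://attack.mitre.org/techniques/T1059/"}]},
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
         "created": "2025-11-16T17:03:32.510Z", "modified": "2025-11-16T17:03:32.510Z",
         "name": "Malicious Shell Modification", "x_mitre_id": "T1156",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"}],
         "external_references": [{"source_name": ATTACK, "external_id": "T1156",
                                  "url": "https://attack.mitre.org/techniques/T1156/"}]},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--6c42f85b-f7a2-40bf-917e-66aac52d7011",
         "created": "2025-11-16T17:03:32.510Z", "modified": "2025-11-16T17:03:32.510Z",
         "relationship_type": "uses",
         "source_ref": "threat-actor--c9a019b4-cc8d-420f-ba01-2795a3aea0c8",
         "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d"},
    ],
}

if __name__ == "__main__":
    for severity, oid, message in check_bundle(SAMPLE_BUNDLE):
        print(f"{severity:8} {oid}: {message}")
```

Run it against the full feed with `check_file("bundle.json")`; on the constructed sample it reports one warning (T1156 revoked) and one error (the relationship's source_ref does not resolve). An unresolved ref is worth treating as a hard failure when ingesting into a TIP, because the "uses" edge carries no meaning without its threat-actor node.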