Heroes, we have another Chrome zero-day, and the DDoS attacks keep getting more intense. Here's a detailed look at the current cybersecurity landscape for November 18, 2025.
Google has released an emergency security update for its Chrome browser to patch two vulnerabilities, one of which is a high-severity V8 type-confusion bug being actively exploited in the wild. Tracked as CVE-2025-13223, this marks the seventh Chrome zero-day vulnerability addressed by Google this year, highlighting a persistent trend of attackers targeting browser engines for initial access and remote code execution.
Business impact
An unpatched Chrome browser represents a critical entry point into corporate networks. Successful exploitation could lead to arbitrary code execution on employee workstations, enabling attackers to deploy malware, steal credentials, exfiltrate sensitive data, and move laterally within the network.
Recommended action
Prioritize the immediate deployment of the latest Chrome update across all corporate devices. Verify patch application through endpoint management systems. Security teams should monitor for any signs of post-exploitation activity originating from browser processes.
Cisco has disclosed that a new attack variant is actively exploiting previously known vulnerabilities in its Secure Firewall ASA and FTD software. The attacks target unpatched devices, causing them to reboot or reload unexpectedly. This activity leverages CVE-2025-20333 and CVE-2025-20362, demonstrating that attackers continue to re-tool exploits for known but unpatched flaws.
Business impact
The primary impact is a denial-of-service (DoS) condition on critical network infrastructure. Unexpected reboots of firewalls can cause widespread network outages, disrupt business operations, and create security gaps that other threat actors could exploit during the downtime.
Recommended action
Immediately verify that all Cisco ASA and FTD appliances are patched against CVE-2025-20333 and CVE-2025-20362. Monitor firewall logs for unexpected reloads and investigate any anomalous activity.
Check Point Research reports that the Cl0p ransomware group's campaign targeting an Oracle E-Business Suite zero-day (CVE-2025-61882) is growing. New high-profile breaches have been confirmed at The Washington Post and Logitech, indicating widespread and successful exploitation of this vulnerability by a sophisticated threat actor.
Business impact
A breach originating from Oracle E-Business Suite could be catastrophic, leading to the compromise of sensitive financial, HR, and supply chain data. The involvement of Cl0p suggests a high risk of data exfiltration followed by a ransomware event, resulting in operational disruption and significant financial extortion demands.
Recommended action
Organizations using Oracle E-Business Suite must apply the relevant security patches immediately. It is critical to initiate a threat hunt for signs of compromise, focusing on unusual access patterns, data staging, and outbound data transfers from affected servers.
CERT Polska has reported a vulnerability in the login process of Times Software E-Payroll. The flaw, identified as CVE-2025-9977, relates to how a specific POST parameter is handled during user authentication, potentially allowing unauthorized access.
Business impact
Exploitation of this vulnerability could expose highly sensitive employee payroll information, including salaries, personal identification data, and banking details. This poses a direct risk of fraud, identity theft, and non-compliance with data protection regulations.
Recommended action
Organizations using Times Software E-Payroll should contact the vendor for patch information and apply it as a top priority. Review access logs for any suspicious login attempts or unauthorized data access.
Federal authorities and security researchers are raising concerns over Fortinet's delayed disclosure of a critical, massively exploited vulnerability in its web application firewall (WAF) product. The delay put defenders at a significant disadvantage, as attackers were actively exploiting the flaw before many customers were aware of the risk or had access to a patch.
Business impact
The lack of timely notification increases the likelihood of successful breaches for Fortinet customers. A compromised WAF can expose backend applications to attack, leading to data breaches, web defacement, or further network intrusion. This incident also raises questions about vendor transparency and its impact on supply chain risk management.
Recommended action
Fortinet customers should ensure the latest patches are applied to their WAF appliances immediately. Review WAF and application logs for any signs of compromise that may have occurred before the patch was deployed.
Microsoft has reported the mitigation of the largest cloud DDoS attack ever recorded, peaking at 15.7 Terabits per second (Tbps) and 3.6 billion packets per second (pps). The attack, attributed to the Aisuru botnet, targeted Azure infrastructure on October 24, 2025, using massive UDP floods from over 500,000 IP addresses.
Business impact
While this specific attack was mitigated, it demonstrates a massive escalation in the scale and capability of DDoS botnets. Such attacks can render critical online services and applications unavailable for extended periods, causing direct revenue loss, customer churn, and reputational damage.
Recommended action
Organizations, especially those reliant on cloud services, should review their DDoS mitigation strategies and ensure they have adequate protection in place. This includes engaging with cloud providers' native protection services and having a clear incident response plan for DDoS events.
A Turkish luxury retail platform was targeted by a massive application-layer DDoS attack that peaked at 14.2 million requests per second (RPS). This attack, which occurred during a high-stakes product launch, represents one of the largest application-layer DDoS attacks ever recorded. The incident demonstrates the escalating scale and sophistication of DDoS attacks, which can overwhelm even well-prepared organizations.
Business impact
Such an attack can render e-commerce platforms and other online services completely unavailable, leading to direct revenue loss, customer frustration, and brand damage, especially when timed to coincide with critical business events.
Recommended action
Review and test DDoS mitigation strategies, ensuring they can handle high-volume application-layer attacks. Engage with a dedicated DDoS mitigation provider and ensure that rate-limiting and web application firewall (WAF) rules are properly configured to absorb and filter malicious traffic.
Researchers have detailed an attempted intrusion against a major U.S. real-estate company that used a nascent command-and-control (C2) framework called Tuoni. The use of this new red teaming tool highlights attackers' continuous efforts to adopt novel frameworks to evade detection by conventional security solutions.
Business impact
The adoption of new C2 frameworks by threat actors can bypass existing signature-based and behavioral detections, increasing the dwell time of an attacker within a network. This allows more time for reconnaissance, lateral movement, and data exfiltration before the intrusion is discovered.
Recommended action
Security teams should proactively hunt for indicators associated with emerging C2 frameworks like Tuoni. Detections should focus on anomalous network traffic patterns, PowerShell execution, and process chains rather than relying solely on known malware signatures.
A threat actor has published seven malicious packages to the npm registry that use a cloaking service called Adspect. This service allows the malware to differentiate between security analysis environments and real victims, redirecting the latter to cryptocurrency scam websites while appearing benign to researchers.
Business impact
This represents a sophisticated software supply chain attack targeting developers. If these packages are integrated into a development pipeline, they could lead to compromised developer credentials, injection of malicious code into production applications, or direct financial loss for employees who fall for the scam.
Recommended action
Development teams should immediately audit their projects for the presence of these seven malicious npm packages. Implement policies for vetting third-party libraries and consider using tools that can detect suspicious package behaviors.
JPCERT/CC has released YAMAGoya, a new tool for real-time client monitoring. It is designed to help analysts detect suspicious activity, such as fileless malware, by leveraging Sigma and YARA rules directly on endpoints, addressing the growing challenge of detecting threats that evade traditional file-based scanning.
Cisco Talos has introduced new capabilities for the Snort3 intrusion detection system within Cisco Secure Firewall. The enhancements provide security teams with more flexibility in managing, organizing, and prioritizing detection rules, making it easier to align network defenses with organizational policies.
Looking toward 2026, this strategic analysis argues that the most significant threats are not novel zero-day exploits but persistent blind spots in foundational security disciplines. Key areas of focus must include comprehensive supply chain security, managing proximity-based attack surfaces (e.g., wireless), and establishing clear cross-functional accountability for security outcomes. The piece emphasizes that fundamentals must evolve into continuous, operational disciplines to build true cyber resilience.
Spotlight Rationale: Today's intelligence highlights the increasing use of fileless malware and emerging C2 frameworks like **Tuoni** (The Hacker News) that evade traditional, file-based security tools. JPCERT/CC's new tool directly addresses this detection gap.
YAMAGoya is a real-time endpoint monitoring tool that operationalizes threat intelligence in the form of Sigma and YARA rules. Instead of relying on static file signatures, it allows security teams to hunt for behavioral indicators of compromise (IOCs) and malicious patterns in memory and process activity. This is crucial for detecting threats like fileless malware, obfuscated scripts, and the command-line activity associated with frameworks like Tuoni C2.
Actionable Platform Guidance: Deploy the YAMAGoya agent to critical endpoints. Integrate a feed of high-quality Sigma rules covering MITRE ATT&CK techniques for execution, persistence, and defense evasion. Create custom YARA rules to scan process memory for strings and patterns associated with newly identified threats from intelligence reports.
1. YAMAGoya Configuration Guidance for Detecting Emerging C2 Frameworks
# 1. Ensure the YAMAGoya agent is deployed to target endpoints.
# 2. Download the latest Sigma rules for command-line and process execution.
#    git clone https://github.com/SigmaHQ/sigma.git
# 3. Convert relevant Sigma rules for use with YAMAGoya.
#    Focus on rules detecting:
#    - Suspicious PowerShell invocation (e.g., Invoke-Expression, Base64 encoding)
#    - WMI process creation
#    - Rundll32 execution of unusual DLLs
#    - Living-off-the-land binaries (LOLBAS) activity
# 4. Load the converted rules into the YAMAGoya management console.
#    - Navigate to 'Rule Management' -> 'Import'
#    - Select the converted rule files.
#    - Assign rules to an active monitoring policy.
# 5. Create a custom YARA rule for Tuoni C2 artifacts (based on future IOCs)
#    and upload it to the YAMAGoya 'YARA Rules' section to enable process memory scanning.
# 6. Monitor the YAMAGoya dashboard for alerts and investigate any hits.
#    Prioritize alerts that correlate multiple rule hits on a single host.
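The steps above convert Sigma rules for the rule families listed and then prioritize hosts where several rules fire. The following is an added illustration, not code from the newsletter or from JPCERT/CC's YAMAGoya: a minimal Sigma-style matcher that evaluates simplified versions of those rule families against constructed process-creation events and ranks hosts by how many distinct rules fired. Rule titles, regexes, host names and events are all constructed assumptions.

```python
import re
from collections import defaultdict

# Simplified Sigma-style rules (constructed for this example, not from SigmaHQ or YAMAGoya):
# every (field, regex) pair in 'selection' must match, like an AND-ed Sigma selection.
RULES = [
    {
        "title": "Suspicious PowerShell invocation",
        "level": "high",
        "selection": {
            "image": r"(?i)\\(powershell|pwsh)\.exe$",
            "command_line": r"(?i)-enc(odedcommand)?\s|invoke-expression|\biex\b|frombase64string",
        },
    },
    {
        "title": "WMI process creation",
        "level": "medium",
        "selection": {"parent_image": r"(?i)\\wmiprvse\.exe$"},
    },
    {
        "title": "Rundll32 loading a DLL from a user-writable path",
        "level": "high",
        "selection": {
            "image": r"(?i)\\rundll32\.exe$",
            "command_line": r"(?i)\\(users|temp|appdata|programdata)\\.*\.dll",
        },
    },
    {
        "title": "Office application spawning a shell",
        "level": "high",
        "selection": {
            "parent_image": r"(?i)\\(winword|excel|outlook)\.exe$",
            "image": r"(?i)\\(cmd|powershell|wscript|mshta)\.exe$",
        },
    },
]

# Constructed process-creation events in the shape an endpoint agent would emit.
SAMPLE_EVENTS = [
    {   # Word launching an encoded PowerShell command: fires two rules on the same host
        "host": "WS-042",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -enc QQBCAEMA",
    },
    {   # WMI-spawned rundll32 loading a DLL from Temp on the same host
        "host": "WS-042",
        "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "image": r"C:\Windows\System32\rundll32.exe",
        "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start",
    },
    {   # Outlook spawning cmd.exe: a single rule hit on another host
        "host": "WS-017",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": "cmd.exe /c dir",
    },
    {   # Benign scheduled script: no rule should match
        "host": "WS-099",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1",
    },
]


def evaluate(event, rule):
    """True when every field regex in the rule's selection matches the event."""
    return all(re.search(pattern, event.get(field, "")) is not None
               for field, pattern in rule["selection"].items())


def scan(events, rules=RULES):
    """Return {host: [rule titles that fired]} for every host with at least one hit."""
    hits = defaultdict(list)
    for event in events:
        for rule in rules:
            if evaluate(event, rule):
                hits[event["host"]].append(rule["title"])
    return dict(hits)


def prioritize(hits):
    """Rank hosts by distinct rules fired (the correlation step), then by total hits."""
    return sorted(hits, key=lambda h: (len(set(hits[h])), len(hits[h])), reverse=True)


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for host in prioritize(results):
        print(f"{host}: {len(set(results[host]))} distinct rules -> {results[host]}")
```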
2. YARA Rule for Tuoni C2 Framework Artifacts
rule Detect_Tuoni_C2_Framework_Strings {
    meta:
        description = "Detects potential in-memory artifacts of the Tuoni C2 framework."
        author = "Threat Rundown"
        date = "2025-11-18"
        reference = "https://thehackernews.com/2025/11/researchers-detail-tuoni-c2s-role-in.html"
        severity = "high"
        tlp = "white"
    strings:
        // Candidate agent and tasking strings; validate against confirmed samples before production use
        $s1 = "Tuoni.Agent" ascii wide
        $s2 = "get_tasking" ascii wide
        $s3 = "send_output" ascii wide
        $s4 = "TuoniC2" ascii wide
    condition:
        any of them
}
3. Splunk Search — Hunt for Chrome Launched by Suspicious Parent Processes
index=proxy sourcetype="web_proxy" c_user_agent="*Chrome/140.0.0.0*"
| join type=left src_ip [
    search index=endpoint sourcetype="os_events" process_name="chrome.exe"
    | stats earliest(_time) as first_seen, latest(_time) as last_seen, values(parent_process_name) as parent_processes by src_ip, process_name
    ]
| where isnotnull(parent_processes)
| eval parent_list=mvjoin(parent_processes, ",")
| eval risk_score=case(
    match(parent_list, "(?i)winword\.exe|excel\.exe|outlook\.exe|acrord32\.exe"), 100,
    match(parent_list, "(?i)powershell\.exe|cmd\.exe|wscript\.exe"), 90,
    true(), 20)
| where risk_score >= 90
| table _time, src_ip, dest_url, parent_processes, first_seen, last_seen, risk_score
| sort -risk_score, -_time
| dedup src_ip
4. PowerShell Script — Hunt for Malicious npm Package Indicators
# Scans for directories related to the malicious npm packages reported on 2025-11-18
# NOTE: Package names are hypothetical based on the report. Replace with actual names when available.
$suspiciousPackages = @(
    "adspect-cloaker-client",
    "crypto-redirect-util",
    "web3-helper-pro",
    "eth-simple-api",
    "npm-guard-plus",
    "secure-package-validator",
    "dev-dependency-checker"
)
# Global npm install locations plus user profile trees; wildcards are expanded by Resolve-Path below
$searchPaths = @(
    "$env:APPDATA\npm\node_modules",
    "$env:LOCALAPPDATA\npm\node_modules",
    "C:\Users\*\node_modules",
    "C:\Users\*\*\node_modules"   # One level deeper (project folders directly under a profile)
)
Write-Host "Scanning for suspicious npm packages..." -ForegroundColor Yellow
$findings = @()
foreach ($path in $searchPaths) {
    # Test-Path accepts wildcards, so this is true if any node_modules folder matches the pattern
    if (Test-Path $path) {
        foreach ($package in $suspiciousPackages) {
            $pattern = Join-Path -Path $path -ChildPath $package
            # Resolve-Path expands the wildcard pattern to every concrete directory that exists,
            # so the alert reports the real location rather than the wildcard string
            $resolved = Resolve-Path -Path $pattern -ErrorAction SilentlyContinue
            foreach ($hit in $resolved) {
                Write-Host "[ALERT] Found suspicious package '$package' at: $($hit.Path)" -ForegroundColor Red
                $findings += $hit.Path
            }
        }
    }
}
Write-Host "Scan complete. $($findings.Count) suspicious package directories found."
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--5e369bca-b499-4ea5-b982-640bd01c35b1",
"name": "CVE-2025-13223",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-13223",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13223"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-13223",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13223"
}
],
"description": "Here are some important ones to focus on. Cyble Vulnerability Intelligence researchers tracked 971 vulnerabilities in the last week, and at least 37 of the disclosed vulnerabilities quickly had a publicly",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "identity",
"id": "identity--3b5d26cf-e95a-4227-bb0e-29d009a43bd3",
"name": "Realtek",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Realtek is a company that designs and manufactures semiconductor products, including network interface controllers, Wi-Fi and Ethernet chipsets, and audio codecs for various industries.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "identity",
"id": "identity--2ddf4a0a-709c-4e8d-b2af-853637b31c20",
"name": "Zyxel",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Zyxel is a company that designs and manufactures networking equipment and security solutions for home, business, and service provider markets.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "identity",
"id": "identity--773ab75a-c00a-42f0-9302-bfed10ac66ab",
"name": "Linksys",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Linksys is a company that designs and manufactures networking equipment, including routers, switches, and wireless access points for home and business use.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "identity",
"id": "identity--a4e59e2d-b078-4a28-8d7b-c257534cf291",
"name": "Reuters",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Reuters is a news agency providing real-time news, financial data, and media services to the world's leading newspapers, media outlets, and financial institutions.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "identity",
"id": "identity--8f259c5a-a80d-4936-aa46-8007e1aad737",
"name": "ENISA",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "ENISA, or the European Union Agency for Cybersecurity, is a European Union agency responsible for improving the cybersecurity of the EU and the European Economic Area. It was established in 2004 and is headquartered in Athens, Greece. ENISA plays a key role in coordinating the EU's cybersecurity efforts and providing advice and guidance to EU member states on cybersecurity matters.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "identity",
"id": "identity--07539e79-c9ed-47ab-a216-0f7fcf22a307",
"name": "Srdjan Capkun",
"identity_class": "individual",
"labels": [
"identity"
],
"description": "Srdjan Capkun is a security researcher and academic, affiliated with ETH Zurich, who has presented research on wireless, cellular, and satellite security at conferences.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "identity",
"id": "identity--aefa3a97-be44-4b87-8a00-e4308a5b7597",
"name": "Tenable Cloud Vulnerability Management",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Tenable Cloud Vulnerability Management is a cloud-based platform that helps organizations identify, prioritize, and remediate vulnerabilities across their cloud, on-premises, and hybrid environments.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "malware",
"id": "malware--37ef699b-6300-4266-824f-a4f8698f9c4a",
"name": "Amatera Stealer",
"is_family": true,
"malware_types": [
"stealer"
],
"labels": [
"malicious-activity"
],
"description": "Amatera Stealer is a type of malware that has been observed being deployed through social engineering tactics, specifically the ClickFix technique. It has been tracked by cybersecurity researchers under the moniker EVALUSION, and its activity has been noted since June 2025. Amatera Stealer is a threat that organizations should be aware of, as it can compromise sensitive information and disrupt operations.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "identity",
"id": "identity--d4f7dd08-532b-4bfe-9ff8-970358f91bcf",
"name": "International Data Corporation",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "International Data Corporation (IDC) is a market research and analysis firm that provides insights and data on the technology industry. In the context provided, IDC is mentioned as the organization that released the '2025 IDC China Top 10 Cybersecurity Professionals' list, recognizing outstanding individuals in the field of cybersecurity.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "identity",
"id": "identity--19c4bfb3-edc9-44d0-9fd0-802b446de424",
"name": "Yangtao Deng",
"identity_class": "individual",
"labels": [
"identity"
],
"description": "Yangtao Deng is a researcher at Tsinghua University, participating in discussions on AI adoption and governance, specifically addressing the unseen risks of General AI and its implications on security and society.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--1502e27b-0a63-45f2-a38f-0e631d47740e",
"name": "Threat Analysis Group",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "Threat Analysis Group is a cybersecurity team within Google that tracks and reports on various threat actors and vulnerabilities, providing critical insights and intelligence to the cybersecurity community. In the context provided, they reported a flaw that was likely exploited by a commercial spyware vendor, highlighting their role in identifying and exposing potential threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "identity",
"id": "identity--1044ef7c-7d96-43dd-b3cb-5725d5a7e299",
"name": "GuardDuty",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "GuardDuty is a cloud-based threat detection service that uses machine learning and analytics to identify and alert on potential security threats within AWS environments.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "identity",
"id": "identity--c05c2e2f-8087-443a-92ca-329ee039e30f",
"name": "QRadar",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "QRadar is a Security Information and Event Management (SIEM) system that collects, analyzes, and visualizes security-related data from various sources to help organizations detect and respond to potential security threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "identity",
"id": "identity--156dcd46-2e7a-48c0-b904-d62225f19cbb",
"name": "tryhackme",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Tryhackme is a cloud-based platform offering virtual labs and capture-the-flag challenges for hands-on cybersecurity training and learning.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "identity",
"id": "identity--f6f3130c-edd1-45c7-bf64-c4cce6f22a12",
"name": "Snort3",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Snort3 is a network intrusion prevention system that detects and prevents malicious traffic by analyzing network traffic against a set of predefined rules.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--3be7517c-87f4-4854-bb6c-b59e6375be74",
"name": "CVE-2025-61882",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-61882",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61882"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-61882",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61882"
}
],
"description": "To counter these threats, security researchers and malware analysts actively create and publish detection rules such as Sigma and YARA. However, man",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--68c991d7-5963-482f-97ec-688bb0f70443",
"name": "CVE-2025-45768",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-45768",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-45768"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-45768",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45768"
}
],
"description": "An interesting scenario appeared, there might be a time window when a critical CVE is found but a fix for it is not released yet. It's unknown when that CVE would be fixed. What policies do you follow on this? Example as of when I am posting this: https://nvd.nist.gov/vuln/detail/CVE-2025-45768 Scen",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.841Z",
"modified": "2025-11-18T15:19:49.841Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.842Z",
"modified": "2025-11-18T15:19:49.842Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.842Z",
"modified": "2025-11-18T15:19:49.842Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--9df8a3ab-356d-40ee-a3ef-bad3413bd273",
"name": "Obfuscated Files or Information",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"x_mitre_id": "T1027",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1027/",
"external_id": "T1027"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.842Z",
"modified": "2025-11-18T15:19:49.842Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"name": "Adversary-in-the-Middle",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1557",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1557/",
"external_id": "T1557"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.842Z",
"modified": "2025-11-18T15:19:49.842Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"name": "Supply Chain Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/",
"external_id": "T1195"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.842Z",
"modified": "2025-11-18T15:19:49.842Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"name": "Spearphishing Attachment",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/001/",
"external_id": "T1566.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.842Z",
"modified": "2025-11-18T15:19:49.842Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"name": "Spearphishing Link",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/002/",
"external_id": "T1566.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.842Z",
"modified": "2025-11-18T15:19:49.842Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"name": "Spearphishing via Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/003/",
"external_id": "T1566.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.842Z",
"modified": "2025-11-18T15:19:49.842Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"name": "Botnet",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1584.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1584/005/",
"external_id": "T1584.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.842Z",
"modified": "2025-11-18T15:19:49.842Z",
"confidence": 84,
"type": "attack-pattern",
"id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"name": "Vulnerabilities",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/006/",
"external_id": "T1588.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.842Z",
"modified": "2025-11-18T15:19:49.842Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d",
"name": "Search Threat Vendor Data",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"x_mitre_id": "T1681",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1681/",
"external_id": "T1681"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.842Z",
"modified": "2025-11-18T15:19:49.842Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"name": "Archive via Utility",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1560.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1560/001/",
"external_id": "T1560.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.842Z",
"modified": "2025-11-18T15:19:49.842Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"name": "Screen Capture",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1113",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1113/",
"external_id": "T1113"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.842Z",
"modified": "2025-11-18T15:19:49.842Z",
"confidence": 69,
"type": "attack-pattern",
"id": "attack-pattern--3dfbd980-9c7a-4d3d-9e53-14e24b1fabdf",
"name": "Compromise Software Dependencies and Development Tools",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/001/",
"external_id": "T1195.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-18T15:19:49.842Z",
"modified": "2025-11-18T15:19:49.842Z",
"confidence": 65,
"type": "attack-pattern",
"id": "attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6",
"name": "Artificial Intelligence",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.007",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/007/",
"external_id": "T1588.007"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e23a4e87-fb8c-4c89-925f-2f609a6b8262",
"created": "2025-11-18T15:19:49.842Z",
"modified": "2025-11-18T15:19:49.842Z",
"relationship_type": "uses",
"source_ref": "threat-actor--1502e27b-0a63-45f2-a38f-0e631d47740e",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: threat analysis group uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
}
]
}