Heroes, EU updates AWS designation, 7-Zip vulnerability is being exploited, Microsoft recommends users enable Copilot Actions only “if you understand the security implications outlined”, and more. Here's a look at the current cybersecurity landscape for November 20, 2025.
A critical remote code execution vulnerability in the popular file archiver 7-Zip is being actively exploited in the wild. The flaw, CVE-2025-11001, is a symbolic link-based vulnerability that allows attackers to execute arbitrary code. The U.K.'s NHS England Digital issued an advisory confirming active exploitation, elevating the urgency for patching.
Business impact
Given 7-Zip's widespread use in both personal and enterprise environments, this vulnerability poses a significant risk. Attackers can distribute malicious archives via email or downloads, which, when opened by a user, could lead to system compromise, ransomware deployment, or data exfiltration.
Recommended action
Prioritize the deployment of the patched version of 7-Zip across all endpoints immediately. Scan for vulnerable installations and monitor for suspicious processes originating from 7-Zip.
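Added example, not code from the newsletter or from the 7-Zip project: a Python pre-screen for inbound ZIP archives that flags the archive features a symbolic-link-based extraction flaw depends on (symlink entries, entries placed beneath a symlink, and paths that leave the extraction root), so a mail gateway or SOC can quarantine such archives regardless of which archiver version the recipient runs. It assumes ZIP input (7z and tar would need their own parsers) and uses constructed in-memory archives as test fixtures; it does not model the 7-Zip bug itself.

```python
"""Quarantine check for ZIP archives carrying symlink entries or path traversal.
Assumption: ZIP format only; fixtures below are constructed, not real samples."""
import io
import stat
import zipfile
from dataclasses import dataclass
from typing import List, Set


@dataclass
class ArchiveFinding:
    entry: str
    reason: str


def _escapes_root(path: str) -> bool:
    """True if a path is absolute, carries a drive letter, or climbs with '..'."""
    norm = path.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    return ".." in norm.split("/")


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix-origin ZIP writers keep the POSIX mode in the high 16 bits of external_attr.
    return stat.S_ISLNK(info.external_attr >> 16)


def screen_zip(data: bytes) -> List[ArchiveFinding]:
    """Return one finding per suspicious entry; an empty list means nothing was flagged."""
    findings: List[ArchiveFinding] = []
    symlink_dirs: Set[str] = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Central-directory order is the order an extractor writes entries, so a
        # symlink seen earlier is already known when a later entry sits under it.
        for info in zf.infolist():
            name = info.filename.replace("\\", "/").rstrip("/")
            if _escapes_root(name):
                findings.append(ArchiveFinding(info.filename, "path escapes extraction root"))
            parts = name.split("/")
            for depth in range(1, len(parts)):
                prefix = "/".join(parts[:depth])
                if prefix in symlink_dirs:
                    findings.append(ArchiveFinding(
                        info.filename, f"placed beneath symlink entry '{prefix}'"))
                    break
            if _is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")  # link body is its target
                reason = f"symlink entry -> {target}"
                if _escapes_root(target):
                    reason += " (target escapes extraction root)"
                findings.append(ArchiveFinding(info.filename, reason))
                symlink_dirs.add(name)
    return findings


def should_quarantine(data: bytes) -> bool:
    return bool(screen_zip(data))


def build_suspicious_archive() -> bytes:
    # Constructed fixture: a benign file, a symlink entry whose target points
    # above the extraction root, and a file entry placed beneath that symlink.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "quarterly numbers")
        link = zipfile.ZipInfo("updates")
        link.create_system = 3  # 3 = Unix, so external_attr carries a POSIX mode
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../outside")
        zf.writestr("updates/notes.txt", "placed under the link")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    # Constructed fixture with ordinary relative entries only.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "plain file")
        zf.writestr("docs/img/logo.bin", b"\x89PNG")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("suspicious", build_suspicious_archive()),
                        ("clean", build_clean_archive())):
        print(f"{label}: quarantine={should_quarantine(blob)}")
        for finding in screen_zip(blob):
            print(f"  {finding.entry}: {finding.reason}")
```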
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity type confusion vulnerability in the Google Chromium V8 JavaScript engine to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2025-13223, this flaw is under active exploitation. The inclusion in the KEV catalog signifies a confirmed threat to federal agencies and a strong recommendation for all organizations to patch immediately.
Business impact
Failure to patch this vulnerability exposes organizations to remote code execution attacks through web browsers. An attacker could craft a malicious webpage to compromise user systems, leading to data theft, malware installation, or lateral movement within the network.
Recommended action
Immediately apply the latest security updates for all Chromium-based browsers (Google Chrome, Microsoft Edge, etc.) across the enterprise. Federal agencies are required to patch by the CISA-mandated deadline.
The European Supervisory Authorities (ESAs) have officially designated Amazon Web Services (AWS) as a critical third-party provider (CTPP) under the Digital Operational Resilience Act (DORA). This designation places AWS under direct oversight by EU financial regulators, imposing stringent operational resilience and reporting requirements.
Business impact
Financial institutions in the EU using AWS must ensure their cloud architecture and contracts align with DORA's rigorous standards. This designation reinforces the systemic importance of major cloud providers and will likely lead to increased scrutiny and compliance overhead for their financial sector customers.
Recommended action
EU-based financial organizations using AWS should review their DORA compliance programs immediately. Engage with legal and compliance teams to assess the impact of this designation on third-party risk management and incident reporting obligations.
Microsoft has issued a warning that an experimental AI Agent integrated into Windows is capable of being manipulated to infect devices and exfiltrate sensitive user data. This admission has drawn criticism from security experts who question the wisdom of deploying powerful, autonomous AI features before their security implications are fully understood.
Business impact
The integration of powerful AI agents directly into the OS creates a new and significant attack surface. If exploited, these agents could bypass traditional security controls, providing attackers with privileged access to perform actions on behalf of the user, leading to severe data breaches and system compromise.
Recommended action
Security teams should develop policies governing the use of integrated AI agents. Disable experimental or non-essential AI features via group policy until their security posture can be thoroughly vetted.
A new malware campaign is targeting users in Brazil, using a Python-based worm that spreads through WhatsApp to deliver the Eternidade Stealer. This Delphi-based banking trojan uses social engineering and WhatsApp hijacking to propagate and steal sensitive financial information.
Business impact
This campaign highlights the risk of using personal messaging apps for business communication. A successful infection on an employee's device could lead to the theft of corporate credentials, financial data, and the use of the compromised account to attack colleagues and business partners.
Recommended action
Reinforce user awareness training about social engineering attacks on messaging platforms. Implement mobile device management (MDM) policies to detect and block known malicious applications.
In a major industry move, Palo Alto Networks has announced its intent to acquire Chronosphere, a platform specializing in observability for AI workloads, for $3.35 billion. This acquisition signals a strategic push by major security vendors to integrate advanced AI monitoring and security capabilities directly into their platforms.
Business impact
This acquisition reflects the growing importance of securing complex, AI-driven cloud environments. For customers of Palo Alto Networks, this will likely lead to enhanced capabilities for monitoring and securing AI applications, but may also require integration planning and potential shifts in their observability strategy.
Recommended action
Organizations using Palo Alto Networks products should monitor communications regarding the integration of Chronosphere's technology. Teams responsible for cloud and AI security should evaluate how this new capability could enhance their security posture.
Cybersecurity startup Secure.com has emerged from stealth, launching its "Digital Security Teammate" (DST) and announcing $4.5 million in funding. The DST is a new category of AI-native agent designed to automate security operations tasks like investigation and triage to assist understaffed security teams.
Amazon's threat intelligence teams have identified a significant trend where nation-state actors are using cyber operations to enable physical, real-world attacks. Termed "cyber-enabled kinetic targeting," this strategy involves breaching digital systems to gather intelligence for directing conventional military or physical operations. This blurs the line between cyber warfare and traditional kinetic warfare.
Business impact
Organizations in critical infrastructure, defense, and logistics sectors are at high risk. A breach could not only lead to data loss but also facilitate physical threats to assets, supply chains, and personnel, posing a direct risk to national security and operational continuity.
Recommended action
Critical infrastructure organizations should re-evaluate their threat models to include scenarios where digital breaches are precursors to physical attacks. Enhance monitoring of systems that control or provide intelligence on physical operations and strengthen collaboration with national security agencies.
Spotlight Rationale: Selected due to the increasing focus on AI in both offensive and defensive security, as highlighted by today's intelligence on Microsoft's risky experimental AI Agent and the industry's push for AI-driven automation to combat threat actor innovation.
Platform Focus: Secure.com Digital Security Teammate (DST)
Secure.com is introducing a new category of "agentic security" with its Digital Security Teammate. As OS-integrated AI like Microsoft's creates new attack surfaces, defensive AI must evolve beyond simple pattern matching. The DST concept aims to provide an autonomous agent for security teams that can independently investigate, triage, and escalate alerts, effectively acting as an AI-powered SOC analyst. This approach is designed to augment lean security teams, allowing them to handle the increasing volume and complexity of alerts generated by modern threats.
Actionable Platform Guidance: Organizations should begin evaluating the emerging category of "agentic security." When assessing platforms like Secure.com's DST, focus on their integration capabilities with existing SIEM and SOAR tools, the transparency of their AI decision-making processes, and the level of human oversight required. Start by identifying a high-volume, low-complexity alert category (e.g., phishing email analysis) as a potential pilot use case.
When evaluating new AI security platforms like Secure.com's DST:
1. Define a Pilot Use Case:
   - Select a specific, measurable task (e.g., triage of inbound phishing alerts from a specific mailbox).
   - Establish baseline metrics: Mean Time to Triage (MTTT), analyst hours spent per week.
2. Assess Integration Hooks:
   - Verify API compatibility with your primary SIEM (e.g., Splunk, Sentinel) and SOAR platforms.
   - Confirm the agent can pull context from your EDR and threat intelligence feeds.
3. Evaluate AI Transparency:
   - Require the platform to provide a clear, human-readable log of its investigation steps and its reasoning for each conclusion.
   - Ensure there is a manual override and escalation path for every automated action.
4. Conduct a Proof-of-Concept (PoC):
   - Run the platform in monitor-only mode first to benchmark its findings against your human analysts.
   - Introduce controlled, automated actions (e.g., ticket creation, endpoint isolation in a test environment) and verify outcomes.
2. YARA Rule for Eternidade Stealer Indicators
rule Detect_Eternidade_Stealer_Delphi {
    meta:
        description = "Detects potential indicators associated with the Delphi-based Eternidade Stealer malware."
        author = "Threat Rundown"
        date = "2025-11-20"
        reference = "https://lifeboat.com/blog/2025/11/python-based-whatsapp-worm-spreads-eternidade-stealer-across-brazilian-devices"
        severity = "high"
        tlp = "white"
    strings:
        // Common strings found in Delphi applications
        $delphi1 = "Borland" wide ascii
        $delphi2 = "VCL" wide ascii
        // Hypothetical strings based on malware name and function
        $s1 = "Eternidade" wide ascii
        $s2 = "IMAP_Client_Login" wide ascii
        $s3 = "whatsapp_hijack_payload" wide ascii
    condition:
        uint16(0) == 0x5a4d and // Check for MZ header
        all of ($delphi*) and
        1 of ($s*)
}
# This script queries the registry on local and remote machines to find installed versions of 7-Zip.
# Manually verify whether the found versions are vulnerable to CVE-2025-11001.
# Remote queries use PowerShell Remoting (WinRM), which must be enabled on the target hosts;
# the local machine is queried directly so the script also works without WinRM.
$computers = @("localhost") # Add remote computer names here, e.g., "SERVER01", "WKSTN01"
$results = @()

# Check both the 64-bit and the 32-bit (Wow6432Node) uninstall hives
$uninstallQuery = {
    Get-ItemProperty -Path @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    ) -ErrorAction SilentlyContinue
}

foreach ($computer in $computers) {
    if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
        Write-Host "Checking $computer..."
        try {
            if ($computer -in @('localhost', '.', $env:COMPUTERNAME)) {
                $regKeys = & $uninstallQuery
            } else {
                $regKeys = Invoke-Command -ComputerName $computer -ScriptBlock $uninstallQuery
            }
            $sevenZip = $regKeys | Where-Object { $_.DisplayName -like '7-Zip*' }
            if ($sevenZip) {
                foreach ($app in $sevenZip) {
                    $results += [PSCustomObject]@{
                        ComputerName    = $computer
                        DisplayName     = $app.DisplayName
                        DisplayVersion  = $app.DisplayVersion
                        InstallLocation = $app.InstallLocation
                    }
                }
            } else {
                Write-Host "No 7-Zip installation found on $computer."
            }
        }
        catch {
            Write-Warning "Failed to query registry on $computer. Error: $($_.Exception.Message)"
        }
    } else {
        Write-Warning "Cannot connect to $computer."
    }
}
$results | Format-Table -AutoSize
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
{
"type": "bundle",
"id": "bundle--2822f167-2bfc-4bea-aae4-897909d2eba9",
"objects": [
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"created": "2022-10-01T00:00:00.000Z",
"definition_type": "tlp:2.0",
"name": "TLP:CLEAR",
"definition": {
"tlp": "clear"
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--1e48f734-a6bd-4d1f-86e9-9cf3969a0da2",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"name": "MikeGPT Intelligence Platform",
"description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds",
"identity_class": "organization",
"sectors": [
"technology",
"defense"
],
"contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--aff9ca72-aa87-44c9-ad6a-5683b30777c9",
"created": "2025-11-20T11:02:23.307Z",
"modified": "2025-11-20T11:02:23.307Z",
"name": "Threat Intelligence Report - 2025-11-20",
"description": "Threat Intelligence Report - 2025-11-20\n\nThis report consolidates actionable cybersecurity intelligence from 85 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Palo Alto Networks to Acquire AI Observability Platform Chronosphere for $3.35 Billion (Score: 100)\n• AWS designated as a critical third-party provider under EU’s DORA regulation (Score: 100)\n• Palo Alto Networks to acquire observability firm Chronosphere for $3.35 billion (Score: 100)\n• U.S. CISA adds a Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog (Score: 100)\n• News alert: Secure.com debuts AI-native ‘Digital Security Teammate’ to help lean security teams (Score: 100)\n\nEXTRACTED ENTITIES:\n• 25 Attack Pattern(s)\n• 2 Malware(s)\n• 1 Marking Definition(s)\n• 6 Relationship(s)\n• 2 Threat Actor(s)\n• 3 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n",
"published": "2025-11-20T11:02:23.307Z",
"object_refs": [
"identity--1e48f734-a6bd-4d1f-86e9-9cf3969a0da2",
"identity--666fc7fe-c911-419e-a1d6-ea47e6b3646f",
"vulnerability--5e369bca-b499-4ea5-b982-640bd01c35b1",
"identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"identity--1cfa9111-ae8b-4e07-b1bb-e4830f7ef190",
"vulnerability--6643f5db-a06a-43cf-b9d0-39b421db4cf8",
"identity--437b7cf0-8e51-4d57-8ed6-fd20a9f08d8c",
"identity--5ccdf7bc-6dc4-4348-ac05-2f7e1ccfb271",
"identity--91889494-9896-493d-855f-219340c5ad50",
"identity--156dcd46-2e7a-48c0-b904-d62225f19cbb",
"identity--9e221940-56db-4bff-9bec-74d128f9e398",
"identity--0e410a98-7b4b-4c2b-826b-fb341c9cc4fd",
"identity--a0ef8353-a3c3-4d74-bb09-de1363f68f61",
"identity--e5be0d04-5c47-487d-9781-fdb0a0acbf05",
"identity--c82491fa-478b-4178-8ccc-588f1d8048ae",
"identity--ccca0b57-df09-41e7-a71d-83c5ebe64ed0",
"identity--91451c72-8eb8-4969-89f3-1ca93748d3ca",
"identity--d9262202-0b75-4741-8988-9ec09c4ef39f",
"identity--addee744-7b9c-42b7-ad33-81e05bd54288",
"identity--5653d5fd-3625-41d2-b03e-b4bf2db2b5f8",
"identity--cfa38253-c485-4d1d-b2f0-cf7e54a58911",
"identity--80187847-d398-43be-8dff-f0260720e3d4",
"identity--7be00105-2c62-468b-ba74-0ee86ec689e6",
"identity--6b00abde-6daa-4b0c-acfc-f61410f356f1",
"vulnerability--5922ecee-2ad9-4b6d-94c3-fdeab789c1c3",
"identity--f266b010-faaf-43f3-8630-18cc2adfbdda",
"identity--3c3a9dcd-75b9-456c-b903-7783970510b8",
"identity--5e73c7d8-0b40-487c-9234-bf59fb753453",
"identity--a04504b2-a380-40ae-816a-e5302a523273",
"identity--84f8f64b-bb8a-4aeb-9e4b-941237e2f154",
"identity--1a034a22-aade-4345-91aa-ead21367e38a",
"threat-actor--3b7a32e4-0cc3-480c-82ba-15d3bc5d6f18",
"threat-actor--11b59dfe-0df2-47ce-9305-82c2821d5449",
"identity--22adc8cf-bc50-4bc0-9266-ca8b9bdf4494",
"identity--7e99cd42-146f-4eb9-88a2-92276aefde91",
"identity--858fbef3-8db8-4bef-89ef-c7f0bcc49c2e",
"identity--a810078e-1cc7-4d06-b6aa-fb737dcc14c6",
"identity--9602c33d-5759-40f1-83ac-74cf4aed6790",
"malware--d79262f4-9d58-48a0-87c4-9a18b6d2aabf",
"identity--426bc3c6-fa61-4f3d-afee-1c8c0988aec1",
"identity--e364ad90-7577-414f-b4c3-873c5e843001",
"malware--a03aeea6-2f00-4d3d-ae3b-b53480ca8c16",
"identity--464e1ba2-b374-4fb7-8772-b7604deeec8d",
"attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"attack-pattern--ce39e6f2-b20f-421e-83e1-242a773e1927",
"attack-pattern--d5229cf6-f11b-41bc-8aca-0df713047400",
"attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"attack-pattern--3cfe33ad-33e7-4370-a083-fd1b2c9457ab",
"attack-pattern--a45b8295-9056-4ed5-b811-6e7d2a71483e",
"attack-pattern--775a5581-fd79-4cfc-a505-6d409b3bbfba",
"attack-pattern--886a4798-e626-4753-818e-9a4cb8b7255a",
"attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d",
"attack-pattern--d908f54b-aa9a-4701-a98f-01c43e462d86",
"attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6",
"attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e",
"relationship--ca859b2d-2ad2-42b3-b408-8bb62fbf10f4",
"relationship--ad859233-ac0f-4cb6-bb5e-43c9ea650b9f",
"relationship--5e9a4164-f258-4478-9752-a3dcba8d2bb9",
"relationship--bf2ab967-654c-47dd-8a26-48520001ba52",
"relationship--c1d3c827-2df5-450d-82de-6ff7738e32dd",
"relationship--8b37a7fc-99a8-4f67-a875-835b9cd83a6c"
],
"labels": [
"threat-report",
"threat-intelligence"
],
"created_by_ref": "identity--1e48f734-a6bd-4d1f-86e9-9cf3969a0da2",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.304Z",
"modified": "2025-11-20T11:02:23.304Z",
"confidence": 95,
"type": "identity",
"id": "identity--666fc7fe-c911-419e-a1d6-ea47e6b3646f",
"name": "Known Exploited Vulnerabilities",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Known Exploited Vulnerabilities is a US government database that tracks and publicly discloses known exploited vulnerabilities in software and hardware, allowing organizations to prioritize patching and mitigation efforts to prevent cyber attacks.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.304Z",
"modified": "2025-11-20T11:02:23.304Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--5e369bca-b499-4ea5-b982-640bd01c35b1",
"name": "CVE-2025-13223",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-13223",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13223"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-13223",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13223"
}
],
"description": "Here are some important ones to focus on. Cyble Vulnerability Intelligence researchers tracked 971 vulnerabilities in the last week, and at least 37 of the disclosed vulnerabilities quickly had a publicly",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.304Z",
"modified": "2025-11-20T11:02:23.304Z",
"confidence": 95,
"type": "identity",
"id": "identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"name": "Microsoft",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Microsoft is a multinational technology company that develops, manufactures, licenses, and supports a wide range of software products, services, and devices.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--1cfa9111-ae8b-4e07-b1bb-e4830f7ef190",
"name": "Fortinet FortiWeb",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Fortinet FortiWeb is a web application firewall (WAF) that protects against web-based attacks by filtering and blocking malicious traffic, and enforcing security policies to prevent data breaches and cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--6643f5db-a06a-43cf-b9d0-39b421db4cf8",
"name": "CVE-2025-58034",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-58034",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58034"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-58034",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58034"
}
],
"description": "By integrating Varonis signals into Purview, data security teams gain unified visibility into sensitive data across third-party platforms like Salesforce alongside their Microsoft data. “This security integration be",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--437b7cf0-8e51-4d57-8ed6-fd20a9f08d8c",
"name": "Creators & Presenters",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Creators & Presenters is a company.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--5ccdf7bc-6dc4-4348-ac05-2f7e1ccfb271",
"name": "Cloudflare",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Cloudflare is a company that provides a suite of cybersecurity services, including content delivery networks, web application firewalls, and distributed denial-of-service (DDoS) protection, to help protect websites and applications from cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--91889494-9896-493d-855f-219340c5ad50",
"name": "DoorDash",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "DoorDash is a U.S.-based food delivery and logistics company that experienced a social engineering attack leading to a data breach, exposing users' names, addresses, emails, and phone numbers.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--156dcd46-2e7a-48c0-b904-d62225f19cbb",
"name": "tryhackme",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Tryhackme is a cloud-based platform offering virtual labs and capture-the-flag challenges for hands-on cybersecurity training and learning.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--9e221940-56db-4bff-9bec-74d128f9e398",
"name": "Chrome",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Chrome is a web browser developed by Google that allows users to access and navigate the internet securely and efficiently.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--0e410a98-7b4b-4c2b-826b-fb341c9cc4fd",
"name": "Palo Alto Networks Inc.",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Palo Alto Networks Inc. is a cybersecurity company that provides network security solutions, including firewalls, threat prevention, and cloud security, to protect organizations from cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--a0ef8353-a3c3-4d74-bb09-de1363f68f61",
"name": "Chronosphere",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Chronosphere is a next-generation observability platform designed for artificial intelligence (AI) workloads.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--e5be0d04-5c47-487d-9781-fdb0a0acbf05",
"name": "Amazon Web Services",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Amazon Web Services is a cloud computing platform that provides a wide range of services for computing, storage, databases, analytics, machine learning, and more, enabling businesses to build, deploy, and manage applications and workloads in the cloud.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--c82491fa-478b-4178-8ccc-588f1d8048ae",
"name": "Google Chromium V8",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Google Chromium V8 is a high-performance JavaScript engine used in Google Chrome and other browsers, providing fast execution of web page scripts and enabling responsive web applications.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--ccca0b57-df09-41e7-a71d-83c5ebe64ed0",
"name": "Secure.com",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Secure.com is a company that provides cybersecurity solutions and services, including threat intelligence and vulnerability management.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 30,
"type": "identity",
"id": "identity--91451c72-8eb8-4969-89f3-1ca93748d3ca",
"name": "Network Firewall",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "A Network Firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules to prevent unauthorized access, malicious activities, and data breaches.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 85,
"type": "identity",
"id": "identity--d9262202-0b75-4741-8988-9ec09c4ef39f",
"name": "AWS Partners",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "AWS Partners is a company",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--addee744-7b9c-42b7-ad33-81e05bd54288",
"name": "CyberArk",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "CyberArk is a company that specializes in Privileged Access Management (PAM) solutions to secure and manage access to sensitive data and systems.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--5653d5fd-3625-41d2-b03e-b4bf2db2b5f8",
"name": "Amazon",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Amazon is a multinational technology company that specializes in e-commerce, cloud computing, digital streaming, and artificial intelligence.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--cfa38253-c485-4d1d-b2f0-cf7e54a58911",
"name": "Yuqing Yang",
"identity_class": "individual",
"labels": [
"identity"
],
"description": "Yuqing Yang is a researcher and author in the field of cybersecurity, specifically focusing on mobile security. He is affiliated with The Ohio State University and has co-authored papers on topics such as identifying and dissecting malware in mini-apps.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--80187847-d398-43be-8dff-f0260720e3d4",
"name": "Zhiqiang Lin",
"identity_class": "individual",
"labels": [
"identity"
],
"description": "Zhiqiang Lin is a researcher and author in the field of cybersecurity, specifically in mobile security. He is affiliated with The Ohio State University and has co-authored papers on malware identification and dissection, as well as presented at cybersecurity conferences.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--7be00105-2c62-468b-ba74-0ee86ec689e6",
"name": "Miniapp Malware: Identification, Dissection",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Miniapp Malware: Identification, Dissection is a research paper that explores the identification, dissection, and characteristics of miniapp malware, a type of malicious software designed to evade detection and compromise mobile devices.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--6b00abde-6daa-4b0c-acfc-f61410f356f1",
"name": "7-Zip",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "7-Zip is a free and open-source file archiver that compresses and extracts files in various formats, including its own 7z format, and supports encryption and password protection.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--5922ecee-2ad9-4b6d-94c3-fdeab789c1c3",
"name": "CVE-2025-11001",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-11001",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11001"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-11001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11001"
}
],
"description": "CVE-2025-11001 is a vulnerability identifier tracked in the CVE (Common Vulnerabilities and Exposures) database.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--f266b010-faaf-43f3-8630-18cc2adfbdda",
"name": "Checkmarx’s AppSec",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Checkmarx’s AppSec is a software security solution that scans code for vulnerabilities and provides recommendations to fix security flaws, ensuring the integrity and protection of applications and APIs.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--3c3a9dcd-75b9-456c-b903-7783970510b8",
"name": "Checkmarx",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Checkmarx is a software security company that provides application security testing and code analysis solutions to identify and remediate vulnerabilities in source code.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--5e73c7d8-0b40-487c-9234-bf59fb753453",
"name": "Yizhe Shi",
"identity_class": "individual",
"labels": [
"identity"
],
"description": "Yizhe Shi is a researcher at Fudan University, presenting on mobile security topics and contributing to papers on the subject.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--a04504b2-a380-40ae-816a-e5302a523273",
"name": "Fudan University",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "Fudan University is a public research university located in Shanghai, China. It is one of the most prestigious universities in China and has a strong reputation for academic excellence. In the context of cybersecurity, researchers from Fudan University have made significant contributions to the field, including the discovery of vulnerabilities and the development of new security technologies.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--84f8f64b-bb8a-4aeb-9e4b-941237e2f154",
"name": "Guangliang Yang",
"identity_class": "individual",
"labels": [
"identity"
],
"description": "Guangliang Yang is a cybersecurity researcher and author, known for contributing to the Mobile Security research field with Yizhe Shi, Zhemin Yang, Kangwei Zhong, Yifan Yang, Xiaohan Zhang, and others.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--1a034a22-aade-4345-91aa-ead21367e38a",
"name": "Yifan Yang",
"identity_class": "individual",
"labels": [
"identity"
],
"description": "Yifan Yang is a researcher at Fudan University who contributed to a mobile security session with co-authors Zhemin Yang, Kangwei Zhong, Guangliang Yang, Yizhe Shi, Xiaohan Zhang, and possibly others.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 92,
"type": "threat-actor",
"id": "threat-actor--3b7a32e4-0cc3-480c-82ba-15d3bc5d6f18",
"name": "Operation WrtHug",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "Operation WrtHug is a malicious campaign that compromises tens of thousands of outdated or end-of-life ASUS routers worldwide, mainly in Taiwan, the U.S., and Russia, forming a large botnet. This campaign is significant as it highlights the risks of using outdated and unsupported devices, which can be easily exploited by attackers to gain unauthorized access and control over networks.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 90,
"type": "threat-actor",
"id": "threat-actor--11b59dfe-0df2-47ce-9305-82c2821d5449",
"name": "CyLab-Africa",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "CyLab-Africa is a research group that partners with mobile security providers to explore the security of common financial services apps used across Africa.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--22adc8cf-bc50-4bc0-9266-ca8b9bdf4494",
"name": "Approov",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Approov is a company",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--7e99cd42-146f-4eb9-88a2-92276aefde91",
"name": "GreyNoise",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "GreyNoise is a cybersecurity company that provides a threat intelligence platform to separate noise from the signal of malicious traffic, helping to filter out false positives and improve threat detection.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--858fbef3-8db8-4bef-89ef-c7f0bcc49c2e",
"name": "FIDO2",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "FIDO2 is an authentication protocol that enables passwordless login and provides secure, phishing-resistant authentication using public key cryptography and biometric authentication methods.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--a810078e-1cc7-4d06-b6aa-fb737dcc14c6",
"name": "InfluxData",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "InfluxData is a technology company that provides a platform for collecting, processing, and analyzing time-series data. They developed the open-source time-series database, InfluxDB, and offer a suite of related tools for data ingest, query, and visualization.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "identity",
"id": "identity--9602c33d-5759-40f1-83ac-74cf4aed6790",
"name": "KnowBe4",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "KnowBe4 is a cybersecurity awareness training company that provides educational resources, including interactive simulations and videos, to help organizations improve their employees' cybersecurity knowledge and behaviors.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.305Z",
"modified": "2025-11-20T11:02:23.305Z",
"confidence": 95,
"type": "malware",
"id": "malware--d79262f4-9d58-48a0-87c4-9a18b6d2aabf",
"name": "LockBit",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "LockBit is a ransomware family that encrypts files on victims' systems and demands payment in exchange for the decryption key. LockBit gains initial access to networks by exploiting vulnerabilities or through phishing emails. Once inside, it spreads laterally and encrypts files, changing their extensions. The group behind LockBit is known for stealing data before encrypting it and threatening to release it if the ransom demand is not met.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 95,
"type": "identity",
"id": "identity--426bc3c6-fa61-4f3d-afee-1c8c0988aec1",
"name": "SolarWinds Serv-U",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "SolarWinds Serv-U is a secure file transfer protocol (SFTP) server software that enables secure file exchange and management between organizations.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 95,
"type": "identity",
"id": "identity--e364ad90-7577-414f-b4c3-873c5e843001",
"name": "SolarWinds",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "SolarWinds is a company that provides network management software and tools for IT professionals to monitor, manage, and optimize their IT infrastructure.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 90,
"type": "malware",
"id": "malware--a03aeea6-2f00-4d3d-ae3b-b53480ca8c16",
"name": "Akira",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "Akira is a ransomware that exploits Multi-Factor Authentication (MFA) push-spam, weak VPN security, and identity gaps to compromise systems. It is part of a larger campaign called Operation WrtHug, which has compromised tens of thousands of outdated or end-of-life ASUS routers worldwide, mainly in Taiwan, the U.S., and Russia.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 95,
"type": "identity",
"id": "identity--464e1ba2-b374-4fb7-8772-b7604deeec8d",
"name": "Treasury Links Russian Bulletproof Host Network to Prolific",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Treasury Links Russian Bulletproof Host Network to Prolific is a company.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"name": "Command and Scripting Interpreter",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/",
"external_id": "T1059"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"name": "Spearphishing Attachment",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/001/",
"external_id": "T1566.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"name": "Spearphishing Link",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/002/",
"external_id": "T1566.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"name": "Spearphishing via Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/003/",
"external_id": "T1566.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--ce39e6f2-b20f-421e-83e1-242a773e1927",
"name": "Create or Modify System Process",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1543",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1543/",
"external_id": "T1543"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--d5229cf6-f11b-41bc-8aca-0df713047400",
"name": "Boot or Logon Autostart Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1547",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1547/",
"external_id": "T1547"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"name": "Supply Chain Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/",
"external_id": "T1195"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"name": "Valid Accounts",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1078",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1078/",
"external_id": "T1078"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--3cfe33ad-33e7-4370-a083-fd1b2c9457ab",
"name": "Pluggable Authentication Modules",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1556.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1556/003/",
"external_id": "T1556.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--a45b8295-9056-4ed5-b811-6e7d2a71483e",
"name": "Multi-Factor Authentication",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1556.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1556/006/",
"external_id": "T1556.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--775a5581-fd79-4cfc-a505-6d409b3bbfba",
"name": "Browser Session Hijacking",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1185",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1185/",
"external_id": "T1185"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 78,
"type": "attack-pattern",
"id": "attack-pattern--886a4798-e626-4753-818e-9a4cb8b7255a",
"name": "Multi-Factor Authentication Request Generation",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"x_mitre_id": "T1621",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1621/",
"external_id": "T1621"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 73,
"type": "attack-pattern",
"id": "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d",
"name": "Search Threat Vendor Data",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"x_mitre_id": "T1681",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1681/",
"external_id": "T1681"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--d908f54b-aa9a-4701-a98f-01c43e462d86",
"name": "Domains",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1583.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1583/001/",
"external_id": "T1583.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"name": "Scheduled Task",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/005/",
"external_id": "T1053.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"name": "Socket Filters",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1205.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1205/002/",
"external_id": "T1205.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"name": "Malicious Shell Modification",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1156",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1156/",
"external_id": "T1156"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"name": "Archive via Utility",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1560.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1560/001/",
"external_id": "T1560.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"name": "Screen Capture",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1113",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1113/",
"external_id": "T1113"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"name": "Adversary-in-the-Middle",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1557",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1557/",
"external_id": "T1557"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 68,
"type": "attack-pattern",
"id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"name": "Vulnerabilities",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/006/",
"external_id": "T1588.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 67,
"type": "attack-pattern",
"id": "attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6",
"name": "Artificial Intelligence",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.007",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/007/",
"external_id": "T1588.007"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"confidence": 67,
"type": "attack-pattern",
"id": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e",
"name": "Browser Extensions",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1176.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1176/001/",
"external_id": "T1176.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ca859b2d-2ad2-42b3-b408-8bb62fbf10f4",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"relationship_type": "uses",
"source_ref": "threat-actor--3b7a32e4-0cc3-480c-82ba-15d3bc5d6f18",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: operation wrthug uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ad859233-ac0f-4cb6-bb5e-43c9ea650b9f",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"relationship_type": "uses",
"source_ref": "threat-actor--3b7a32e4-0cc3-480c-82ba-15d3bc5d6f18",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: operation wrthug uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5e9a4164-f258-4478-9752-a3dcba8d2bb9",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"relationship_type": "uses",
"source_ref": "threat-actor--3b7a32e4-0cc3-480c-82ba-15d3bc5d6f18",
"target_ref": "attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: operation wrthug uses valid accounts (T1078)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--bf2ab967-654c-47dd-8a26-48520001ba52",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"relationship_type": "uses",
"source_ref": "threat-actor--11b59dfe-0df2-47ce-9305-82c2821d5449",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: cylab-africa uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c1d3c827-2df5-450d-82de-6ff7738e32dd",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"relationship_type": "uses",
"source_ref": "threat-actor--11b59dfe-0df2-47ce-9305-82c2821d5449",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: cylab-africa uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8b37a7fc-99a8-4f67-a875-835b9cd83a6c",
"created": "2025-11-20T11:02:23.306Z",
"modified": "2025-11-20T11:02:23.306Z",
"relationship_type": "uses",
"source_ref": "threat-actor--11b59dfe-0df2-47ce-9305-82c2821d5449",
"target_ref": "attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: cylab-africa uses valid accounts (T1078)",
"x_validation_method": "mitre-mapper"
}
]
}