Retell AI's API has been found to lack sufficient guardrails, leading to "Excessive Agency" (LLM08). This vulnerability allows AI voice agents to perform actions beyond their intended scope, which attackers can leverage for large-scale social engineering and phishing campaigns.
Business impact
Organizations using this AI service may inadvertently facilitate fraud or misinformation campaigns, leading to severe reputational damage and potential legal liability under consumer protection laws.
Recommended action
Review all integrations with Retell AI. Implement strict output validation and limit the permissions granted to AI agents until the vendor provides a comprehensive fix.
Threat actors are actively exploiting a recently patched vulnerability in Windows Server Update Services (WSUS) to deliver the ShadowPad malware. Researchers at AhnLab Security Intelligence Center observed attackers using the flaw to gain initial access, subsequently deploying PowerCat for shell access and installing the backdoor.
Business impact
This exploitation vector turns a trusted patch management system into a malware distribution point, potentially compromising the entire server estate managed by the infected WSUS instance. Successful compromise allows for persistent long-term espionage and data exfiltration.
Recommended action
Verify that all WSUS servers are patched against CVE-2025-59287 immediately. Audit WSUS logs for unexpected content synchronization or approval activities.
SonicWall has identified a high-severity stack-based buffer overflow vulnerability in its SonicOS SSLVPN feature affecting Gen7 and Gen8 firewalls. The flaw allows remote attackers to cause a Denial of Service (DoS) condition, crashing the firewall appliances.
Business impact
A successful exploit can take critical network perimeter defenses offline, disrupting remote workforce access and potentially serving as a distraction for other malicious activity. Downtime of edge firewalls directly impacts business continuity.
Recommended action
Apply the latest firmware updates to Gen7 and Gen8 firewalls immediately. If patching is not possible, restrict SSLVPN access to trusted IP addresses.
A summary of the week's major threats highlights a new Chrome zero-day vulnerability and ongoing attacks against Fortinet devices. Major tech firms including Google and Microsoft have been forced to react rapidly to these evolving threats.
Business impact
The presence of a Chrome zero-day puts all browser-based workflows at risk of compromise via drive-by downloads or malicious sites. Unpatched Fortinet devices remain a primary entry point for ransomware groups.
Recommended action
Ensure Google Chrome is updated to the latest version across the enterprise. Verify Fortinet appliances are patched against recent known exploits.
Microsoft has highlighted significant security risks introduced by new "Agentic AI" features. Without proper controls, these autonomous agents could be manipulated to perform malicious actions such as data exfiltration or malware installation.
Business impact
As organizations rush to adopt AI agents for automation, they may bypass traditional security controls, creating a shadow IT layer that can execute privileged actions without human oversight.
Recommended action
Establish a governance framework for AI agents. Restrict agent permissions to the minimum necessary and monitor their activity logs for anomalous behavior.
The Cl0p ransomware group has listed Mazda on its leak site, linking the incident to an Oracle EBS campaign. Mazda has stated there is currently no evidence of data leakage or operational impact.
Business impact
While operations appear unaffected, the listing suggests a breach of perimeter defenses or third-party systems. This highlights the persistent threat of ransomware groups targeting large manufacturing entities.
Recommended action
Review third-party connections and ensure Oracle EBS instances are patched and not exposed to the public internet.
Kaspersky reports a surge in cybercriminal activity targeting the global e-commerce market ahead of Black Friday. Attackers are capitalizing on the 7-9% annual growth in online retail to launch phishing and fraud campaigns.
Cloudflare has introduced payload logging for its Web Application Firewall (WAF) to help customers better analyze attacks and reduce false positives. This feature addresses the high cardinality of modern web workloads.
Despite government advocacy, the adoption of Software Bills of Materials (SBOMs) is struggling to keep pace with the rapid development of AI-generated code. Hidden vulnerabilities in open-source components remain a significant risk.
Multiple vulnerabilities have been discovered in Fluent Bit, a widely used logging processor for cloud and container environments. The flaws include stack buffer overflows, authentication bypass, and path traversal, potentially allowing for Remote Code Execution (RCE) and DoS.
Business impact
As a core component of observability pipelines, compromised Fluent Bit instances can allow attackers to intercept sensitive logs, disrupt monitoring, or pivot into the underlying container infrastructure.
Recommended action
Upgrade Fluent Bit to the latest stable release immediately. Audit network exposure of Fluent Bit's HTTP server and ensure it is not accessible from the public internet.
Spotlight Rationale: Google is currently addressing a critical Chrome 0-day vulnerability (Item 4) while simultaneously shaping the workforce through its certification programs.
Platform Focus: Google Chrome Enterprise / Google Cybersecurity Professional Certificate
Google is central to the current threat landscape, with Chrome being a primary target for zero-day exploits. Their rapid response mechanisms in Chrome Enterprise allow for enforced patching, which is critical when zero-days are active. Concurrently, their Cybersecurity Professional Certificate is a key resource for upskilling teams to defend against these very threats.
Actionable Platform Guidance: For immediate defense, enforce Chrome updates via Group Policy or Chrome Enterprise Core. For long-term resilience, leverage their training resources to upskill junior analysts on identifying browser-based threats.
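The Spotlight guidance above recommends enforcing Chrome updates through Group Policy or Chrome Enterprise Core. The following PowerShell script is an added example, not part of the newsletter and not Google tooling; it reports the installed Chrome version on each host and checks whether the Google Update policy (the UpdateDefault value under HKLM\SOFTWARE\Policies\Google\Update) still permits automatic updates. It assumes a system-wide Chrome install, WinRM access to the targets, and that you replace the $MinimumVersion placeholder with the fixed build from Google's release notes; the hostname WORKSTATION-01 is illustrative.

```powershell
# Added example (not from the newsletter): report the installed Chrome version on
# each host and check whether the Google Update policy still allows automatic
# updates. Assumptions: system-wide Chrome install, WinRM enabled on the targets,
# and $MinimumVersion filled in from Google's release notes (placeholder below).

$MinimumVersion = "0.0.0.0"                     # placeholder: replace with the fixed Chrome build
$computers      = "localhost", "WORKSTATION-01" # hostnames are illustrative

$check = {
    param([string]$MinimumVersion)
    $minimum = [version]$MinimumVersion

    # System-wide Chrome is installed under Program Files or Program Files (x86);
    # the (x86) variable is absent on 32-bit hosts, so drop empty roots first.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $exe   = $roots |
        ForEach-Object { Join-Path $_ "Google\Chrome\Application\chrome.exe" } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1

    if (-not $exe) {
        Write-Host "[INFO]  $env:COMPUTERNAME: no system-wide Chrome install found."
        return
    }

    # chrome.exe carries the product version in its file metadata.
    $installed = [version](Get-Item $exe).VersionInfo.ProductVersion
    if ($installed -lt $minimum) {
        Write-Host "[ALERT] $env:COMPUTERNAME runs Chrome $installed (below $minimum)." -ForegroundColor Red
    } else {
        Write-Host "[OK]    $env:COMPUTERNAME runs Chrome $installed."
    }

    # Google Update honours the UpdateDefault policy under this key when it is
    # deployed via Group Policy: 0 = updates disabled, 2 = manual updates only.
    # Either setting leaves an actively exploited zero-day unpatched until
    # someone intervenes, so both are flagged.
    $policyKey = "HKLM:\SOFTWARE\Policies\Google\Update"
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($null -eq $policy -or $null -eq $policy.UpdateDefault) {
        Write-Host "[INFO]  $env:COMPUTERNAME: no UpdateDefault policy set (Google Update default applies)."
    } elseif ($policy.UpdateDefault -in 0, 2) {
        Write-Host "[ALERT] $env:COMPUTERNAME: UpdateDefault=$($policy.UpdateDefault) blocks automatic Chrome updates." -ForegroundColor Red
    } else {
        Write-Host "[OK]    $env:COMPUTERNAME: UpdateDefault=$($policy.UpdateDefault) allows automatic updates."
    }
}

foreach ($computer in $computers) {
    # Skip hosts that do not answer a ping rather than waiting on WinRM timeouts.
    if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
        Invoke-Command -ComputerName $computer -ScriptBlock $check -ArgumentList $MinimumVersion
    } else {
        Write-Host "[WARN]  $computer is unreachable; skipped." -ForegroundColor Yellow
    }
}
```

Run it from an elevated console on a management host. A host tagged [ALERT] either lags behind the fixed build or carries a policy that prevents Google Update from closing that gap on its own; the script does not inspect per-user Chrome installs under %LOCALAPPDATA%, which need a separate inventory.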
4. PowerShell Script — Check WSUS Patch Status (CVE-2025-59287)
```powershell
# Hosts to check; "WSUS-SERVER-01" is a placeholder for your own WSUS server name(s).
$computers = "localhost", "WSUS-SERVER-01"

foreach ($computer in $computers) {
    # Skip hosts that do not answer a single ping rather than waiting on WinRM timeouts.
    if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
        Invoke-Command -ComputerName $computer -ScriptBlock {
            # Get-HotFix reads the update history recorded on the remote host. The KB
            # below is the one cited for CVE-2025-59287; the fix ships under a different
            # KB per Windows Server build, so substitute the KB for each host's build.
            $hotfix = Get-HotFix -Id "KB5044287" -ErrorAction SilentlyContinue
            if ($hotfix) {
                Write-Host "[SECURE] $env:COMPUTERNAME has patch KB5044287 installed."
            } else {
                Write-Host "[ALERT] $env:COMPUTERNAME is MISSING patch for CVE-2025-59287!" -ForegroundColor Red
            }
        }
    }
}
```
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
{
"type": "bundle",
"id": "bundle--cfe604e4-3ff6-4fd4-8cdc-3482326220a0",
"objects": [
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"created": "2022-10-01T00:00:00.000Z",
"definition_type": "tlp:2.0",
"name": "TLP:CLEAR",
"definition": {
"tlp": "clear"
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--fee65938-693c-4865-9dd7-02bef2ac01af",
"created": "2025-11-24T14:58:45.205Z",
"modified": "2025-11-24T14:58:45.205Z",
"name": "MikeGPT Intelligence Platform",
"description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds",
"identity_class": "organization",
"sectors": [
"technology",
"defense"
],
"contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--89b2fdb7-1de5-4f6c-95f6-b0b00746abe7",
"created": "2025-11-24T14:58:45.205Z",
"modified": "2025-11-24T14:58:45.205Z",
"name": "Threat Intelligence Report - 2025-11-24",
"description": "Threat Intelligence Report - 2025-11-24\n\nThis report consolidates actionable cybersecurity intelligence from 80 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Attackers deliver ShadowPad via newly patched WSUS RCE bug (Score: 100)\n• ⚡ Weekly Recap: Fortinet Exploit, Chrome 0-Day, BadIIS Malware, Record DDoS, SaaS Breach & More (Score: 100)\n• Microsoft Highlights Security Risks Introduced by New Agentic AI Feature (Score: 100)\n• To buy or not to buy: How cybercriminals capitalize on Black Friday (Score: 100)\n• Fake Prettier Extension on VSCode Marketplace Dropped Anivia Stealer (Score: 100)\n\nEXTRACTED ENTITIES:\n• 25 Attack Pattern(s)\n• 2 Malware(s)\n• 1 Marking Definition(s)\n• 1 Threat Actor(s)\n• 2 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n",
"published": "2025-11-24T14:58:45.205Z",
"object_refs": [
"identity--fee65938-693c-4865-9dd7-02bef2ac01af",
"identity--9e221940-56db-4bff-9bec-74d128f9e398",
"identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"identity--a728a080-82ff-441a-9f7b-f80ed1280225",
"identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396",
"identity--19a47e75-bfa8-4832-b1dd-4959d7d4a190",
"identity--0186ae1b-86aa-44d7-b12e-8dd8db99009b",
"vulnerability--eef4f13e-fbf3-4cca-a8b8-d83a3a4349dd",
"identity--a32754ce-47e5-4775-be04-f6984bc030d4",
"identity--d1ae695c-0b7c-460c-82ca-aee412ad2be6",
"identity--5839c70b-4177-4f97-8015-33c3a7596260",
"identity--5ccdf7bc-6dc4-4348-ac05-2f7e1ccfb271",
"identity--8802ab17-c52d-4bca-9705-2caf1a71c434",
"identity--666fc7fe-c911-419e-a1d6-ea47e6b3646f",
"identity--c5ee4b6e-5085-4c3b-b1ec-8dcdf4b2b313",
"threat-actor--8587f106-7cb6-432d-a1d6-96b518ad99b2",
"malware--2ece065e-3aae-40cb-95de-0577e8e0d0ae",
"identity--5d393703-17ab-4d70-8400-b43a4b79d42e",
"vulnerability--2602bc7a-afdf-4d1b-b016-14b0b2cc89d1",
"identity--6a864992-4e3e-4b5d-b572-b3ffeba9339c",
"identity--72a19049-3a4f-405f-a043-79e7f91b0c7a",
"identity--5039659d-dd2c-4481-9616-bafd2abf019d",
"identity--f7293d42-d0fa-463c-8991-fb03d2ecb59f",
"identity--3a3c0bca-dfaf-4a64-b34f-394c109c6302",
"identity--1dbd2f0a-4adf-4aaf-aec8-5223b0e0acb8",
"identity--4b93ac4e-61d4-4322-a80e-3a69001ab505",
"identity--9bafa8cc-056c-4e34-bb2d-61e718a0438b",
"identity--6741006f-839c-40a5-9d6e-5c3499671c57",
"malware--b1526fef-688f-44c8-960a-95786d39f740",
"identity--9b06977e-0c45-4bfb-bb2c-0433e8d386e2",
"identity--4bbfd461-c3c4-4f8b-ba51-ebd6d9ef0a2e",
"attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"attack-pattern--2cecb29c-a2c6-4961-bed1-a4055f51534d",
"attack-pattern--cd061a92-a819-4f73-99dc-228176018577",
"attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314",
"attack-pattern--2c821981-fda2-4cb8-926c-6edd4905d65c",
"attack-pattern--af705332-242d-4c31-9955-6dca77d560de",
"attack-pattern--75f8063e-1388-4007-8255-4523fceba24e",
"attack-pattern--dd0edf90-8f96-4a15-852b-ba611cd81716",
"attack-pattern--3785d15d-1c0c-4464-9200-10b744888e29",
"attack-pattern--3dfbd980-9c7a-4d3d-9e53-14e24b1fabdf",
"attack-pattern--7aa19707-a8bb-4175-a9ce-0dc6a85cf429",
"attack-pattern--fd1090dd-887f-49dd-b669-779349a8b66d",
"attack-pattern--52da8eaa-7af6-4d99-8b27-b0b7baf7a14c",
"attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"attack-pattern--6f441f0d-2af5-4ab6-853d-745c0cc303e9",
"attack-pattern--d8b65044-438a-43fb-a9f9-cda77057975d",
"attack-pattern--c1ff2266-1a4b-4292-80e6-f593eb2569a9",
"attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d"
],
"labels": [
"threat-report",
"threat-intelligence"
],
"created_by_ref": "identity--fee65938-693c-4865-9dd7-02bef2ac01af",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "identity",
"id": "identity--9e221940-56db-4bff-9bec-74d128f9e398",
"name": "Chrome",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Chrome is a web browser developed by Google that allows users to access and navigate the internet securely and efficiently.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "identity",
"id": "identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"name": "Microsoft",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Microsoft is a multinational technology company that develops, manufactures, licenses, and supports a wide range of software products, services, and devices.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "identity",
"id": "identity--a728a080-82ff-441a-9f7b-f80ed1280225",
"name": "Salesforce",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Salesforce is a cloud-based software company that provides customer relationship management (CRM) solutions for businesses to manage sales, marketing, and customer service operations.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "identity",
"id": "identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396",
"name": "Google",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Google is a multinational technology company specializing in Internet-related services and products, including search engines, online advertising technologies, cloud computing, and software.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "identity",
"id": "identity--19a47e75-bfa8-4832-b1dd-4959d7d4a190",
"name": "Kaspersky",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Kaspersky is a cybersecurity company that provides antivirus software and threat detection services to protect computers and mobile devices from malware and other online threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "identity",
"id": "identity--0186ae1b-86aa-44d7-b12e-8dd8db99009b",
"name": "SonicWall",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "SonicWall is a cybersecurity company that provides network security solutions, including firewalls, intrusion prevention systems, and VPNs, to protect against cyber threats and data breaches.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--eef4f13e-fbf3-4cca-a8b8-d83a3a4349dd",
"name": "CVE-2025-40601",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-40601",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40601"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-40601",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40601"
}
],
"description": "SonicWall warns of a high-severity buffer overflow flaw in SonicOS SSLVPN (CVE-2025-40601) that lets attackers crash Gen7 and Gen8 firewalls. A new high-severity SonicOS SSLVPN flaw, tracked as CVE-2025-40601 (CVSS score of 7.5), allows attackers to crash SonicWall Gen7 and Gen8 firewalls. SonicWall",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "identity",
"id": "identity--a32754ce-47e5-4775-be04-f6984bc030d4",
"name": "Microsoft Ignite",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Microsoft Ignite is an annual conference for technology professionals to learn about Microsoft products, services, and solutions, and network with peers and industry experts.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "identity",
"id": "identity--d1ae695c-0b7c-460c-82ca-aee412ad2be6",
"name": "Nanjing University of Science and Technology",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "Nanjing University of Science and Technology is a public research university in Nanjing, Jiangsu, China. It is a key comprehensive university under the national '211 Project' and is ranked among the top universities in China.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "identity",
"id": "identity--5839c70b-4177-4f97-8015-33c3a7596260",
"name": "CrowdStrike",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "CrowdStrike is a cloud-delivered endpoint security company that provides threat intelligence, incident response, and vulnerability management solutions to protect against cyber threats and advanced persistent threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "identity",
"id": "identity--5ccdf7bc-6dc4-4348-ac05-2f7e1ccfb271",
"name": "Cloudflare",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Cloudflare is a company that provides a suite of cybersecurity services, including content delivery networks, web application firewalls, and distributed denial-of-service (DDoS) protection, to help protect websites and applications from cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "identity",
"id": "identity--8802ab17-c52d-4bca-9705-2caf1a71c434",
"name": "Hoxhunt",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Hoxhunt is a phishing simulation and training platform that helps organizations educate employees on identifying and reporting suspicious emails to improve their cybersecurity awareness and resilience.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "identity",
"id": "identity--666fc7fe-c911-419e-a1d6-ea47e6b3646f",
"name": "Known Exploited Vulnerabilities",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Known Exploited Vulnerabilities is a US government database that tracks and publicly discloses known exploited vulnerabilities in software and hardware, allowing organizations to prioritize patching and mitigation efforts to prevent cyber attacks.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "identity",
"id": "identity--c5ee4b6e-5085-4c3b-b1ec-8dcdf4b2b313",
"name": "Grafana",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "Grafana is a software company that provides data visualization and monitoring tools, including Grafana Enterprise, which is a commercial version of their open-source platform. The company has released security updates to address a maximum severity security flaw that could allow privilege escalation or user impersonation under certain configurations.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--8587f106-7cb6-432d-a1d6-96b518ad99b2",
"name": "APT24",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "APT24 is a Chinese cyberespionage group known for its sophisticated attacks on various industries. They have been linked to several high-profile breaches and are believed to be sponsored by the Chinese government. APT24 is known for its use of advanced malware and social engineering tactics to gain access to sensitive information.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.203Z",
"modified": "2025-11-24T14:58:45.203Z",
"confidence": 95,
"type": "malware",
"id": "malware--2ece065e-3aae-40cb-95de-0577e8e0d0ae",
"name": "RONINGLOADER",
"is_family": true,
"malware_types": [
"dropper"
],
"labels": [
"malicious-activity"
],
"description": "RONINGLOADER is a malware loader associated with the DragonBreath threat actor group, used for delivering malicious payloads and exploiting vulnerabilities in software. It is specifically designed to evade detection and facilitate post-exploitation activities, making it a significant threat in the cybersecurity landscape.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 95,
"type": "identity",
"id": "identity--5d393703-17ab-4d70-8400-b43a4b79d42e",
"name": "cyble.com",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Cyble.com is a cybersecurity company that helps organizations track, monitor, and combat cyber threats, and provides intelligence on dark web activities.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--2602bc7a-afdf-4d1b-b016-14b0b2cc89d1",
"name": "CVE-2025-59287",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-59287",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59287"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-59287",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59287"
}
],
"description": "Attackers exploited a patched WSUS flaw (CVE-2025-59287) to gain access, use PowerCat for a shell, and deploy the ShadowPad malware. AhnLab SEcurity intelligence Center (ASEC) researchers reported that threat actors exploited a recently patched WSUS flaw ( CVE-2025-59287 ) to deliver the ShadowPad m",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 95,
"type": "identity",
"id": "identity--6a864992-4e3e-4b5d-b572-b3ffeba9339c",
"name": "AhnLab SEcurity intelligence Center (ASEC",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "AhnLab SEcurity intelligence Center (ASEC) is a research organization that identifies and reports on emerging cyber threats, providing intelligence to help protect against various types of malware and attacks.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 95,
"type": "identity",
"id": "identity--72a19049-3a4f-405f-a043-79e7f91b0c7a",
"name": "McKinsey Global Institute",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "McKinsey Global Institute is a business and economics research organization that provides insights and analysis on global trends and market shifts. In the context of cybersecurity, McKinsey Global Institute's research can provide valuable insights into the impact of emerging technologies on the global economy and the potential risks and opportunities associated with them.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 95,
"type": "identity",
"id": "identity--5039659d-dd2c-4481-9616-bafd2abf019d",
"name": "Microsoft Windows Server Update Services",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Microsoft Windows Server Update Services is a server software component that enables the management and distribution of updates, patches, and hotfixes for Microsoft Windows operating systems and other Microsoft products.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 95,
"type": "identity",
"id": "identity--f7293d42-d0fa-463c-8991-fb03d2ecb59f",
"name": "Google Cybersecurity Professional Certificate",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Google Cybersecurity Professional Certificate is a professional certification program that provides training and skills in cybersecurity to help individuals prepare for entry-level cybersecurity roles.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 95,
"type": "identity",
"id": "identity--3a3c0bca-dfaf-4a64-b34f-394c109c6302",
"name": "Europol",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "Europol is the European Union Agency for Law Enforcement Cooperation, responsible for coordinating efforts to combat cross-border crime, including cybercrime. As part of Operation Endgame 3.0, Europol played a key role in taking down over 1000 servers and seizing 20 domains associated with major malware platforms.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 95,
"type": "identity",
"id": "identity--1dbd2f0a-4adf-4aaf-aec8-5223b0e0acb8",
"name": "DeepSeek",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "DeepSeek is a company.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 95,
"type": "identity",
"id": "identity--4b93ac4e-61d4-4322-a80e-3a69001ab505",
"name": "Airline Iberia Notifies Customers of Data Breach",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Airline Iberia Notifies Customers of Data Breach is a company that informs its customers about a security incident involving unauthorized access to their personal data.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 95,
"type": "identity",
"id": "identity--9bafa8cc-056c-4e34-bb2d-61e718a0438b",
"name": "Cybersecurity",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Cybersecurity is a company.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 95,
"type": "identity",
"id": "identity--6741006f-839c-40a5-9d6e-5c3499671c57",
"name": "Cisco",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Cisco is a multinational technology conglomerate that specializes in designing, manufacturing, and selling networking hardware, software, telecommunications equipment, and other high-technology services and products.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 95,
"type": "malware",
"id": "malware--b1526fef-688f-44c8-960a-95786d39f740",
"name": "access trojan",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "VenomRAT is a type of remote access trojan (RAT) malware that allows attackers to remotely control infected systems, steal sensitive information, and execute malicious commands. The malware is part of a larger threat landscape, with various strains and variants emerging over time. In this context, the entity 'access trojan' seems to refer to the VenomRAT malware, which was targeted by Operation Endgame 3.0, a coordinated effort by international cybercrime-fighting agencies to dismantle malware platforms.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 95,
"type": "identity",
"id": "identity--9b06977e-0c45-4bfb-bb2c-0433e8d386e2",
"name": "proton.me",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Proton.me is a company that provides secure email services and other privacy-focused online tools.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 95,
"type": "identity",
"id": "identity--4bbfd461-c3c4-4f8b-ba51-ebd6d9ef0a2e",
"name": "the VenomRAT remote access",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "The VenomRAT remote access is a type of malware that allows attackers to remotely access and control compromised systems, granting them unauthorized access to sensitive data and system functionality.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"name": "Supply Chain Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/",
"external_id": "T1195"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2cecb29c-a2c6-4961-bed1-a4055f51534d",
"name": "Exfiltration Over C2 Channel",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"x_mitre_id": "T1041",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1041/",
"external_id": "T1041"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--cd061a92-a819-4f73-99dc-228176018577",
"name": "Exfiltration Over Alternative Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"x_mitre_id": "T1048",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1048/",
"external_id": "T1048"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314",
"name": "Remote Services",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_id": "T1021",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1021/",
"external_id": "T1021"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2c821981-fda2-4cb8-926c-6edd4905d65c",
"name": "Lateral Tool Transfer",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_id": "T1570",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1570/",
"external_id": "T1570"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--af705332-242d-4c31-9955-6dca77d560de",
"name": "Modify Registry",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1112",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1112/",
"external_id": "T1112"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--75f8063e-1388-4007-8255-4523fceba24e",
"name": "Registry Run Keys / Startup Folder",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1547.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1547/001/",
"external_id": "T1547.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--dd0edf90-8f96-4a15-852b-ba611cd81716",
"name": "Python",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/006/",
"external_id": "T1059.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--3785d15d-1c0c-4464-9200-10b744888e29",
"name": "Python Startup Hooks",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1546.018",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1546/018/",
"external_id": "T1546.018"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 79,
"type": "attack-pattern",
"id": "attack-pattern--3dfbd980-9c7a-4d3d-9e53-14e24b1fabdf",
"name": "Compromise Software Dependencies and Development Tools",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/001/",
"external_id": "T1195.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 71,
"type": "attack-pattern",
"id": "attack-pattern--7aa19707-a8bb-4175-a9ce-0dc6a85cf429",
"name": "DNS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1071.004",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1071/004/",
"external_id": "T1071.004"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--fd1090dd-887f-49dd-b669-779349a8b66d",
"name": "Component Object Model Hijacking",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1546.015",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1546/015/",
"external_id": "T1546.015"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--52da8eaa-7af6-4d99-8b27-b0b7baf7a14c",
"name": "Local Job Scheduling",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1168",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1168/",
"external_id": "T1168"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"name": "Archive via Utility",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1560.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1560/001/",
"external_id": "T1560.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"name": "Screen Capture",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1113",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1113/",
"external_id": "T1113"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"name": "Adversary-in-the-Middle",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1557",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1557/",
"external_id": "T1557"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"name": "Scheduled Task",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/005/",
"external_id": "T1053.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"name": "Socket Filters",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1205.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1205/002/",
"external_id": "T1205.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"name": "Malicious Shell Modification",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1156",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1156/",
"external_id": "T1156"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 67,
"type": "attack-pattern",
"id": "attack-pattern--6f441f0d-2af5-4ab6-853d-745c0cc303e9",
"name": "DNS Server",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1583.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1583/002/",
"external_id": "T1583.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 67,
"type": "attack-pattern",
"id": "attack-pattern--d8b65044-438a-43fb-a9f9-cda77057975d",
"name": "Container Orchestration Job",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053.007",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/007/",
"external_id": "T1053.007"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.204Z",
"modified": "2025-11-24T14:58:45.204Z",
"confidence": 65,
"type": "attack-pattern",
"id": "attack-pattern--c1ff2266-1a4b-4292-80e6-f593eb2569a9",
"name": "Code Signing Certificates",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/003/",
"external_id": "T1588.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-24T14:58:45.205Z",
"modified": "2025-11-24T14:58:45.205Z",
"confidence": 65,
"type": "attack-pattern",
"id": "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d",
"name": "Search Threat Vendor Data",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"x_mitre_id": "T1681",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1681/",
"external_id": "T1681"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
}
]
}