{
"type": "bundle",
"id": "bundle--14b34ecb-868c-4768-ba3c-7345bbbc65e1",
"objects": [
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"created": "2022-10-01T00:00:00.000Z",
"definition_type": "tlp:2.0",
"name": "TLP:CLEAR",
"definition": {
"tlp": "clear"
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--d8f66a41-a73b-48d0-92bf-3559d88d17a4",
"created": "2025-12-01T13:33:12.110Z",
"modified": "2025-12-01T13:33:12.110Z",
"name": "MikeGPT Intelligence Platform",
"description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds",
"identity_class": "organization",
"sectors": [
"technology",
"defense"
],
"contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--473c0d21-2740-43ab-83e4-b23e45a77e86",
"created": "2025-12-01T13:33:12.111Z",
"modified": "2025-12-01T13:33:12.111Z",
"name": "Threat Intelligence Report - 2025-12-01",
"description": "Threat Intelligence Report - 2025-12-01\n\nThis report consolidates actionable cybersecurity intelligence from 33 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• South Africa Aligns Local Realities with Global Cybersecurity Standards (Score: 100)\n• U.S. CISA adds an OpenPLC ScadaBR flaw to its Known Exploited Vulnerabilities catalog (Score: 100)\n• SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 73 (Score: 100)\n• What is your opinion on forced app installation by governments? (Score: 94.5)\n• A Practical Defense Against AI-led Attacks (Score: 92.1)\n\nEXTRACTED ENTITIES:\n• 13 Attack Pattern(s)\n• 7 Domain Name(s)\n• 8 Indicator(s)\n• 1 Ipv4 Addr(s)\n• 1 Malware(s)\n• 1 Marking Definition(s)\n• 21 Relationship(s)\n• 2 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n",
"published": "2025-12-01T13:33:12.111Z",
"object_refs": [
"identity--d8f66a41-a73b-48d0-92bf-3559d88d17a4",
"vulnerability--c749cbed-b4ca-499a-ba6d-b652e9f6977b",
"malware--80a624ef-749e-4989-8aec-e572082cd049",
"identity--f6a99f72-a94f-4e68-a5ba-aafcaac79603",
"vulnerability--2602bc7a-afdf-4d1b-b016-14b0b2cc89d1",
"attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"attack-pattern--21d89a99-5a37-4e50-86cf-7a292fac5a60",
"attack-pattern--80699ba5-409d-4de2-be13-f6bb5ce88584",
"attack-pattern--58a606c1-b0f9-4046-a51e-db21f3a8b719",
"attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6",
"attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"relationship--51e9a79d-30d6-4b7e-9a84-d9cd40b77d0f",
"relationship--87f46bca-d43a-4cd0-9b38-91a4485a2850",
"relationship--406be34a-b841-4111-b9b6-e0312d034b5d",
"relationship--b670f42c-bc7f-465a-8f40-73d737a2fc7c",
"relationship--1a251af0-7c99-4374-8a34-32304b03781d",
"relationship--fa31f2c3-943e-4e8b-8a36-c64899385580",
"relationship--a9de6f1d-d6bb-41d3-8038-5aa64c06d6ca",
"relationship--b7dc3781-7bf0-4961-9c8e-7daf557f3397",
"relationship--4d92a687-4f42-4570-9bed-47f66c13413e",
"relationship--5e5e2a6d-6b78-48a8-9bde-41017a4734dc",
"relationship--f8d625d4-3a9d-4f2b-b5d3-fba402ae53f0",
"relationship--4502cedf-a080-4c10-af87-77e5fe05f690",
"relationship--8ce621d0-548e-4b84-972f-4374cfc12f62",
"ipv4-addr--aaab1471-4f87-482f-8cf7-dffb10c2820b",
"domain-name--dcf5ed31-05fc-47d2-bdc9-92aa14800579",
"domain-name--ef98ca14-ff66-4304-9d03-aa123768b3af",
"domain-name--60162788-6efb-4272-b6de-1c5477349625",
"domain-name--d4abc3a4-d954-4df4-bbc1-004992ee12e0",
"domain-name--5d26d887-6b13-4eea-a140-5382d6674f39",
"domain-name--7074a8e8-a1ce-4573-bf4a-edb527f144db",
"domain-name--51b6d435-903f-4702-bd9c-6ea799964f44",
"indicator--829daa52-f6e5-4feb-8de9-e123e7993ec3",
"relationship--57531c47-8afa-48e5-bf94-149afacf9b67",
"indicator--886c4d76-eab9-4997-8fdc-f73f170dadcd",
"relationship--72d2e142-864b-43e5-9465-d03cb4ceb577",
"indicator--29a60abb-6d61-4c86-92cb-8a5aa545e913",
"relationship--2a596254-abf9-4a58-8999-b30f5d248c7f",
"indicator--e0acdfb4-878b-4dfe-b5c3-ed8f55fa280e",
"relationship--6e5b95ba-09e9-463d-8e2f-07b27807a370",
"indicator--363a7882-56a6-4711-bc79-12a456019010",
"relationship--27777665-a498-4ab5-b740-87193b0767cd",
"indicator--48fcc10b-1a02-4e11-8b42-9c942a859f0a",
"relationship--7f365d32-e4db-4cec-97ef-4e0007dacb88",
"indicator--66398e39-bacc-4bdb-816e-995bc656aa3a",
"relationship--97f7b3d9-2c9b-453c-9e40-896f19e23e6c",
"indicator--87763ae4-a28c-4b0e-bc8f-5cf478cc0a78",
"relationship--c2413f80-1f77-4563-a6ea-d33708f2fbe7"
],
"labels": [
"threat-report",
"threat-intelligence"
],
"created_by_ref": "identity--d8f66a41-a73b-48d0-92bf-3559d88d17a4",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.107Z",
"modified": "2025-12-01T13:33:12.107Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--c749cbed-b4ca-499a-ba6d-b652e9f6977b",
"name": "CVE-2021-26829",
"description": "OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm. CVSS Score: 5.4 (MEDIUM). CISA KEV: Active exploitation confirmed. EPSS: 48.3% exploitation probability",
"x_cvss_score": 5.4,
"x_cvss_severity": "MEDIUM",
"x_kev_status": true,
"x_epss_score": 0.48271,
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2021-26829",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26829"
},
{
"source_name": "nvd",
"external_id": "CVE-2021-26829",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26829"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.108Z",
"modified": "2025-12-01T13:33:12.108Z",
"confidence": 95,
"type": "malware",
"id": "malware--80a624ef-749e-4989-8aec-e572082cd049",
"name": "Albiriox",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "Albiriox is a type of Android malware that is sold as a service on Russian-speaking cybercrime forums, enabling on-device fraud and real-time control. It is a relatively new malware family that has been observed in recent attacks, and its capabilities and behavior are still being tracked and analyzed by security researchers.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.108Z",
"modified": "2025-12-01T13:33:12.108Z",
"confidence": 95,
"type": "identity",
"id": "identity--f6a99f72-a94f-4e68-a5ba-aafcaac79603",
"name": "VirusTotal",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "VirusTotal is a cybersecurity platform that provides malware analysis and threat intelligence services by scanning files and URLs with multiple antivirus engines.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.108Z",
"modified": "2025-12-01T13:33:12.108Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--2602bc7a-afdf-4d1b-b016-14b0b2cc89d1",
"name": "CVE-2025-59287",
"description": "Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network. CVSS Score: 9.8 (CRITICAL). CISA KEV: Active exploitation confirmed. EPSS: 64.0% exploitation probability",
"x_cvss_score": 9.8,
"x_cvss_severity": "CRITICAL",
"x_kev_status": true,
"x_epss_score": 0.64042,
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-59287",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59287"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-59287",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59287"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.108Z",
"modified": "2025-12-01T13:33:12.108Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.108Z",
"modified": "2025-12-01T13:33:12.108Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"name": "Supply Chain Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/",
"external_id": "T1195"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"name": "Command and Scripting Interpreter",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/",
"external_id": "T1059"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"name": "Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1071",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1071/",
"external_id": "T1071"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"name": "Non-Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1095",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1095/",
"external_id": "T1095"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--21d89a99-5a37-4e50-86cf-7a292fac5a60",
"name": "Evil Twin",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1557.004",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1557/004/",
"external_id": "T1557.004"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--80699ba5-409d-4de2-be13-f6bb5ce88584",
"name": "Wi-Fi Discovery",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"x_mitre_id": "T1016.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1016/002/",
"external_id": "T1016.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--58a606c1-b0f9-4046-a51e-db21f3a8b719",
"name": "Wi-Fi Networks",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1669",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1669/",
"external_id": "T1669"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"confidence": 73,
"type": "attack-pattern",
"id": "attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6",
"name": "Artificial Intelligence",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.007",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/007/",
"external_id": "T1588.007"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"confidence": 73,
"type": "attack-pattern",
"id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"name": "Vulnerabilities",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/006/",
"external_id": "T1588.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"name": "Archive via Utility",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1560.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1560/001/",
"external_id": "T1560.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"name": "Screen Capture",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1113",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1113/",
"external_id": "T1113"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--51e9a79d-30d6-4b7e-9a84-d9cd40b77d0f",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"relationship_type": "uses",
"source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049",
"target_ref": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"confidence": 55,
"description": "Co-occurrence: Albiriox and Exploit Public-Facing Application (T1190) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--87f46bca-d43a-4cd0-9b38-91a4485a2850",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"relationship_type": "uses",
"source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049",
"target_ref": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"confidence": 55,
"description": "Co-occurrence: Albiriox and Exploitation for Client Execution (T1203) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--406be34a-b841-4111-b9b6-e0312d034b5d",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"relationship_type": "uses",
"source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049",
"target_ref": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"confidence": 55,
"description": "Co-occurrence: Albiriox and Supply Chain Compromise (T1195) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b670f42c-bc7f-465a-8f40-73d737a2fc7c",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"relationship_type": "uses",
"source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 55,
"description": "Co-occurrence: Albiriox and Command and Scripting Interpreter (T1059) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1a251af0-7c99-4374-8a34-32304b03781d",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"relationship_type": "uses",
"source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049",
"target_ref": "attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"confidence": 55,
"description": "Co-occurrence: Albiriox and Application Layer Protocol (T1071) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--fa31f2c3-943e-4e8b-8a36-c64899385580",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"relationship_type": "uses",
"source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049",
"target_ref": "attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"confidence": 55,
"description": "Co-occurrence: Albiriox and Non-Application Layer Protocol (T1095) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a9de6f1d-d6bb-41d3-8038-5aa64c06d6ca",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"relationship_type": "uses",
"source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049",
"target_ref": "attack-pattern--21d89a99-5a37-4e50-86cf-7a292fac5a60",
"confidence": 55,
"description": "Co-occurrence: Albiriox and Evil Twin (T1557.004) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b7dc3781-7bf0-4961-9c8e-7daf557f3397",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"relationship_type": "uses",
"source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049",
"target_ref": "attack-pattern--80699ba5-409d-4de2-be13-f6bb5ce88584",
"confidence": 55,
"description": "Co-occurrence: Albiriox and Wi-Fi Discovery (T1016.002) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--4d92a687-4f42-4570-9bed-47f66c13413e",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"relationship_type": "uses",
"source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049",
"target_ref": "attack-pattern--58a606c1-b0f9-4046-a51e-db21f3a8b719",
"confidence": 55,
"description": "Co-occurrence: Albiriox and Wi-Fi Networks (T1669) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5e5e2a6d-6b78-48a8-9bde-41017a4734dc",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"relationship_type": "uses",
"source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049",
"target_ref": "attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6",
"confidence": 55,
"description": "Co-occurrence: Albiriox and Artificial Intelligence (T1588.007) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f8d625d4-3a9d-4f2b-b5d3-fba402ae53f0",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"relationship_type": "uses",
"source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049",
"target_ref": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"confidence": 55,
"description": "Co-occurrence: Albiriox and Vulnerabilities (T1588.006) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--4502cedf-a080-4c10-af87-77e5fe05f690",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"relationship_type": "uses",
"source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049",
"target_ref": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"confidence": 55,
"description": "Co-occurrence: Albiriox and Archive via Utility (T1560.001) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8ce621d0-548e-4b84-972f-4374cfc12f62",
"created": "2025-12-01T13:33:12.109Z",
"modified": "2025-12-01T13:33:12.109Z",
"relationship_type": "uses",
"source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049",
"target_ref": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"confidence": 55,
"description": "Co-occurrence: Albiriox and Screen Capture (T1113) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "ipv4-addr",
"value": "194.32.79.94",
"source": "OTX",
"malware_family": "Albiriox",
"pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover",
"id": "ipv4-addr--aaab1471-4f87-482f-8cf7-dffb10c2820b"
},
{
"type": "domain-name",
"value": "google-aplication.download",
"source": "OTX",
"malware_family": "Albiriox",
"pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover",
"id": "domain-name--dcf5ed31-05fc-47d2-bdc9-92aa14800579"
},
{
"type": "domain-name",
"value": "google-app-download.download",
"source": "OTX",
"malware_family": "Albiriox",
"pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover",
"id": "domain-name--ef98ca14-ff66-4304-9d03-aa123768b3af"
},
{
"type": "domain-name",
"value": "google-app-get.com",
"source": "OTX",
"malware_family": "Albiriox",
"pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover",
"id": "domain-name--60162788-6efb-4272-b6de-1c5477349625"
},
{
"type": "domain-name",
"value": "google-app-install.com",
"source": "OTX",
"malware_family": "Albiriox",
"pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover",
"id": "domain-name--d4abc3a4-d954-4df4-bbc1-004992ee12e0"
},
{
"type": "domain-name",
"value": "google-get-app.com",
"source": "OTX",
"malware_family": "Albiriox",
"pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover",
"id": "domain-name--5d26d887-6b13-4eea-a140-5382d6674f39"
},
{
"type": "domain-name",
"value": "google-get.download",
"source": "OTX",
"malware_family": "Albiriox",
"pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover",
"id": "domain-name--7074a8e8-a1ce-4573-bf4a-edb527f144db"
},
{
"type": "domain-name",
"value": "play.google-get.store",
"source": "OTX",
"malware_family": "Albiriox",
"pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover",
"id": "domain-name--51b6d435-903f-4702-bd9c-6ea799964f44"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--829daa52-f6e5-4feb-8de9-e123e7993ec3",
"created": "2025-12-01T13:33:08.396Z",
"modified": "2025-12-01T13:33:08.396Z",
"name": "Malicious ipv4-addr indicator",
"description": "Malicious ipv4-addr identified in threat intelligence",
"pattern": "[ipv4-addr:value = '194.32.79.94']",
"pattern_type": "stix",
"valid_from": "2025-12-01T13:33:08.396Z",
"labels": [
"malicious-activity"
],
"confidence": 65
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--57531c47-8afa-48e5-bf94-149afacf9b67",
"created": "2025-12-01T13:33:08.396Z",
"modified": "2025-12-01T13:33:08.396Z",
"relationship_type": "based-on",
"source_ref": "indicator--829daa52-f6e5-4feb-8de9-e123e7993ec3",
"target_ref": "ipv4-addr--aaab1471-4f87-482f-8cf7-dffb10c2820b"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--886c4d76-eab9-4997-8fdc-f73f170dadcd",
"created": "2025-12-01T13:33:08.432Z",
"modified": "2025-12-01T13:33:08.433Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'google-aplication.download']",
"pattern_type": "stix",
"valid_from": "2025-12-01T13:33:08.433Z",
"labels": [
"malicious-activity"
],
"confidence": 75
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--72d2e142-864b-43e5-9465-d03cb4ceb577",
"created": "2025-12-01T13:33:08.433Z",
"modified": "2025-12-01T13:33:08.433Z",
"relationship_type": "based-on",
"source_ref": "indicator--886c4d76-eab9-4997-8fdc-f73f170dadcd",
"target_ref": "domain-name--dcf5ed31-05fc-47d2-bdc9-92aa14800579"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--29a60abb-6d61-4c86-92cb-8a5aa545e913",
"created": "2025-12-01T13:33:08.448Z",
"modified": "2025-12-01T13:33:08.448Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'google-app-download.download']",
"pattern_type": "stix",
"valid_from": "2025-12-01T13:33:08.448Z",
"labels": [
"malicious-activity"
],
"confidence": 75
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2a596254-abf9-4a58-8999-b30f5d248c7f",
"created": "2025-12-01T13:33:08.448Z",
"modified": "2025-12-01T13:33:08.448Z",
"relationship_type": "based-on",
"source_ref": "indicator--29a60abb-6d61-4c86-92cb-8a5aa545e913",
"target_ref": "domain-name--ef98ca14-ff66-4304-9d03-aa123768b3af"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e0acdfb4-878b-4dfe-b5c3-ed8f55fa280e",
"created": "2025-12-01T13:33:08.513Z",
"modified": "2025-12-01T13:33:08.514Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'google-app-get.com']",
"pattern_type": "stix",
"valid_from": "2025-12-01T13:33:08.514Z",
"labels": [
"malicious-activity"
],
"confidence": 70
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6e5b95ba-09e9-463d-8e2f-07b27807a370",
"created": "2025-12-01T13:33:08.514Z",
"modified": "2025-12-01T13:33:08.514Z",
"relationship_type": "based-on",
"source_ref": "indicator--e0acdfb4-878b-4dfe-b5c3-ed8f55fa280e",
"target_ref": "domain-name--60162788-6efb-4272-b6de-1c5477349625"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--363a7882-56a6-4711-bc79-12a456019010",
"created": "2025-12-01T13:33:08.602Z",
"modified": "2025-12-01T13:33:08.602Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'google-app-install.com']",
"pattern_type": "stix",
"valid_from": "2025-12-01T13:33:08.602Z",
"labels": [
"malicious-activity"
],
"confidence": 75
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--27777665-a498-4ab5-b740-87193b0767cd",
"created": "2025-12-01T13:33:08.602Z",
"modified": "2025-12-01T13:33:08.602Z",
"relationship_type": "based-on",
"source_ref": "indicator--363a7882-56a6-4711-bc79-12a456019010",
"target_ref": "domain-name--d4abc3a4-d954-4df4-bbc1-004992ee12e0"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--48fcc10b-1a02-4e11-8b42-9c942a859f0a",
"created": "2025-12-01T13:33:08.629Z",
"modified": "2025-12-01T13:33:08.629Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'google-get-app.com']",
"pattern_type": "stix",
"valid_from": "2025-12-01T13:33:08.629Z",
"labels": [
"malicious-activity"
],
"confidence": 70
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7f365d32-e4db-4cec-97ef-4e0007dacb88",
"created": "2025-12-01T13:33:08.629Z",
"modified": "2025-12-01T13:33:08.629Z",
"relationship_type": "based-on",
"source_ref": "indicator--48fcc10b-1a02-4e11-8b42-9c942a859f0a",
"target_ref": "domain-name--5d26d887-6b13-4eea-a140-5382d6674f39"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--66398e39-bacc-4bdb-816e-995bc656aa3a",
"created": "2025-12-01T13:33:08.646Z",
"modified": "2025-12-01T13:33:08.646Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'google-get.download']",
"pattern_type": "stix",
"valid_from": "2025-12-01T13:33:08.646Z",
"labels": [
"malicious-activity"
],
"confidence": 70
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--97f7b3d9-2c9b-453c-9e40-896f19e23e6c",
"created": "2025-12-01T13:33:08.646Z",
"modified": "2025-12-01T13:33:08.646Z",
"relationship_type": "based-on",
"source_ref": "indicator--66398e39-bacc-4bdb-816e-995bc656aa3a",
"target_ref": "domain-name--7074a8e8-a1ce-4573-bf4a-edb527f144db"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--87763ae4-a28c-4b0e-bc8f-5cf478cc0a78",
"created": "2025-12-01T13:33:08.659Z",
"modified": "2025-12-01T13:33:08.659Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'play.google-get.store']",
"pattern_type": "stix",
"valid_from": "2025-12-01T13:33:08.659Z",
"labels": [
"malicious-activity"
],
"confidence": 75
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c2413f80-1f77-4563-a6ea-d33708f2fbe7",
"created": "2025-12-01T13:33:08.659Z",
"modified": "2025-12-01T13:33:08.659Z",
"relationship_type": "based-on",
"source_ref": "indicator--87763ae4-a28c-4b0e-bc8f-5cf478cc0a78",
"target_ref": "domain-name--51b6d435-903f-4702-bd9c-6ea799964f44"
}
]
}