Cybersecurity Latest Rundown

Playbook for the Secure Enterprise

Compliance Impact Scoreboard

SOX: 15 HIPAA: 2 FISMA: 2 General Enterprise: 1 SOC 2: 1

Industry Watch

Financial Services (Payment Processing) (PCI DSS) ELEVATED

Active banking malware detected

Key threat: Albiriox Android Banking Malware targeting financial apps

Action: Review Albiriox Android Banking Malware, ShadyPanda Browser Extensions

EU Critical Infrastructure (NIS2) ⚠️ GUARDED

Mobile fleet vulnerabilities

Key threat: Active exploitation of Android OS vulnerabilities

Action: Review Google’s latest Android security update fixes two actively exploited flaws

🚨 Technology Service Providers (SOC 2) CRITICAL

Supply chain/DevOps risks

Key threat: RCE in OpenAI Codex CLI tool used by developers

Action: Review Vulnerability in OpenAI Coding Agent Could Facilitate Attacks on Developers

General Enterprise (General Enterprise) ELEVATED

Browser-based threats

Key threat: Widespread malicious browser extensions (ShadyPanda)

Action: Review ShadyPanda Turns Popular Browser Extensions Into Spyware

U.S. Federal Agencies (FISMA) ⚠️ GUARDED

Policy and budget shifts

Key threat: Reduced modernization funding impacting defense depth

Action: Review US Federal Modernization Funds Slashed in Senate Bill

CyberSecurity Latest Rundown

Heroes, a look at the current cybersecurity landscape for December 2, 2025.

CRITICAL ITEMS

Microsoft Silently Patched CVE-2025-9491 - We Think Our Patch Provides More Security
Date & Time: 2025-12-02T10:10:00

Microsoft released a silent fix for a Windows shortcut vulnerability that allows attackers to mask malicious commands, but researchers argue the official patch is incomplete. This "MotW" bypass technique is a common vector for initial access in ransomware campaigns.

Business impact

If exploited, employees could unknowingly execute malware disguised as harmless files, leading to network compromise and potential ransomware deployment despite existing controls.

Recommended action

Ask your IT team: "Have we verified if the Microsoft patch for CVE-2025-9491 is sufficient for our environment, or do we need third-party micropatching to fully mitigate the risk?"

CVE: CVE-2025-9491 | Compliance: SOX | Source: blog.0patch.com ↗
Vulnerability in OpenAI Coding Agent Could Facilitate Attacks on Developers
Date & Time: 2025-12-02T12:02:32

A critical Remote Code Execution (RCE) vulnerability has been discovered in the OpenAI Codex CLI tool, a popular utility used by developers for AI-assisted coding. This flaw allows attackers to execute arbitrary commands on developer workstations.

Business impact

Compromise of developer workstations represents a severe supply chain risk; attackers could inject malicious code into your proprietary software or steal intellectual property and API keys.

Recommended action

Ask your DevOps lead: "Have we identified all instances of the OpenAI Codex CLI in our environment and updated them to the patched version immediately?"

CVE: CVE-2025-61260 | Compliance: SOX | Source: securityweek.com ↗
Google’s latest Android security update fixes two actively exploited flaws
Date & Time: 2025-12-02T10:23:07

Google has released an emergency update addressing 107 vulnerabilities, including two zero-days currently being exploited in the wild. These flaws affect the system and kernel components of Android devices.

Business impact

Corporate mobile devices and BYOD phones are at immediate risk of compromise, potentially allowing attackers to access corporate email, MFA tokens, and sensitive data stored on the device.

Recommended action

Ask your MDM administrator: "What is our compliance status for the December Android security patch, and can we force an expedited update for high-risk users?"

CVE: n/a | Compliance: SOX, SOC 2 | Source: securityaffairs.com ↗

HIGH SEVERITY ITEMS

Albiriox: The New Android Banking Malware Threatening Your Financial Security
Date & Time: 2025-12-02T07:33:40

A sophisticated new Android banking malware family, Albiriox, has emerged with advanced remote control capabilities. It specifically targets the global financial sector using a "malware-as-a-service" model.

Business impact

High risk of fraud and financial theft for customers using mobile banking apps; potential liability and reputational damage for financial institutions if their apps are successfully targeted.

Recommended action

Ask your Fraud team: "Are our mobile application fraud detection systems updated to recognize the behavioral signatures of the Albiriox malware family?"

CVE: n/a | Compliance: SOX, HIPAA | Source: reddit.com ↗
ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware
Date & Time: 2025-12-01T17:29:00

A threat actor dubbed "ShadyPanda" has acquired legitimate browser extensions with over 4.3 million users and weaponized them to harvest data. This supply chain attack turns trusted tools into spyware without user action.

Business impact

Widespread data leakage of internal web application data, browsing history, and potentially session cookies, bypassing traditional network perimeter defenses.

Recommended action

Ask your IT Security team: "Do we have visibility into browser extensions installed on corporate endpoints, and have we blocked the specific extensions identified in the ShadyPanda campaign?"

CVE: n/a | Compliance: SOX | Source: thehackernews.com ↗
India Orders Phone Makers to Pre-Install Sanchar Saathi App
Date & Time: 2025-12-01T17:55:00

The Indian government has mandated that mobile manufacturers pre-install the "Sanchar Saathi" security app on all new phones, with no option to delete it. This introduces a mandatory government software component into the mobile supply chain.

Business impact

For global organizations with employees in India, this introduces potential privacy risks and a new, unmanaged software vector on corporate devices that cannot be removed.

Recommended action

Ask your Legal and Compliance teams: "How does the mandatory installation of the Sanchar Saathi app affect our privacy compliance (GDPR) and data security posture for operations in India?"

CVE: n/a | Compliance: GDPR, SOX | Source: thehackernews.com ↗

MEDIUM SEVERITY ITEMS

Guest Diary Hunting for SharePoint In-Memory ToolShell Payloads
Date & Time: 2025-12-01T23:27:08

SANS ISC has published a technical guide on hunting for in-memory webshell payloads in SharePoint environments. This technique is increasingly used by advanced attackers to maintain persistence without leaving disk artifacts.

CVE: n/a | Compliance: SOX | Source: isc.sans.edu ↗
1st December – Threat Intelligence Report
Date & Time: 2025-12-01T09:03:20

Check Point's latest report highlights a data breach at OpenAI caused by a compromise at third-party provider Mixpanel. This underscores the critical risk of third-party vendor dependencies.

CVE: n/a | Compliance: SOX, FISMA | Source: research.checkpoint.com ↗

OTHER NOTEWORTHY ITEMS

Australian man jailed for 7+ years over airport and in-flight Wi-Fi attacks
Date & Time: 2025-12-01T20:21:34

A cybercriminal has been sentenced to prison for setting up "evil twin" Wi-Fi hotspots at airports to steal traveler data. This serves as a reminder of the risks of using public Wi-Fi for corporate business.

Source: securityaffairs.com ↗
Security Disaster – 500M Microsoft Users Say No to Windows 11
Date & Time: 2025-12-02T08:18:33

Reports indicate massive resistance to Windows 11 adoption, leaving 500 million users on older, potentially less secure operating systems as support windows narrow.

Source: Forbes ↗

EXECUTIVE INSIGHTS

The Dual Role of AI in Cybersecurity: Shield or Weapon?
Date & Time: 2025-12-01T20:54:47

Analysis of how AI is simultaneously accelerating vulnerability discovery for attackers while providing defenders with automated response capabilities. A strategic read for leaders balancing AI adoption with risk.

Source: securityboulevard.com ↗
US Federal Modernization Funds Slashed in Senate Bill
Date & Time: 2025-12-01T19:34:07

Proposed budget cuts to the Technology Modernization Fund may stall federal cybersecurity improvements. This signals a potential retreat from centralized oversight, increasing risk for federal agencies and their contractors.

Source: healthcareinfosecurity.com ↗
Akamai Study Shows Microsegmentation Boosts Security
Date & Time: 2025-12-01T13:28:50

New data confirms that 90% of organizations are adopting segmentation to lower cyber insurance premiums and limit blast radius. Validates investment in Zero Trust architecture.

Source: healthcareinfosecurity.com ↗

VENDOR SPOTLIGHT

Spotlight Rationale: Selected due to the critical intelligence regarding CVE-2025-9491, where Microsoft's official patch was deemed insufficient by security researchers, requiring a more agile patching approach.

Threat Context: Microsoft Silently Patched CVE-2025-9491

Platform Focus: **0patch (Micropatching Platform)

0patch provides "micropatches"—tiny code fixes applied in-memory to running processes without requiring a system reboot. In the context of CVE-2025-9491, 0patch released a fix that addresses the root cause of the Windows shortcut vulnerability more comprehensively than the vendor's own update, ensuring that malicious "Mark of the Web" bypasses are effectively blocked.

Actionable Platform Guidance: Deploy the 0patch Agent to critical workstations to immediately apply the micropatch for CVE-2025-9491. Configure the agent to "Block" mode for this specific CVE to prevent the execution of malicious shortcuts.

Source: blog.0patch.com ↗

DETECTION & RESPONSE KIT

⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.

1. Vendor Platform Configuration - 0patch

# PowerShell script to verify 0patch agent status and applied patches
# Requires 0patch Console or Agent installed

$AgentStatus = Get-Service -Name "0patchService" -ErrorAction SilentlyContinue
if ($AgentStatus.Status -eq 'Running') {
Write-Host "[+] 0patch Service is Running."
# Command to list applied patches (Conceptual - refer to vendor CLI docs)
# & "C:\Program Files\0patch\Agent\0patchConsole.exe" --list-patches
Write-Host "[+] Verify CVE-2025-9491 patch status in 0patch Console."
} else {
Write-Host "[!] 0patch Service is NOT running. Immediate action required."
Start-Service -Name "0patchService"
}

2. YARA Rule for SharePoint In-Memory ToolShell

rule SharePoint_InMemory_ToolShell {
meta:
description = "Detects potential in-memory webshell payloads in SharePoint processes"
author = "Threat Rundown"
date = "2025-12-02"
reference = "https://isc.sans.edu/diary/rss/32524"
severity = "high"
tlp = "white"
strings:
$s1 = "System.Reflection.Assembly.Load" ascii wide
$s2 = "Microsoft.SharePoint.Administration" ascii wide
$s3 = "eval(" ascii wide
$s4 = "cmd.exe /c" ascii wide
$h1 = { 4D 5A 90 00 03 00 00 00 }
condition:
($s1 and $s2) and ($s3 or $s4)
}

3. SIEM Query — Fast-Flux .XYZ Domain Detection

index=security sourcetype="stream:dns"
query_type="A" domain="*.xyz"
| bucket _time span=1h
| stats count by src_ip, domain
| eventstats avg(count) as avg_req by src_ip
| eval risk_score=case(
count > 50, 100,
count > 20, 50,
1==1, 0)
| where risk_score >= 50
| table _time, src_ip, domain, count, risk_score
| sort -risk_score

4. PowerShell Script — Check for OpenAI Codex CLI Version

$computers = "localhost", "WKSTN01", "DEV-LAPTOP-04"
foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
Invoke-Command -ComputerName $computer -ScriptBlock {
$cli = Get-Command "codex-cli" -ErrorAction SilentlyContinue
if ($cli) {
$version = & $cli.Source --version
Write-Host "Found Codex CLI on $env:COMPUTERNAME : Version $version"
# Add logic here to alert if version < PatchedVersion
}
}
}
}

This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!

{ "type": "bundle", "id": "bundle--fc034bbb-66fd-4648-b369-e2538845372e", "objects": [ { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487", "created": "2022-10-01T00:00:00.000Z", "definition_type": "tlp:2.0", "name": "TLP:CLEAR", "definition": { "tlp": "clear" } }, { "type": "identity", "spec_version": "2.1", "id": "identity--79aab1ba-13e4-4aa3-a218-a40c2d21c6da", "created": "2025-12-02T13:06:02.099Z", "modified": "2025-12-02T13:06:02.099Z", "name": "MikeGPT Intelligence Platform", "description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds", "identity_class": "organization", "sectors": [ "technology", "defense" ], "contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "report", "spec_version": "2.1", "id": "report--1666020d-70e9-49a1-9ba6-f5a73ae15999", "created": "2025-12-02T13:06:02.099Z", "modified": "2025-12-02T13:06:02.099Z", "name": "Threat Intelligence Report - 2025-12-02", "description": "Threat Intelligence Report - 2025-12-02\n\nThis report consolidates actionable cybersecurity intelligence from 50 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Microsoft Silently Patched CVE-2025-9491 - We Think Our Patch Provides More Security (Score: 100)\n• Google’s latest Android security update fixes two actively exploited flaws (Score: 100)\n• Kaspersky Security Bulletin 2025. Statistics (Score: 100)\n• Android’s December 2025 Updates Patch Two Zero-Days (Score: 100)\n• Google Patches 107 Android Flaws, Including Two Framework Bugs Exploited in the Wild (Score: 100)\n\nEXTRACTED ENTITIES:\n• 22 Attack Pattern(s)\n• 11 Domain Name(s)\n• 8 File:Hashes.Md5(s)\n• 3 File:Hashes.Sha 1(s)\n• 6 File:Hashes.Sha 256(s)\n• 15 Indicator(s)\n• 1 Ipv4 Addr(s)\n• 3 Malware(s)\n• 1 Marking Definition(s)\n• 103 Relationship(s)\n• 2 Threat Actor(s)\n• 1 Tool(s)\n• 3 Url(s)\n• 3 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n", "published": "2025-12-02T13:06:02.099Z", "object_refs": [ "identity--79aab1ba-13e4-4aa3-a218-a40c2d21c6da", "malware--80a624ef-749e-4989-8aec-e572082cd049", "identity--d48d0179-a8bc-4c9e-89ef-4347fcbce1fa", "identity--ae4d5f46-29c5-40ae-842b-378abf057c12", "identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396", "identity--b297639a-5ada-4e55-801d-789bd310d4d7", "identity--19a47e75-bfa8-4832-b1dd-4959d7d4a190", "malware--6f646094-517f-45d1-b0f6-26286f9a5e1a", "vulnerability--6f32454a-ddb9-4b87-98bf-ebee833c8559", "tool--42473651-581a-4ecc-979b-2d59101555ea", "identity--a4e59e2d-b078-4a28-8d7b-c257534cf291", "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "identity--37dc1158-1022-431f-8013-9b80ea54da43", "identity--5a84b94b-2a59-4751-b3a0-ab433bbeb1f9", "vulnerability--c14c749a-2b70-4d91-8e1d-26ec90a2efb2", "identity--9cdea25f-1e87-4a1e-a12b-7eb87bb37d6a", "identity--06fed243-5d01-4daa-8c82-77363abbcfca", "identity--a46e663a-8e9f-4dbd-b12b-8e7de5526190", "identity--5de82384-6f20-42e6-af03-cf8ea7a92a4c", "identity--3a3c0bca-dfaf-4a64-b34f-394c109c6302", "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "vulnerability--84b54ab3-85ed-44d8-997a-3e036f851771", "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "attack-pattern--b374db85-3cb3-4563-9bae-4cc47462a31c", "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "attack-pattern--21d89a99-5a37-4e50-86cf-7a292fac5a60", "attack-pattern--80699ba5-409d-4de2-be13-f6bb5ce88584", "attack-pattern--58a606c1-b0f9-4046-a51e-db21f3a8b719", "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e", "attack-pattern--72db7478-d5a9-49e4-90ad-880735fc5b3f", "attack-pattern--da82a474-3eb8-46ae-af12-cd8d8a29ed4d", "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea", "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1", "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530", "attack-pattern--26d99677-799b-44ed-bc54-5fef76cbc72c", "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d", "relationship--85272939-5b7c-47b7-81bc-0cf1272b1eff", "relationship--7375f8b6-901f-4db2-92ec-aa442e16fe1d", "relationship--077d2898-e7d9-4bec-a55f-ff9b9487bb4a", "relationship--d83d31bf-6453-418e-bee3-b25c9b729ba4", "relationship--7f954b3b-ebd3-4a8a-8503-662536e45a5b", "relationship--1c52f172-b73e-4770-89c8-cb87b62888ea", "relationship--a45fb41e-e71b-469a-8ed2-d0594f6b0784", "relationship--9c6d473f-f493-4c9b-90eb-dc764f30bb91", "relationship--b2be1c83-9c5f-4ba5-88a1-e99b99fbfd34", "relationship--878ae0bb-b34a-4b10-a29e-87682d037590", "relationship--055a5313-571b-4442-a1f8-f9ae065b5aaa", "relationship--81005d9b-9b1f-4db3-a2e3-ee2925806776", "relationship--7ae70229-93b1-4f5f-9af4-811c5e92ab30", "relationship--49cae409-8621-411c-b1b5-b2faaeaa3c97", "relationship--ad625dd7-f82f-4b1c-a4a4-be822c626e4e", "relationship--f316af36-63a3-4dc3-b8e4-45a1d40f8028", "relationship--83130822-2b95-4d87-8025-4fb7138d8352", "relationship--98f6ce4f-89f0-4538-9185-727d3d01d287", "relationship--4f7f7ac9-403a-44af-be4b-a673c088dabe", "relationship--9c357ced-f047-4b14-aa33-b491fdcd8344", "relationship--d1cee0d2-5e3f-4214-b74b-a9582aa2d341", "relationship--e10113bc-5c07-4dc7-a936-ab1ca888e452", "relationship--f76db101-a78d-41cc-bafb-9d29c220b156", "relationship--accafb09-f653-481b-8cda-8281f79f049d", "relationship--9b686e08-558a-4d20-b113-424d2bd9caea", "relationship--937bc6e3-be67-4bea-b194-b558f2cd4d9d", "relationship--29085a0a-65db-48fa-8bc7-518d6acaf2dc", "relationship--b0343def-cd6c-437d-a8c5-48e672cc8fcc", "relationship--50a5b687-b402-4907-8b31-87ccebaf18b5", "relationship--e2ef0bbc-4164-4354-a209-9b19e512ed9c", "relationship--e4bfe0c1-8630-4397-951d-d88f70c6ecc5", "relationship--edbedf59-b949-465d-90e2-243c2884eba1", "relationship--e9f5916d-0e05-4b5b-957b-173c950e8bd5", "relationship--e394276f-9c0b-476a-bf71-7fdb67b1d189", "relationship--fd175bee-d575-4689-a751-6cafc72fff67", "relationship--e11f3644-9deb-48ec-af20-6fbc3d509e62", "relationship--2e21a7b4-08c7-4d68-b4c9-9c2ada320191", "relationship--87852f8c-f6c8-4caf-83c5-f0c2d49c4c08", "relationship--ed2ad478-2836-4b9e-8c5a-3b1051af158d", "relationship--f6bc6ed6-dad6-47fc-8d6f-171d7c88a70b", "relationship--4b2f2876-a0d5-4608-b939-6c74a76d1399", "relationship--80fd0673-071c-4503-aadc-42e7e6b121b9", "relationship--e85d5da3-ccdd-4297-90a1-fc71897c39a2", "relationship--92db459b-aa88-450a-b8f6-d3d43cf2e2df", "relationship--ef08b4af-a798-426f-87f5-d59a086654f1", "relationship--4a8b7721-b750-4cd3-8b80-4c0524f86a89", "relationship--9e47242e-d3de-4bcd-8455-6753b15a455f", "relationship--661b9022-6f13-4346-8b95-0d6b6382c034", "relationship--8b4d7cf5-a8cd-46f5-b81a-d55d71f3cd2c", "relationship--0667bbc6-816e-4940-b5cd-2e4eac6b64ea", "relationship--e5edc2b6-6670-4d8b-a9e3-96e4590563e0", "relationship--e4df6bb6-2593-4b02-953c-ae81e42055b8", "relationship--b831de79-7ef6-4519-9432-ca4dea84a8a1", "relationship--8a06c5b9-fe73-4b44-b616-c096c3b4888b", "relationship--38f00df6-fec9-4280-af04-f7b3d9b24efb", "relationship--9889338d-eb84-47cd-894b-46f7011c7ce0", "relationship--9b42b176-6417-43ed-bdf3-f5179e1320af", "relationship--85327a54-8485-4c04-b65c-d42a917143fe", "relationship--e8c2bd3c-c171-4aab-9ea7-2e0510ebd309", "relationship--d5d8bdc9-fcca-4142-9e49-92f2283c7ddb", "relationship--09daa1f5-215e-47c5-9e7e-6e5c2ad5e889", "relationship--1268bc37-fce3-403d-bd65-367001ca688b", "relationship--0b00a0ce-d854-450f-86ce-eb29a441dbd9", "relationship--112fbe36-62d0-4562-b1c2-39979933dcfc", "relationship--cbbc0316-8bf7-4c6d-a51c-a51cb012fab4", "relationship--2d51c1c4-4c74-436d-856d-62c9fe8e1539", "relationship--9034507b-beea-4529-94b2-498a3c45a2e2", "relationship--05b2f4af-6d15-4d5d-8164-d29e50e0073a", "relationship--82e36528-8dbd-43d6-91dd-c84eeebabfb3", "relationship--4d7af2e3-cae4-4f31-94ea-a91ddcd01677", "relationship--0a9f6b62-c064-46c3-aaa6-26c5b770bc1d", "relationship--6f80b27d-57e4-42c2-915d-411d5b899a11", "relationship--a6b78375-e7db-4e92-b8dd-45e347d40141", "relationship--76722b55-9a47-4008-baae-e47b50c3ac42", "relationship--0428cec9-0753-4b7e-bf91-801376c20818", "relationship--7d7cddeb-9da9-42a8-bf34-47e93610577f", "relationship--9f033e71-5878-431e-81dd-7b443704c5ff", "relationship--7c0854a5-1dd8-45ec-b26f-70a71e41b542", "relationship--4dfa64f4-a9ca-4a96-ac94-a6c9e99e1b05", "relationship--95dbf701-4f82-49fb-bf87-1e7572498796", "relationship--10aacd63-b7b7-4bbe-88ac-8a836edfdfcd", "relationship--d077be24-5acc-45e5-a27f-8a5be15f05c7", "relationship--e4405b74-8242-4b91-9d2e-a9c08cd4b2e2", "relationship--a8f0aa90-5070-4113-ae05-7bc0eaa42850", "relationship--5ab87bec-da86-4118-80c8-0bf02c901c79", "relationship--d3c88f3f-3f70-4f14-9b81-b9d06d2859c2", "relationship--178b218f-7af2-438b-9016-327b9611017d", "relationship--61a25e8d-2afc-4954-99d8-535219d514d3", "ipv4-addr--d51e1821-13e6-4763-8d14-dfa6a1f9472b", "domain-name--5a1ee7ce-cdd8-4483-b692-24f9fcec8d23", "domain-name--f26807ac-b880-4e92-9ebb-ec8072491bc8", "domain-name--125c0c9f-8761-4f2e-94b0-3e384370a0ed", "domain-name--6ce2522c-5604-4411-a748-6c3be18a9722", "domain-name--cee623e0-cf0e-48be-8489-50e55a319d1d", "domain-name--eabfa81a-57d8-4de5-95e3-0ed2f5eddbab", "domain-name--64b2598a-862d-480e-be02-697505eea1d0", "file:hashes.MD5--3cb6c385-4cbc-40bf-95ca-3144139f7037", "file:hashes.MD5--4cfeba59-d0ed-4575-8aa4-5d300c45a3c4", "file:hashes.MD5--6606c5a7-10a4-4153-b3b0-336337b84233", "file:hashes.MD5--a0ec0449-4e55-416b-aa8c-db6f96482dec", "url--d3fd6017-2a62-4e82-bd91-8a88def1648b", "domain-name--9f3587e3-aa0c-44db-9d3e-fc535c34ea05", "file:hashes.SHA-256--d176ed9c-a515-4f58-8836-a4bccec4f5a7", "file:hashes.SHA-256--79728c25-f338-4b5d-8f3c-5fb8d212ab05", "file:hashes.SHA-256--32c0fb77-026c-41fb-b3d9-9972bed501a6", "file:hashes.SHA-256--05a8cf96-0f08-415f-8ad6-03c1a9130073", "domain-name--4b7351b7-1bd4-4a1d-80b6-74589c678492", "domain-name--4418cfbc-8819-46f5-a9fc-74a22cf83152", "domain-name--b043bd4b-82df-477e-99b0-41885bdc648f", "url--4616ad19-faf8-46c3-83b7-3a709133985f", "url--f28f4d6a-763e-4455-82a0-3a919ac59bbe", "file:hashes.MD5--e1985ae2-935c-409b-8fbc-6b9ae36b708e", "file:hashes.MD5--a26387bf-7fc0-4be4-9a57-b682468ca3be", "file:hashes.MD5--b8317721-67a1-4fd4-a6fe-ff8642096158", "file:hashes.MD5--d8441f2b-671b-4d24-87d3-490cb178ac69", "file:hashes.SHA-1--af583e20-6fc9-4a3c-ba72-f83471f9ffa0", "file:hashes.SHA-1--6d9f6477-24fd-470c-b845-f18f7720787a", "file:hashes.SHA-1--1fd3d63f-c885-49f0-b957-a192fdb492cd", "file:hashes.SHA-256--e8e6245c-56f1-4bb5-bfda-17722f43a7d9", "file:hashes.SHA-256--3fbae7d5-7d34-4c81-9270-5ae5824110fb", "indicator--905e2cd5-264f-4f92-8642-797256bec8c2", "relationship--ea16190a-ac4c-413f-851d-4fdc7fb671ae", "indicator--fa0e2653-44aa-49f3-a29d-5977e4dda767", "relationship--e6e79903-5520-4520-97cf-28fb09dd61c4", "indicator--ed2d33c7-540e-4d0c-af4a-c8dca1da4a02", "relationship--c7851073-5884-45ff-8dcc-5ac76dad9e3e", "indicator--a57dd56a-eeaa-430b-94a6-941fc9008c95", "relationship--6645ccff-17b0-49c6-9aef-9c55a4f7fe6b", "indicator--90c8b1b8-1ee8-4726-a0ec-09d7f99c82cd", "relationship--ca756e9d-1b93-40ec-8dbc-4fa8d101ef1d", "indicator--d7db115e-f03b-49cb-96c0-157be693fd03", "relationship--45d89fb4-089b-4d6c-8ae7-bfbe06f39b05", "indicator--45895c4c-cbe1-4088-9620-4bd880c31723", "relationship--296699e9-5a8e-4733-a2b1-8375b7605190", "indicator--bce0937e-9aa2-4b5a-8c7e-22e0dce66d47", "relationship--f4cf02a0-df28-4915-9e2d-4bb256f35855", "indicator--f3368251-8743-4b4d-8acf-73a68e726cea", "relationship--82957367-a7af-42af-8def-f67d20b75070", "indicator--3cb20465-f712-4ee3-a956-bbfb24b734b2", "relationship--195a9e2c-35e4-40b2-82f7-beae54c47411", "indicator--7dc291c4-d72e-44ca-9da9-5e88eee7c2e2", "relationship--816f403f-2e07-4406-b53f-5b7ab3a50511", "indicator--b0294f8f-0d43-4e7b-8e30-550de0c20df1", "relationship--8055c062-2a1a-4508-9ca8-f76836021bde", "indicator--ab65e1f5-aaa6-44f3-8a28-deadb7137aac", "relationship--84ec66f6-9739-4777-aef3-39587beaefa9", "indicator--77a03a51-c8a9-4106-87e7-4aea237aaf22", "relationship--35b7833e-ac4e-48cb-940c-fa4e23245baa", "indicator--bb33c6a1-2a98-4fb6-820c-6f6e3bd322f5", "relationship--10b4b1c4-3e62-4858-88c2-36a5b3cffb9a" ], "labels": [ "threat-report", "threat-intelligence" ], "created_by_ref": "identity--79aab1ba-13e4-4aa3-a218-a40c2d21c6da", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.089Z", "modified": "2025-12-02T13:06:02.089Z", "confidence": 95, "type": "malware", "id": "malware--80a624ef-749e-4989-8aec-e572082cd049", "name": "Albiriox", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "description": "Albiriox is a type of Android malware that is sold as a service on Russian-speaking cybercrime forums, enabling on-device fraud and real-time control. It is a relatively new malware family that has been observed in recent attacks, and its capabilities and behavior are still being tracked and analyzed by security researchers.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.090Z", "modified": "2025-12-02T13:06:02.090Z", "confidence": 95, "type": "identity", "id": "identity--d48d0179-a8bc-4c9e-89ef-4347fcbce1fa", "name": "Barracuda", "identity_class": "organization", "labels": [ "identity" ], "description": "Barracuda is a cybersecurity company that provides innovative solutions and AI-powered platforms to protect against cyber threats.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.090Z", "modified": "2025-12-02T13:06:02.090Z", "confidence": 95, "type": "identity", "id": "identity--ae4d5f46-29c5-40ae-842b-378abf057c12", "name": "Microsoft", "identity_class": "organization", "labels": [ "identity" ], "description": "Microsoft is a multinational technology company that develops, manufactures, licenses, and supports a wide range of software products, services, and devices.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.090Z", "modified": "2025-12-02T13:06:02.090Z", "confidence": 95, "type": "identity", "id": "identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396", "name": "Google", "identity_class": "organization", "labels": [ "identity" ], "description": "Google is a multinational technology company specializing in Internet-related services and products, including search engines, online advertising technologies, cloud computing, and software development.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.090Z", "modified": "2025-12-02T13:06:02.090Z", "confidence": 95, "type": "identity", "id": "identity--b297639a-5ada-4e55-801d-789bd310d4d7", "name": "Kaspersky Security Network", "identity_class": "organization", "labels": [ "identity" ], "description": "Kaspersky Security Network is a global cloud service that collects and analyzes voluntary data from Kaspersky security solutions to provide threat intelligence and improve protection for users.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.090Z", "modified": "2025-12-02T13:06:02.090Z", "confidence": 95, "type": "identity", "id": "identity--19a47e75-bfa8-4832-b1dd-4959d7d4a190", "name": "Kaspersky", "identity_class": "organization", "labels": [ "identity" ], "description": "Kaspersky is a cybersecurity company that provides security solutions and services to protect users from various types of cyber threats.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.090Z", "modified": "2025-12-02T13:06:02.090Z", "confidence": 95, "type": "malware", "id": "malware--6f646094-517f-45d1-b0f6-26286f9a5e1a", "name": "Tencent TFace", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "description": "Tencent TFace is a remote access trojan (RAT) used for malicious activities such as data theft and espionage.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.091Z", "modified": "2025-12-02T13:06:02.091Z", "confidence": 75, "type": "vulnerability", "id": "vulnerability--6f32454a-ddb9-4b87-98bf-ebee833c8559", "name": "CVE-2025-48633", "description": "The zero-days — CVE-2025-48633 and CVE-2025-48572 — are both high-severity defects affecting the Android framework, w...", "x_cvss_severity": "Unknown", "x_kev_status": false, "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-48633", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48633" }, { "source_name": "nvd", "external_id": "CVE-2025-48633", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48633" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.091Z", "modified": "2025-12-02T13:06:02.091Z", "confidence": 95, "type": "tool", "id": "tool--42473651-581a-4ecc-979b-2d59101555ea", "name": "Tencent NeuralNLP-NeuralClassifier", "tool_types": [ "unknown" ], "labels": [ "tool" ], "description": "Tencent NeuralNLP-NeuralClassifier is a natural language processing (NLP) tool used for text classification and sentiment analysis.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.091Z", "modified": "2025-12-02T13:06:02.091Z", "confidence": 95, "type": "identity", "id": "identity--a4e59e2d-b078-4a28-8d7b-c257534cf291", "name": "Reuters", "identity_class": "organization", "labels": [ "identity" ], "description": "Reuters is a global news agency providing news, financial data, and media services to various industries and the general public.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.091Z", "modified": "2025-12-02T13:06:02.091Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "name": "ShadyPanda", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "description": "ShadyPanda is a threat actor known for a seven-year-long browser extension campaign that has amassed over 4.3 million installations. They utilize malicious browser extensions to compromise user data and conduct various malicious activities.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.091Z", "modified": "2025-12-02T13:06:02.091Z", "confidence": 95, "type": "identity", "id": "identity--37dc1158-1022-431f-8013-9b80ea54da43", "name": "Coupang", "identity_class": "unknown", "labels": [ "identity" ], "description": "Coupang is a South Korean e-commerce company, founded in 2010. It operates the largest e-commerce platform in South Korea and offers services such as online shopping, logistics, and payments. In the context provided, it was reported that 33.7 million personal records were stolen from Coupang.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.091Z", "modified": "2025-12-02T13:06:02.091Z", "confidence": 95, "type": "identity", "id": "identity--5a84b94b-2a59-4751-b3a0-ab433bbeb1f9", "name": "the Federal Trade Commission", "identity_class": "organization", "labels": [ "organization" ], "description": "The Federal Trade Commission (FTC) is an independent U.S. government agency responsible for consumer protection and promoting competition. In the context provided, the FTC is involved in a data security agreement with Illinois-based Illuminate Education following a 2021 network breach.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.092Z", "modified": "2025-12-02T13:06:02.092Z", "confidence": 75, "type": "vulnerability", "id": "vulnerability--c14c749a-2b70-4d91-8e1d-26ec90a2efb2", "name": "CVE-2025-61260", "description": "The Codex CLI vulnerability tracked as CVE-2025-61260 can be exploited for command execution.", "x_cvss_severity": "Unknown", "x_kev_status": false, "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-61260", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61260" }, { "source_name": "nvd", "external_id": "CVE-2025-61260", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61260" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.092Z", "modified": "2025-12-02T13:06:02.092Z", "confidence": 95, "type": "identity", "id": "identity--9cdea25f-1e87-4a1e-a12b-7eb87bb37d6a", "name": "knowbe4", "identity_class": "organization", "labels": [ "identity" ], "description": "Knowbe4 is a cybersecurity awareness training and simulated phishing platform that helps organizations educate employees on cybersecurity best practices and prevent phishing attacks.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.092Z", "modified": "2025-12-02T13:06:02.092Z", "confidence": 95, "type": "identity", "id": "identity--06fed243-5d01-4daa-8c82-77363abbcfca", "name": "ninjio", "identity_class": "organization", "labels": [ "identity" ], "description": "Ninjio is a cybersecurity awareness training platform that provides interactive and engaging content to educate employees on various security threats and best practices.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.092Z", "modified": "2025-12-02T13:06:02.092Z", "confidence": 95, "type": "identity", "id": "identity--a46e663a-8e9f-4dbd-b12b-8e7de5526190", "name": "Entra ID", "identity_class": "organization", "labels": [ "identity" ], "description": "Entra ID is a cloud-based identity and access management (IAM) solution that provides secure authentication, authorization, and governance for users and applications across multiple environments.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.092Z", "modified": "2025-12-02T13:06:02.092Z", "confidence": 95, "type": "identity", "id": "identity--5de82384-6f20-42e6-af03-cf8ea7a92a4c", "name": "Takeaways Barracuda Email Protection", "identity_class": "organization", "labels": [ "identity" ], "description": "Barracuda Email Protection is a comprehensive email security solution that provides advanced threat protection, detection, and response capabilities to safeguard against email-based attacks and data breaches.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.092Z", "modified": "2025-12-02T13:06:02.092Z", "confidence": 95, "type": "identity", "id": "identity--3a3c0bca-dfaf-4a64-b34f-394c109c6302", "name": "Europol", "identity_class": "organization", "labels": [ "organization" ], "description": "Europol is an international law enforcement agency based in The Hague, Netherlands. Europol supports and coordinates law enforcement efforts of its member states to ensure a safer Europe. It is primarily focused on preventing and combating transnational crime.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.092Z", "modified": "2025-12-02T13:06:02.092Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "name": "APT36", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "description": "APT36 is a cyberespionage group known for its sophisticated attacks on government institutions. They have been observed using Python-based ELF malware to target Linux-based BOSS operating environments, showcasing their advanced capabilities and adaptability in the cyber threat landscape.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.092Z", "modified": "2025-12-02T13:06:02.092Z", "confidence": 95, "type": "malware", "id": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "name": "ELF malware", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "description": "ELF malware is a type of malware that targets Linux-based systems, specifically the BOSS operating environment. It is used by APT36, a cyberespionage group, to escalate their campaigns against government institutions. The malware is written in Python and is designed to exploit vulnerabilities in the target system.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.092Z", "modified": "2025-12-02T13:06:02.092Z", "confidence": 75, "type": "vulnerability", "id": "vulnerability--84b54ab3-85ed-44d8-997a-3e036f851771", "name": "CVE-2025-48572", "description": "The zero-days — CVE-2025-48633 and CVE-2025-48572 — are both high-severity defects affecting the Android framework, w...", "x_cvss_severity": "Unknown", "x_kev_status": false, "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-48572", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48572" }, { "source_name": "nvd", "external_id": "CVE-2025-48572", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48572" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.092Z", "modified": "2025-12-02T13:06:02.093Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "name": "Exploit Public-Facing Application", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1190", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1190/", "external_id": "T1190" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.093Z", "modified": "2025-12-02T13:06:02.093Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "name": "Exploitation for Client Execution", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1203", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1203/", "external_id": "T1203" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.093Z", "modified": "2025-12-02T13:06:02.093Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "name": "Command and Scripting Interpreter", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1059", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1059/", "external_id": "T1059" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.093Z", "modified": "2025-12-02T13:06:02.093Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "name": "Spearphishing Attachment", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/001/", "external_id": "T1566.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.093Z", "modified": "2025-12-02T13:06:02.093Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "name": "Spearphishing Link", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/002/", "external_id": "T1566.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.093Z", "modified": "2025-12-02T13:06:02.093Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "name": "Spearphishing via Service", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.003", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/003/", "external_id": "T1566.003" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.093Z", "modified": "2025-12-02T13:06:02.093Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--b374db85-3cb3-4563-9bae-4cc47462a31c", "name": "Masquerading", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "x_mitre_id": "T1036", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1036/", "external_id": "T1036" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.093Z", "modified": "2025-12-02T13:06:02.093Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "name": "Vulnerabilities", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1588.006", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1588/006/", "external_id": "T1588.006" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.093Z", "modified": "2025-12-02T13:06:02.093Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--21d89a99-5a37-4e50-86cf-7a292fac5a60", "name": "Evil Twin", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1557.004", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1557/004/", "external_id": "T1557.004" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.093Z", "modified": "2025-12-02T13:06:02.093Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--80699ba5-409d-4de2-be13-f6bb5ce88584", "name": "Wi-Fi Discovery", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_id": "T1016.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1016/002/", "external_id": "T1016.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.093Z", "modified": "2025-12-02T13:06:02.093Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--58a606c1-b0f9-4046-a51e-db21f3a8b719", "name": "Wi-Fi Networks", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1669", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1669/", "external_id": "T1669" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.093Z", "modified": "2025-12-02T13:06:02.093Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e", "name": "Browser Extensions", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1176.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1176/001/", "external_id": "T1176.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.093Z", "modified": "2025-12-02T13:06:02.093Z", "confidence": 82, "type": "attack-pattern", "id": "attack-pattern--72db7478-d5a9-49e4-90ad-880735fc5b3f", "name": "Video Capture", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1125", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1125/", "external_id": "T1125" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.093Z", "modified": "2025-12-02T13:06:02.093Z", "confidence": 72, "type": "attack-pattern", "id": "attack-pattern--da82a474-3eb8-46ae-af12-cd8d8a29ed4d", "name": "Email Accounts", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1586.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1586/002/", "external_id": "T1586.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.094Z", "modified": "2025-12-02T13:06:02.094Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "name": "Archive via Utility", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1560.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1560/001/", "external_id": "T1560.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.094Z", "modified": "2025-12-02T13:06:02.094Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "name": "Screen Capture", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1113", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1113/", "external_id": "T1113" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.094Z", "modified": "2025-12-02T13:06:02.094Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "name": "Adversary-in-the-Middle", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1557", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1557/", "external_id": "T1557" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.094Z", "modified": "2025-12-02T13:06:02.094Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea", "name": "Scheduled Task", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1053.005", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1053/005/", "external_id": "T1053.005" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.094Z", "modified": "2025-12-02T13:06:02.094Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1", "name": "Socket Filters", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "x_mitre_id": "T1205.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1205/002/", "external_id": "T1205.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.094Z", "modified": "2025-12-02T13:06:02.094Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530", "name": "Malicious Shell Modification", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1156", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1156/", "external_id": "T1156" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.094Z", "modified": "2025-12-02T13:06:02.094Z", "confidence": 69, "type": "attack-pattern", "id": "attack-pattern--26d99677-799b-44ed-bc54-5fef76cbc72c", "name": "Outlook Home Page", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1137.004", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1137/004/", "external_id": "T1137.004" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-02T13:06:02.094Z", "modified": "2025-12-02T13:06:02.094Z", "confidence": 67, "type": "attack-pattern", "id": "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d", "name": "Search Threat Vendor Data", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_id": "T1681", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1681/", "external_id": "T1681" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--85272939-5b7c-47b7-81bc-0cf1272b1eff", "created": "2025-12-02T13:06:02.094Z", "modified": "2025-12-02T13:06:02.094Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7375f8b6-901f-4db2-92ec-aa442e16fe1d", "created": "2025-12-02T13:06:02.094Z", "modified": "2025-12-02T13:06:02.094Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--077d2898-e7d9-4bec-a55f-ff9b9487bb4a", "created": "2025-12-02T13:06:02.094Z", "modified": "2025-12-02T13:06:02.094Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d83d31bf-6453-418e-bee3-b25c9b729ba4", "created": "2025-12-02T13:06:02.094Z", "modified": "2025-12-02T13:06:02.094Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7f954b3b-ebd3-4a8a-8503-662536e45a5b", "created": "2025-12-02T13:06:02.094Z", "modified": "2025-12-02T13:06:02.094Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1c52f172-b73e-4770-89c8-cb87b62888ea", "created": "2025-12-02T13:06:02.094Z", "modified": "2025-12-02T13:06:02.094Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a45fb41e-e71b-469a-8ed2-d0594f6b0784", "created": "2025-12-02T13:06:02.094Z", "modified": "2025-12-02T13:06:02.094Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--b374db85-3cb3-4563-9bae-4cc47462a31c", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Masquerading (T1036) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9c6d473f-f493-4c9b-90eb-dc764f30bb91", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Vulnerabilities (T1588.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b2be1c83-9c5f-4ba5-88a1-e99b99fbfd34", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--21d89a99-5a37-4e50-86cf-7a292fac5a60", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Evil Twin (T1557.004) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--878ae0bb-b34a-4b10-a29e-87682d037590", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--80699ba5-409d-4de2-be13-f6bb5ce88584", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Wi-Fi Discovery (T1016.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--055a5313-571b-4442-a1f8-f9ae065b5aaa", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--58a606c1-b0f9-4046-a51e-db21f3a8b719", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Wi-Fi Networks (T1669) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--81005d9b-9b1f-4db3-a2e3-ee2925806776", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Browser Extensions (T1176.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7ae70229-93b1-4f5f-9af4-811c5e92ab30", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--72db7478-d5a9-49e4-90ad-880735fc5b3f", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Video Capture (T1125) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--49cae409-8621-411c-b1b5-b2faaeaa3c97", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--da82a474-3eb8-46ae-af12-cd8d8a29ed4d", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Email Accounts (T1586.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ad625dd7-f82f-4b1c-a4a4-be822c626e4e", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f316af36-63a3-4dc3-b8e4-45a1d40f8028", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--83130822-2b95-4d87-8025-4fb7138d8352", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--98f6ce4f-89f0-4538-9185-727d3d01d287", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4f7f7ac9-403a-44af-be4b-a673c088dabe", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Socket Filters (T1205.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9c357ced-f047-4b14-aa33-b491fdcd8344", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Malicious Shell Modification (T1156) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d1cee0d2-5e3f-4214-b74b-a9582aa2d341", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--26d99677-799b-44ed-bc54-5fef76cbc72c", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Outlook Home Page (T1137.004) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e10113bc-5c07-4dc7-a936-ab1ca888e452", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Search Threat Vendor Data (T1681) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f76db101-a78d-41cc-bafb-9d29c220b156", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "confidence": 60, "description": "Co-occurrence: APT36 and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--accafb09-f653-481b-8cda-8281f79f049d", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "confidence": 60, "description": "Co-occurrence: APT36 and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9b686e08-558a-4d20-b113-424d2bd9caea", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 60, "description": "Co-occurrence: APT36 and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--937bc6e3-be67-4bea-b194-b558f2cd4d9d", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 60, "description": "Co-occurrence: APT36 and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--29085a0a-65db-48fa-8bc7-518d6acaf2dc", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "confidence": 60, "description": "Co-occurrence: APT36 and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b0343def-cd6c-437d-a8c5-48e672cc8fcc", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "confidence": 60, "description": "Co-occurrence: APT36 and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--50a5b687-b402-4907-8b31-87ccebaf18b5", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--b374db85-3cb3-4563-9bae-4cc47462a31c", "confidence": 60, "description": "Co-occurrence: APT36 and Masquerading (T1036) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e2ef0bbc-4164-4354-a209-9b19e512ed9c", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "confidence": 60, "description": "Co-occurrence: APT36 and Vulnerabilities (T1588.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e4bfe0c1-8630-4397-951d-d88f70c6ecc5", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--21d89a99-5a37-4e50-86cf-7a292fac5a60", "confidence": 60, "description": "Co-occurrence: APT36 and Evil Twin (T1557.004) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--edbedf59-b949-465d-90e2-243c2884eba1", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--80699ba5-409d-4de2-be13-f6bb5ce88584", "confidence": 60, "description": "Co-occurrence: APT36 and Wi-Fi Discovery (T1016.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e9f5916d-0e05-4b5b-957b-173c950e8bd5", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--58a606c1-b0f9-4046-a51e-db21f3a8b719", "confidence": 60, "description": "Co-occurrence: APT36 and Wi-Fi Networks (T1669) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e394276f-9c0b-476a-bf71-7fdb67b1d189", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e", "confidence": 60, "description": "Co-occurrence: APT36 and Browser Extensions (T1176.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fd175bee-d575-4689-a751-6cafc72fff67", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--72db7478-d5a9-49e4-90ad-880735fc5b3f", "confidence": 60, "description": "Co-occurrence: APT36 and Video Capture (T1125) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e11f3644-9deb-48ec-af20-6fbc3d509e62", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--da82a474-3eb8-46ae-af12-cd8d8a29ed4d", "confidence": 60, "description": "Co-occurrence: APT36 and Email Accounts (T1586.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2e21a7b4-08c7-4d68-b4c9-9c2ada320191", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "confidence": 60, "description": "Co-occurrence: APT36 and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--87852f8c-f6c8-4caf-83c5-f0c2d49c4c08", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "confidence": 60, "description": "Co-occurrence: APT36 and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ed2ad478-2836-4b9e-8c5a-3b1051af158d", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "confidence": 60, "description": "Co-occurrence: APT36 and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f6bc6ed6-dad6-47fc-8d6f-171d7c88a70b", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea", "confidence": 60, "description": "Co-occurrence: APT36 and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4b2f2876-a0d5-4608-b939-6c74a76d1399", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1", "confidence": 60, "description": "Co-occurrence: APT36 and Socket Filters (T1205.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--80fd0673-071c-4503-aadc-42e7e6b121b9", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530", "confidence": 60, "description": "Co-occurrence: APT36 and Malicious Shell Modification (T1156) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e85d5da3-ccdd-4297-90a1-fc71897c39a2", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--26d99677-799b-44ed-bc54-5fef76cbc72c", "confidence": 60, "description": "Co-occurrence: APT36 and Outlook Home Page (T1137.004) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--92db459b-aa88-450a-b8f6-d3d43cf2e2df", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "threat-actor--728797a2-0e03-43c4-91ad-f4ad229e9499", "target_ref": "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d", "confidence": 60, "description": "Co-occurrence: APT36 and Search Threat Vendor Data (T1681) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ef08b4af-a798-426f-87f5-d59a086654f1", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "confidence": 55, "description": "Co-occurrence: Albiriox and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4a8b7721-b750-4cd3-8b80-4c0524f86a89", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "confidence": 55, "description": "Co-occurrence: Albiriox and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9e47242e-d3de-4bcd-8455-6753b15a455f", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 55, "description": "Co-occurrence: Albiriox and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--661b9022-6f13-4346-8b95-0d6b6382c034", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 55, "description": "Co-occurrence: Albiriox and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8b4d7cf5-a8cd-46f5-b81a-d55d71f3cd2c", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "confidence": 55, "description": "Co-occurrence: Albiriox and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0667bbc6-816e-4940-b5cd-2e4eac6b64ea", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "confidence": 55, "description": "Co-occurrence: Albiriox and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e5edc2b6-6670-4d8b-a9e3-96e4590563e0", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--b374db85-3cb3-4563-9bae-4cc47462a31c", "confidence": 55, "description": "Co-occurrence: Albiriox and Masquerading (T1036) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e4df6bb6-2593-4b02-953c-ae81e42055b8", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "confidence": 55, "description": "Co-occurrence: Albiriox and Vulnerabilities (T1588.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b831de79-7ef6-4519-9432-ca4dea84a8a1", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--21d89a99-5a37-4e50-86cf-7a292fac5a60", "confidence": 55, "description": "Co-occurrence: Albiriox and Evil Twin (T1557.004) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8a06c5b9-fe73-4b44-b616-c096c3b4888b", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--80699ba5-409d-4de2-be13-f6bb5ce88584", "confidence": 55, "description": "Co-occurrence: Albiriox and Wi-Fi Discovery (T1016.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--38f00df6-fec9-4280-af04-f7b3d9b24efb", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--58a606c1-b0f9-4046-a51e-db21f3a8b719", "confidence": 55, "description": "Co-occurrence: Albiriox and Wi-Fi Networks (T1669) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9889338d-eb84-47cd-894b-46f7011c7ce0", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e", "confidence": 55, "description": "Co-occurrence: Albiriox and Browser Extensions (T1176.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9b42b176-6417-43ed-bdf3-f5179e1320af", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--72db7478-d5a9-49e4-90ad-880735fc5b3f", "confidence": 55, "description": "Co-occurrence: Albiriox and Video Capture (T1125) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--85327a54-8485-4c04-b65c-d42a917143fe", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--da82a474-3eb8-46ae-af12-cd8d8a29ed4d", "confidence": 55, "description": "Co-occurrence: Albiriox and Email Accounts (T1586.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e8c2bd3c-c171-4aab-9ea7-2e0510ebd309", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "confidence": 55, "description": "Co-occurrence: Albiriox and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d5d8bdc9-fcca-4142-9e49-92f2283c7ddb", "created": "2025-12-02T13:06:02.095Z", "modified": "2025-12-02T13:06:02.095Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "confidence": 55, "description": "Co-occurrence: Albiriox and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--09daa1f5-215e-47c5-9e7e-6e5c2ad5e889", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "confidence": 55, "description": "Co-occurrence: Albiriox and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1268bc37-fce3-403d-bd65-367001ca688b", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea", "confidence": 55, "description": "Co-occurrence: Albiriox and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0b00a0ce-d854-450f-86ce-eb29a441dbd9", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1", "confidence": 55, "description": "Co-occurrence: Albiriox and Socket Filters (T1205.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--112fbe36-62d0-4562-b1c2-39979933dcfc", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530", "confidence": 55, "description": "Co-occurrence: Albiriox and Malicious Shell Modification (T1156) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cbbc0316-8bf7-4c6d-a51c-a51cb012fab4", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--26d99677-799b-44ed-bc54-5fef76cbc72c", "confidence": 55, "description": "Co-occurrence: Albiriox and Outlook Home Page (T1137.004) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2d51c1c4-4c74-436d-856d-62c9fe8e1539", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--80a624ef-749e-4989-8aec-e572082cd049", "target_ref": "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d", "confidence": 55, "description": "Co-occurrence: Albiriox and Search Threat Vendor Data (T1681) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9034507b-beea-4529-94b2-498a3c45a2e2", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "confidence": 55, "description": "Co-occurrence: ELF malware and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--05b2f4af-6d15-4d5d-8164-d29e50e0073a", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "confidence": 55, "description": "Co-occurrence: ELF malware and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--82e36528-8dbd-43d6-91dd-c84eeebabfb3", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 55, "description": "Co-occurrence: ELF malware and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4d7af2e3-cae4-4f31-94ea-a91ddcd01677", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 55, "description": "Co-occurrence: ELF malware and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0a9f6b62-c064-46c3-aaa6-26c5b770bc1d", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "confidence": 55, "description": "Co-occurrence: ELF malware and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6f80b27d-57e4-42c2-915d-411d5b899a11", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "confidence": 55, "description": "Co-occurrence: ELF malware and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a6b78375-e7db-4e92-b8dd-45e347d40141", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--b374db85-3cb3-4563-9bae-4cc47462a31c", "confidence": 55, "description": "Co-occurrence: ELF malware and Masquerading (T1036) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--76722b55-9a47-4008-baae-e47b50c3ac42", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "confidence": 55, "description": "Co-occurrence: ELF malware and Vulnerabilities (T1588.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0428cec9-0753-4b7e-bf91-801376c20818", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--21d89a99-5a37-4e50-86cf-7a292fac5a60", "confidence": 55, "description": "Co-occurrence: ELF malware and Evil Twin (T1557.004) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7d7cddeb-9da9-42a8-bf34-47e93610577f", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--80699ba5-409d-4de2-be13-f6bb5ce88584", "confidence": 55, "description": "Co-occurrence: ELF malware and Wi-Fi Discovery (T1016.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9f033e71-5878-431e-81dd-7b443704c5ff", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--58a606c1-b0f9-4046-a51e-db21f3a8b719", "confidence": 55, "description": "Co-occurrence: ELF malware and Wi-Fi Networks (T1669) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7c0854a5-1dd8-45ec-b26f-70a71e41b542", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e", "confidence": 55, "description": "Co-occurrence: ELF malware and Browser Extensions (T1176.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4dfa64f4-a9ca-4a96-ac94-a6c9e99e1b05", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--72db7478-d5a9-49e4-90ad-880735fc5b3f", "confidence": 55, "description": "Co-occurrence: ELF malware and Video Capture (T1125) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--95dbf701-4f82-49fb-bf87-1e7572498796", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--da82a474-3eb8-46ae-af12-cd8d8a29ed4d", "confidence": 55, "description": "Co-occurrence: ELF malware and Email Accounts (T1586.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--10aacd63-b7b7-4bbe-88ac-8a836edfdfcd", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "confidence": 55, "description": "Co-occurrence: ELF malware and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d077be24-5acc-45e5-a27f-8a5be15f05c7", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "confidence": 55, "description": "Co-occurrence: ELF malware and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e4405b74-8242-4b91-9d2e-a9c08cd4b2e2", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "confidence": 55, "description": "Co-occurrence: ELF malware and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a8f0aa90-5070-4113-ae05-7bc0eaa42850", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea", "confidence": 55, "description": "Co-occurrence: ELF malware and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5ab87bec-da86-4118-80c8-0bf02c901c79", "created": "2025-12-02T13:06:02.096Z", "modified": "2025-12-02T13:06:02.096Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1", "confidence": 55, "description": "Co-occurrence: ELF malware and Socket Filters (T1205.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d3c88f3f-3f70-4f14-9b81-b9d06d2859c2", "created": "2025-12-02T13:06:02.097Z", "modified": "2025-12-02T13:06:02.097Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530", "confidence": 55, "description": "Co-occurrence: ELF malware and Malicious Shell Modification (T1156) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--178b218f-7af2-438b-9016-327b9611017d", "created": "2025-12-02T13:06:02.097Z", "modified": "2025-12-02T13:06:02.097Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--26d99677-799b-44ed-bc54-5fef76cbc72c", "confidence": 55, "description": "Co-occurrence: ELF malware and Outlook Home Page (T1137.004) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--61a25e8d-2afc-4954-99d8-535219d514d3", "created": "2025-12-02T13:06:02.097Z", "modified": "2025-12-02T13:06:02.097Z", "relationship_type": "uses", "source_ref": "malware--d097cd3f-9b9a-42d6-94da-62ec1a17e6dd", "target_ref": "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d", "confidence": 55, "description": "Co-occurrence: ELF malware and Search Threat Vendor Data (T1681) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "ipv4-addr", "value": "194.32.79.94", "source": "OTX", "malware_family": "Albiriox", "pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover", "id": "ipv4-addr--d51e1821-13e6-4763-8d14-dfa6a1f9472b" }, { "type": "domain-name", "value": "google-aplication.download", "source": "OTX", "malware_family": "Albiriox", "pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover", "id": "domain-name--5a1ee7ce-cdd8-4483-b692-24f9fcec8d23" }, { "type": "domain-name", "value": "google-app-download.download", "source": "OTX", "malware_family": "Albiriox", "pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover", "id": "domain-name--f26807ac-b880-4e92-9ebb-ec8072491bc8" }, { "type": "domain-name", "value": "google-app-get.com", "source": "OTX", "malware_family": "Albiriox", "pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover", "id": "domain-name--125c0c9f-8761-4f2e-94b0-3e384370a0ed" }, { "type": "domain-name", "value": "google-app-install.com", "source": "OTX", "malware_family": "Albiriox", "pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover", "id": "domain-name--6ce2522c-5604-4411-a748-6c3be18a9722" }, { "type": "domain-name", "value": "google-get-app.com", "source": "OTX", "malware_family": "Albiriox", "pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover", "id": "domain-name--cee623e0-cf0e-48be-8489-50e55a319d1d" }, { "type": "domain-name", "value": "google-get.download", "source": "OTX", "malware_family": "Albiriox", "pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover", "id": "domain-name--eabfa81a-57d8-4de5-95e3-0ed2f5eddbab" }, { "type": "domain-name", "value": "play.google-get.store", "source": "OTX", "malware_family": "Albiriox", "pulse_name": "Albiriox Malware Targets Android Users for Full Device Takeover", "id": "domain-name--64b2598a-862d-480e-be02-697505eea1d0" }, { "type": "file:hashes.MD5", "value": "61b59eb41c0ae7fc94f800812860b22a", "source": "OTX", "malware_family": "Albiriox", "pulse_name": "Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets", "id": "file:hashes.MD5--3cb6c385-4cbc-40bf-95ca-3144139f7037" }, { "type": "file:hashes.MD5", "value": "b6bae028ce6b0eff784de1c5e766ee33", "source": "OTX", "malware_family": "Albiriox", "pulse_name": "Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets", "id": "file:hashes.MD5--4cfeba59-d0ed-4575-8aa4-5d300c45a3c4" }, { "type": "file:hashes.MD5", "value": "f09b82182a5935a27566cdb570ce668f", "source": "OTX", "malware_family": "Albiriox", "pulse_name": "Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets", "id": "file:hashes.MD5--6606c5a7-10a4-4153-b3b0-336337b84233" }, { "type": "file:hashes.MD5", "value": "f5b501e3d766f3024eb532893acc8c6c", "source": "OTX", "malware_family": "Albiriox", "pulse_name": "Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets", "id": "file:hashes.MD5--a0ec0449-4e55-416b-aa8c-db6f96482dec" }, { "type": "url", "value": "http://121.12.173.173:9521", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "New ELF malware on Shellshock: the ChinaZ", "id": "url--d3fd6017-2a62-4e82-bd91-8a88def1648b" }, { "type": "domain-name", "value": "aa.gm352.com", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "New ELF malware on Shellshock: the ChinaZ", "id": "domain-name--9f3587e3-aa0c-44db-9d3e-fc535c34ea05" }, { "type": "file:hashes.SHA-256", "value": "b337162fbaab9bb910fd9d03cafafafba91525b22a3658baed6bf15e58271b7e", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "New ELF malware on Shellshock: the ChinaZ", "id": "file:hashes.SHA-256--d176ed9c-a515-4f58-8836-a4bccec4f5a7" }, { "type": "file:hashes.SHA-256", "value": "069fe64f235d46a1f89b26f273f509af98ee4a59d60ee358c66b1ea60666aecb", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Trapwot Scareware Activity Spikes in April", "id": "file:hashes.SHA-256--79728c25-f338-4b5d-8f3c-5fb8d212ab05" }, { "type": "file:hashes.SHA-256", "value": "26285f4d32235ea966824e662d694de41bdebe5d28d5041df902848380f8ce8b", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Trapwot Scareware Activity Spikes in April", "id": "file:hashes.SHA-256--32c0fb77-026c-41fb-b3d9-9972bed501a6" }, { "type": "file:hashes.SHA-256", "value": "cbd7570974525a833589b29463a694bdaa9be8a7563ce828f2c8072354dcd731", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Trapwot Scareware Activity Spikes in April", "id": "file:hashes.SHA-256--05a8cf96-0f08-415f-8ad6-03c1a9130073" }, { "type": "domain-name", "value": "mastertodayversion.eu", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Trapwot Scareware Activity Spikes in April", "id": "domain-name--4b7351b7-1bd4-4a1d-80b6-74589c678492" }, { "type": "domain-name", "value": "kashbox.ru", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Trapwot Scareware Activity Spikes in April", "id": "domain-name--4418cfbc-8819-46f5-a9fc-74a22cf83152" }, { "type": "domain-name", "value": "updatemarketltd.in", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Trapwot Scareware Activity Spikes in April", "id": "domain-name--b043bd4b-82df-477e-99b0-41885bdc648f" }, { "type": "url", "value": "http://kashbox.ru/wat/wat.exe", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Trapwot Scareware Activity Spikes in April", "id": "url--4616ad19-faf8-46c3-83b7-3a709133985f" }, { "type": "url", "value": "http://181.112.55.130/wat/wat.exe", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Trapwot Scareware Activity Spikes in April", "id": "url--f28f4d6a-763e-4455-82a0-3a919ac59bbe" }, { "type": "file:hashes.MD5", "value": "924b94b8432296662b708bcea9f377ad", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Trapwot Scareware Activity Spikes in April", "id": "file:hashes.MD5--e1985ae2-935c-409b-8fbc-6b9ae36b708e" }, { "type": "file:hashes.MD5", "value": "548621bc51c9415ebaba30e0a9c1d8bb", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Trapwot Scareware Activity Spikes in April", "id": "file:hashes.MD5--a26387bf-7fc0-4be4-9a57-b682468ca3be" }, { "type": "file:hashes.MD5", "value": "502360b810b84aa06c1c6dda35aa8be0", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Trapwot Scareware Activity Spikes in April", "id": "file:hashes.MD5--b8317721-67a1-4fd4-a6fe-ff8642096158" }, { "type": "file:hashes.MD5", "value": "9f3ab8fb7d2fa7a468fdfd950471c251", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Trapwot Scareware Activity Spikes in April", "id": "file:hashes.MD5--d8441f2b-671b-4d24-87d3-490cb178ac69" }, { "type": "file:hashes.SHA-1", "value": "d84e62cccb831b6c90186034262f9794e4be0e8f", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Trapwot Scareware Activity Spikes in April", "id": "file:hashes.SHA-1--af583e20-6fc9-4a3c-ba72-f83471f9ffa0" }, { "type": "file:hashes.SHA-1", "value": "96a5e3f30b983847cce5452c12ab07d8efb46f12", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Trapwot Scareware Activity Spikes in April", "id": "file:hashes.SHA-1--6d9f6477-24fd-470c-b845-f18f7720787a" }, { "type": "file:hashes.SHA-1", "value": "6c9449f90ec155581dd18b238c7ffeb96279f187", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Trapwot Scareware Activity Spikes in April", "id": "file:hashes.SHA-1--1fd3d63f-c885-49f0-b957-a192fdb492cd" }, { "type": "file:hashes.SHA-256", "value": "710960677066beba4db33a62e59d069676ffce4a01e63dc968ad7446158f55d6", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Grabit and the RATs", "id": "file:hashes.SHA-256--e8e6245c-56f1-4bb5-bfda-17722f43a7d9" }, { "type": "file:hashes.SHA-256", "value": "9b48a2e82d8a82c1717f135fa750ba774403e972b6edb2a522f9870bed57e72a", "source": "OTX", "malware_family": "ELF malware", "pulse_name": "Grabit and the RATs", "id": "file:hashes.SHA-256--3fbae7d5-7d34-4c81-9270-5ae5824110fb" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--905e2cd5-264f-4f92-8642-797256bec8c2", "created": "2025-12-02T13:05:38.635Z", "modified": "2025-12-02T13:05:38.635Z", "name": "Malicious ipv4-addr indicator", "description": "Malicious ipv4-addr identified in threat intelligence", "pattern": "[ipv4-addr:value = '194.32.79.94']", "pattern_type": "stix", "valid_from": "2025-12-02T13:05:38.635Z", "labels": [ "malicious-activity" ], "confidence": 65 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ea16190a-ac4c-413f-851d-4fdc7fb671ae", "created": "2025-12-02T13:05:38.635Z", "modified": "2025-12-02T13:05:38.635Z", "relationship_type": "based-on", "source_ref": "indicator--905e2cd5-264f-4f92-8642-797256bec8c2", "target_ref": "ipv4-addr--d51e1821-13e6-4763-8d14-dfa6a1f9472b" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fa0e2653-44aa-49f3-a29d-5977e4dda767", "created": "2025-12-02T13:05:38.705Z", "modified": "2025-12-02T13:05:38.705Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'google-aplication.download']", "pattern_type": "stix", "valid_from": "2025-12-02T13:05:38.705Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e6e79903-5520-4520-97cf-28fb09dd61c4", "created": "2025-12-02T13:05:38.705Z", "modified": "2025-12-02T13:05:38.705Z", "relationship_type": "based-on", "source_ref": "indicator--fa0e2653-44aa-49f3-a29d-5977e4dda767", "target_ref": "domain-name--5a1ee7ce-cdd8-4483-b692-24f9fcec8d23" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ed2d33c7-540e-4d0c-af4a-c8dca1da4a02", "created": "2025-12-02T13:05:38.714Z", "modified": "2025-12-02T13:05:38.714Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'google-app-download.download']", "pattern_type": "stix", "valid_from": "2025-12-02T13:05:38.714Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c7851073-5884-45ff-8dcc-5ac76dad9e3e", "created": "2025-12-02T13:05:38.714Z", "modified": "2025-12-02T13:05:38.714Z", "relationship_type": "based-on", "source_ref": "indicator--ed2d33c7-540e-4d0c-af4a-c8dca1da4a02", "target_ref": "domain-name--f26807ac-b880-4e92-9ebb-ec8072491bc8" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a57dd56a-eeaa-430b-94a6-941fc9008c95", "created": "2025-12-02T13:05:38.722Z", "modified": "2025-12-02T13:05:38.722Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'google-app-get.com']", "pattern_type": "stix", "valid_from": "2025-12-02T13:05:38.722Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6645ccff-17b0-49c6-9aef-9c55a4f7fe6b", "created": "2025-12-02T13:05:38.722Z", "modified": "2025-12-02T13:05:38.722Z", "relationship_type": "based-on", "source_ref": "indicator--a57dd56a-eeaa-430b-94a6-941fc9008c95", "target_ref": "domain-name--125c0c9f-8761-4f2e-94b0-3e384370a0ed" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--90c8b1b8-1ee8-4726-a0ec-09d7f99c82cd", "created": "2025-12-02T13:05:38.731Z", "modified": "2025-12-02T13:05:38.731Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'google-app-install.com']", "pattern_type": "stix", "valid_from": "2025-12-02T13:05:38.731Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ca756e9d-1b93-40ec-8dbc-4fa8d101ef1d", "created": "2025-12-02T13:05:38.731Z", "modified": "2025-12-02T13:05:38.731Z", "relationship_type": "based-on", "source_ref": "indicator--90c8b1b8-1ee8-4726-a0ec-09d7f99c82cd", "target_ref": "domain-name--6ce2522c-5604-4411-a748-6c3be18a9722" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d7db115e-f03b-49cb-96c0-157be693fd03", "created": "2025-12-02T13:05:38.739Z", "modified": "2025-12-02T13:05:38.739Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'google-get-app.com']", "pattern_type": "stix", "valid_from": "2025-12-02T13:05:38.739Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--45d89fb4-089b-4d6c-8ae7-bfbe06f39b05", "created": "2025-12-02T13:05:38.739Z", "modified": "2025-12-02T13:05:38.739Z", "relationship_type": "based-on", "source_ref": "indicator--d7db115e-f03b-49cb-96c0-157be693fd03", "target_ref": "domain-name--cee623e0-cf0e-48be-8489-50e55a319d1d" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--45895c4c-cbe1-4088-9620-4bd880c31723", "created": "2025-12-02T13:05:38.747Z", "modified": "2025-12-02T13:05:38.747Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'google-get.download']", "pattern_type": "stix", "valid_from": "2025-12-02T13:05:38.747Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--296699e9-5a8e-4733-a2b1-8375b7605190", "created": "2025-12-02T13:05:38.747Z", "modified": "2025-12-02T13:05:38.747Z", "relationship_type": "based-on", "source_ref": "indicator--45895c4c-cbe1-4088-9620-4bd880c31723", "target_ref": "domain-name--eabfa81a-57d8-4de5-95e3-0ed2f5eddbab" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bce0937e-9aa2-4b5a-8c7e-22e0dce66d47", "created": "2025-12-02T13:05:38.756Z", "modified": "2025-12-02T13:05:38.756Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'play.google-get.store']", "pattern_type": "stix", "valid_from": "2025-12-02T13:05:38.756Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f4cf02a0-df28-4915-9e2d-4bb256f35855", "created": "2025-12-02T13:05:38.756Z", "modified": "2025-12-02T13:05:38.756Z", "relationship_type": "based-on", "source_ref": "indicator--bce0937e-9aa2-4b5a-8c7e-22e0dce66d47", "target_ref": "domain-name--64b2598a-862d-480e-be02-697505eea1d0" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f3368251-8743-4b4d-8acf-73a68e726cea", "created": "2025-12-02T13:05:38.763Z", "modified": "2025-12-02T13:05:38.763Z", "name": "Malicious url indicator", "description": "Malicious url identified in threat intelligence", "pattern": "[url:value = 'http://121.12.173.173:9521']", "pattern_type": "stix", "valid_from": "2025-12-02T13:05:38.763Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--82957367-a7af-42af-8def-f67d20b75070", "created": "2025-12-02T13:05:38.763Z", "modified": "2025-12-02T13:05:38.763Z", "relationship_type": "based-on", "source_ref": "indicator--f3368251-8743-4b4d-8acf-73a68e726cea", "target_ref": "url--d3fd6017-2a62-4e82-bd91-8a88def1648b" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3cb20465-f712-4ee3-a956-bbfb24b734b2", "created": "2025-12-02T13:05:38.772Z", "modified": "2025-12-02T13:05:38.772Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'aa.gm352.com']", "pattern_type": "stix", "valid_from": "2025-12-02T13:05:38.772Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--195a9e2c-35e4-40b2-82f7-beae54c47411", "created": "2025-12-02T13:05:38.772Z", "modified": "2025-12-02T13:05:38.772Z", "relationship_type": "based-on", "source_ref": "indicator--3cb20465-f712-4ee3-a956-bbfb24b734b2", "target_ref": "domain-name--9f3587e3-aa0c-44db-9d3e-fc535c34ea05" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7dc291c4-d72e-44ca-9da9-5e88eee7c2e2", "created": "2025-12-02T13:05:38.780Z", "modified": "2025-12-02T13:05:38.780Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'mastertodayversion.eu']", "pattern_type": "stix", "valid_from": "2025-12-02T13:05:38.780Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--816f403f-2e07-4406-b53f-5b7ab3a50511", "created": "2025-12-02T13:05:38.780Z", "modified": "2025-12-02T13:05:38.780Z", "relationship_type": "based-on", "source_ref": "indicator--7dc291c4-d72e-44ca-9da9-5e88eee7c2e2", "target_ref": "domain-name--4b7351b7-1bd4-4a1d-80b6-74589c678492" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b0294f8f-0d43-4e7b-8e30-550de0c20df1", "created": "2025-12-02T13:05:38.787Z", "modified": "2025-12-02T13:05:38.787Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'kashbox.ru']", "pattern_type": "stix", "valid_from": "2025-12-02T13:05:38.787Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8055c062-2a1a-4508-9ca8-f76836021bde", "created": "2025-12-02T13:05:38.787Z", "modified": "2025-12-02T13:05:38.787Z", "relationship_type": "based-on", "source_ref": "indicator--b0294f8f-0d43-4e7b-8e30-550de0c20df1", "target_ref": "domain-name--4418cfbc-8819-46f5-a9fc-74a22cf83152" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ab65e1f5-aaa6-44f3-8a28-deadb7137aac", "created": "2025-12-02T13:05:38.794Z", "modified": "2025-12-02T13:05:38.794Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'updatemarketltd.in']", "pattern_type": "stix", "valid_from": "2025-12-02T13:05:38.794Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--84ec66f6-9739-4777-aef3-39587beaefa9", "created": "2025-12-02T13:05:38.794Z", "modified": "2025-12-02T13:05:38.794Z", "relationship_type": "based-on", "source_ref": "indicator--ab65e1f5-aaa6-44f3-8a28-deadb7137aac", "target_ref": "domain-name--b043bd4b-82df-477e-99b0-41885bdc648f" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--77a03a51-c8a9-4106-87e7-4aea237aaf22", "created": "2025-12-02T13:05:38.801Z", "modified": "2025-12-02T13:05:38.801Z", "name": "Malicious url indicator", "description": "Malicious url identified in threat intelligence", "pattern": "[url:value = 'http://kashbox.ru/wat/wat.exe']", "pattern_type": "stix", "valid_from": "2025-12-02T13:05:38.801Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--35b7833e-ac4e-48cb-940c-fa4e23245baa", "created": "2025-12-02T13:05:38.801Z", "modified": "2025-12-02T13:05:38.801Z", "relationship_type": "based-on", "source_ref": "indicator--77a03a51-c8a9-4106-87e7-4aea237aaf22", "target_ref": "url--4616ad19-faf8-46c3-83b7-3a709133985f" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bb33c6a1-2a98-4fb6-820c-6f6e3bd322f5", "created": "2025-12-02T13:05:38.809Z", "modified": "2025-12-02T13:05:38.809Z", "name": "Malicious url indicator", "description": "Malicious url identified in threat intelligence", "pattern": "[url:value = 'http://181.112.55.130/wat/wat.exe']", "pattern_type": "stix", "valid_from": "2025-12-02T13:05:38.809Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--10b4b1c4-3e62-4858-88c2-36a5b3cffb9a", "created": "2025-12-02T13:05:38.809Z", "modified": "2025-12-02T13:05:38.809Z", "relationship_type": "based-on", "source_ref": "indicator--bb33c6a1-2a98-4fb6-820c-6f6e3bd322f5", "target_ref": "url--f28f4d6a-763e-4455-82a0-3a919ac59bbe" } ] }