The Clop ransomware group is actively exploiting vulnerabilities in Oracle E-Business Suite, with the University of Pennsylvania and University of Phoenix confirming they have fallen victim to this widespread data theft and extortion campaign. This marks a significant escalation in attacks targeting ERP systems holding sensitive institutional data.
Business impact
Exploitation of core ERP systems like Oracle EBS typically results in massive data exfiltration of employee and financial records, leading to severe GDPR/PCI fines, class-action lawsuits, and significant operational disruption during recovery.
Recommended action
Ask your IT team: "Have we verified our Oracle E-Business Suite patch levels against the latest critical security updates, and are we monitoring for data exfiltration from these specific servers?"
Microsoft has quietly mitigated an exploited weakness in how Windows presents LNK (shortcut) files: the shortcut Properties dialog now shows the command-line arguments that a crafted shortcut could previously keep out of view, so a user who inspects the file sees the command it will actually run. Attackers have used that gap to hide a malware launch command inside a shortcut that looks harmless, typically by padding the arguments with whitespace so the visible Target field ends in a benign-looking path.
Business impact
If the update is not deployed, employees remain exposed to attacks in which opening a booby-trapped shortcut, usually delivered by email or download, silently runs a command that installs ransomware or an infostealer; because the lure is a shortcut rather than an executable, it often passes filters tuned to traditional attachments.
Recommended action
Ask your IT team: "Have we deployed the latest Windows updates that enable the new LNK property inspection features to assist our users in identifying malicious shortcuts?"
Three critical security flaws have been discovered in Picklescan, a tool used to scan AI models (serialized with Python's pickle format) for malicious content; they allow attackers to bypass its checks and execute arbitrary code when an untrusted PyTorch model is loaded. Until patched, the scanner cannot be relied on as a control against supply-chain attacks on AI infrastructure.
Business impact
Organizations ingesting open-source AI models could suffer a complete compromise of their data science environments, leading to IP theft and the poisoning of proprietary AI models.
Recommended action
Ask your AI/ML team: "Are we relying on Picklescan to validate external PyTorch models, and if so, have we applied the patches for these bypass vulnerabilities?"
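The Picklescan finding above turns on how pickle-based model files work: loading one replays an opcode stream whose GLOBAL/STACK_GLOBAL opcodes import arbitrary callables and whose REDUCE opcode calls them, so a scanner that walks the opcodes and matches imported names against a list of known-dangerous globals (the approach Picklescan takes) can only ever catch what is on its list. The example below, added here and not part of the original post or of the Picklescan project, contrasts that denylist scan with the control to actually depend on: an Unpickler whose find_class refuses every global not on an explicit allowlist, which is also what torch.load(weights_only=True) does. The payload, denylist and allowlist are constructed for the example.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Opcodes that push a plain string; STACK_GLOBAL (protocol 4+) takes its
# module and attribute name from the two most recently pushed strings.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}

# Assumed denylist in the style a static scanner keeps; anything not listed slips through.
DENYLIST = {"builtins.eval", "builtins.exec", "os.system", "subprocess.Popen"}
# Assumed allowlist for a checkpoint that is nothing but plain containers and numbers.
MODEL_ALLOWLIST = {"collections.OrderedDict"}


def scan_pickle(data: bytes) -> list[str]:
    """List every 'module.attr' global the stream would import, without running it.
    Handles GLOBAL (protocol <= 3) and STACK_GLOBAL (protocol >= 4). Protocol <= 2
    streams spell the builtins module '__builtin__', so a denylist needs both names.
    The tracker ignores memo opcodes (BINGET etc.), which is one way such scanners get fooled."""
    found, recent = [], []
    for op, arg, _ in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)        # pickletools joins the pair with a space
            found.append(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL" and len(recent) >= 2:
            found.append(f"{recent[-2]}.{recent[-1]}")
    return found


def verdict(data: bytes) -> dict:
    globs = scan_pickle(data)
    return {"globals": globs, "denylist_hit": any(g in DENYLIST for g in globs)}


class AllowlistUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals; any other import fails before REDUCE can call it."""

    def __init__(self, file, allowed: set[str]):
        super().__init__(file)
        self.allowed = allowed

    def find_class(self, module, name):
        if f"{module}.{name}" not in self.allowed:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")
        return super().find_class(module, name)


def try_load(data: bytes, allowed: set[str]):
    """Return (loaded, value_or_reason) so callers never see a half-unpickled object."""
    try:
        return True, AllowlistUnpickler(io.BytesIO(data), allowed).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


class Evil:
    """Constructed payload: unpickling calls eval() on attacker-chosen text."""

    def __reduce__(self):
        return (eval, ("print('code ran at load time')",))


# Constructed samples: protocol 4 uses STACK_GLOBAL, protocol 3 uses GLOBAL.
EVIL_P4 = pickle.dumps(Evil(), protocol=4)
EVIL_P3 = pickle.dumps(Evil(), protocol=3)
BENIGN = pickle.dumps(OrderedDict(weight=[0.1, 0.2]), protocol=4)

if __name__ == "__main__":
    for label, blob in (("evil/p4", EVIL_P4), ("evil/p3", EVIL_P3), ("benign", BENIGN)):
        print(label, verdict(blob), try_load(blob, MODEL_ALLOWLIST))
```

The scan never calls pickle.loads on the payload, so it is safe to run on hostile input; the allowlist loader is the only path that instantiates anything, and it fails closed on the first unknown global. A denylist has to be complete to be useful, while an allowlist only has to be correct for the formats you actually accept, which is the asymmetry the bypass reports exploit.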
A dangerous coding error in Firefox's WebAssembly implementation went undetected for six months, exposing 180 million users to potential exploitation despite existing regression testing capabilities. This highlights a significant gap in browser security assurance processes.
Business impact
Browser-based vulnerabilities can allow attackers to compromise endpoints simply by having a user visit a malicious website, leading to data loss and potential lateral movement within the corporate network.
Recommended action
Ask your IT team: "Is our browser fleet management enforcing the latest Firefox updates to mitigate this WebAssembly vulnerability?"
Barracuda's Managed XDR team reports a notable rise in attackers attempting to use ScreenConnect for unauthorized remote access, alongside a spike in Microsoft 365 login attempts from unfamiliar countries. This indicates a targeted effort to bypass perimeter defenses using legitimate remote management tools.
Business impact
Unauthorized remote access via tools like ScreenConnect often leads to rapid ransomware deployment, while M365 compromises result in business email compromise (BEC) and wire fraud.
Recommended action
Ask your SOC team: "Do we have alerts configured for unexpected ScreenConnect installations and impossible travel logins for Microsoft 365 accounts?"
In the third quarter of 2025 attackers continued to exploit security flaws in WinRAR heavily, and the total number of registered vulnerabilities kept growing. This reinforces the need to manage third-party utility software as strictly as core operating systems.
Business impact
Neglected utilities like WinRAR are common entry points: a crafted archive that a user merely opens or extracts can give the attacker code execution in that user's context, and from there privilege escalation and full system compromise.
Recommended action
Ask your IT team: "Have we audited our environment for outdated versions of WinRAR and other compression utilities?"
Microsoft warns that AI has democratized advanced cyberattack capabilities, allowing low-skilled actors to deploy sophisticated social engineering and polymorphic malware that previously required nation-state resources. This shift necessitates a move toward AI-driven defense strategies.
Flashpoint provides strategic foresight for 2026, predicting a convergence of AI, identity, and physical security threats. Executives should prepare for a landscape where digital threats increasingly have kinetic, physical world consequences.
New House legislation aims to designate and sanction "critical cyber threat actors," signaling a shift in U.S. policy toward more aggressive deterrence and punishment of malicious hackers. This could impact compliance requirements regarding ransomware payments and attribution.
Spotlight Rationale: Barracuda is highlighted due to their direct intelligence on the current surge in ScreenConnect abuse and Microsoft 365 identity attacks reported in their December 2025 SOC Threat Radar.
Barracuda's Managed XDR platform integrates signal detection across email, endpoint, and cloud environments, which is critical for correlating the specific threats seen this week: credential theft via phishing (M365) and subsequent remote access abuse (ScreenConnect). Their ability to detect "unfamiliar country" logins combined with endpoint behavioral anomalies offers a defense against the specific hybrid attacks currently trending.
Actionable Platform Guidance: Customers should enable "Impossible Travel" policies in the XDR dashboard and alert on execution of `ScreenConnect.ClientService.exe` on endpoints that do not belong to IT administrators. Because a legitimate help-desk deployment of ScreenConnect runs the same binary on ordinary user workstations, a rule keyed on the process name alone will also fire on (or block) sanctioned sessions; the reliable discriminator is the relay host the client is told to connect to, which appears as the `h=` parameter in the client's command line, so compare it against the organization's own instance.
# Actionable Guidance for ScreenConnect & M365 Detection
1. Log in to the Barracuda XDR dashboard.
2. Navigate to "Detection Rules" > "Cloud Identity".
3. Enable the policy "Microsoft 365 - Impossible Travel" and set its severity to HIGH.
4. Navigate to "Endpoint Policies" > "Application Control".
5. Create a block rule:
   - Process Name: ScreenConnect.ClientService.exe
   - Scope: All Workstations (exclude IT_Admin_Group)
   - Action: Alert and Block
6. Verify: trigger a test alert by signing in from a VPN exit point in a different country shortly after a normal sign-in.
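The two detections the steps above configure in a vendor console can be expressed directly against the underlying events. The example below, added here and not drawn from Barracuda's product or documentation, runs them over constructed sample data: an impossible-travel check over M365 sign-ins (great-circle distance between consecutive successful sign-ins divided by elapsed time, flagged above a speed no airliner reaches) and a ScreenConnect check that, rather than alerting on the process name alone, extracts the relay host from the `h=` parameter of the client's command line and flags any instance that is not the organisation's own. The sanctioned relay hostname, user names, hosts and session identifiers are assumptions.

```python
import math
import re
from datetime import datetime
from urllib.parse import parse_qs

MAX_PLAUSIBLE_KMH = 900                            # faster than a commercial flight
SANCTIONED_RELAYS = {"support.example-corp.com"}   # assumed: the org's own ScreenConnect instance

# Constructed sample data: successful M365 sign-ins with geo-resolved source IPs,
# and endpoint process-start events in the shape an EDR forwards them.
SIGNINS = [
    {"user": "alice", "ts": "2025-12-02T08:02:00Z", "country": "US", "lat": 40.71, "lon": -74.01, "ok": True},
    {"user": "alice", "ts": "2025-12-02T08:41:00Z", "country": "NG", "lat": 6.52, "lon": 3.38, "ok": True},
    {"user": "bob", "ts": "2025-12-02T09:00:00Z", "country": "US", "lat": 34.05, "lon": -118.24, "ok": True},
    {"user": "bob", "ts": "2025-12-02T15:30:00Z", "country": "US", "lat": 40.71, "lon": -74.01, "ok": True},
]
PROCESS_EVENTS = [
    {"host": "WS-FIN-07", "user": "alice",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (7f3a9c0d)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (7f3a9c0d)\ScreenConnect.ClientService.exe" '
                r'"?e=Access&y=Guest&h=instance-k2m9xq-relay.screenconnect.com&p=443&s=0f8c3e2a-1d4b-4c5e-9a7b-6d2f1e0c9b8a&k=BgIAAACkAABSU0Ex"'},
    {"host": "IT-ADM-01", "user": "helpdesk",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (c0ffee11)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (c0ffee11)\ScreenConnect.ClientService.exe" '
                r'"?e=Access&y=Guest&h=support.example-corp.com&p=8041&s=2b1e4d6c-8a9f-4e0d-b3c5-7f6a5d4c3b2a&k=BgIAAACkAABSU0Ex"'},
    {"host": "WS-HR-03", "user": "carol", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe memo.txt"},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH) -> list[dict]:
    """Flag consecutive successful sign-ins by one user that would need travel faster than max_kmh."""
    by_user: dict[str, list[dict]] = {}
    for ev in sorted(signins, key=lambda e: e["ts"]):
        if ev["ok"]:
            by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_ts(cur["ts"]) - _ts(prev["ts"])).total_seconds() / 3600
            if km < 50:                               # same metro area: geo-IP jitter, not travel
                continue
            speed = km / hours if hours > 0 else math.inf
            if speed > max_kmh:
                alerts.append({"rule": "m365_impossible_travel", "severity": "high", "user": user,
                               "from": prev["country"], "to": cur["country"],
                               "km": round(km), "minutes": round(hours * 60), "speed_kmh": round(speed)})
    return alerts


def rogue_screenconnect(events, sanctioned=SANCTIONED_RELAYS) -> list[dict]:
    """Flag ScreenConnect clients whose relay host (h= parameter) is not the organisation's own instance."""
    alerts = []
    for ev in events:
        if not ev["image"].lower().endswith("screenconnect.clientservice.exe"):
            continue
        m = re.search(r'\?([^"\s]+)', ev["cmdline"])          # the "?e=...&h=...&s=..." launch string
        params = parse_qs(m.group(1)) if m else {}
        relay = params.get("h", ["<no relay host in command line>"])[0]
        if relay not in sanctioned:
            alerts.append({"rule": "screenconnect_unsanctioned_relay", "severity": "high",
                           "host": ev["host"], "user": ev["user"], "relay": relay})
    return alerts


def run_detections(signins=SIGNINS, events=PROCESS_EVENTS) -> list[dict]:
    return impossible_travel(signins) + rogue_screenconnect(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the sample data alice's two sign-ins (New York, then Lagos 39 minutes later) need roughly 13,000 km/h and fire, while bob's Los Angeles to New York pair over six and a half hours is ordinary air travel and does not; the finance workstation's client pointing at an unknown relay fires, the help desk's own instance on the admin host does not. The 50 km floor and 900 km/h ceiling are tuning knobs; geo-IP accuracy, VPN egress points and mobile carriers all produce false positives that should be handled with an allowlist of known corporate egress locations rather than by raising the speed threshold.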
# YARA Rule for Suspicious LNK Properties
rule Suspicious_LNK_Properties {
    meta:
        description = "Detects LNK files whose embedded command line carries interpreter names and arguments typical of malicious shortcuts"
        author = "Threat Rundown"
        date = "2025-12-03"
        reference = "https://www.securityweek.com/?p=44493"
        severity = "medium"
        tlp = "white"
    strings:
        // ShellLinkHeader: HeaderSize 0x4C followed by the first bytes of the shell link CLSID
        $header = { 4C 00 00 00 01 14 02 00 }
        // command-line tokens; 'wide' covers the UTF-16LE strings a Unicode shortcut stores.
        // Abbreviated forms (-nop, -enc, -ec, -w hidden) are not matched here; extend as needed.
        $s1 = "powershell" ascii wide nocase
        $s2 = "cmd.exe" ascii wide nocase
        $s3 = "-NoProfile" ascii wide nocase
        $s4 = "-EncodedCommand" ascii wide nocase
        $s5 = "http" ascii wide nocase
    condition:
        // anchor the header at offset 0 so embedded or concatenated LNK bytes elsewhere do not match
        $header at 0 and ($s1 or $s2) and any of ($s3, $s4, $s5)
}
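The Windows change described earlier and the YARA rule above both come down to the same structure: a shell link's command-line arguments are a length-prefixed string inside the file, and what the Properties dialog shows a user is only part of it. The parser below, added here and not code from Microsoft or from the newsletter, reads the MS-SHLLINK header, skips the ID list and link-info blocks by their size fields, extracts the string data and then applies the reviewer's checks: interpreter names and flags in the target and arguments (the same tokens the YARA rule looks for), a run of leading whitespace that pushes the real command out of the visible Target field, and a ShowCommand that starts the window minimized. The sample shortcuts are constructed; the builder emits the minimal form of the format (no LinkTargetIDList or LinkInfo), which is why the first eight bytes match the YARA rule's $header.

```python
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7
# StringData sections appear in this fixed order, each present only if its LinkFlags bit is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))
SUSPICIOUS = re.compile(
    r"powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32|certutil"
    r"|-enc(?:odedcommand)?\b|-nop(?:rofile)?\b|-w(?:indowstyle)?\s+hidden|\biex\b|downloadstring|https?://",
    re.IGNORECASE)


def build_lnk(target: str, arguments: str = "", show_command: int = 1, icon: str = "") -> bytes:
    """Constructed sample: a minimal Unicode shell link with no IDList/LinkInfo, only StringData."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_ICON_LOCATION if icon else 0
    header = struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0)   # HeaderSize, CLSID, LinkFlags, FileAttributes
    header += b"\x00" * 24                                                 # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)      # FileSize, IconIndex, ShowCommand, HotKey, Reserved1-3
    body = b""
    for flag, text in ((HAS_RELATIVE_PATH, target), (HAS_ARGUMENTS, arguments), (HAS_ICON_LOCATION, icon)):
        if flags & flag:
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")   # CountCharacters + UTF-16LE chars
    return header + body


def parse_lnk(data: bytes) -> dict:
    """Walk the ShellLinkHeader, skip LinkTargetIDList/LinkInfo by their size fields, read StringData."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link (MS-SHLLINK) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]        # IDListSize excludes its own 2 bytes
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]            # LinkInfoSize includes itself
    unicode = bool(flags & IS_UNICODE)
    fields = {"show_command": show_command}
    for flag, key in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + (count * 2 if unicode else count)]
            pos += len(raw)
            fields[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return fields


def analyze_lnk(data: bytes) -> dict:
    """Judge a shortcut the way a reviewer would: what it runs, what it hides, how it shows itself."""
    f = parse_lnk(data)
    args = f.get("arguments", "")
    visible = args.lstrip(" \t\r\n\x0b\x0c")
    padding = len(args) - len(visible)            # whitespace that pushes the real command out of the Target field
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(f.get("relative_path", "") + " " + visible)})
    reasons = []
    if padding >= 32:
        reasons.append(f"{padding} leading whitespace characters hide the arguments in the Properties dialog")
    if hits:
        reasons.append("suspicious tokens: " + ", ".join(hits))
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimized (ShowCommand=SW_SHOWMINNOACTIVE)")
    return {"target": f.get("relative_path", ""), "arguments": visible, "padding": padding,
            "hits": hits, "verdict": "suspicious" if reasons else "benign", "reasons": reasons}


# Constructed samples: one shortcut padded the way hidden-command LNKs are, one ordinary application shortcut.
EVIL_LNK = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     " " * 300 + "-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                     show_command=SW_SHOWMINNOACTIVE, icon=r"%SystemRoot%\System32\shell32.dll")
BENIGN_LNK = build_lnk(r"..\Program Files\Notepad++\notepad++.exe", show_command=1)

if __name__ == "__main__":
    for label, blob in (("evil", EVIL_LNK), ("benign", BENIGN_LNK)):
        print(label, analyze_lnk(blob))
```

Real-world shortcuts from the mail gateway will carry a LinkTargetIDList and LinkInfo block, which the parser steps over using their size fields, and may use ANSI rather than Unicode strings; both paths are handled. The padding check counts only leading whitespace, which is where it is placed to make the Target field look clean, but the same count applied to any long run inside the arguments catches variants.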
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
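Before pushing a bundle like the one below into a SIEM or TIP, it is worth checking that it is complete and internally consistent: a bundle copied from a web page can be cut off mid-object, and a report whose object_refs point at ids that are not in the bundle will either be rejected or imported with silent gaps. The validator below, added here and not part of the original page or of any STIX tooling, parses the JSON, verifies each id's format, type prefix and spec_version, and resolves every *_ref / *_refs property against the ids present. The sample bundle it runs on is constructed in the shape of the one on this page, with one deliberately dangling reference.

```python
import json
import re

STIX_ID = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def check_bundle(bundle: dict) -> dict:
    """Referential-integrity and well-formedness checks an importer would otherwise fail on silently."""
    objects = bundle.get("objects", [])
    ids = {o["id"] for o in objects if "id" in o}
    problems = []
    for obj in objects:
        oid, otype = obj.get("id", "<missing id>"), obj.get("type", "<missing type>")
        if not STIX_ID.match(oid):
            problems.append(f"{oid}: malformed STIX id")
        elif not oid.startswith(otype + "--"):
            problems.append(f"{oid}: id prefix does not match type '{otype}'")
        if obj.get("spec_version") != "2.1":
            problems.append(f"{oid}: spec_version is not '2.1'")
        for key, val in obj.items():
            # created_by_ref, source_ref, target_ref, object_refs, object_marking_refs, ...
            refs = val if key.endswith("_refs") else [val] if key.endswith("_ref") else []
            for ref in refs:
                if ref not in ids:
                    problems.append(f"{oid}: dangling {key} -> {ref}")
    return {"objects": len(objects), "problems": problems}


def load_and_check(text: str) -> dict:
    """Parse first: a copy-pasted bundle that was cut off mid-object is the most common import failure."""
    try:
        bundle = json.loads(text)
    except json.JSONDecodeError as exc:
        return {"objects": 0, "problems": [f"not valid JSON (truncated copy?): {exc.msg} at char {exc.pos}"]}
    if not isinstance(bundle, dict) or bundle.get("type") != "bundle":
        return {"objects": 0, "problems": ["top-level value is not a STIX bundle"]}
    return check_bundle(bundle)


# Constructed sample modelled on the bundle on this page: one report whose object_refs
# include an id that is not in the bundle (as happens when the JSON is copied incompletely).
_T = "2025-12-03T00:00:00.000Z"
SAMPLE = {
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "identity", "spec_version": "2.1", "id": "identity--22222222-2222-4222-8222-222222222222",
         "created": _T, "modified": _T, "name": "Example Feed", "identity_class": "organization"},
        {"type": "tool", "spec_version": "2.1", "id": "tool--33333333-3333-4333-8333-333333333333",
         "created": _T, "modified": _T, "name": "ScreenConnect", "tool_types": ["remote-access"]},
        {"type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--44444444-4444-4444-8444-444444444444",
         "created": _T, "modified": _T, "name": "Remote Services",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1021",
                                  "url": "https://attack.mitre.org/techniques/T1021/"}]},
        {"type": "relationship", "spec_version": "2.1", "id": "relationship--55555555-5555-4555-8555-555555555555",
         "created": _T, "modified": _T, "relationship_type": "uses",
         "source_ref": "tool--33333333-3333-4333-8333-333333333333",
         "target_ref": "attack-pattern--44444444-4444-4444-8444-444444444444"},
        {"type": "report", "spec_version": "2.1", "id": "report--66666666-6666-4666-8666-666666666666",
         "created": _T, "modified": _T, "published": _T, "name": "Sample report",
         "created_by_ref": "identity--22222222-2222-4222-8222-222222222222",
         "object_refs": ["tool--33333333-3333-4333-8333-333333333333",
                         "relationship--55555555-5555-4555-8555-555555555555",
                         "malware--77777777-7777-4777-8777-777777777777"]},
    ],
}
SAMPLE_TEXT = json.dumps(SAMPLE)
TRUNCATED_TEXT = SAMPLE_TEXT[: len(SAMPLE_TEXT) // 2]

if __name__ == "__main__":
    print(load_and_check(SAMPLE_TEXT))
    print(load_and_check(TRUNCATED_TEXT))
```

Run it on the bundle text you intend to import and treat any dangling reference as a reason to re-copy the source rather than to strip the reference: a report that loses its object_refs still imports, but the relationships that made the intelligence useful go with them.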
{
"type": "bundle",
"id": "bundle--37535e2e-c27e-4b67-be28-fc136d07ed4c",
"objects": [
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"created": "2022-10-01T00:00:00.000Z",
"definition_type": "tlp:2.0",
"name": "TLP:CLEAR",
"definition": {
"tlp": "clear"
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--4c23bca4-5023-47ac-9972-527971f91f72",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"name": "MikeGPT Intelligence Platform",
"description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds",
"identity_class": "organization",
"sectors": [
"technology",
"defense"
],
"contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--b4e3b029-793f-46de-99bd-30dee30a33a3",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"name": "Threat Intelligence Report - 2025-12-03",
"description": "Threat Intelligence Report - 2025-12-03\n\nThis report consolidates actionable cybersecurity intelligence from 71 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Microsoft Silently Mitigated Exploited LNK Vulnerability (Score: 100)\n• Penn and Phoenix Universities Disclose Data Breach After Oracle Hack (Score: 100)\n• Exploits and vulnerabilities in Q3 2025 (Score: 100)\n• University of Pennsylvania joins growing pool of Oracle customers impacted by Clop attacks (Score: 100)\n• How to build forward-thinking cybersecurity teams for tomorrow (Score: 100)\n\nEXTRACTED ENTITIES:\n• 20 Attack Pattern(s)\n• 1 Malware(s)\n• 1 Marking Definition(s)\n• 20 Relationship(s)\n• 6 Tool(s)\n• 1 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n",
"published": "2025-12-03T13:21:27.485Z",
"object_refs": [
"identity--4c23bca4-5023-47ac-9972-527971f91f72",
"identity--d48d0179-a8bc-4c9e-89ef-4347fcbce1fa",
"identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"identity--5a84b94b-2a59-4751-b3a0-ab433bbeb1f9",
"vulnerability--f07f31e9-eacf-49ae-b29f-62203a83a727",
"tool--d26f1136-5a4f-4c9a-a816-418197a66ed2",
"tool--95bd9e19-9c60-4704-8b8d-38e554044644",
"identity--a7f97d8c-5ed5-4835-826b-235c22db6118",
"identity--51113571-ec83-4013-b495-7e2153c26552",
"identity--beae82dc-13c6-4539-99b4-c1819dec64c6",
"identity--4e2d55e2-d63b-4b2f-88fe-14c583eeb4d6",
"identity--f11ab080-a3c1-4cc4-9464-b4b95698a1ea",
"tool--6333a031-65f8-459e-bc6c-477b0baac4b6",
"identity--4b7fe0eb-2a21-4582-b904-359c8b023bda",
"tool--fd368e1e-5ddb-4355-8645-02012f1fb7d1",
"tool--94bb3721-4ef2-45d6-9d23-ab6dd85cfcb3",
"identity--3e5eaf0a-42ab-4555-801b-e588368e21a2",
"identity--ef2b7947-9704-4ef1-aa2c-f851ec298519",
"identity--adfceb40-2010-42f5-87c1-8e9e1562aca6",
"tool--1bb4826f-b66b-44c4-9e58-d6a6c2b5b070",
"malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314",
"attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"attack-pattern--b374db85-3cb3-4563-9bae-4cc47462a31c",
"attack-pattern--03af66ef-0665-46da-b414-10cb1940febf",
"attack-pattern--8dd2a740-fa1b-4f41-be82-018bed51553e",
"attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"attack-pattern--17c0c8f5-f1db-4094-9e70-b9d1f9c67a8d",
"attack-pattern--775a5581-fd79-4cfc-a505-6d409b3bbfba",
"attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"relationship--4697a496-8155-4793-8ae2-3d6e4bc4eda8",
"relationship--684f793b-90c9-47e1-bfc9-71ab87d1acbe",
"relationship--e8b616cb-63d7-4155-9a8b-41de74dfb155",
"relationship--54f7f516-28a1-4f30-ad30-5c97ffa8719e",
"relationship--b8116fbc-a547-4345-ae58-a85cd62e3ab2",
"relationship--124bdc1d-f173-498b-8ebc-a770f66bcda1",
"relationship--66538992-8efe-49f1-9c9f-8b48637ae867",
"relationship--ecfb7905-05b7-4801-988a-b0ba0b6f9a82",
"relationship--b98bb6d7-6066-4a62-9ee4-a810c400098c",
"relationship--b8d5c119-87f7-49f3-a7ea-cd1a0699b0ec",
"relationship--e1420d98-7aec-4e38-9191-edf6123f0fab",
"relationship--df0c9ec8-7711-4c2f-b95f-db8155cab205",
"relationship--cf13e306-2b28-4502-bf20-f07d76a48b4c",
"relationship--b2c646fc-c88c-499b-bb7e-09e94378db49",
"relationship--a11c052d-724f-4f90-a476-2e728e67d08d",
"relationship--4fcae818-54e4-479d-a9f4-fb0de2c67175",
"relationship--6807a491-396a-46ee-9d98-b2c430c272f1",
"relationship--34fe2790-38f0-48f5-b0fd-007db0923a30",
"relationship--177b56de-4781-4acf-a538-5cc8b32ce8ea",
"relationship--e7ccf5e1-5031-4588-a361-1a5746b23a81"
],
"labels": [
"threat-report",
"threat-intelligence"
],
"created_by_ref": "identity--4c23bca4-5023-47ac-9972-527971f91f72",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.481Z",
"modified": "2025-12-03T13:21:27.481Z",
"confidence": 95,
"type": "identity",
"id": "identity--d48d0179-a8bc-4c9e-89ef-4347fcbce1fa",
"name": "Barracuda",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Barracuda is a cybersecurity company that provides innovative solutions and AI-powered platforms to protect against cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.481Z",
"modified": "2025-12-03T13:21:27.482Z",
"confidence": 95,
"type": "identity",
"id": "identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"name": "Microsoft",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Microsoft is a multinational technology company that develops, manufactures, licenses, and supports a wide range of software products, services, and devices.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.482Z",
"modified": "2025-12-03T13:21:27.482Z",
"confidence": 95,
"type": "identity",
"id": "identity--5a84b94b-2a59-4751-b3a0-ab433bbeb1f9",
"name": "the Federal Trade Commission",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "The Federal Trade Commission (FTC) is an independent U.S. government agency responsible for consumer protection and promoting competition. In the context provided, the FTC is involved in a data security agreement with Illinois-based Illuminate Education following a 2021 network breach.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.482Z",
"modified": "2025-12-03T13:21:27.482Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--f07f31e9-eacf-49ae-b29f-62203a83a727",
"name": "Microsoft Silently Mitigated Exploited LNK Vulnerability",
"description": "Microsoft Silently Mitigated Exploited LNK Vulnerability is a security patch that silently mitigates an exploited vulnerability in the Windows operating system related to the LNK file format.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.482Z",
"modified": "2025-12-03T13:21:27.482Z",
"confidence": 95,
"type": "tool",
"id": "tool--d26f1136-5a4f-4c9a-a816-418197a66ed2",
"name": "WinRAR",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "WinRAR is a file archiver and compression utility that allows users to create and extract RAR and ZIP files.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.482Z",
"modified": "2025-12-03T13:21:27.482Z",
"confidence": 95,
"type": "tool",
"id": "tool--95bd9e19-9c60-4704-8b8d-38e554044644",
"name": "Oracle E-Business Suite",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Oracle E-Business Suite is a comprehensive enterprise resource planning (ERP) software suite that manages business functions such as financials, human resources, and supply chain management for large organizations.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.482Z",
"modified": "2025-12-03T13:21:27.482Z",
"confidence": 95,
"type": "identity",
"id": "identity--a7f97d8c-5ed5-4835-826b-235c22db6118",
"name": "DocuSign / AdobeSign",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "DocuSign / AdobeSign is an electronic signature and document management platform that enables users to securely sign, send, and manage digital documents.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.482Z",
"modified": "2025-12-03T13:21:27.483Z",
"confidence": 95,
"type": "identity",
"id": "identity--51113571-ec83-4013-b495-7e2153c26552",
"name": "Asahi Group Holdings",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "Asahi Group Holdings is a Japanese global beer, soft drinks, and food business, which was targeted by a ransomware attack that resulted in a significant data breach affecting over 1.5 million customers and 275,000 current and former employees.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.483Z",
"modified": "2025-12-03T13:21:27.483Z",
"confidence": 95,
"type": "identity",
"id": "identity--beae82dc-13c6-4539-99b4-c1819dec64c6",
"name": "ServiceNow Inc.",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "ServiceNow Inc. is a cloud-based software company that provides digital workflow solutions for IT, security, customer service, and more.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.483Z",
"modified": "2025-12-03T13:21:27.483Z",
"confidence": 95,
"type": "identity",
"id": "identity--4e2d55e2-d63b-4b2f-88fe-14c583eeb4d6",
"name": "Veza’s",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Veza’s is a technology provider that helps organizations monitor and control access to critical data.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.483Z",
"modified": "2025-12-03T13:21:27.483Z",
"confidence": 95,
"type": "identity",
"id": "identity--f11ab080-a3c1-4cc4-9464-b4b95698a1ea",
"name": "ServiceNow’s Security and Risk",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "ServiceNow’s Security and Risk is a portfolio that helps organizations monitor and control access to critical data, providing a unified platform for security and risk management.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.483Z",
"modified": "2025-12-03T13:21:27.483Z",
"confidence": 95,
"type": "tool",
"id": "tool--6333a031-65f8-459e-bc6c-477b0baac4b6",
"name": "ScreenConnect",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "ScreenConnect is a remote access and support software that allows users to securely access and control remote computers.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.483Z",
"modified": "2025-12-03T13:21:27.483Z",
"confidence": 95,
"type": "identity",
"id": "identity--4b7fe0eb-2a21-4582-b904-359c8b023bda",
"name": "Mozilla",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Mozilla is a non-profit organization that develops the Firefox web browser and promotes internet standards, security, and user privacy.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.483Z",
"modified": "2025-12-03T13:21:27.483Z",
"confidence": 95,
"type": "tool",
"id": "tool--fd368e1e-5ddb-4355-8645-02012f1fb7d1",
"name": "Windows",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Windows is an operating system developed by Microsoft for personal computers.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.483Z",
"modified": "2025-12-03T13:21:27.483Z",
"confidence": 95,
"type": "tool",
"id": "tool--94bb3721-4ef2-45d6-9d23-ab6dd85cfcb3",
"name": "Ethereum Virtual Machine",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Ethereum Virtual Machine (EVM) is not typically considered malware, but in this context, it refers to a malicious Rust package masquerading as an EVM unit helper tool, allowing it to execute on developer machines stealthily. This highlights the potential for malicious actors to exploit legitimate technologies for nefarious purposes.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.483Z",
"modified": "2025-12-03T13:21:27.483Z",
"confidence": 95,
"type": "identity",
"id": "identity--3e5eaf0a-42ab-4555-801b-e588368e21a2",
"name": "ServiceNow",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "ServiceNow is a cloud-based software company that provides digital workflows for enterprise organizations to manage and automate various business processes, including IT, customer service, and security operations.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.483Z",
"modified": "2025-12-03T13:21:27.483Z",
"confidence": 95,
"type": "identity",
"id": "identity--ef2b7947-9704-4ef1-aa2c-f851ec298519",
"name": "Varonis",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Varonis is a data security company that helps protect sensitive data by monitoring and controlling access to it, and providing visibility into data usage and security threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.483Z",
"modified": "2025-12-03T13:21:27.483Z",
"confidence": 95,
"type": "identity",
"id": "identity--adfceb40-2010-42f5-87c1-8e9e1562aca6",
"name": "PDD Holdings",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "PDD Holdings is a holding company based in Arizona, United States. It is the parent company of Temu, an online retail platform that has been accused of stealing customers' data.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.483Z",
"modified": "2025-12-03T13:21:27.484Z",
"confidence": 95,
"type": "tool",
"id": "tool--1bb4826f-b66b-44c4-9e58-d6a6c2b5b070",
"name": "QRadar",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "QRadar is a security information and event management (SIEM) system that collects, monitors, and analyzes security-related data from various sources to identify potential threats and provide real-time incident response.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.484Z",
"modified": "2025-12-03T13:21:27.484Z",
"confidence": 95,
"type": "malware",
"id": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"name": "polymorphic malware",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "Polymorphic malware is a type of malware that can change its form or code to evade detection by traditional security software. This type of malware can be particularly challenging to detect and remove, as it can mutate and adapt to avoid signature-based detection methods. In the context provided, polymorphic malware is mentioned as a tool used by threat actors that once required nation-state resources but is now more accessible.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.484Z",
"modified": "2025-12-03T13:21:27.484Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.484Z",
"modified": "2025-12-03T13:21:27.484Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.484Z",
"modified": "2025-12-03T13:21:27.484Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"name": "Supply Chain Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/",
"external_id": "T1195"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.484Z",
"modified": "2025-12-03T13:21:27.484Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"name": "Spearphishing Attachment",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/001/",
"external_id": "T1566.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.484Z",
"modified": "2025-12-03T13:21:27.484Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"name": "Spearphishing Link",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/002/",
"external_id": "T1566.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.484Z",
"modified": "2025-12-03T13:21:27.484Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"name": "Spearphishing via Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/003/",
"external_id": "T1566.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.484Z",
"modified": "2025-12-03T13:21:27.484Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314",
"name": "Remote Services",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_id": "T1021",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1021/",
"external_id": "T1021"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.484Z",
"modified": "2025-12-03T13:21:27.484Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"name": "Valid Accounts",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1078",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1078/",
"external_id": "T1078"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.484Z",
"modified": "2025-12-03T13:21:27.484Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--b374db85-3cb3-4563-9bae-4cc47462a31c",
"name": "Masquerading",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"x_mitre_id": "T1036",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1036/",
"external_id": "T1036"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.484Z",
"modified": "2025-12-03T13:21:27.484Z",
"confidence": 77,
"type": "attack-pattern",
"id": "attack-pattern--03af66ef-0665-46da-b414-10cb1940febf",
"name": "LNK Icon Smuggling",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"x_mitre_id": "T1027.012",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1027/012/",
"external_id": "T1027.012"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.484Z",
"modified": "2025-12-03T13:21:27.484Z",
"confidence": 73,
"type": "attack-pattern",
"id": "attack-pattern--8dd2a740-fa1b-4f41-be82-018bed51553e",
"name": "Safe Mode Boot",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"x_mitre_id": "T1562.009",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1562/009/",
"external_id": "T1562.009"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.484Z",
"modified": "2025-12-03T13:21:27.484Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"name": "Scheduled Task",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/005/",
"external_id": "T1053.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.484Z",
"modified": "2025-12-03T13:21:27.484Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"name": "Socket Filters",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1205.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1205/002/",
"external_id": "T1205.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"name": "Malicious Shell Modification",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1156",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1156/",
"external_id": "T1156"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"name": "Archive via Utility",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1560.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1560/001/",
"external_id": "T1560.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"name": "Screen Capture",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1113",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1113/",
"external_id": "T1113"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"name": "Adversary-in-the-Middle",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1557",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1557/",
"external_id": "T1557"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"confidence": 69,
"type": "attack-pattern",
"id": "attack-pattern--17c0c8f5-f1db-4094-9e70-b9d1f9c67a8d",
"name": "Unused/Unsupported Cloud Regions",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"x_mitre_id": "T1535",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1535/",
"external_id": "T1535"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"confidence": 67,
"type": "attack-pattern",
"id": "attack-pattern--775a5581-fd79-4cfc-a505-6d409b3bbfba",
"name": "Browser Session Hijacking",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1185",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1185/",
"external_id": "T1185"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"confidence": 65,
"type": "attack-pattern",
"id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"name": "Vulnerabilities",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/006/",
"external_id": "T1588.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--4697a496-8155-4793-8ae2-3d6e4bc4eda8",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Exploit Public-Facing Application (T1190) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--684f793b-90c9-47e1-bfc9-71ab87d1acbe",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Exploitation for Client Execution (T1203) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e8b616cb-63d7-4155-9a8b-41de74dfb155",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Supply Chain Compromise (T1195) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--54f7f516-28a1-4f30-ad30-5c97ffa8719e",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Spearphishing Attachment (T1566.001) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b8116fbc-a547-4345-ae58-a85cd62e3ab2",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Spearphishing Link (T1566.002) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--124bdc1d-f173-498b-8ebc-a770f66bcda1",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Spearphishing via Service (T1566.003) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--66538992-8efe-49f1-9c9f-8b48637ae867",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Remote Services (T1021) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ecfb7905-05b7-4801-988a-b0ba0b6f9a82",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--b0e5285c-e953-4745-a8d6-56e03a076a5c",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Valid Accounts (T1078) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b98bb6d7-6066-4a62-9ee4-a810c400098c",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--b374db85-3cb3-4563-9bae-4cc47462a31c",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Masquerading (T1036) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b8d5c119-87f7-49f3-a7ea-cd1a0699b0ec",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--03af66ef-0665-46da-b414-10cb1940febf",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and LNK Icon Smuggling (T1027.012) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e1420d98-7aec-4e38-9191-edf6123f0fab",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--8dd2a740-fa1b-4f41-be82-018bed51553e",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Safe Mode Boot (T1562.009) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--df0c9ec8-7711-4c2f-b95f-db8155cab205",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Scheduled Task (T1053.005) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--cf13e306-2b28-4502-bf20-f07d76a48b4c",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Socket Filters (T1205.002) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b2c646fc-c88c-499b-bb7e-09e94378db49",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Malicious Shell Modification (T1156) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a11c052d-724f-4f90-a476-2e728e67d08d",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Archive via Utility (T1560.001) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--4fcae818-54e4-479d-a9f4-fb0de2c67175",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Screen Capture (T1113) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6807a491-396a-46ee-9d98-b2c430c272f1",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Adversary-in-the-Middle (T1557) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--34fe2790-38f0-48f5-b0fd-007db0923a30",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--17c0c8f5-f1db-4094-9e70-b9d1f9c67a8d",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Unused/Unsupported Cloud Regions (T1535) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--177b56de-4781-4acf-a538-5cc8b32ce8ea",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--775a5581-fd79-4cfc-a505-6d409b3bbfba",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Browser Session Hijacking (T1185) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e7ccf5e1-5031-4588-a361-1a5746b23a81",
"created": "2025-12-03T13:21:27.485Z",
"modified": "2025-12-03T13:21:27.485Z",
"relationship_type": "uses",
"source_ref": "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6",
"target_ref": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"confidence": 55,
"description": "Co-occurrence: polymorphic malware and Vulnerabilities (T1588.006) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
}
]
}
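Two things a practitioner should notice before ingesting a bundle like the one above. First, every relationship carries `"x_validation_method": "mitre-cooccurrence"` at confidence 55 and a description that says the malware and the technique merely appeared "in same intelligence"; that is not evidence the malware uses the technique, so these links belong in a quarantined tier, not in the set a detection team treats as confirmed TTPs. Second, one of the mapped techniques, T1156 "Malicious Shell Modification", is an ATT&CK ID that MITRE has since revoked in favour of T1546.004 (Unix Shell Configuration Modification); a consumer that keys detections on technique IDs should reject or remap it. The following Python linter is an added example, not part of the feed above or of any STIX library: it checks that each attack-pattern's `x_mitre_id`, `external_id` and attack.mitre.org URL agree, that kill chain phases are real Enterprise tactic slugs, that relationship references resolve inside the bundle, and it quarantines co-occurrence or low-confidence links. The embedded sample bundle is constructed to mirror the objects above and seeds two extra defects (a wrong URL and a dangling `target_ref`) alongside the real T1156 one. The hand-kept `REVOKED` table and the `"analyst-confirmed"` validation method are assumptions for illustration.

```python
"""Lint a STIX 2.1 bundle of ATT&CK technique mappings before ingesting it.

attack-pattern: x_mitre_id, external_id and the attack.mitre.org URL must agree,
phases must be real Enterprise tactics, and the technique must not be revoked.
relationship: refs must resolve inside the bundle; co-occurrence-derived or
low-confidence links are quarantined rather than accepted as confirmed TTPs.
"""
import json
import sys

# Enterprise ATT&CK tactic slugs as they appear in kill_chain_phases.phase_name.
ENTERPRISE_TACTICS = {
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
}

# ASSUMPTION: hand-kept subset of revoked technique IDs -> replacement. A real
# pipeline should read the 'revoked' / 'x_mitre_deprecated' flags from the
# ATT&CK STIX data instead of maintaining this table by hand.
REVOKED = {"T1156": "T1546.004"}

MALWARE_ID = "malware--d945c6ad-b0e2-418d-90fe-16ca69a851a6"


def expected_url(technique_id):
    """T1027.012 -> https://attack.mitre.org/techniques/T1027/012/"""
    return f"https://attack.mitre.org/techniques/{technique_id.replace('.', '/')}/"


def check_attack_pattern(obj):
    """Return a list of problems found in one attack-pattern object."""
    problems = []
    tid = obj.get("x_mitre_id")
    refs = [r for r in obj.get("external_references", [])
            if r.get("source_name") == "MITRE ATT&CK"]
    if not tid or not refs:
        return [f"{obj['id']}: missing x_mitre_id or MITRE ATT&CK reference"]
    ref = refs[0]
    if ref.get("external_id") != tid:
        problems.append(f"{obj['id']}: external_id {ref.get('external_id')} != x_mitre_id {tid}")
    if ref.get("url") != expected_url(tid):
        problems.append(f"{obj['id']}: url {ref.get('url')} does not match {tid}")
    for phase in obj.get("kill_chain_phases", []):
        if (phase.get("kill_chain_name") != "mitre-attack"
                or phase.get("phase_name") not in ENTERPRISE_TACTICS):
            problems.append(f"{obj['id']}: unknown kill chain phase {phase}")
    if tid in REVOKED:
        problems.append(f"{obj['id']}: {tid} is revoked, map to {REVOKED[tid]} instead")
    return problems


def check_relationship(rel, index):
    """Return problems for refs that do not resolve to an object in the bundle."""
    return [f"{rel['id']}: dangling {key} {rel.get(key)}"
            for key in ("source_ref", "target_ref") if rel.get(key) not in index]


def lint_bundle(bundle, min_confidence=60):
    """Return {'errors': [...], 'accepted': [rel ids], 'quarantined': [rel ids]}."""
    index = {o["id"]: o for o in bundle["objects"]}
    report = {"errors": [], "accepted": [], "quarantined": []}
    for obj in bundle["objects"]:
        if obj["type"] == "attack-pattern":
            report["errors"].extend(check_attack_pattern(obj))
        elif obj["type"] == "relationship":
            errs = check_relationship(obj, index)
            if errs:
                report["errors"].extend(errs)
                continue
            # 'Seen in the same report' is not evidence of use: keep such links,
            # but out of the set a detection team would treat as confirmed.
            weak = (obj.get("confidence", 0) < min_confidence
                    or obj.get("x_validation_method") == "mitre-cooccurrence")
            report["quarantined" if weak else "accepted"].append(obj["id"])
    return report


def _ap(uid, name, tid, phases, url=None):
    """Build a minimal attack-pattern object for the constructed sample below."""
    return {"type": "attack-pattern", "spec_version": "2.1", "id": f"attack-pattern--{uid}",
            "name": name, "x_mitre_id": tid,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
            "external_references": [{"source_name": "MITRE ATT&CK", "external_id": tid,
                                     "url": url or expected_url(tid)}]}


def _rel(uid, target, confidence, method):
    """Build a minimal 'uses' relationship from the sample malware to a technique."""
    return {"type": "relationship", "spec_version": "2.1", "id": f"relationship--{uid}",
            "relationship_type": "uses", "source_ref": MALWARE_ID,
            "target_ref": f"attack-pattern--{target}", "confidence": confidence,
            "x_validation_method": method}


# Constructed sample mirroring the bundle above: one correct technique, the real
# revoked one (T1156), one seeded bad URL and one seeded dangling target_ref.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
    {"type": "malware", "spec_version": "2.1", "id": MALWARE_ID,
     "name": "polymorphic malware", "is_family": False},
    _ap("b374db85-3cb3-4563-9bae-4cc47462a31c", "Masquerading", "T1036", ["defense-evasion"]),
    _ap("e03eb8e0-183c-4351-82cb-2d9c193d1530", "Malicious Shell Modification", "T1156", ["persistence"]),
    _ap("00000000-0000-4000-8000-000000000001", "Screen Capture", "T1113", ["collection"],
        url="https://attack.mitre.org/techniques/T1112/"),  # seeded defect: wrong URL
    _rel("00000000-0000-4000-8000-0000000000a1", "b374db85-3cb3-4563-9bae-4cc47462a31c", 55, "mitre-cooccurrence"),
    _rel("00000000-0000-4000-8000-0000000000a2", "b374db85-3cb3-4563-9bae-4cc47462a31c", 80, "analyst-confirmed"),  # ASSUMPTION: hypothetical method
    _rel("00000000-0000-4000-8000-0000000000a3", "00000000-0000-4000-8000-0000000000ff", 55, "mitre-cooccurrence"),  # seeded defect: dangling ref
]}

if __name__ == "__main__":
    # Usage: python lint_bundle.py bundle.json   (no argument: lint the built-in sample)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BUNDLE
    print(json.dumps(lint_bundle(data), indent=2))
```

Run against the full bundle above, the linter reports every `uses` relationship as quarantined and flags the T1156 object; nothing lands in `accepted`, which is the honest reading of a co-occurrence-derived mapping. Raising `min_confidence` or adding validation methods to the quarantine rule is a policy decision for the consuming team, not something the feed itself settles.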