{
"type": "bundle",
"id": "bundle--f49bc032-4897-450f-b289-f50d74502de6",
"objects": [
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"created": "2022-10-01T00:00:00.000Z",
"definition_type": "tlp:2.0",
"name": "TLP:CLEAR",
"definition": {
"tlp": "clear"
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--883434c1-23d6-4a15-99ae-dcc6512d4e84",
"created": "2025-12-09T16:32:38.412Z",
"modified": "2025-12-09T16:32:38.412Z",
"name": "MikeGPT Intelligence Platform",
"description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds",
"identity_class": "organization",
"sectors": [
"technology",
"defense"
],
"contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--f5c769a9-544c-49fa-897d-422e759d1c44",
"created": "2025-12-09T16:32:38.412Z",
"modified": "2025-12-09T16:32:38.412Z",
"name": "Threat Intelligence Report - 2025-12-09",
"description": "Threat Intelligence Report - 2025-12-09\n\nThis report consolidates actionable cybersecurity intelligence from 74 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October (Score: 100)\n• Microsoft Takes Aim at “Swivel-Chair Security” with Defender Portal Overhaul (Score: 100)\n• Google Adds Layered Defenses to Chrome to Block Indirect Prompt Injection Threats (Score: 100)\n• Proofpoint Completes $1.8 Billion Acquisition of Hornetsecurity (Score: 100)\n• New BYOVD loader behind DeadLock ransomware attack (Score: 100)\n\nEXTRACTED ENTITIES:\n• 22 Attack Pattern(s)\n• 1 Malware(s)\n• 1 Marking Definition(s)\n• 23 Relationship(s)\n• 4 Tool(s)\n• 1 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n",
"published": "2025-12-09T16:32:38.412Z",
"object_refs": [
"identity--883434c1-23d6-4a15-99ae-dcc6512d4e84",
"identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"vulnerability--09cfd756-732a-426d-8c11-8d9ddb3e9e05",
"identity--a46e663a-8e9f-4dbd-b12b-8e7de5526190",
"identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396",
"identity--53a6e913-b371-4d86-baa7-f737222b3ce5",
"identity--5ccdf7bc-6dc4-4348-ac05-2f7e1ccfb271",
"tool--a8a9ce63-2bac-48bd-955d-06a2f213abbc",
"identity--161fc746-cd49-4615-ab48-81a93a1b16b4",
"identity--8c1fecc5-666c-4007-be86-c4b6d149231b",
"identity--61905679-2b7c-4541-ac24-44004720dedf",
"tool--df10804d-b3f3-4fd7-9c19-617dc491f8f6",
"tool--b7ca7639-7000-408d-9ef5-bf20b73d5d60",
"identity--7dfb0946-0087-44f6-84d2-673134fae01d",
"tool--f8803d1f-88cf-4e2d-9ed7-583cbb378365",
"identity--06b70d7b-8838-4176-9d1c-742c3c4155df",
"identity--23aff524-f0ba-4de9-afe3-f9acc34012ca",
"identity--852f1ded-54a0-4678-8751-1aa05a63754e",
"identity--19af5393-9a74-4c8c-bb29-1aad57686b46",
"malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"attack-pattern--d5229cf6-f11b-41bc-8aca-0df713047400",
"attack-pattern--9ba6495b-e273-4e8d-a4ce-dbcd56ec33f2",
"attack-pattern--f1669470-d352-4943-bd4a-70c7740b6d39",
"attack-pattern--ce39e6f2-b20f-421e-83e1-242a773e1927",
"attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d",
"attack-pattern--28d556b1-41a4-46dd-9e44-02b0593dd0e4",
"attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"attack-pattern--9f6c52f6-cc63-4397-b485-099a2ca6acf9",
"attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"attack-pattern--d0394986-33f8-44f3-8050-da1e0be05638",
"relationship--bd0c2b66-2549-44a3-9693-9da945f3033d",
"relationship--bff11c07-4f8c-4e43-81f9-8d5dda479c7f",
"relationship--0fbc01d4-c39f-48ed-a9d5-905cf178ffde",
"relationship--43df6d2e-58b0-44ef-bbfe-327a085a858d",
"relationship--a624df98-018a-4436-9a62-151ce12e4a9f",
"relationship--0d664a0c-2ebe-492e-a18a-d5f8b151434c",
"relationship--b57dac23-c25e-4921-a837-2d0f44315764",
"relationship--547e8c57-c1f8-4e0e-ae66-4f80650e4ece",
"relationship--59691f9a-fd79-488a-bfe3-8f6603f8be0b",
"relationship--10da90a8-2a53-496c-bd1a-9addc7d22986",
"relationship--fccdd6d4-a76f-423f-9ea3-35f82757c928",
"relationship--0ea06ef4-718e-4564-b564-a5bdc86cb434",
"relationship--b3ff5bde-a9b1-4aa7-8906-39f3423dab39",
"relationship--fcfab048-8a26-45c1-952d-53cd32bbee74",
"relationship--435edad5-677e-4c13-8188-70b23efb94a9",
"relationship--d4cd43b9-ed19-4aab-ba0a-36cca45b8cd0",
"relationship--3c40dedd-a071-47df-bc21-33afeb4fc457",
"relationship--041d09b0-f4a7-4cff-9cc1-2743220866f8",
"relationship--041467e0-d3cb-4f54-b220-73d2b5f36b79",
"relationship--975e81ed-967e-4bff-8a69-0fd4381ac864",
"relationship--14d8d195-2a29-414a-b7c6-481ce35f65f4",
"relationship--518c5ebb-a24e-4ccd-a4ed-340aa9df300d",
"relationship--d4966e77-69d4-4298-9102-80dab0abe934"
],
"labels": [
"threat-report",
"threat-intelligence"
],
"created_by_ref": "identity--883434c1-23d6-4a15-99ae-dcc6512d4e84",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.407Z",
"modified": "2025-12-09T16:32:38.407Z",
"confidence": 95,
"type": "identity",
"id": "identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"name": "Microsoft",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Microsoft is a multinational technology company that develops, manufactures, licenses, and supports a wide range of software products, services, and devices.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.407Z",
"modified": "2025-12-09T16:32:38.407Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--09cfd756-732a-426d-8c11-8d9ddb3e9e05",
"name": "CVE-2025-55182",
"description": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. CVSS Score: 10.0 (CRITICAL). CISA KEV: Active exploitation confirmed. EPSS: 77.8% exploitation probability",
"x_cvss_score": 10.0,
"x_cvss_severity": "CRITICAL",
"x_kev_status": true,
"x_epss_score": 0.77804,
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-55182",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55182"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-55182",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.407Z",
"modified": "2025-12-09T16:32:38.407Z",
"confidence": 95,
"type": "identity",
"id": "identity--a46e663a-8e9f-4dbd-b12b-8e7de5526190",
"name": "Entra ID",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Entra ID is a cloud-based identity and access management (IAM) solution that provides secure authentication, authorization, and governance for users and applications across multiple environments.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.408Z",
"modified": "2025-12-09T16:32:38.408Z",
"confidence": 95,
"type": "identity",
"id": "identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396",
"name": "Google",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Google is a multinational technology company specializing in Internet-related services and products, including search engines, online advertising technologies, cloud computing, and software development.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.408Z",
"modified": "2025-12-09T16:32:38.408Z",
"confidence": 95,
"type": "identity",
"id": "identity--53a6e913-b371-4d86-baa7-f737222b3ce5",
"name": "SecurityWeek",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "SecurityWeek is a cybersecurity news and information website that provides in-depth analysis and coverage of the latest threats, vulnerabilities, and industry trends.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.408Z",
"modified": "2025-12-09T16:32:38.408Z",
"confidence": 95,
"type": "identity",
"id": "identity--5ccdf7bc-6dc4-4348-ac05-2f7e1ccfb271",
"name": "Cloudflare",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Cloudflare is a cybersecurity company that provides protection and performance services for websites and applications, including DDoS mitigation, content delivery, and security features.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.408Z",
"modified": "2025-12-09T16:32:38.408Z",
"confidence": 95,
"type": "tool",
"id": "tool--a8a9ce63-2bac-48bd-955d-06a2f213abbc",
"name": "Trivy",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Trivy is a lightweight, fast, and multi-language vulnerability scanner that detects vulnerabilities in container images and other software assets.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.408Z",
"modified": "2025-12-09T16:32:38.408Z",
"confidence": 95,
"type": "identity",
"id": "identity--161fc746-cd49-4615-ab48-81a93a1b16b4",
"name": "GitHub",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "GitHub is a web-based platform for version control and collaboration on software development projects, allowing users to store, manage, and share their code with others.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.408Z",
"modified": "2025-12-09T16:32:38.408Z",
"confidence": 95,
"type": "identity",
"id": "identity--8c1fecc5-666c-4007-be86-c4b6d149231b",
"name": "FortiWeb",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "FortiWeb is a company",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.408Z",
"modified": "2025-12-09T16:32:38.408Z",
"confidence": 30,
"type": "identity",
"id": "identity--61905679-2b7c-4541-ac24-44004720dedf",
"name": "Proofpoint",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Proofpoint is a company",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.409Z",
"modified": "2025-12-09T16:32:38.409Z",
"confidence": 95,
"type": "tool",
"id": "tool--df10804d-b3f3-4fd7-9c19-617dc491f8f6",
"name": "Microsoft 365",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Microsoft 365 is a cloud-based productivity and security suite that integrates Microsoft Office applications, email services, and collaboration tools for businesses and individuals.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.409Z",
"modified": "2025-12-09T16:32:38.409Z",
"confidence": 95,
"type": "tool",
"id": "tool--b7ca7639-7000-408d-9ef5-bf20b73d5d60",
"name": "Microsoft Visual Studio Code",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Microsoft Visual Studio Code is a free, open-source code editor that provides developers with a lightweight and feature-rich environment for writing, debugging, and managing code across various programming languages.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.409Z",
"modified": "2025-12-09T16:32:38.409Z",
"confidence": 95,
"type": "identity",
"id": "identity--7dfb0946-0087-44f6-84d2-673134fae01d",
"name": "Cofense",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Cofense is a company",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.409Z",
"modified": "2025-12-09T16:32:38.409Z",
"confidence": 95,
"type": "tool",
"id": "tool--f8803d1f-88cf-4e2d-9ed7-583cbb378365",
"name": "Ethereum",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Ethereum is a decentralized open-source blockchain platform that enables developers to build and deploy decentralized applications. In the context provided, Ethereum is used as a communication channel for EtherRAT malware, which is a new implant deployed in a React2Shell attack.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.409Z",
"modified": "2025-12-09T16:32:38.409Z",
"confidence": 95,
"type": "identity",
"id": "identity--06b70d7b-8838-4176-9d1c-742c3c4155df",
"name": "Sausalito",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Sausalito is a city in Marin County, California, and is not a threat actor or malware. However, it is mentioned in the context of a cybersecurity news article, indicating that it may be related to a company or organization involved in the cybersecurity industry.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.409Z",
"modified": "2025-12-09T16:32:38.409Z",
"confidence": 95,
"type": "identity",
"id": "identity--23aff524-f0ba-4de9-afe3-f9acc34012ca",
"name": "Identity Security Firm Saviynt",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Identity Security Firm Saviynt is a company",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.409Z",
"modified": "2025-12-09T16:32:38.409Z",
"confidence": 95,
"type": "identity",
"id": "identity--852f1ded-54a0-4678-8751-1aa05a63754e",
"name": "Gmail",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Gmail is a company",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.409Z",
"modified": "2025-12-09T16:32:38.409Z",
"confidence": 95,
"type": "identity",
"id": "identity--19af5393-9a74-4c8c-bb29-1aad57686b46",
"name": "RedHat",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "RedHat is a technology company that specializes in open-source software solutions, particularly Linux operating systems and enterprise software.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.409Z",
"modified": "2025-12-09T16:32:38.409Z",
"confidence": 90,
"type": "malware",
"id": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"name": "EtherRAT",
"is_family": true,
"malware_types": [
"remote-access-trojan"
],
"labels": [
"malicious-activity"
],
"description": "EtherRAT is a malware implant that runs five separate Linux persistence mechanisms and leverages Ethereum smart contracts for communication with the attacker. It is deployed in a recent React2Shell attack, highlighting its significance in the threat landscape. EtherRAT's use of Ethereum smart contracts for communication adds a layer of complexity to its operation, making it a notable malware variant.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.409Z",
"modified": "2025-12-09T16:32:38.409Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.409Z",
"modified": "2025-12-09T16:32:38.409Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"name": "Spearphishing Attachment",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/001/",
"external_id": "T1566.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"name": "Spearphishing Link",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/002/",
"external_id": "T1566.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"name": "Spearphishing via Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/003/",
"external_id": "T1566.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"name": "Supply Chain Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/",
"external_id": "T1195"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--d5229cf6-f11b-41bc-8aca-0df713047400",
"name": "Boot or Logon Autostart Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1547",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1547/",
"external_id": "T1547"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--9ba6495b-e273-4e8d-a4ce-dbcd56ec33f2",
"name": "Scheduled Task/Job",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/",
"external_id": "T1053"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--f1669470-d352-4943-bd4a-70c7740b6d39",
"name": "Compromise Software Supply Chain",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/002/",
"external_id": "T1195.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--ce39e6f2-b20f-421e-83e1-242a773e1927",
"name": "Create or Modify System Process",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1543",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1543/",
"external_id": "T1543"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"name": "Botnet",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1584.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1584/005/",
"external_id": "T1584.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 82,
"type": "attack-pattern",
"id": "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d",
"name": "Search Threat Vendor Data",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"x_mitre_id": "T1681",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1681/",
"external_id": "T1681"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 77,
"type": "attack-pattern",
"id": "attack-pattern--28d556b1-41a4-46dd-9e44-02b0593dd0e4",
"name": "IDE Tunneling",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1219.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1219/001/",
"external_id": "T1219.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 72,
"type": "attack-pattern",
"id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"name": "Vulnerabilities",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/006/",
"external_id": "T1588.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--9f6c52f6-cc63-4397-b485-099a2ca6acf9",
"name": "Compromise Hardware Supply Chain",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/003/",
"external_id": "T1195.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"name": "Archive via Utility",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1560.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1560/001/",
"external_id": "T1560.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"name": "Screen Capture",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1113",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1113/",
"external_id": "T1113"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"name": "Adversary-in-the-Middle",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1557",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1557/",
"external_id": "T1557"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"name": "Scheduled Task",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/005/",
"external_id": "T1053.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"name": "Socket Filters",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1205.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1205/002/",
"external_id": "T1205.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"name": "Malicious Shell Modification",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1156",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1156/",
"external_id": "T1156"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"confidence": 67,
"type": "attack-pattern",
"id": "attack-pattern--d0394986-33f8-44f3-8050-da1e0be05638",
"name": "Hybrid Identity",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1556.007",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1556/007/",
"external_id": "T1556.007"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--bd0c2b66-2549-44a3-9693-9da945f3033d",
"created": "2025-12-09T16:32:38.410Z",
"modified": "2025-12-09T16:32:38.410Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Exploit Public-Facing Application (T1190) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--bff11c07-4f8c-4e43-81f9-8d5dda479c7f",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Exploitation for Client Execution (T1203) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--0fbc01d4-c39f-48ed-a9d5-905cf178ffde",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Spearphishing Attachment (T1566.001) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--43df6d2e-58b0-44ef-bbfe-327a085a858d",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Spearphishing Link (T1566.002) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a624df98-018a-4436-9a62-151ce12e4a9f",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Spearphishing via Service (T1566.003) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--0d664a0c-2ebe-492e-a18a-d5f8b151434c",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Supply Chain Compromise (T1195) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b57dac23-c25e-4921-a837-2d0f44315764",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--d5229cf6-f11b-41bc-8aca-0df713047400",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Boot or Logon Autostart Execution (T1547) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--547e8c57-c1f8-4e0e-ae66-4f80650e4ece",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--9ba6495b-e273-4e8d-a4ce-dbcd56ec33f2",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Scheduled Task/Job (T1053) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--59691f9a-fd79-488a-bfe3-8f6603f8be0b",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--f1669470-d352-4943-bd4a-70c7740b6d39",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Compromise Software Supply Chain (T1195.002) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--10da90a8-2a53-496c-bd1a-9addc7d22986",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--ce39e6f2-b20f-421e-83e1-242a773e1927",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Create or Modify System Process (T1543) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--fccdd6d4-a76f-423f-9ea3-35f82757c928",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Botnet (T1584.005) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--0ea06ef4-718e-4564-b564-a5bdc86cb434",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Botnet (T1583.005) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b3ff5bde-a9b1-4aa7-8906-39f3423dab39",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Search Threat Vendor Data (T1681) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--fcfab048-8a26-45c1-952d-53cd32bbee74",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--28d556b1-41a4-46dd-9e44-02b0593dd0e4",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and IDE Tunneling (T1219.001) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--435edad5-677e-4c13-8188-70b23efb94a9",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Vulnerabilities (T1588.006) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d4cd43b9-ed19-4aab-ba0a-36cca45b8cd0",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--9f6c52f6-cc63-4397-b485-099a2ca6acf9",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Compromise Hardware Supply Chain (T1195.003) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3c40dedd-a071-47df-bc21-33afeb4fc457",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Archive via Utility (T1560.001) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--041d09b0-f4a7-4cff-9cc1-2743220866f8",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Screen Capture (T1113) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--041467e0-d3cb-4f54-b220-73d2b5f36b79",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Adversary-in-the-Middle (T1557) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--975e81ed-967e-4bff-8a69-0fd4381ac864",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Scheduled Task (T1053.005) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--14d8d195-2a29-414a-b7c6-481ce35f65f4",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Socket Filters (T1205.002) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--518c5ebb-a24e-4ccd-a4ed-340aa9df300d",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Malicious Shell Modification (T1156) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d4966e77-69d4-4298-9102-80dab0abe934",
"created": "2025-12-09T16:32:38.411Z",
"modified": "2025-12-09T16:32:38.411Z",
"relationship_type": "uses",
"source_ref": "malware--6d215d91-1322-4735-bb15-eeba2b72a759",
"target_ref": "attack-pattern--d0394986-33f8-44f3-8050-da1e0be05638",
"confidence": 55,
"description": "Co-occurrence only: EtherRAT and Hybrid Identity (T1556.007) appear together in the same intelligence; this does not by itself establish that EtherRAT uses the technique.",
"x_validation_method": "mitre-cooccurrence"
}
]
}