Cybersecurity Latest Rundown

Playbook for the Secure Enterprise

Compliance Impact Scoreboard

SOX: 18 HIPAA: 5 General Enterprise: 2

Industry Watch

🚨 Healthcare (HIPAA) CRITICAL

Active exploitation of perimeter security devices

Key threat: Active Exploitation of Fortinet CVE-2025-59718 & CVE-2025-59719

Action: Review Active Exploitation of Critical Fortinet Flaws, JumpCloud Remote Assist Vulnerability

Finance (SOX) ELEVATED

Supply chain attacks and ERP data breaches

Key threat: Oracle EBS Breach (LKQ) & Malicious NuGet Packages

Action: Review Auto Parts Giant LKQ Confirms Oracle EBS Breach, Malicious NuGet Package Impersonates Tracer.Fody

CyberSecurity Latest Rundown

Heroes, late breaking critical news. Here's a detailed look at the current cybersecurity landscape for December 17, 2025.

CRITICAL ITEMS

Active Exploitation of Critical Fortinet Flaws and SAML SSO Bypass
Date & Time: 2025-12-16T15:40:34

Threat actors are actively exploiting two critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in Fortinet products, alongside a separate campaign involving malicious SAML SSO logins observed by Arctic Wolf. These attacks are occurring days after patch release, indicating a race between defenders and attackers to secure perimeter devices.

Business impact

Successful exploitation allows attackers to bypass authentication and gain unauthorized access to the corporate network, leading to potential data theft, ransomware deployment, and significant regulatory fines under SOX and HIPAA.

Recommended action

Ask your IT team: "Have we applied the December patches for all Fortinet appliances, and have we audited our SSO logs for the specific malicious login patterns identified on December 12?"

CVE: CVE-2025-59718 CVE-2025-59719 | Compliance: SOX, HIPAA | Source: Security Affairs ↗, The Hacker News ↗
JumpCloud Remote Assist Vulnerability Grants SYSTEM Privileges
Date & Time: 2025-12-16T13:42:07

A critical vulnerability in the JumpCloud Remote Assist agent for Windows allows local users to escalate privileges to SYSTEM level, effectively giving them total control over the endpoint. This flaw affects versions prior to 0.317.0 and is being tracked as CVE-2025-34352.

Business impact

If exploited, a malicious insider or an attacker with low-level access could disable security software, steal credentials, and deploy malware across the fleet, causing widespread operational disruption.

Recommended action

Verify with your endpoint management team: "Are all Windows endpoints running JumpCloud Remote Assist version 0.317.0 or later?"

CVE: CVE-2025-34352 | Compliance: General Enterprise | Source: Hackread ↗
React2Shell Vulnerability Exploited to Deploy Linux Backdoors
Date & Time: 2025-12-16T08:21:00

The React2Shell vulnerability is being actively exploited to deploy stealthy Linux malware families known as KSwapDoor and ZnDoor. These professionally engineered tools are designed for persistence and remote access, targeting Linux-based infrastructure.

Business impact

Compromise of Linux servers often leads to the theft of intellectual property, backend database access, and long-term espionage, severely impacting SOX compliance and business continuity.

Recommended action

Ask your security operations center: "Are we scanning our Linux environments for the specific indicators of KSwapDoor and ZnDoor malware?"

CVE: CVE-2025-55182 | Compliance: SOX | Source: The Hacker News ↗
Russia’s Sandworm Shifts Tactics to Target Energy Sector
Date & Time: 2025-12-16T15:54:13

Amazon Threat Intelligence reports that the Russian GRU-linked Sandworm group has simplified its tactics to target Western critical infrastructure, specifically the energy sector. This ongoing campaign, dating back to 2021, represents a persistent nation-state threat.

Business impact

Attacks on critical infrastructure can lead to physical operational disruption, massive financial losses, and national security implications, far exceeding standard data breach costs.

Recommended action

For energy sector entities, ask the CISO: "Have we reviewed our threat models against the latest Sandworm TTPs provided in the Amazon report?"

CVE: n/a | Compliance: SOX, GDPR | Source: CyberScoop ↗

HIGH SEVERITY ITEMS

Auto Parts Giant LKQ Confirms Oracle EBS Breach
Date & Time: 2025-12-17T09:11:03

LKQ Corporation has confirmed a breach involving their Oracle E-Business Suite (EBS), resulting in the compromise of personal information for thousands of individuals. This incident highlights the risks associated with exposing ERP systems to the internet.

Business impact

The breach will likely result in regulatory scrutiny, mandatory breach notifications, potential class-action lawsuits, and reputational damage.

Recommended action

Ask IT leadership: "Is our Oracle EBS environment accessible from the public internet, and do we require MFA for all access?"

CVE: n/a | Compliance: SOX | Source: SecurityWeek ↗
Cellik Android Malware-as-a-Service Targets Google Play
Date & Time: 2025-12-17T07:30:07

A new Malware-as-a-Service named Cellik is enabling cybercriminals to embed malicious code into legitimate apps found on the Google Play Store. This allows attackers to create convincing clones of popular applications to steal user data.

Business impact

Employees installing these malicious apps on BYOD or corporate devices could expose corporate credentials and sensitive mobile data to theft.

Recommended action

Ask your mobile security team: "Do our MDM policies block the installation of unverified apps and detect known malware signatures like Cellik?"

CVE: n/a | Compliance: General Enterprise | Source: Lifeboat ↗
Malicious NuGet Package Impersonates Tracer.Fody
Date & Time: 2025-12-16T15:39:00

A malicious NuGet package named `Tracer.Fody.NLog` sat in the repository for six years, impersonating a popular .NET library to steal cryptocurrency wallet data. This highlights the persistent risk of typosquatting in software supply chains.

Business impact

Developers using this package have introduced a backdoor into their environments, potentially leading to code theft or compromise of production build pipelines.

Recommended action

Ask your development leads: "Have we scanned our project dependencies for `Tracer.Fody.NLog` and do we have controls to prevent using unverified packages?"

CVE: n/a | Compliance: SOX | Source: The Hacker News ↗

EXECUTIVE INSIGHTS

Qualys: Evolving Exposure Management in a Post-Kenna World
Date & Time: 2025-12-17T00:15:46

With Cisco announcing the end of support for its vulnerability management product (formerly Kenna Security) by June 2028, the industry is shifting from Risk-Based Vulnerability Management (RBVM) to broader Exposure Management. This transition emphasizes assessing risks across all organizational surfaces, not just software vulnerabilities.

Source: Qualys Blog ↗
Illusory Systems Settles with FTC Over Crypto Hack
Date & Time: 2025-12-16T23:46:30

The FTC has ordered Illusory Systems to return funds and implement security reforms following a 2022 hack where a software flaw led to the theft of hundreds of millions in cryptocurrency. This sets a precedent for regulatory enforcement against companies that fail to secure their platforms despite public security claims.

Source: CyberScoop ↗

VENDOR SPOTLIGHT

Spotlight Rationale: With Cisco ending support for Kenna Security (RBVM) and active critical threats like Fortinet (CVE-2025-59718) requiring immediate prioritization, organizations need a robust Exposure Management platform to replace legacy tools and prioritize remediation.

Threat Context: Active Exploitation of Critical Fortinet Flaws

Platform Focus: Qualys TruRisk / VMDR (Vulnerability Management, Detection and Response)

Qualys VMDR addresses the shift from simple vulnerability scanning to holistic Exposure Management. By correlating vulnerability data with threat intelligence (such as the active exploitation of Fortinet devices), it allows organizations to prioritize the few flaws that are actually being weaponized, ensuring that critical patches like CVE-2025-59718 are applied before attackers can exploit them.

Actionable Platform Guidance: Use Qualys VMDR to create a dynamic dashboard specifically for "CISA KEV" and "Fortinet" assets. Configure an alert rule to trigger whenever a severity 5 vulnerability is detected on an external-facing asset.

Source: Qualys Blog ↗

DETECTION & RESPONSE KIT

⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.

1. Vendor Platform Configuration - Qualys VMDR

# Step 1: Create a Dynamic Search List for Critical Fortinet CVEs
1. Navigate to VMDR > Knowledgebase > Search Lists > New > Dynamic.
2. Title: "Critical Fortinet Exploits Dec 2025".
3. Criteria:
- CVE ID: CVE-2025-59718, CVE-2025-59719
- Vendor: Fortinet

# Step 2: Launch Targeted Scan
1. Go to Scans > New > Scan.
2. Select Option Profile: "Complete Vulnerability Detection".
3. Target: All External IPs / Perimeter Asset Group.
4. Search List: Select "Critical Fortinet Exploits Dec 2025".
5. Launch.

2. YARA Rule for Cellik Android Malware

rule Android_Malware_Cellik {
meta:
description = "Detects Cellik and HyperRat Android Malware artifacts"
author = "Threat Rundown"
date = "2025-12-17"
reference = "https://lifeboat.com/blog/2025/12/cellik-android-malware-builds-malicious-versions-from-google-play-apps"
severity = "high"
tlp = "white"
strings:
$s1 = "Cellik" ascii wide
$s2 = "HyperRat" ascii wide
$s3 = "Tracer.Fody.NLog" ascii wide
condition:
any of ($s*)
}

3. SIEM Query — Fortinet Exploitation Attempts

index=security sourcetype="fortinet:firewall"
(cve="CVE-2025-59718" OR cve="CVE-2025-59719" OR app="saml_sso")
| eval risk_score=case(
action=="blocked", 50,
action=="allowed", 100,
1==1, 25)
| where risk_score >= 50
| table _time, src_ip, dest_ip, action, risk_score, msg
| sort -_time

4. PowerShell Script — JumpCloud Version Audit

$computers = "localhost", "SERVER01", "WKSTN01"
foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
Invoke-Command -ComputerName $computer -ScriptBlock {
$app = Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
Where-Object { $_.DisplayName -like "*JumpCloud Remote Assist*" }
if ($app) {
[version]$ver = $app.DisplayVersion
if ($ver -lt [version]"0.317.0") {
Write-Host "VULNERABLE: $($env:COMPUTERNAME) running version $($app.DisplayVersion)" -ForegroundColor Red
} else {
Write-Host "SECURE: $($env:COMPUTERNAME) running version $($app.DisplayVersion)" -ForegroundColor Green
}
}
}
}
}

This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!

{ "type": "bundle", "id": "bundle--d99eb1da-b63c-4526-9f6f-dbb1b67bc374", "objects": [ { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487", "created": "2022-10-01T00:00:00.000Z", "definition_type": "tlp:2.0", "name": "TLP:CLEAR", "definition": { "tlp": "clear" } }, { "type": "identity", "spec_version": "2.1", "id": "identity--b2df601b-910a-4a30-ba82-da78454e7a72", "created": "2025-12-17T11:35:41.071Z", "modified": "2025-12-17T11:35:41.071Z", "name": "MikeGPT Intelligence Platform", "description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds", "identity_class": "organization", "sectors": [ "technology", "defense" ], "contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "report", "spec_version": "2.1", "id": "report--8854a75f-573b-4c65-af32-03c379cea1f8", "created": "2025-12-17T11:35:41.081Z", "modified": "2025-12-17T11:35:41.081Z", "name": "Threat Intelligence Report - 2025-12-17", "description": "Threat Intelligence Report - 2025-12-17\n\nThis report consolidates actionable cybersecurity intelligence from 81 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Auto Parts Giant LKQ Confirms Oracle EBS Breach (Score: 100)\n• Cellik Android malware builds malicious versions from Google Play apps (Score: 100)\n• Navigating Change: Evolving Your Exposure Management Strategy in a Post-Kenna World with Qualys (Score: 100)\n• Cisco Duo Unveils First Production Deployment of Foundation AI (Score: 100)\n• Hackers are exploiting critical Fortinet flaws days after patch release (Score: 100)\n\nEXTRACTED ENTITIES:\n• 17 Attack Pattern(s)\n• 20 Domain Name(s)\n• 19 Indicator(s)\n• 4 Malware(s)\n• 1 Marking Definition(s)\n• 121 Relationship(s)\n• 2 Threat Actor(s)\n• 2 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n", "published": "2025-12-17T11:35:41.081Z", "object_refs": [ "identity--b2df601b-910a-4a30-ba82-da78454e7a72", "identity--5b77c9a5-95cd-429a-8b15-1a0556c12ce9", "identity--c4bddfde-bffe-4aa3-970b-dd430d1877f3", "identity--8cc3b00e-323b-4227-a201-8a8443f641dc", "vulnerability--d95868d7-4f07-4d84-b742-07ee4cf4adbf", "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "identity--242711f4-1a3e-45a9-8f87-d07ec61a67bd", "identity--9dbbb140-e4d0-44e7-85ee-e240516662d5", "identity--f8370542-ed55-4451-801a-72aa9a666120", "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "identity--abd65ae5-389f-433c-9a24-495c5d53dd18", "identity--6caeff76-d2f3-49df-b41f-bac074ae2bb2", "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "identity--afa6201d-632f-4962-82f2-2adee9cd523e", "identity--c810aa92-b1fc-40e2-8f37-6921e0223878", "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "identity--eb939e15-5962-43c8-a79f-ec4e54b5f638", "identity--3e5eaf0a-42ab-4555-801b-e588368e21a2", "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "identity--e5be0d04-5c47-487d-9781-fdb0a0acbf05", "identity--1044ef7c-7d96-43dd-b3cb-5725d5a7e299", "identity--11db6c79-163a-489b-a324-8958d76b9065", "identity--b3d44fd4-9394-4358-9586-e1d79a32fc4a", "identity--48d22b7e-3df8-422d-8e5d-d82e5976087e", "identity--ddbddbb6-3406-45e6-a1ea-580381f8ad96", "vulnerability--6ef726f3-1bf6-4e7d-8e7a-ca98d09871dd", "identity--d6fbbbd5-d4a2-4517-87ee-699f986f5720", "identity--2ef19bd7-a5a0-42da-be03-5a4bc0ae3fd0", "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "attack-pattern--f3417ce4-850c-4b35-a8f0-944ebd1397de", "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "attack-pattern--9fb30bf5-5715-4a43-9021-382c6578ac8f", "attack-pattern--6df8dc0c-ab98-4f19-a0a0-034b7aecc5b8", "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "attack-pattern--2cc0422c-1d73-485c-a80e-7b9de90079fa", "attack-pattern--9b9edc93-b265-4924-b974-3b45fd12835f", "relationship--a47e792c-62ef-4310-84fc-fed36249169c", "relationship--3f79650e-7a96-4240-8162-cceb31496502", "relationship--714b3296-45b5-42aa-b02e-7e702f05dbe4", "relationship--9409b64a-6b96-4199-9bbd-f802288df864", "relationship--8eff30ac-dea5-49de-86b8-43abafa39c14", "relationship--1fc29fd7-c899-4b1f-82e2-19b61138410c", "relationship--3fb134e6-3639-4f8f-a3f0-f8fcd4aad47a", "relationship--1bfbd3bb-586f-4684-8708-5cadcadb8ab1", "relationship--d21c3046-a5df-4bf0-8216-19f4f977165e", "relationship--b856d45f-e4ed-41da-bbdd-42da92d1339b", "relationship--df337d4a-6cc6-4807-8ede-741dcfa0870a", "relationship--ca9395a0-3309-482a-ab3e-9cd0b8d985cb", "relationship--4d09c53f-eee2-438f-b15e-b608244b4e0a", "relationship--70441730-8b17-4c38-91a3-5daf94382d05", "relationship--9e26d590-2aa1-4d93-93a8-30eee7f093d8", "relationship--68b80bc4-bdc9-4999-810f-a667cd63f62f", "relationship--a423eb09-2eb4-44ef-93bd-a21b378bec88", "relationship--9f93a3d3-6284-48a3-9768-485879596c78", "relationship--fa7403d7-3c15-491a-bb8d-654053a11f43", "relationship--28a2f603-951c-438f-9f37-f6e8d7ac0b27", "relationship--6f727ffb-13c5-4266-951c-89c7597a242d", "relationship--561df86f-bebf-4278-b772-6d83bd395e65", "relationship--cd8bc7a5-f2fa-40b7-92d3-2e426e292b44", "relationship--365d9d8b-6ed9-4105-aadb-c8bc9d15f8f9", "relationship--2912176e-c395-4665-861f-7f2c77ab5339", "relationship--3a419043-6fd8-43eb-99da-da6fa6588745", "relationship--87a774f8-b329-474d-aaa9-f0ab8ac1bc81", "relationship--3d808d80-87e9-438f-9dcf-fbfdec4c8398", "relationship--82592079-b8be-4283-848e-0e9102e56502", "relationship--791f6116-20ea-4f55-b45e-e9781e9e51c6", "relationship--203975c6-a24f-4fdf-b4d7-42878336a917", "relationship--00329375-1f2a-43ed-91d5-40164bef93d9", "relationship--c052fa70-61b6-4420-a969-568371fc802e", "relationship--662aacc0-d4ac-4cca-8005-7f60b83a9913", "relationship--884c6466-791a-4a80-80c1-dbdafad21c5c", "relationship--76795a75-8e2b-4aee-bb0e-9249640c75dd", "relationship--3fc67a00-72ef-4e57-a11b-4b5bc4b372e5", "relationship--14da8629-fc90-4bae-af92-d6e2368e3092", "relationship--ef75a841-4082-4d44-b323-b8190d786b14", "relationship--6bb7e587-da1c-4c80-b6ce-b322a12a0bc3", "relationship--24527c6a-0468-46a9-8b13-61ec17bf8aee", "relationship--fcc67c8f-407e-4463-bb1b-74720e228062", "relationship--5235b556-022b-4402-bcbd-05a37b3c34a6", "relationship--d20e210c-3de0-4fae-a8f2-132ac8eb8333", "relationship--80274b8f-688a-4cd0-aba0-9617120a9311", "relationship--9affc0d8-91eb-4f94-8c94-bdee709c45de", "relationship--c6628999-3684-435b-bf42-30c77f1fcbb4", "relationship--254199c6-1f7c-4b85-8d68-200ebbe35222", "relationship--f9e9ecde-f587-45b8-b0e7-a25569dbd1f7", "relationship--508ec592-9830-4857-9697-4915e1ade63a", "relationship--7dbb21b8-4015-4314-8e7a-356a4306f47a", "relationship--76cf7f9f-3af6-4cf4-9ca8-a7d2e4d504f5", "relationship--1afc5eba-6d93-497b-af0e-554cd3ad170f", "relationship--e47cd894-baf2-4fb6-b839-b79a213a5891", "relationship--a80296f8-82e9-431f-afad-ff5b83d5d340", "relationship--0a2d4439-9050-4d0d-a57f-e6a24a5f3c04", "relationship--d47f0da4-c3a0-48e9-8e33-9f3018dee46d", "relationship--7931d3ff-ca8b-4ea8-bbec-e32a649c6f18", "relationship--e9e82f3e-4b13-4ec9-a9c2-4cb5f2ac73a8", "relationship--0db9102f-fcbb-427e-8b8a-4657bcb69f6d", "relationship--cad5c9b5-1bd6-4ab3-b492-aa4f91ecf455", "relationship--b4180585-66f9-4627-b2c0-9ff3d43fec30", "relationship--4e7d5a71-0c73-47bc-a48a-4891ef866905", "relationship--548a38c1-3a5c-4ddb-adc4-73286a328a43", "relationship--8d190350-3c71-4465-9307-41aa603b4efc", "relationship--cf51ca78-9892-4e39-bb57-0b6696fd2aaf", "relationship--fc3b57cb-b5c6-4258-89c2-f3d7e6493bc9", "relationship--bb1c7da4-b145-4fd1-bd94-eadf7eac9ba9", "relationship--68d3ca42-75a8-4c83-8269-f646a130390a", "relationship--ce891384-79af-4f25-b026-5fdbe334fc55", "relationship--41b5b48d-0622-423d-98dc-4daad5a81b49", "relationship--ccd2a8f5-9e14-4cd8-95c8-16a856926e5c", "relationship--f28180e1-977a-43b4-aa41-88dc022359bd", "relationship--ed88e60f-9efe-4f57-9d92-39283fd7fac8", "relationship--81eb47f1-9daa-41c4-af15-6619c92ced15", "relationship--58628c7c-2d08-4891-9634-d7f00021c20d", "relationship--3bebb63b-37c6-47da-a710-4adb0de36e11", "relationship--010e05f9-a957-48c4-a092-d06b56cc0157", "relationship--d1281c75-743d-4def-96a1-8d67eaeb52bb", "relationship--099c1112-6a13-49d0-a41e-0c2f285d133f", "relationship--3f17bd3c-e1fb-48f8-a569-6b67079e3612", "relationship--c2464b49-2128-4dc6-b68f-260e16d08ad7", "relationship--d2847cc2-709f-4cf9-8c85-cc2b1394da76", "relationship--26729005-221e-4b0c-93a6-dcb60bea1948", "relationship--ca7a00af-b62d-42ce-89e3-75ede2f654c6", "relationship--4b43ed24-8064-4876-bd07-109bf3a595fa", "relationship--9327dbab-49bc-4d1f-a304-ed4d478abbf3", "relationship--7e1514ac-4602-4fe9-bd24-a46c76c0ca1e", "relationship--e8437675-d5c7-47a6-bdb2-9621538e69f6", "relationship--ed904dcb-7c95-40a4-9080-5f08c8ec0e81", "relationship--18bff308-8fda-40b5-9094-0c91b7b13778", "relationship--742b4dfa-b3da-4695-9c22-922d1e72842b", "relationship--3511e775-9b71-4737-a031-b4a00095a639", "relationship--09f6a5e8-e3f4-4e81-83f6-7a814ceec8c2", "relationship--0fea2447-055a-4fb8-88d1-18a22c701ccb", "relationship--6f6d5fca-ea4d-4e69-9300-ae163f5cf3f7", "relationship--1f51da67-c37e-45d4-9d2d-fd22f046990a", "relationship--98927a2b-88a3-4b4d-88f7-64ea3f731c19", "relationship--bc3336ff-5ea0-499b-8f0b-43321eabf2bf", "relationship--9ebb0688-3072-484e-ad58-f1b2f82f90f1", "relationship--d823b022-d429-45e6-acd0-1b426cc2c212", "relationship--812e35ac-7247-4b09-bd70-b6619eb3f1c0", "domain-name--f6f1fbb8-72ff-4812-9b23-5b557639cf7a", "domain-name--2c50d19d-1759-418c-8e82-802d637e6457", "domain-name--f415c03f-d605-4b5f-a8c9-772db4f3a82b", "domain-name--675f4712-c1c9-4764-be3b-024b420feb99", "domain-name--8df2e64d-1547-4957-8158-5d97d7607c24", "domain-name--423deac9-5ab5-4211-b99f-fc86dbfe47d8", "domain-name--c601ee96-bff8-445b-a20f-f88376b36626", "domain-name--930a9070-f0b3-43ba-bb97-1dd402ae55b5", "domain-name--202dc1f2-b10f-4857-b739-2fe4c66195cc", "domain-name--89e97eef-bb39-4199-af66-1c3057d87eb0", "domain-name--0615cea4-cdb2-4719-85f6-dff7f8186c63", "domain-name--fdc64f7b-3a3e-4be4-a7da-b62dd263e1f5", "domain-name--41d10ccf-cbe7-41d5-9aa7-4db20b1494d4", "domain-name--e0366677-0043-4297-8d17-b4209e4342dd", "domain-name--db1e7f7f-cf32-4973-a247-5a723e3a4ab5", "domain-name--095f7b72-cba7-4f87-9277-026553d99547", "domain-name--5e133d53-8a89-49be-8a00-69b3bff9b72d", "domain-name--63bd8ef4-258f-4c06-90bd-df7a13390296", "domain-name--596e0808-e00e-4955-8704-27ccf3d0bd76", "domain-name--1451434c-2656-4f33-97b1-69f6d27147d0", "indicator--f641b12e-fe46-40a9-ab53-f5f0ae41101a", "relationship--af44a50b-0c38-4ef6-8ba5-891f31497108", "indicator--67303154-037c-458b-a91f-d7192581b0a1", "relationship--c48a247a-7389-4926-9e1e-aa4e723f7155", "indicator--fa0a8c6d-f11c-4446-bbaf-772bdf3b838b", "relationship--3761cee3-22f5-4c5b-ad7f-cabfb8e454ac", "indicator--6ce4721a-8ff1-49af-8c80-79365bea2dd4", "relationship--c9d0b85f-1012-4333-abba-7cec8fcf0ddb", "indicator--962c660c-8815-465b-b414-48b8f923b394", "relationship--519789d5-32e8-4096-b0d6-d28941c72893", "indicator--8368e97b-8842-4036-92e3-368e43d73e4a", "relationship--2cdc9505-b1b3-4606-9465-e2771cc29320", "indicator--b93b2e96-7a7d-4ee0-83c7-18ee56095caa", "relationship--8e9292f2-eebd-40b2-87c2-1d27c679c9d0", "indicator--148c7ad9-872d-4338-a1bc-4c0f7faff0a9", "relationship--04e93aa5-0d5f-4731-afbb-ee6270d43cce", "indicator--95b0c8eb-d27f-49fc-9800-15c699f73054", "relationship--3ff5c2a9-0f99-40af-9fc0-a37fd3db7afb", "indicator--15e5fb44-adb1-437a-8619-9150d282c8c4", "relationship--b0945d77-1fdd-4c5e-86e3-a39cd236d986", "indicator--113b3d1c-f999-4fbe-a98c-87f0989d2da2", "relationship--2a0440ca-5da7-47be-8edc-a3ea3af71a45", "indicator--161e9202-ab34-4b69-9c32-6d960b2ce5e1", "relationship--519229cc-3042-47ea-8012-b3059cb6c474", "indicator--1ca52b38-9127-4514-9848-c0ac2fd6f6ab", "relationship--c3424185-3f87-4258-ab22-74a314371705", "indicator--5c5cc27b-6917-4add-abd8-36065abbfdfc", "relationship--0d97edd5-ac25-4b97-b76d-99657572f10d", "indicator--84afd306-826e-4691-afa4-eb5b6c48222e", "relationship--3e28f68c-793c-4401-898c-ff0d3ac7bf51", "indicator--cee125a3-01fe-4c54-bb2f-c040beaf7e1b", "relationship--a10bedd4-e446-47c6-a3cb-5396318bc50f", "indicator--42fc0a92-0871-433d-a637-b2e0900238fa", "relationship--105860e5-9182-4aef-a1a9-c77bba5a7814", "indicator--9d65a352-9a7a-4741-974b-f34524487c1b", "relationship--a83d735a-7acc-425c-bd5d-77e85a4b11c1", "indicator--27974c2d-3036-4688-bc0d-a4a2b348f3f6", "relationship--64826449-5a2d-4155-a19d-ae2ba6722626" ], "labels": [ "threat-report", "threat-intelligence" ], "created_by_ref": "identity--b2df601b-910a-4a30-ba82-da78454e7a72", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:13.450Z", "modified": "2025-12-17T11:35:13.648Z", "confidence": 95, "type": "identity", "id": "identity--5b77c9a5-95cd-429a-8b15-1a0556c12ce9", "name": "Cisco Identity Intelligence", "identity_class": "organization", "labels": [ "identity" ], "description": "Cisco Identity Intelligence is a product developed by Cisco that utilizes artificial intelligence to deliver customer-facing capabilities. It is notable for being the first Cisco product to be powered entirely by a Cisco-built AI model, Foundation-sec-1.1-8B-Instruct. This product is significant in the context of cybersecurity as it represents a major technology company's foray into AI-powered security solutions, which could have implications for the broader cybersecurity landscape.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:14.173Z", "modified": "2025-12-17T11:35:14.270Z", "confidence": 95, "type": "identity", "id": "identity--c4bddfde-bffe-4aa3-970b-dd430d1877f3", "name": "Fortinet", "identity_class": "organization", "labels": [ "identity" ], "description": "Fortinet is a multinational corporation that develops and sells cybersecurity solutions, including network security, endpoint security, and cloud security products. As a prominent player in the cybersecurity industry, Fortinet's products are widely used by organizations worldwide, making it a target for threat actors seeking to exploit vulnerabilities in their software. The exploitation of critical flaws in Fortinet products, such as CVE-2025-59718 and CVE-2025-59719, highlights the importance of timely patching and vulnerability management for organizations using Fortinet solutions.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:15.093Z", "modified": "2025-12-17T11:35:15.232Z", "confidence": 95, "type": "identity", "id": "identity--8cc3b00e-323b-4227-a201-8a8443f641dc", "name": "XM Cyber", "identity_class": "organization", "labels": [ "identity" ], "description": "XM Cyber is a cybersecurity company that specializes in breach and attack simulation, incident response, and threat intelligence. They provide solutions to help organizations identify and remediate vulnerabilities, and their research team actively discovers and discloses new vulnerabilities, such as the critical CVE-2025-34352 found in the JumpCloud Remote Assist for Windows agent. As a security researcher, XM Cyber plays a crucial role in improving the overall security posture of the industry.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:16.170Z", "modified": "2025-12-17T11:35:16.198Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--d95868d7-4f07-4d84-b742-07ee4cf4adbf", "name": "React2Shell", "description": "React2Shell is a critical vulnerability (CVE-2025-55182) in React applications that allows threat actors to deploy Linux malware, run commands, and steal cloud credentials at scale. This vulnerability is being actively exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, posing a significant risk to cloud security. The React2Shell vulnerability highlights the importance of keeping software up-to-date and patching vulnerabilities promptly to prevent exploitation.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:16.302Z", "modified": "2025-12-17T11:35:16.365Z", "confidence": 95, "type": "malware", "id": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "name": "KSwapDoor and ZnDoor", "is_family": true, "malware_types": [ "ransomware" ], "labels": [ "malicious-activity" ], "description": "KSwapDoor and ZnDoor are malware families used by threat actors to exploit the React2Shell vulnerability. These malware families are likely used for malicious purposes such as data theft, ransomware attacks, or lateral movement within compromised networks. The fact that they are being used in conjunction with React2Shell suggests that they are part of a larger campaign to compromise systems and steal sensitive information.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:16.765Z", "modified": "2025-12-17T11:35:16.870Z", "confidence": 95, "type": "identity", "id": "identity--242711f4-1a3e-45a9-8f87-d07ec61a67bd", "name": "Palo Alto Networks Unit", "identity_class": "organization", "labels": [ "identity" ], "description": "Palo Alto Networks Unit 42 is the threat intelligence arm of Palo Alto Networks, a leading cybersecurity company. Unit 42 is responsible for researching and analyzing various cyber threats, including malware, vulnerabilities, and threat actors. Their findings and reports are widely recognized and respected in the cybersecurity community, providing valuable insights and intelligence to help organizations improve their defenses.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:17.109Z", "modified": "2025-12-17T11:35:17.128Z", "confidence": 95, "type": "identity", "id": "identity--9dbbb140-e4d0-44e7-85ee-e240516662d5", "name": "NTT Security", "identity_class": "organization", "labels": [ "identity" ], "description": "NTT Security is a global cybersecurity company that provides threat intelligence, security consulting, and managed security services. As a contributor to security research, NTT Security works with other organizations to identify and analyze emerging threats, such as the React2Shell vulnerability and associated malware families like KSwapDoor and ZnDoor. Their research helps inform the cybersecurity community and supports the development of effective defenses against these threats.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:17.675Z", "modified": "2025-12-17T11:35:18.218Z", "confidence": 95, "type": "identity", "id": "identity--f8370542-ed55-4451-801a-72aa9a666120", "name": "FortiGate", "identity_class": "organization", "labels": [ "identity" ], "description": "FortiGate is a specific line of network security appliances developed by Fortinet, a multinational cybersecurity solutions company. FortiGate devices are widely used by organizations to provide network security, including firewall, intrusion prevention, and virtual private network (VPN) capabilities. The exploitation of security flaws in FortiGate devices poses a significant risk to the security of organizations that rely on these appliances to protect their networks.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:18.760Z", "modified": "2025-12-17T11:35:18.807Z", "confidence": 95, "type": "malware", "id": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "name": "Tracer", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "description": "Tracer is a malicious package that has been identified as a threat. While the context does not provide extensive details about its capabilities or targets, the fact that it is described as 'malicious' suggests that it poses a risk to systems or data. As a specific malware family, Tracer is likely to be of interest to cybersecurity professionals and researchers seeking to understand and mitigate its impact.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:19.067Z", "modified": "2025-12-17T11:35:19.360Z", "confidence": 95, "type": "identity", "id": "identity--abd65ae5-389f-433c-9a24-495c5d53dd18", "name": "Siemens Gridscale X Prepay", "identity_class": "organization", "labels": [ "identity" ], "description": "Siemens Gridscale X Prepay is a specific software platform used in the energy sector, particularly for prepayment systems. The identified vulnerabilities in this platform pose a significant risk to the security and reliability of energy infrastructure, as they can be exploited by attackers to bypass account lock functionality and enumerate usernames. As a result, it is essential to monitor and address these vulnerabilities to prevent potential disruptions to critical infrastructure.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:20.077Z", "modified": "2025-12-17T11:35:20.199Z", "confidence": 95, "type": "identity", "id": "identity--6caeff76-d2f3-49df-b41f-bac074ae2bb2", "name": "the Cannes Hospital Center", "identity_class": "organization", "labels": [ "identity" ], "description": "The Cannes Hospital Center is a hospital in France that was targeted by a LockBit ransomware attack in August 2024. As a healthcare organization, it is a critical infrastructure that provides essential medical services to the community. The ransomware attack on the hospital highlights the vulnerability of healthcare institutions to cyber threats and the need for robust cybersecurity measures to protect sensitive patient data and ensure continuity of care.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:20.818Z", "modified": "2025-12-17T11:35:20.830Z", "confidence": 95, "type": "malware", "id": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "name": "LockBit ransomware", "is_family": true, "malware_types": [ "ransomware" ], "labels": [ "malicious-activity" ], "description": "LockBit is a ransomware family that encrypts files on infected systems and demands payment for decryption. It is known for its high-profile attacks on various organizations, including hospitals and government institutions. LockBit ransomware is typically spread through phishing emails, exploited vulnerabilities, or compromised Remote Desktop Protocol (RDP) connections. Its operators often use double-extortion tactics, threatening to publish stolen data if the ransom is not paid. LockBit has been linked to several high-profile breaches, including the attack on the Cannes Hospital Center in France, highlighting its significance as a cybersecurity threat.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:20.981Z", "modified": "2025-12-17T11:35:21.114Z", "confidence": 95, "type": "identity", "id": "identity--afa6201d-632f-4962-82f2-2adee9cd523e", "name": "Main Intelligence Directorate", "identity_class": "unknown", "labels": [ "identity" ], "description": "The Main Intelligence Directorate (GRU) is a Russian military intelligence agency responsible for collecting and analyzing military intelligence, as well as conducting cyber operations. The GRU has been linked to various high-profile cyber attacks and campaigns, including those targeting critical infrastructure and Western-based organizations. As a threat actor, the GRU is known for its sophisticated tactics and techniques, making it a significant concern for cybersecurity professionals and organizations worldwide.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:22.340Z", "modified": "2025-12-17T11:35:22.430Z", "confidence": 95, "type": "identity", "id": "identity--c810aa92-b1fc-40e2-8f37-6921e0223878", "name": "Amazon Threat Intelligence", "identity_class": "organization", "labels": [ "identity" ], "description": "Amazon Threat Intelligence is a cybersecurity-focused division of Amazon, providing threat intelligence and security research to support the company's cloud security offerings and inform the broader cybersecurity community. As a prominent player in the cloud computing and cybersecurity spaces, Amazon Threat Intelligence's reports and findings are closely followed by security professionals and organizations seeking to understand and mitigate emerging threats.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:22.840Z", "modified": "2025-12-17T11:35:24.734Z", "confidence": 95, "type": "malware", "id": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "name": "GhostPoster", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "description": "GhostPoster is a malicious campaign that leverages logo files associated with Mozilla Firefox browser add-ons to embed malicious JavaScript code. This campaign is designed to hijack affiliate links, inject tracking code, and commit click and ad fraud. The use of legitimate add-ons as a vector for malicious activity makes GhostPoster a notable threat, as it can potentially affect a large number of users. The campaign's ability to evade detection and manipulate user interactions highlights the need for vigilance and robust security measures to prevent such attacks.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:25.077Z", "modified": "2025-12-17T11:35:25.093Z", "confidence": 95, "type": "identity", "id": "identity--eb939e15-5962-43c8-a79f-ec4e54b5f638", "name": "The Federal Trade Commission", "identity_class": "government", "labels": [ "identity" ], "description": "The Federal Trade Commission (FTC) is an independent agency of the United States government, established in 1915, responsible for protecting consumers and promoting competition. The FTC is ordering a company to return funds to victims and implement security reforms after a software flaw led to the theft of hundreds of millions of dollars in cryptocurrencies. As a regulatory body, the FTC plays a crucial role in enforcing laws related to consumer protection and data security.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:25.525Z", "modified": "2025-12-17T11:35:25.923Z", "confidence": 95, "type": "identity", "id": "identity--3e5eaf0a-42ab-4555-801b-e588368e21a2", "name": "ServiceNow", "identity_class": "organization", "labels": [ "identity" ], "description": "ServiceNow is a cloud-based software company that provides a platform for workflow and process automation. As a major player in the IT service management space, ServiceNow's platform is widely used by organizations to manage their digital workflows. The company's acquisition of other platforms and technologies has expanded its capabilities in areas such as security operations and risk management. As a result, ServiceNow has become a significant target for threat actors seeking to exploit vulnerabilities in its platform or gain access to sensitive customer data.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:26.742Z", "modified": "2025-12-17T11:35:26.905Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "name": "BlindEagle", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "description": "BlindEagle is a threat actor group that operates in South America, primarily targeting users in Spanish-speaking countries such as Colombia. They are known to engage in spear phishing campaigns, as seen in the recent discovery by Zscaler ThreatLabz. BlindEagle's activities pose a significant threat to government agencies and organizations in their target regions, highlighting the need for robust cybersecurity measures to counter their tactics.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:28.018Z", "modified": "2025-12-17T11:35:28.275Z", "confidence": 95, "type": "identity", "id": "identity--e5be0d04-5c47-487d-9781-fdb0a0acbf05", "name": "Amazon Web Services", "identity_class": "organization", "labels": [ "identity" ], "description": "Amazon Web Services (AWS) is a comprehensive cloud computing platform provided by Amazon that offers a wide range of services for computing, storage, databases, analytics, machine learning, and more. As a leading cloud service provider, AWS is a frequent target for various types of cyber attacks, including those aimed at compromising Identity and Access Management (IAM) credentials to enable unauthorized activities such as cryptocurrency mining. The targeting of AWS customers highlights the importance of robust security measures and vigilant monitoring to protect against such threats.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:28.753Z", "modified": "2025-12-17T11:35:28.996Z", "confidence": 95, "type": "identity", "id": "identity--1044ef7c-7d96-43dd-b3cb-5725d5a7e299", "name": "GuardDuty", "identity_class": "system", "labels": [ "identity" ], "description": "Amazon GuardDuty is a managed threat detection service that monitors AWS accounts and workloads for malicious activity. It uses machine learning and anomaly detection to identify potential security threats, and provides alerts and recommendations for remediation. GuardDuty is a key component of Amazon's security offerings, and is widely used by organizations to detect and respond to security threats in their AWS environments.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:29.232Z", "modified": "2025-12-17T11:35:29.410Z", "confidence": 95, "type": "identity", "id": "identity--11db6c79-163a-489b-a324-8958d76b9065", "name": "Assura", "identity_class": "organization", "labels": [ "identity" ], "description": "Assura is a managed security service provider (MSSP) that has been recognized as one of the top 250 MSSPs globally. As a leading provider of cybersecurity services, Assura offers a range of solutions to help organizations protect themselves against various cyber threats. Their inclusion in the Top 250 MSSPs list for 2025 is a testament to their expertise and capabilities in the field of cybersecurity.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:30.307Z", "modified": "2025-12-17T11:35:30.773Z", "confidence": 95, "type": "identity", "id": "identity--b3d44fd4-9394-4358-9586-e1d79a32fc4a", "name": "House Homeland Security Committee", "identity_class": "government", "labels": [ "identity" ], "description": "The House Homeland Security Committee is a congressional committee in the United States House of Representatives, responsible for overseeing and advising on matters related to national security, including cybersecurity. As a key government agency, the committee plays a crucial role in shaping the country's cybersecurity policies and strategies, making it a relevant entity in the context of cybersecurity.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:31.392Z", "modified": "2025-12-17T11:35:31.664Z", "confidence": 95, "type": "identity", "id": "identity--48d22b7e-3df8-422d-8e5d-d82e5976087e", "name": "Mixpanel", "identity_class": "organization", "labels": [ "identity" ], "description": "Mixpanel is a product analytics company that provides tools for data analysis and customer insights. In this context, Mixpanel was the target of a data breach, where hackers tied to ShinyHunters allegedly stole sensitive user data, including search and viewing history of Premium users. This breach highlights the importance of securing sensitive user data and the potential consequences of a data breach for companies like Mixpanel.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:31.897Z", "modified": "2025-12-17T11:35:31.957Z", "confidence": 95, "type": "identity", "id": "identity--ddbddbb6-3406-45e6-a1ea-580381f8ad96", "name": "gVisor", "identity_class": "system", "labels": [ "identity" ], "description": "gVisor is a userspace kernel for Linux, providing a sandboxed environment for running untrusted code. It is used in the Dangerzone tool to sanitize untrusted documents, leveraging multiple layers of containerization for enhanced security. gVisor's sandboxing capabilities help prevent malicious code from escaping and compromising the host system, making it a valuable tool in the defense against document-based attacks.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:31.712Z", "modified": "2025-12-17T11:35:32.612Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--6ef726f3-1bf6-4e7d-8e7a-ca98d09871dd", "name": "React2", "description": "React2Shell is a security vulnerability in React applications that allows threat actors to deploy Linux malware, run commands, and steal cloud credentials at scale. This vulnerability is being actively exploited to deliver malware families like KSwapDoor and ZnDoor. React2Shell is a critical vulnerability that affects React applications and can lead to significant security breaches if left unpatched.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:33.136Z", "modified": "2025-12-17T11:35:33.326Z", "confidence": 95, "type": "identity", "id": "identity--d6fbbbd5-d4a2-4517-87ee-699f986f5720", "name": "Link11", "identity_class": "organization", "labels": [ "identity" ], "description": "Link11 is a European cybersecurity company that provides web infrastructure security solutions. They offer insights and research on key cybersecurity developments, helping organizations prepare for and respond to threats. As a provider of security solutions, Link11 plays a crucial role in the cybersecurity ecosystem, and their research and insights are valuable for organizations looking to stay ahead of emerging threats.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:34.016Z", "modified": "2025-12-17T11:35:34.084Z", "confidence": 95, "type": "identity", "id": "identity--2ef19bd7-a5a0-42da-be03-5a4bc0ae3fd0", "name": "Wifipumpkin3", "identity_class": "system", "labels": [ "identity" ], "description": "Wifipumpkin3 is a specific security tool included in Kali Linux, a popular penetration testing distribution. It is designed to facilitate Wi-Fi auditing and exploitation, allowing security professionals to test the security of wireless networks. As a tool, Wifipumpkin3 is used to identify vulnerabilities in Wi-Fi configurations and to demonstrate potential attack vectors. Its inclusion in Kali Linux highlights its relevance to the cybersecurity community and its potential impact on wireless network security.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:34.327Z", "modified": "2025-12-17T11:35:34.356Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "name": "nexus threat", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "description": "China-nexus threat groups refer to a collection of threat actors believed to be operating in the interests of the Chinese government. These groups have been observed exploiting high-severity vulnerabilities, such as the React2Shell security flaw, to deploy various malicious payloads, including backdoors, downloaders, and tunnelers. Their activities are typically focused on espionage and intellectual property theft, targeting organizations in various sectors, including technology, finance, and healthcare.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:34.784Z", "modified": "2025-12-17T11:35:35.221Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "name": "Exploit Public-Facing Application", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1190", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1190/", "external_id": "T1190" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:35.686Z", "modified": "2025-12-17T11:35:35.790Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "name": "Exploitation for Client Execution", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1203", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1203/", "external_id": "T1203" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:36.323Z", "modified": "2025-12-17T11:35:37.302Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "name": "Create or Modify System Process", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1543", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1543/", "external_id": "T1543" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:37.828Z", "modified": "2025-12-17T11:35:37.872Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "name": "Boot or Logon Autostart Execution", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1547", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1547/", "external_id": "T1547" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:38.093Z", "modified": "2025-12-17T11:35:38.173Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--f3417ce4-850c-4b35-a8f0-944ebd1397de", "name": "Remote Services", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" } ], "x_mitre_id": "T1021", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1021/", "external_id": "T1021" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:38.489Z", "modified": "2025-12-17T11:35:38.696Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "name": "Spearphishing Attachment", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/001/", "external_id": "T1566.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:38.837Z", "modified": "2025-12-17T11:35:38.968Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "name": "Spearphishing Link", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/002/", "external_id": "T1566.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:39.760Z", "modified": "2025-12-17T11:35:40.457Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "name": "Spearphishing via Service", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.003", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/003/", "external_id": "T1566.003" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:40.916Z", "modified": "2025-12-17T11:35:40.916Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "name": "Command and Scripting Interpreter", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1059", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1059/", "external_id": "T1059" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:40.917Z", "modified": "2025-12-17T11:35:40.917Z", "confidence": 76, "type": "attack-pattern", "id": "attack-pattern--9fb30bf5-5715-4a43-9021-382c6578ac8f", "name": "Safe Mode Boot", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "x_mitre_id": "T1562.009", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1562/009/", "external_id": "T1562.009" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:40.917Z", "modified": "2025-12-17T11:35:40.917Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--6df8dc0c-ab98-4f19-a0a0-034b7aecc5b8", "name": "Social Media Accounts", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1585.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1585/001/", "external_id": "T1585.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:40.972Z", "modified": "2025-12-17T11:35:40.972Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "name": "Archive via Utility", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1560.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1560/001/", "external_id": "T1560.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:40.972Z", "modified": "2025-12-17T11:35:40.972Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "name": "Screen Capture", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1113", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1113/", "external_id": "T1113" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:40.972Z", "modified": "2025-12-17T11:35:40.972Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "name": "Adversary-in-the-Middle", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1557", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1557/", "external_id": "T1557" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:40.973Z", "modified": "2025-12-17T11:35:40.973Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "name": "Scheduled Task", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1053.005", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1053/005/", "external_id": "T1053.005" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:40.973Z", "modified": "2025-12-17T11:35:40.973Z", "confidence": 69, "type": "attack-pattern", "id": "attack-pattern--2cc0422c-1d73-485c-a80e-7b9de90079fa", "name": "Domains", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1583.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1583/001/", "external_id": "T1583.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-17T11:35:40.973Z", "modified": "2025-12-17T11:35:40.973Z", "confidence": 68, "type": "attack-pattern", "id": "attack-pattern--9b9edc93-b265-4924-b974-3b45fd12835f", "name": "Social Media Accounts", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1586.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1586/001/", "external_id": "T1586.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a47e792c-62ef-4310-84fc-fed36249169c", "created": "2025-12-17T11:35:40.973Z", "modified": "2025-12-17T11:35:40.973Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "confidence": 60, "description": "Co-occurrence: BlindEagle and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3f79650e-7a96-4240-8162-cceb31496502", "created": "2025-12-17T11:35:40.973Z", "modified": "2025-12-17T11:35:40.973Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "confidence": 60, "description": "Co-occurrence: BlindEagle and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--714b3296-45b5-42aa-b02e-7e702f05dbe4", "created": "2025-12-17T11:35:40.973Z", "modified": "2025-12-17T11:35:40.973Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "confidence": 60, "description": "Co-occurrence: BlindEagle and Create or Modify System Process (T1543) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9409b64a-6b96-4199-9bbd-f802288df864", "created": "2025-12-17T11:35:40.973Z", "modified": "2025-12-17T11:35:40.973Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "confidence": 60, "description": "Co-occurrence: BlindEagle and Boot or Logon Autostart Execution (T1547) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8eff30ac-dea5-49de-86b8-43abafa39c14", "created": "2025-12-17T11:35:40.974Z", "modified": "2025-12-17T11:35:40.974Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--f3417ce4-850c-4b35-a8f0-944ebd1397de", "confidence": 60, "description": "Co-occurrence: BlindEagle and Remote Services (T1021) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1fc29fd7-c899-4b1f-82e2-19b61138410c", "created": "2025-12-17T11:35:40.974Z", "modified": "2025-12-17T11:35:40.974Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "confidence": 60, "description": "Co-occurrence: BlindEagle and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3fb134e6-3639-4f8f-a3f0-f8fcd4aad47a", "created": "2025-12-17T11:35:40.974Z", "modified": "2025-12-17T11:35:40.974Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "confidence": 60, "description": "Co-occurrence: BlindEagle and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1bfbd3bb-586f-4684-8708-5cadcadb8ab1", "created": "2025-12-17T11:35:40.974Z", "modified": "2025-12-17T11:35:40.974Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "confidence": 60, "description": "Co-occurrence: BlindEagle and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d21c3046-a5df-4bf0-8216-19f4f977165e", "created": "2025-12-17T11:35:40.974Z", "modified": "2025-12-17T11:35:40.974Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "confidence": 60, "description": "Co-occurrence: BlindEagle and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b856d45f-e4ed-41da-bbdd-42da92d1339b", "created": "2025-12-17T11:35:40.983Z", "modified": "2025-12-17T11:35:40.983Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--9fb30bf5-5715-4a43-9021-382c6578ac8f", "confidence": 60, "description": "Co-occurrence: BlindEagle and Safe Mode Boot (T1562.009) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--df337d4a-6cc6-4807-8ede-741dcfa0870a", "created": "2025-12-17T11:35:40.983Z", "modified": "2025-12-17T11:35:40.983Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--9b9edc93-b265-4924-b974-3b45fd12835f", "confidence": 60, "description": "Co-occurrence: BlindEagle and Social Media Accounts (T1585.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ca9395a0-3309-482a-ab3e-9cd0b8d985cb", "created": "2025-12-17T11:35:40.983Z", "modified": "2025-12-17T11:35:40.983Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "confidence": 60, "description": "Co-occurrence: BlindEagle and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4d09c53f-eee2-438f-b15e-b608244b4e0a", "created": "2025-12-17T11:35:40.985Z", "modified": "2025-12-17T11:35:40.985Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "confidence": 60, "description": "Co-occurrence: BlindEagle and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--70441730-8b17-4c38-91a3-5daf94382d05", "created": "2025-12-17T11:35:40.985Z", "modified": "2025-12-17T11:35:40.985Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "confidence": 60, "description": "Co-occurrence: BlindEagle and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9e26d590-2aa1-4d93-93a8-30eee7f093d8", "created": "2025-12-17T11:35:40.985Z", "modified": "2025-12-17T11:35:40.986Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "confidence": 60, "description": "Co-occurrence: BlindEagle and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--68b80bc4-bdc9-4999-810f-a667cd63f62f", "created": "2025-12-17T11:35:40.986Z", "modified": "2025-12-17T11:35:40.986Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--2cc0422c-1d73-485c-a80e-7b9de90079fa", "confidence": 60, "description": "Co-occurrence: BlindEagle and Domains (T1583.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a423eb09-2eb4-44ef-93bd-a21b378bec88", "created": "2025-12-17T11:35:40.986Z", "modified": "2025-12-17T11:35:40.986Z", "relationship_type": "uses", "source_ref": "threat-actor--528951fe-1c6c-4052-9d13-565b3d6c95ff", "target_ref": "attack-pattern--9b9edc93-b265-4924-b974-3b45fd12835f", "confidence": 60, "description": "Co-occurrence: BlindEagle and Social Media Accounts (T1586.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9f93a3d3-6284-48a3-9768-485879596c78", "created": "2025-12-17T11:35:40.986Z", "modified": "2025-12-17T11:35:40.986Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "confidence": 60, "description": "Co-occurrence: nexus threat and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fa7403d7-3c15-491a-bb8d-654053a11f43", "created": "2025-12-17T11:35:40.986Z", "modified": "2025-12-17T11:35:40.986Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "confidence": 60, "description": "Co-occurrence: nexus threat and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--28a2f603-951c-438f-9f37-f6e8d7ac0b27", "created": "2025-12-17T11:35:40.986Z", "modified": "2025-12-17T11:35:40.986Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "confidence": 60, "description": "Co-occurrence: nexus threat and Create or Modify System Process (T1543) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6f727ffb-13c5-4266-951c-89c7597a242d", "created": "2025-12-17T11:35:40.986Z", "modified": "2025-12-17T11:35:40.986Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "confidence": 60, "description": "Co-occurrence: nexus threat and Boot or Logon Autostart Execution (T1547) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--561df86f-bebf-4278-b772-6d83bd395e65", "created": "2025-12-17T11:35:40.986Z", "modified": "2025-12-17T11:35:40.986Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--f3417ce4-850c-4b35-a8f0-944ebd1397de", "confidence": 60, "description": "Co-occurrence: nexus threat and Remote Services (T1021) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cd8bc7a5-f2fa-40b7-92d3-2e426e292b44", "created": "2025-12-17T11:35:40.986Z", "modified": "2025-12-17T11:35:40.986Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "confidence": 60, "description": "Co-occurrence: nexus threat and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--365d9d8b-6ed9-4105-aadb-c8bc9d15f8f9", "created": "2025-12-17T11:35:40.986Z", "modified": "2025-12-17T11:35:40.986Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "confidence": 60, "description": "Co-occurrence: nexus threat and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2912176e-c395-4665-861f-7f2c77ab5339", "created": "2025-12-17T11:35:40.987Z", "modified": "2025-12-17T11:35:40.987Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "confidence": 60, "description": "Co-occurrence: nexus threat and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3a419043-6fd8-43eb-99da-da6fa6588745", "created": "2025-12-17T11:35:40.987Z", "modified": "2025-12-17T11:35:40.987Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "confidence": 60, "description": "Co-occurrence: nexus threat and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--87a774f8-b329-474d-aaa9-f0ab8ac1bc81", "created": "2025-12-17T11:35:40.987Z", "modified": "2025-12-17T11:35:40.987Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--9fb30bf5-5715-4a43-9021-382c6578ac8f", "confidence": 60, "description": "Co-occurrence: nexus threat and Safe Mode Boot (T1562.009) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3d808d80-87e9-438f-9dcf-fbfdec4c8398", "created": "2025-12-17T11:35:40.987Z", "modified": "2025-12-17T11:35:40.987Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--9b9edc93-b265-4924-b974-3b45fd12835f", "confidence": 60, "description": "Co-occurrence: nexus threat and Social Media Accounts (T1585.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--82592079-b8be-4283-848e-0e9102e56502", "created": "2025-12-17T11:35:40.987Z", "modified": "2025-12-17T11:35:40.987Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "confidence": 60, "description": "Co-occurrence: nexus threat and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--791f6116-20ea-4f55-b45e-e9781e9e51c6", "created": "2025-12-17T11:35:40.987Z", "modified": "2025-12-17T11:35:40.987Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "confidence": 60, "description": "Co-occurrence: nexus threat and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--203975c6-a24f-4fdf-b4d7-42878336a917", "created": "2025-12-17T11:35:40.987Z", "modified": "2025-12-17T11:35:40.987Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "confidence": 60, "description": "Co-occurrence: nexus threat and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--00329375-1f2a-43ed-91d5-40164bef93d9", "created": "2025-12-17T11:35:40.988Z", "modified": "2025-12-17T11:35:40.988Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "confidence": 60, "description": "Co-occurrence: nexus threat and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c052fa70-61b6-4420-a969-568371fc802e", "created": "2025-12-17T11:35:40.989Z", "modified": "2025-12-17T11:35:40.991Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--2cc0422c-1d73-485c-a80e-7b9de90079fa", "confidence": 60, "description": "Co-occurrence: nexus threat and Domains (T1583.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--662aacc0-d4ac-4cca-8005-7f60b83a9913", "created": "2025-12-17T11:35:40.991Z", "modified": "2025-12-17T11:35:40.991Z", "relationship_type": "uses", "source_ref": "threat-actor--c5a3c093-361c-4b54-a35c-cd0ece282769", "target_ref": "attack-pattern--9b9edc93-b265-4924-b974-3b45fd12835f", "confidence": 60, "description": "Co-occurrence: nexus threat and Social Media Accounts (T1586.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--884c6466-791a-4a80-80c1-dbdafad21c5c", "created": "2025-12-17T11:35:40.991Z", "modified": "2025-12-17T11:35:40.991Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--76795a75-8e2b-4aee-bb0e-9249640c75dd", "created": "2025-12-17T11:35:40.992Z", "modified": "2025-12-17T11:35:40.992Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3fc67a00-72ef-4e57-a11b-4b5bc4b372e5", "created": "2025-12-17T11:35:40.992Z", "modified": "2025-12-17T11:35:40.993Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Create or Modify System Process (T1543) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--14da8629-fc90-4bae-af92-d6e2368e3092", "created": "2025-12-17T11:35:40.993Z", "modified": "2025-12-17T11:35:40.993Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Boot or Logon Autostart Execution (T1547) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ef75a841-4082-4d44-b323-b8190d786b14", "created": "2025-12-17T11:35:40.993Z", "modified": "2025-12-17T11:35:40.993Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--f3417ce4-850c-4b35-a8f0-944ebd1397de", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Remote Services (T1021) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6bb7e587-da1c-4c80-b6ce-b322a12a0bc3", "created": "2025-12-17T11:35:40.994Z", "modified": "2025-12-17T11:35:40.994Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--24527c6a-0468-46a9-8b13-61ec17bf8aee", "created": "2025-12-17T11:35:40.994Z", "modified": "2025-12-17T11:35:40.994Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fcc67c8f-407e-4463-bb1b-74720e228062", "created": "2025-12-17T11:35:40.994Z", "modified": "2025-12-17T11:35:40.994Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5235b556-022b-4402-bcbd-05a37b3c34a6", "created": "2025-12-17T11:35:40.994Z", "modified": "2025-12-17T11:35:40.994Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d20e210c-3de0-4fae-a8f2-132ac8eb8333", "created": "2025-12-17T11:35:40.994Z", "modified": "2025-12-17T11:35:40.994Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--9fb30bf5-5715-4a43-9021-382c6578ac8f", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Safe Mode Boot (T1562.009) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--80274b8f-688a-4cd0-aba0-9617120a9311", "created": "2025-12-17T11:35:40.994Z", "modified": "2025-12-17T11:35:40.994Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--9b9edc93-b265-4924-b974-3b45fd12835f", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Social Media Accounts (T1585.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9affc0d8-91eb-4f94-8c94-bdee709c45de", "created": "2025-12-17T11:35:40.994Z", "modified": "2025-12-17T11:35:40.994Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c6628999-3684-435b-bf42-30c77f1fcbb4", "created": "2025-12-17T11:35:40.994Z", "modified": "2025-12-17T11:35:40.994Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--254199c6-1f7c-4b85-8d68-200ebbe35222", "created": "2025-12-17T11:35:40.994Z", "modified": "2025-12-17T11:35:40.994Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f9e9ecde-f587-45b8-b0e7-a25569dbd1f7", "created": "2025-12-17T11:35:40.994Z", "modified": "2025-12-17T11:35:40.994Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--508ec592-9830-4857-9697-4915e1ade63a", "created": "2025-12-17T11:35:40.994Z", "modified": "2025-12-17T11:35:40.994Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--2cc0422c-1d73-485c-a80e-7b9de90079fa", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Domains (T1583.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7dbb21b8-4015-4314-8e7a-356a4306f47a", "created": "2025-12-17T11:35:40.994Z", "modified": "2025-12-17T11:35:40.994Z", "relationship_type": "uses", "source_ref": "malware--44ff1af9-bc29-4d8c-b9e1-1717c9b1b289", "target_ref": "attack-pattern--9b9edc93-b265-4924-b974-3b45fd12835f", "confidence": 55, "description": "Co-occurrence: KSwapDoor and ZnDoor and Social Media Accounts (T1586.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--76cf7f9f-3af6-4cf4-9ca8-a7d2e4d504f5", "created": "2025-12-17T11:35:40.994Z", "modified": "2025-12-17T11:35:40.994Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "confidence": 55, "description": "Co-occurrence: Tracer and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1afc5eba-6d93-497b-af0e-554cd3ad170f", "created": "2025-12-17T11:35:40.997Z", "modified": "2025-12-17T11:35:40.997Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "confidence": 55, "description": "Co-occurrence: Tracer and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e47cd894-baf2-4fb6-b839-b79a213a5891", "created": "2025-12-17T11:35:40.997Z", "modified": "2025-12-17T11:35:40.997Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "confidence": 55, "description": "Co-occurrence: Tracer and Create or Modify System Process (T1543) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a80296f8-82e9-431f-afad-ff5b83d5d340", "created": "2025-12-17T11:35:40.997Z", "modified": "2025-12-17T11:35:40.997Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "confidence": 55, "description": "Co-occurrence: Tracer and Boot or Logon Autostart Execution (T1547) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0a2d4439-9050-4d0d-a57f-e6a24a5f3c04", "created": "2025-12-17T11:35:40.997Z", "modified": "2025-12-17T11:35:40.997Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--f3417ce4-850c-4b35-a8f0-944ebd1397de", "confidence": 55, "description": "Co-occurrence: Tracer and Remote Services (T1021) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d47f0da4-c3a0-48e9-8e33-9f3018dee46d", "created": "2025-12-17T11:35:40.997Z", "modified": "2025-12-17T11:35:40.997Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "confidence": 55, "description": "Co-occurrence: Tracer and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7931d3ff-ca8b-4ea8-bbec-e32a649c6f18", "created": "2025-12-17T11:35:40.997Z", "modified": "2025-12-17T11:35:40.997Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "confidence": 55, "description": "Co-occurrence: Tracer and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e9e82f3e-4b13-4ec9-a9c2-4cb5f2ac73a8", "created": "2025-12-17T11:35:40.997Z", "modified": "2025-12-17T11:35:40.997Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "confidence": 55, "description": "Co-occurrence: Tracer and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0db9102f-fcbb-427e-8b8a-4657bcb69f6d", "created": "2025-12-17T11:35:40.997Z", "modified": "2025-12-17T11:35:40.997Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "confidence": 55, "description": "Co-occurrence: Tracer and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cad5c9b5-1bd6-4ab3-b492-aa4f91ecf455", "created": "2025-12-17T11:35:40.997Z", "modified": "2025-12-17T11:35:40.997Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--9fb30bf5-5715-4a43-9021-382c6578ac8f", "confidence": 55, "description": "Co-occurrence: Tracer and Safe Mode Boot (T1562.009) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b4180585-66f9-4627-b2c0-9ff3d43fec30", "created": "2025-12-17T11:35:40.997Z", "modified": "2025-12-17T11:35:40.997Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--9b9edc93-b265-4924-b974-3b45fd12835f", "confidence": 55, "description": "Co-occurrence: Tracer and Social Media Accounts (T1585.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4e7d5a71-0c73-47bc-a48a-4891ef866905", "created": "2025-12-17T11:35:41.032Z", "modified": "2025-12-17T11:35:41.032Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "confidence": 55, "description": "Co-occurrence: Tracer and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--548a38c1-3a5c-4ddb-adc4-73286a328a43", "created": "2025-12-17T11:35:41.032Z", "modified": "2025-12-17T11:35:41.032Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "confidence": 55, "description": "Co-occurrence: Tracer and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8d190350-3c71-4465-9307-41aa603b4efc", "created": "2025-12-17T11:35:41.032Z", "modified": "2025-12-17T11:35:41.032Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "confidence": 55, "description": "Co-occurrence: Tracer and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cf51ca78-9892-4e39-bb57-0b6696fd2aaf", "created": "2025-12-17T11:35:41.032Z", "modified": "2025-12-17T11:35:41.032Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "confidence": 55, "description": "Co-occurrence: Tracer and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fc3b57cb-b5c6-4258-89c2-f3d7e6493bc9", "created": "2025-12-17T11:35:41.032Z", "modified": "2025-12-17T11:35:41.032Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--2cc0422c-1d73-485c-a80e-7b9de90079fa", "confidence": 55, "description": "Co-occurrence: Tracer and Domains (T1583.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bb1c7da4-b145-4fd1-bd94-eadf7eac9ba9", "created": "2025-12-17T11:35:41.032Z", "modified": "2025-12-17T11:35:41.032Z", "relationship_type": "uses", "source_ref": "malware--c0aee2d7-71e4-4f0e-bdad-972586b8b8b4", "target_ref": "attack-pattern--9b9edc93-b265-4924-b974-3b45fd12835f", "confidence": 55, "description": "Co-occurrence: Tracer and Social Media Accounts (T1586.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--68d3ca42-75a8-4c83-8269-f646a130390a", "created": "2025-12-17T11:35:41.032Z", "modified": "2025-12-17T11:35:41.032Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ce891384-79af-4f25-b026-5fdbe334fc55", "created": "2025-12-17T11:35:41.032Z", "modified": "2025-12-17T11:35:41.032Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--41b5b48d-0622-423d-98dc-4daad5a81b49", "created": "2025-12-17T11:35:41.032Z", "modified": "2025-12-17T11:35:41.032Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Create or Modify System Process (T1543) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ccd2a8f5-9e14-4cd8-95c8-16a856926e5c", "created": "2025-12-17T11:35:41.032Z", "modified": "2025-12-17T11:35:41.032Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Boot or Logon Autostart Execution (T1547) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f28180e1-977a-43b4-aa41-88dc022359bd", "created": "2025-12-17T11:35:41.032Z", "modified": "2025-12-17T11:35:41.032Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--f3417ce4-850c-4b35-a8f0-944ebd1397de", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Remote Services (T1021) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ed88e60f-9efe-4f57-9d92-39283fd7fac8", "created": "2025-12-17T11:35:41.032Z", "modified": "2025-12-17T11:35:41.032Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--81eb47f1-9daa-41c4-af15-6619c92ced15", "created": "2025-12-17T11:35:41.032Z", "modified": "2025-12-17T11:35:41.032Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--58628c7c-2d08-4891-9634-d7f00021c20d", "created": "2025-12-17T11:35:41.032Z", "modified": "2025-12-17T11:35:41.032Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3bebb63b-37c6-47da-a710-4adb0de36e11", "created": "2025-12-17T11:35:41.032Z", "modified": "2025-12-17T11:35:41.032Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--010e05f9-a957-48c4-a092-d06b56cc0157", "created": "2025-12-17T11:35:41.033Z", "modified": "2025-12-17T11:35:41.033Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--9fb30bf5-5715-4a43-9021-382c6578ac8f", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Safe Mode Boot (T1562.009) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d1281c75-743d-4def-96a1-8d67eaeb52bb", "created": "2025-12-17T11:35:41.033Z", "modified": "2025-12-17T11:35:41.033Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--9b9edc93-b265-4924-b974-3b45fd12835f", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Social Media Accounts (T1585.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--099c1112-6a13-49d0-a41e-0c2f285d133f", "created": "2025-12-17T11:35:41.033Z", "modified": "2025-12-17T11:35:41.033Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3f17bd3c-e1fb-48f8-a569-6b67079e3612", "created": "2025-12-17T11:35:41.033Z", "modified": "2025-12-17T11:35:41.033Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c2464b49-2128-4dc6-b68f-260e16d08ad7", "created": "2025-12-17T11:35:41.033Z", "modified": "2025-12-17T11:35:41.033Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d2847cc2-709f-4cf9-8c85-cc2b1394da76", "created": "2025-12-17T11:35:41.037Z", "modified": "2025-12-17T11:35:41.037Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--26729005-221e-4b0c-93a6-dcb60bea1948", "created": "2025-12-17T11:35:41.037Z", "modified": "2025-12-17T11:35:41.037Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--2cc0422c-1d73-485c-a80e-7b9de90079fa", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Domains (T1583.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ca7a00af-b62d-42ce-89e3-75ede2f654c6", "created": "2025-12-17T11:35:41.037Z", "modified": "2025-12-17T11:35:41.037Z", "relationship_type": "uses", "source_ref": "malware--b7fb77f1-5a70-497b-82a1-3cd78dd4baf7", "target_ref": "attack-pattern--9b9edc93-b265-4924-b974-3b45fd12835f", "confidence": 55, "description": "Co-occurrence: LockBit ransomware and Social Media Accounts (T1586.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4b43ed24-8064-4876-bd07-109bf3a595fa", "created": "2025-12-17T11:35:41.037Z", "modified": "2025-12-17T11:35:41.037Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "confidence": 55, "description": "Co-occurrence: GhostPoster and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9327dbab-49bc-4d1f-a304-ed4d478abbf3", "created": "2025-12-17T11:35:41.038Z", "modified": "2025-12-17T11:35:41.038Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "confidence": 55, "description": "Co-occurrence: GhostPoster and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7e1514ac-4602-4fe9-bd24-a46c76c0ca1e", "created": "2025-12-17T11:35:41.038Z", "modified": "2025-12-17T11:35:41.038Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "confidence": 55, "description": "Co-occurrence: GhostPoster and Create or Modify System Process (T1543) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e8437675-d5c7-47a6-bdb2-9621538e69f6", "created": "2025-12-17T11:35:41.038Z", "modified": "2025-12-17T11:35:41.038Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "confidence": 55, "description": "Co-occurrence: GhostPoster and Boot or Logon Autostart Execution (T1547) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ed904dcb-7c95-40a4-9080-5f08c8ec0e81", "created": "2025-12-17T11:35:41.038Z", "modified": "2025-12-17T11:35:41.038Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--f3417ce4-850c-4b35-a8f0-944ebd1397de", "confidence": 55, "description": "Co-occurrence: GhostPoster and Remote Services (T1021) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--18bff308-8fda-40b5-9094-0c91b7b13778", "created": "2025-12-17T11:35:41.040Z", "modified": "2025-12-17T11:35:41.040Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "confidence": 55, "description": "Co-occurrence: GhostPoster and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--742b4dfa-b3da-4695-9c22-922d1e72842b", "created": "2025-12-17T11:35:41.040Z", "modified": "2025-12-17T11:35:41.040Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "confidence": 55, "description": "Co-occurrence: GhostPoster and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3511e775-9b71-4737-a031-b4a00095a639", "created": "2025-12-17T11:35:41.040Z", "modified": "2025-12-17T11:35:41.040Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "confidence": 55, "description": "Co-occurrence: GhostPoster and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--09f6a5e8-e3f4-4e81-83f6-7a814ceec8c2", "created": "2025-12-17T11:35:41.040Z", "modified": "2025-12-17T11:35:41.040Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "confidence": 55, "description": "Co-occurrence: GhostPoster and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0fea2447-055a-4fb8-88d1-18a22c701ccb", "created": "2025-12-17T11:35:41.040Z", "modified": "2025-12-17T11:35:41.040Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--9fb30bf5-5715-4a43-9021-382c6578ac8f", "confidence": 55, "description": "Co-occurrence: GhostPoster and Safe Mode Boot (T1562.009) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6f6d5fca-ea4d-4e69-9300-ae163f5cf3f7", "created": "2025-12-17T11:35:41.041Z", "modified": "2025-12-17T11:35:41.041Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--9b9edc93-b265-4924-b974-3b45fd12835f", "confidence": 55, "description": "Co-occurrence: GhostPoster and Social Media Accounts (T1585.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1f51da67-c37e-45d4-9d2d-fd22f046990a", "created": "2025-12-17T11:35:41.041Z", "modified": "2025-12-17T11:35:41.041Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "confidence": 55, "description": "Co-occurrence: GhostPoster and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--98927a2b-88a3-4b4d-88f7-64ea3f731c19", "created": "2025-12-17T11:35:41.041Z", "modified": "2025-12-17T11:35:41.041Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "confidence": 55, "description": "Co-occurrence: GhostPoster and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bc3336ff-5ea0-499b-8f0b-43321eabf2bf", "created": "2025-12-17T11:35:41.041Z", "modified": "2025-12-17T11:35:41.041Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "confidence": 55, "description": "Co-occurrence: GhostPoster and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9ebb0688-3072-484e-ad58-f1b2f82f90f1", "created": "2025-12-17T11:35:41.041Z", "modified": "2025-12-17T11:35:41.041Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "confidence": 55, "description": "Co-occurrence: GhostPoster and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d823b022-d429-45e6-acd0-1b426cc2c212", "created": "2025-12-17T11:35:41.041Z", "modified": "2025-12-17T11:35:41.041Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--2cc0422c-1d73-485c-a80e-7b9de90079fa", "confidence": 55, "description": "Co-occurrence: GhostPoster and Domains (T1583.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--812e35ac-7247-4b09-bd70-b6619eb3f1c0", "created": "2025-12-17T11:35:41.041Z", "modified": "2025-12-17T11:35:41.041Z", "relationship_type": "uses", "source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1", "target_ref": "attack-pattern--9b9edc93-b265-4924-b974-3b45fd12835f", "confidence": 55, "description": "Co-occurrence: GhostPoster and Social Media Accounts (T1586.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "domain-name", "value": "0paypal.com", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--f6f1fbb8-72ff-4812-9b23-5b557639cf7a" }, { "type": "domain-name", "value": "account-page-recovery-process.com", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--2c50d19d-1759-418c-8e82-802d637e6457" }, { "type": "domain-name", "value": "accountingsure.com", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--f415c03f-d605-4b5f-a8c9-772db4f3a82b" }, { "type": "domain-name", "value": "alamatpaypal.com", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--675f4712-c1c9-4764-be3b-024b420feb99" }, { "type": "domain-name", "value": "amazon-update.xyz", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--8df2e64d-1547-4957-8158-5d97d7607c24" }, { "type": "domain-name", "value": "appleid-fmi.com", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--423deac9-5ab5-4211-b99f-fc86dbfe47d8" }, { "type": "domain-name", "value": "appleid-manageids.info", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--c601ee96-bff8-445b-a20f-f88376b36626" }, { "type": "domain-name", "value": "applessecure.site", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--930a9070-f0b3-43ba-bb97-1dd402ae55b5" }, { "type": "domain-name", "value": "auth-03chase.com", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--202dc1f2-b10f-4857-b739-2fe4c66195cc" }, { "type": "domain-name", "value": "banking-commbank.support", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--89e97eef-bb39-4199-af66-1c3057d87eb0" }, { "type": "domain-name", "value": "citi-securelogin.com", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--0615cea4-cdb2-4719-85f6-dff7f8186c63" }, { "type": "domain-name", "value": "claireapplewhite.com", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--fdc64f7b-3a3e-4be4-a7da-b62dd263e1f5" }, { "type": "domain-name", "value": "cvwwwe9851.xyz", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--41d10ccf-cbe7-41d5-9aa7-4db20b1494d4" }, { "type": "domain-name", "value": "docsaccount.com", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--e0366677-0043-4297-8d17-b4209e4342dd" }, { "type": "domain-name", "value": "ebankingcode.com", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--db1e7f7f-cf32-4973-a247-5a723e3a4ab5" }, { "type": "domain-name", "value": "hbsc-payment.com", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--095f7b72-cba7-4f87-9277-026553d99547" }, { "type": "domain-name", "value": "hotelesanticrisis.com", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--5e133d53-8a89-49be-8a00-69b3bff9b72d" }, { "type": "domain-name", "value": "https8xmao.xyz", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--63bd8ef4-258f-4c06-90bd-df7a13390296" }, { "type": "domain-name", "value": "icloudfindsimap.com", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--596e0808-e00e-4955-8704-27ccf3d0bd76" }, { "type": "domain-name", "value": "imap-support.info", "source": "OTX", "malware_families": [ "Tracer" ], "pulse_names": [ "Phishing & scam domain names" ], "id": "domain-name--1451434c-2656-4f33-97b1-69f6d27147d0" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f641b12e-fe46-40a9-ab53-f5f0ae41101a", "created": "2025-12-17T11:18:30.234Z", "modified": "2025-12-17T11:18:30.248Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = '0paypal.com']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:30.248Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--af44a50b-0c38-4ef6-8ba5-891f31497108", "created": "2025-12-17T11:18:30.248Z", "modified": "2025-12-17T11:18:30.248Z", "relationship_type": "based-on", "source_ref": "indicator--f641b12e-fe46-40a9-ab53-f5f0ae41101a", "target_ref": "domain-name--f6f1fbb8-72ff-4812-9b23-5b557639cf7a" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--67303154-037c-458b-a91f-d7192581b0a1", "created": "2025-12-17T11:18:32.425Z", "modified": "2025-12-17T11:18:32.431Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'account-page-recovery-process.com']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:32.431Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c48a247a-7389-4926-9e1e-aa4e723f7155", "created": "2025-12-17T11:18:32.435Z", "modified": "2025-12-17T11:18:32.435Z", "relationship_type": "based-on", "source_ref": "indicator--67303154-037c-458b-a91f-d7192581b0a1", "target_ref": "domain-name--2c50d19d-1759-418c-8e82-802d637e6457" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fa0a8c6d-f11c-4446-bbaf-772bdf3b838b", "created": "2025-12-17T11:18:32.981Z", "modified": "2025-12-17T11:18:32.983Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'accountingsure.com']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:32.983Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3761cee3-22f5-4c5b-ad7f-cabfb8e454ac", "created": "2025-12-17T11:18:32.983Z", "modified": "2025-12-17T11:18:32.983Z", "relationship_type": "based-on", "source_ref": "indicator--fa0a8c6d-f11c-4446-bbaf-772bdf3b838b", "target_ref": "domain-name--f415c03f-d605-4b5f-a8c9-772db4f3a82b" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6ce4721a-8ff1-49af-8c80-79365bea2dd4", "created": "2025-12-17T11:18:33.324Z", "modified": "2025-12-17T11:18:33.325Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'alamatpaypal.com']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:33.325Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c9d0b85f-1012-4333-abba-7cec8fcf0ddb", "created": "2025-12-17T11:18:33.325Z", "modified": "2025-12-17T11:18:33.325Z", "relationship_type": "based-on", "source_ref": "indicator--6ce4721a-8ff1-49af-8c80-79365bea2dd4", "target_ref": "domain-name--675f4712-c1c9-4764-be3b-024b420feb99" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--962c660c-8815-465b-b414-48b8f923b394", "created": "2025-12-17T11:18:33.563Z", "modified": "2025-12-17T11:18:33.566Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'amazon-update.xyz']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:33.566Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--519789d5-32e8-4096-b0d6-d28941c72893", "created": "2025-12-17T11:18:33.566Z", "modified": "2025-12-17T11:18:33.566Z", "relationship_type": "based-on", "source_ref": "indicator--962c660c-8815-465b-b414-48b8f923b394", "target_ref": "domain-name--8df2e64d-1547-4957-8158-5d97d7607c24" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8368e97b-8842-4036-92e3-368e43d73e4a", "created": "2025-12-17T11:18:33.799Z", "modified": "2025-12-17T11:18:33.800Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'appleid-fmi.com']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:33.800Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2cdc9505-b1b3-4606-9465-e2771cc29320", "created": "2025-12-17T11:18:33.800Z", "modified": "2025-12-17T11:18:33.800Z", "relationship_type": "based-on", "source_ref": "indicator--8368e97b-8842-4036-92e3-368e43d73e4a", "target_ref": "domain-name--423deac9-5ab5-4211-b99f-fc86dbfe47d8" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b93b2e96-7a7d-4ee0-83c7-18ee56095caa", "created": "2025-12-17T11:18:34.100Z", "modified": "2025-12-17T11:18:34.103Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'appleid-manageids.info']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:34.103Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8e9292f2-eebd-40b2-87c2-1d27c679c9d0", "created": "2025-12-17T11:18:34.103Z", "modified": "2025-12-17T11:18:34.103Z", "relationship_type": "based-on", "source_ref": "indicator--b93b2e96-7a7d-4ee0-83c7-18ee56095caa", "target_ref": "domain-name--c601ee96-bff8-445b-a20f-f88376b36626" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--148c7ad9-872d-4338-a1bc-4c0f7faff0a9", "created": "2025-12-17T11:18:34.287Z", "modified": "2025-12-17T11:18:34.289Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'applessecure.site']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:34.289Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--04e93aa5-0d5f-4731-afbb-ee6270d43cce", "created": "2025-12-17T11:18:34.289Z", "modified": "2025-12-17T11:18:34.289Z", "relationship_type": "based-on", "source_ref": "indicator--148c7ad9-872d-4338-a1bc-4c0f7faff0a9", "target_ref": "domain-name--930a9070-f0b3-43ba-bb97-1dd402ae55b5" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--95b0c8eb-d27f-49fc-9800-15c699f73054", "created": "2025-12-17T11:18:34.488Z", "modified": "2025-12-17T11:18:34.497Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'auth-03chase.com']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:34.497Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3ff5c2a9-0f99-40af-9fc0-a37fd3db7afb", "created": "2025-12-17T11:18:34.497Z", "modified": "2025-12-17T11:18:34.497Z", "relationship_type": "based-on", "source_ref": "indicator--95b0c8eb-d27f-49fc-9800-15c699f73054", "target_ref": "domain-name--202dc1f2-b10f-4857-b739-2fe4c66195cc" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--15e5fb44-adb1-437a-8619-9150d282c8c4", "created": "2025-12-17T11:18:34.751Z", "modified": "2025-12-17T11:18:34.753Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'banking-commbank.support']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:34.753Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b0945d77-1fdd-4c5e-86e3-a39cd236d986", "created": "2025-12-17T11:18:34.753Z", "modified": "2025-12-17T11:18:34.753Z", "relationship_type": "based-on", "source_ref": "indicator--15e5fb44-adb1-437a-8619-9150d282c8c4", "target_ref": "domain-name--89e97eef-bb39-4199-af66-1c3057d87eb0" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--113b3d1c-f999-4fbe-a98c-87f0989d2da2", "created": "2025-12-17T11:18:35.097Z", "modified": "2025-12-17T11:18:35.100Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'citi-securelogin.com']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:35.100Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2a0440ca-5da7-47be-8edc-a3ea3af71a45", "created": "2025-12-17T11:18:35.100Z", "modified": "2025-12-17T11:18:35.100Z", "relationship_type": "based-on", "source_ref": "indicator--113b3d1c-f999-4fbe-a98c-87f0989d2da2", "target_ref": "domain-name--0615cea4-cdb2-4719-85f6-dff7f8186c63" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--161e9202-ab34-4b69-9c32-6d960b2ce5e1", "created": "2025-12-17T11:18:35.438Z", "modified": "2025-12-17T11:18:35.440Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'claireapplewhite.com']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:35.440Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--519229cc-3042-47ea-8012-b3059cb6c474", "created": "2025-12-17T11:18:35.440Z", "modified": "2025-12-17T11:18:35.440Z", "relationship_type": "based-on", "source_ref": "indicator--161e9202-ab34-4b69-9c32-6d960b2ce5e1", "target_ref": "domain-name--fdc64f7b-3a3e-4be4-a7da-b62dd263e1f5" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1ca52b38-9127-4514-9848-c0ac2fd6f6ab", "created": "2025-12-17T11:18:35.692Z", "modified": "2025-12-17T11:18:35.694Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'cvwwwe9851.xyz']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:35.694Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c3424185-3f87-4258-ab22-74a314371705", "created": "2025-12-17T11:18:35.694Z", "modified": "2025-12-17T11:18:35.694Z", "relationship_type": "based-on", "source_ref": "indicator--1ca52b38-9127-4514-9848-c0ac2fd6f6ab", "target_ref": "domain-name--41d10ccf-cbe7-41d5-9aa7-4db20b1494d4" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c5cc27b-6917-4add-abd8-36065abbfdfc", "created": "2025-12-17T11:18:35.944Z", "modified": "2025-12-17T11:18:35.947Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'docsaccount.com']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:35.947Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0d97edd5-ac25-4b97-b76d-99657572f10d", "created": "2025-12-17T11:18:35.947Z", "modified": "2025-12-17T11:18:35.947Z", "relationship_type": "based-on", "source_ref": "indicator--5c5cc27b-6917-4add-abd8-36065abbfdfc", "target_ref": "domain-name--e0366677-0043-4297-8d17-b4209e4342dd" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--84afd306-826e-4691-afa4-eb5b6c48222e", "created": "2025-12-17T11:18:36.434Z", "modified": "2025-12-17T11:18:36.436Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'ebankingcode.com']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:36.436Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3e28f68c-793c-4401-898c-ff0d3ac7bf51", "created": "2025-12-17T11:18:36.436Z", "modified": "2025-12-17T11:18:36.436Z", "relationship_type": "based-on", "source_ref": "indicator--84afd306-826e-4691-afa4-eb5b6c48222e", "target_ref": "domain-name--db1e7f7f-cf32-4973-a247-5a723e3a4ab5" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cee125a3-01fe-4c54-bb2f-c040beaf7e1b", "created": "2025-12-17T11:18:36.728Z", "modified": "2025-12-17T11:18:36.734Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'hbsc-payment.com']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:36.734Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a10bedd4-e446-47c6-a3cb-5396318bc50f", "created": "2025-12-17T11:18:36.734Z", "modified": "2025-12-17T11:18:36.734Z", "relationship_type": "based-on", "source_ref": "indicator--cee125a3-01fe-4c54-bb2f-c040beaf7e1b", "target_ref": "domain-name--095f7b72-cba7-4f87-9277-026553d99547" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--42fc0a92-0871-433d-a637-b2e0900238fa", "created": "2025-12-17T11:18:37.079Z", "modified": "2025-12-17T11:18:37.082Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'hotelesanticrisis.com']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:37.082Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--105860e5-9182-4aef-a1a9-c77bba5a7814", "created": "2025-12-17T11:18:37.082Z", "modified": "2025-12-17T11:18:37.082Z", "relationship_type": "based-on", "source_ref": "indicator--42fc0a92-0871-433d-a637-b2e0900238fa", "target_ref": "domain-name--5e133d53-8a89-49be-8a00-69b3bff9b72d" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9d65a352-9a7a-4741-974b-f34524487c1b", "created": "2025-12-17T11:18:38.301Z", "modified": "2025-12-17T11:18:38.312Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'icloudfindsimap.com']", "pattern_type": "stix", "valid_from": "2025-12-17T11:18:38.313Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a83d735a-7acc-425c-bd5d-77e85a4b11c1", "created": "2025-12-17T11:18:38.318Z", "modified": "2025-12-17T11:18:38.320Z", "relationship_type": "based-on", "source_ref": "indicator--9d65a352-9a7a-4741-974b-f34524487c1b", "target_ref": "domain-name--596e0808-e00e-4955-8704-27ccf3d0bd76" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--27974c2d-3036-4688-bc0d-a4a2b348f3f6", "created": "2025-12-17T11:19:07.509Z", "modified": "2025-12-17T11:19:08.667Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'imap-support.info']", "pattern_type": "stix", "valid_from": "2025-12-17T11:19:08.915Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--64826449-5a2d-4155-a19d-ae2ba6722626", "created": "2025-12-17T11:19:08.924Z", "modified": "2025-12-17T11:19:08.924Z", "relationship_type": "based-on", "source_ref": "indicator--27974c2d-3036-4688-bc0d-a4a2b348f3f6", "target_ref": "domain-name--1451434c-2656-4f33-97b1-69f6d27147d0" } ] }

Playbook for the Secure Enterprise

Compliance Impact Scoreboard

Industry Watch

CyberSecurity Latest Rundown

CRITICAL ITEMS

HIGH SEVERITY ITEMS

EXECUTIVE INSIGHTS

VENDOR SPOTLIGHT

DETECTION & RESPONSE KIT

Cookie Notice

STIX 2.1 Threat Intelligence Bundle

If you like MikeGPT CyberSecurity Newsletter, spread the word.