Cybersecurity Latest Rundown

Threat Rundown

Industry Watch

🚨 Healthcare (HIPAA) CRITICAL

Threat activity targeting EMR/Patient Systems

Key threat: Systemic ransomware risk to hospital infrastructure causing patient harm.

Action: Review Hospital Ransomware Really is The Pitt, APT28 Targets Ukrainian UKR-net Users

Technology & Infrastructure (SOX) ELEVATED

Active Zero-Day Exploitation

Key threat: Zero-day exploitation in Cisco and SonicWall appliances.

Action: Review China-Linked Hackers Exploiting Zero-Day in Cisco Security Gear, SonicWall warns of actively exploited flaw in SMA 100 AMC

CyberSecurity Latest Rundown

Heroes, we are deep into the holiday season. Still work to be done. Here's a curated look at the current cybersecurity landscape for December 18, 2025.

CRITICAL ITEMS

China-Linked Hackers Exploiting Zero-Day in Cisco Security Gear
Date & Time: 2025-12-18T07:12:31

State-sponsored actors are actively exploiting a zero-day vulnerability in Cisco Secure Email Gateway and Web Manager appliances to infiltrate networks. This critical flaw allows attackers to bypass authentication and gain administrative access to security perimeters.

Business impact

A compromise of security appliances grants attackers unrestricted visibility into encrypted traffic and email communications; expect potential theft of intellectual property, immediate regulatory scrutiny under SOX, and significant remediation costs to rebuild trust in the network perimeter.

Recommended action

Ask your IT team: "Have we isolated our Cisco Secure Email and Web Manager appliances from the internet and applied the mitigation for CVE-2025-20393 immediately?"

CVE: CVE-2025-20393 | Compliance: SOX | Source: SecurityWeek ↗.
SonicWall warns of actively exploited flaw in SMA 100 AMC
Date & Time: 2025-12-17T19:36:14

SonicWall has confirmed a privilege escalation vulnerability in the SMA1000 Appliance Management Console is being exploited in the wild as a zero-day. Attackers are leveraging this to gain unauthorized elevated access to remote access infrastructure.

Business impact

Exploitation of remote access VPNs can lead to full network compromise and ransomware deployment; this creates immediate liability under SOX and SOC 2 frameworks due to failure in access controls and potential data exfiltration.

Recommended action

Ask your IT team: "Have we applied the emergency patches for our SonicWall SMA1000 series appliances to address CVE-2025-40602?"

CVE: CVE-2025-40602 | Compliance: SOX, SOC 2 | Source: securityaffairs.com ↗.
Microsoft December Update Breaks Critical IIS Servers
Date & Time: 2025-12-18T11:19:42

The latest Microsoft security update (KB5071546) has caused widespread failures in Message Queuing (MSMQ) services, effectively breaking critical IIS server functionality across multiple Windows versions. This is a regression issue affecting stability rather than a malicious attack.

Business impact

Organizations relying on IIS and MSMQ for transaction processing or web applications face immediate operational downtime; this directly impacts revenue generation and availability SLAs required by GDPR and SOX.

Recommended action

Ask your IT team: "Are our IIS servers experiencing MSMQ failures, and should we pause the deployment of KB5071546 until a fix is verified?"

CVE: n/a | Compliance: GDPR, SOX | Source: TechRepublic ↗.
React2Shell fallout spreads to sensitive targets
Date & Time: 2025-12-17T22:59:59

The React2Shell vulnerability is seeing an all-time high in public exploitation, with attackers installing stealth backdoors across internet infrastructure. The persistence of this flaw allows threat actors to maintain long-term access even after initial remediation attempts.

Business impact

Widespread exploitation of infrastructure scaffolding implies that standard perimeter defenses may be bypassed, leading to long-term espionage or data theft that triggers FISMA and SOX reporting requirements.

Recommended action

Ask your IT team: "Have we scanned our public-facing infrastructure for React2Shell indicators and verified that no backdoors were planted prior to patching?"

CVE: n/a | Compliance: SOX, FISMA | Source: CyberScoop ↗.

HIGH SEVERITY ITEMS

Amazon: Ongoing cryptomining campaign uses hacked AWS accounts
Date & Time: 2025-12-18T07:15:58

AWS GuardDuty is tracking a campaign where attackers use compromised IAM credentials to launch cryptomining operations on EC2 and ECS instances. The attackers employ persistent techniques to maintain access.

Business impact

Unauthorized compute usage leads to massive unexpected cloud bills and potential service degradation for legitimate applications, impacting financial controls under SOX.

Recommended action

Ask your IT team: "Are we monitoring AWS GuardDuty alerts for unauthorized EC2 launches and have we rotated IAM keys for service accounts recently?"

CVE: n/a | Compliance: SOX | Source: Lifeboat ↗.
APT28 Targets Ukrainian UKR-net Users in Long-Running Campaign
Date & Time: 2025-12-17T15:30:00

Russian state-sponsored actor APT28 is conducting a sustained credential harvesting campaign against UKR.net users. This demonstrates continued aggressive espionage capabilities targeting webmail services.

Business impact

While targeted at Ukraine, APT28 tactics often spill over to global entities; compromised credentials can lead to unauthorized access to sensitive communications, impacting HIPAA and SOX compliance.

Recommended action

Ask your IT team: "Have we updated our threat intelligence feeds to include the latest APT28 indicators related to this campaign?"

CVE: n/a | Compliance: HIPAA, SOX | Source: The Hacker News ↗.
ShadyPanda: The Silent Browser Takeover Threat
Date & Time: 2025-12-17T18:00:00

The ShadyPanda campaign exploits trusted browser extensions to compromise millions of users, turning legitimate software into malicious tools. This represents a significant supply chain risk at the endpoint level.

Business impact

Malicious extensions can capture keystrokes, session tokens, and sensitive data displayed in browsers, directly threatening HIPAA patient data and SOX financial data integrity.

Recommended action

Ask your IT team: "Do we have visibility into browser extensions installed on corporate endpoints and can we block unapproved extensions?"

CVE: n/a | Compliance: HIPAA, SOX | Source: Qualys ↗.

MEDIUM SEVERITY ITEMS

U.S. CISA adds Cisco, SonicWall, and ASUS flaws to KEV catalog
Date & Time: 2025-12-18T10:18:02

CISA has updated its Known Exploited Vulnerabilities catalog to include recent flaws in Cisco, SonicWall, and ASUS products. This mandates federal agencies to patch by specific deadlines and signals high risk for private sector.

CVE: n/a | Compliance: SOX, FISMA | Source: securityaffairs.com ↗.
France arrests suspect tied to cyberattack on Interior Ministry
Date & Time: 2025-12-18T07:16:11

French authorities have arrested a suspect linked to a cyberattack on the Ministry of the Interior. This highlights the active law enforcement response to attacks on government infrastructure.

CVE: n/a | Compliance: FISMA, SOX | Source: Lifeboat ↗.
Vulnerability in Govee devices with cloud connectivity firmware
Date & Time: 2025-12-18T10:55:00

A flaw in the binding process of Govee's cloud platform allows remote attackers to hijack IoT devices. This vulnerability highlights the risks associated with cloud-connected smart devices in enterprise environments.

Business impact

Compromised IoT devices can serve as entry points for lateral movement into the corporate network, potentially violating HIPAA security rules if these devices are on medical networks.

Recommended action

Ask your IT team: "Do we have Govee smart devices on our corporate or guest networks, and are they isolated from critical systems?"

CVE: CVE-2025-10910 | Compliance: HIPAA, SOX | Source: cert.pl ↗.

EXECUTIVE INSIGHTS

Hospital Ransomware Really is The Pitt
Date & Time: 2025-12-18T09:15:41

An analysis of why hospitals remain primary targets for ransomware, emphasizing that resilience—not just compliance checklists—must drive security strategy to prevent patient harm.

Source: Security Boulevard ↗.
2026 Cyber Predictions: Accelerating AI, Data Sovereignty
Date & Time: 2025-12-18T08:48:28

Strategic forecast for 2026 highlighting how AI-driven threats and data sovereignty mandates will reshape the CISO agenda and hybrid infrastructure risks.

Source: Security Boulevard ↗.

VENDOR SPOTLIGHT

Spotlight Rationale: The "ShadyPanda" campaign identified in today's intelligence highlights the critical risk of malicious browser extensions compromising enterprise data. Traditional endpoint protection often misses these browser-layer threats.

Threat Context: ShadyPanda: The Silent Browser Takeover Threat

Platform Focus: Qualys TruRisk Eliminate

Qualys TruRisk Eliminate specifically addresses the gap in browser security by identifying risky behaviors and malicious extensions like those used by ShadyPanda. It allows organizations to move beyond simple vulnerability patching to actively eliminate risk factors such as unauthorized browser add-ons that bypass standard firewalls and AV.

Actionable Platform Guidance: Use the TruRisk Eliminate module to run a query for all installed browser extensions across the fleet. Configure a policy to automatically disable extensions with a reputation score below the corporate threshold or those specifically flagged as "ShadyPanda" indicators.

Source: Qualys ↗.

DETECTION & RESPONSE KIT

⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.

1. Vendor Platform Configuration - Qualys TruRisk Eliminate

# Step 1: Access Qualys Cloud Platform and navigate to TruRisk Eliminate
# Step 2: Create a new Remediation Policy for Browser Extensions

Policy Name: Block_ShadyPanda_Extensions
Scope: All_Workstations

# Step 3: Define Block Criteria
Criteria:
- Extension_Reputation EQUALS 'Malicious'
- Extension_Name CONTAINS 'ShadyPanda' OR 'AquaShell'
# Note: AquaShell included based on cross-threat indicators

# Step 4: Action
Action: Uninstall_Silently
Notify_User: False

# Step 5: Save and Activate Policy

2. YARA Rule for AquaShell/ShadyPanda Indicators

rule AquaShell_ShadyPanda_Detection {
meta:
description = "Detects AquaShell and ShadyPanda related artifacts based on Dec 18 2025 intelligence"
author = "Threat Rundown"
date = "2025-12-18"
reference = "https://www.techrepublic.com/?p=4340752"
severity = "medium"
tlp = "white"
strings:
$s1 = "AquaShell" ascii wide
$s2 = "AquaPurge" ascii wide
$s3 = "AquaTunnel" ascii wide
$s4 = "Chisel" ascii wide
$s5 = "UAT" ascii wide
$h1 = { 4D 5A 90 00 03 00 00 00 }
condition:
uint16(0) == 0x5A4D and (any of ($s*) or $h1)
}

3. SIEM Query — AWS IAM Compromise (Cryptomining)

index=security sourcetype="aws:cloudtrail"
eventName="RunInstances" OR eventName="CreateFleet"
| eval risk_score=case(
userAgent LIKE "%Kali%" OR userAgent LIKE "%Parrot%", 100,
errorCode="Client.UnauthorizedOperation", 50,
1==1, 25)
| where risk_score >= 50
| table _time, src_ip, userIdentity.arn, userAgent, risk_score
| sort -_time

4. PowerShell Script — Check for Govee Device Binding Flaw Indicators

$computers = "localhost", "SERVER01", "WKSTN01"
foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
# Check for potential Govee related software or services
$goveeCheck = Get-WmiObject -Class Win32_Product -ComputerName $computer |
Where-Object { $_.Name -like "*Govee*" }

if ($goveeCheck) {
Write-Host "ALERT: Govee software detected on $computer - Review for CVE-2025-10910" -ForegroundColor Red
} else {
Write-Host "Clean: No Govee software found on $computer"
}
}
}

This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!

{ "type": "bundle", "id": "bundle--c34a094e-1786-4ec1-bb48-70ba1e9caa82", "objects": [ { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487", "created": "2022-10-01T00:00:00.000Z", "definition_type": "tlp:2.0", "name": "TLP:CLEAR", "definition": { "tlp": "clear" } }, { "type": "identity", "spec_version": "2.1", "id": "identity--4093154f-71f8-4bdf-852f-ef2f357fb9ca", "created": "2025-12-18T15:25:23.863Z", "modified": "2025-12-18T15:25:23.863Z", "name": "MikeGPT Intelligence Platform", "description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds", "identity_class": "organization", "sectors": [ "technology", "defense" ], "contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "report", "spec_version": "2.1", "id": "report--043beaf2-8186-4b08-90c2-1107038f1002", "created": "2025-12-18T15:25:23.863Z", "modified": "2025-12-18T15:25:23.863Z", "name": "Threat Intelligence Report - 2025-12-18", "description": "Threat Intelligence Report - 2025-12-18\n\nThis report consolidates actionable cybersecurity intelligence from 79 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Microsoft December Update Breaks Critical IIS Servers (Score: 100)\n• SonicWall warns of actively exploited flaw in SMA 100 AMC (Score: 100)\n• U.S. CISA adds Cisco, SonicWall, and ASUS flaws to its Known Exploited Vulnerabilities catalog (Score: 100)\n• Browser extensions with 8 million users collect extended AI conversations (Score: 100)\n• Vulnerability in Govee devices with cloud connectivity firmware (Score: 100)\n\nEXTRACTED ENTITIES:\n• 32 Attack Pattern(s)\n• 7 Domain Name(s)\n• 7 File:Hashes.Md5(s)\n• 2 File:Hashes.Sha 1(s)\n• 4 File:Hashes.Sha 256(s)\n• 7 Indicator(s)\n• 1 Malware(s)\n• 1 Marking Definition(s)\n• 201 Relationship(s)\n• 5 Threat Actor(s)\n• 5 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n", "published": "2025-12-18T15:25:23.863Z", "object_refs": [ "identity--4093154f-71f8-4bdf-852f-ef2f357fb9ca", "vulnerability--9f650d03-ca41-4571-be97-ba4550ff932d", "vulnerability--521ee690-b7c3-46d8-bbd6-38a0434d7e86", "vulnerability--ae4a8eba-432a-457f-b5ca-74e1921cbab0", "vulnerability--45bd1d6b-c7a7-481e-906a-5fd5f4dfda48", "vulnerability--09cfd756-732a-426d-8c11-8d9ddb3e9e05", "identity--ae4d5f46-29c5-40ae-842b-378abf057c12", "identity--4e9b4c49-e9d4-4528-94d2-741592f6960c", "identity--3f81aa9d-ca8d-45fa-b473-86decb42f206", "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "identity--99c2d616-7417-412a-af6f-1a18fd3cdfea", "identity--812144f6-484a-44c6-aa70-28b34b9ac440", "identity--0f09a8f8-0638-43b6-ba59-10a163cbf35e", "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "identity--1044ef7c-7d96-43dd-b3cb-5725d5a7e299", "identity--cf7736e5-f588-4648-ae33-da67b72eb10f", "identity--9fd57f96-ecd8-4908-863c-6023bd272f87", "identity--24871f3f-e08d-419a-8af1-8ef89d1bfc34", "identity--89f62a82-0de4-4989-a780-aec4291e19ad", "identity--ee66b244-4262-466e-9fc1-6df9931a5539", "attack-pattern--9246b259-7396-4bbe-8fb6-c229ccc22e6d", "identity--94ff51be-448e-4e6f-a817-8fa1f9363485", "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "identity--8b78b8ae-97f0-4d50-857f-f5bd5c0ff202", "identity--b3bdea14-e0b2-4345-a6dd-a8d4a32eaada", "identity--161fc746-cd49-4615-ab48-81a93a1b16b4", "identity--d656b75c-7852-4c6e-b421-a822d7664ae7", "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "identity--bd8495ee-d647-4863-a669-5e155338dcc4", "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "attack-pattern--aa1845f4-913c-40c6-96ac-d19b1dd58616", "attack-pattern--b3ae94a2-b47a-4b30-9d9a-5c3a1d8717fe", "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "attack-pattern--84b7fc1e-6f1b-4dc6-9bcc-488b2727c7af", "attack-pattern--aafb87d3-d5e3-44d3-9260-c41332dda176", "attack-pattern--6ffaba66-d6ac-4af3-b4f3-8a5adabce2bb", "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "attack-pattern--34e7763c-ff57-4a68-9e1e-ebf4113d5699", "attack-pattern--c33dd9cf-88cc-4541-ad0d-7cb0b3568581", "attack-pattern--85c280bd-77ac-4193-89a6-22f3258889e1", "attack-pattern--dbb59a97-9800-4d55-9334-d22a554ef223", "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "attack-pattern--d123f673-06c3-45e4-a800-7bb58177799f", "attack-pattern--4e848890-246a-47e8-8d6b-1f4ce8315437", "attack-pattern--e0527a36-7149-4bfd-b201-8a74a4f38dc5", "attack-pattern--39e179f7-eb33-4dba-86f0-c13dbcbd2a1b", "attack-pattern--aa4dcee8-9977-4032-8aa1-f12c8350d606", "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "attack-pattern--5391a1ff-d556-4631-ba60-8905f720bf7f", "attack-pattern--66e614e6-1ec5-41d9-ba44-34ed358d91aa", "attack-pattern--63aeef6b-2fb0-45bd-b09b-d5ed6c1d0d7c", "attack-pattern--1d28031b-7dbc-4872-80f3-2948acef8495", "attack-pattern--c675ce6b-a194-49ed-b0f3-6f0025cd093a", "relationship--0aad07ca-ef84-414a-9bd2-5108363b6a4e", "relationship--1e204507-50f8-4a96-9cb3-711d30f5ec01", "relationship--c86fd171-6b98-4352-834d-52de9d56679b", "relationship--97165ede-9101-469f-a008-ef8b8c373add", "relationship--04d838fc-600d-4299-9928-0c7c7e208962", "relationship--99ce11fa-92ae-4a48-b797-f4b29dbd14ba", "relationship--ae32c11e-fa89-4705-94f9-9c45e8a3f6c8", "relationship--d612329a-a8ea-4add-9fd8-41674cb204c4", "relationship--decc1e6a-c90f-4170-bb4a-0ab58b1d6600", "relationship--2c024447-60b6-4689-ae55-4edb63d582fd", "relationship--1e0784ff-b050-4b01-83e5-92489c1068dc", "relationship--aa3ec0a4-a43c-410a-a959-6545f35b2a6f", "relationship--b89eb742-6330-427e-94f3-b547269ee0b2", "relationship--19f4ad40-0c19-4a85-ba0a-ae77ba54c179", "relationship--f6015d3a-a5f7-4621-8162-40bb2d43bdf2", "relationship--79bfad4b-045f-4f91-8ef0-67e251ea3ac2", "relationship--65aa219d-11e3-4e57-b366-53fbfa225bda", "relationship--61731556-8396-46c1-9104-c1c602706cc3", "relationship--7d3eaba3-16d4-41b9-895d-ad3a5b980b46", "relationship--97b2412c-efa1-48f3-96ae-731145379d3c", "relationship--e633b239-21c9-4c6b-8830-6c7e3fd5be09", "relationship--b1ff2333-243b-4812-94dd-013eab7e7989", "relationship--62c74539-05f2-4283-831b-f7656d977b8f", "relationship--9902108e-134f-4f3a-bd96-508c8f9b172a", "relationship--bf780037-545e-406f-b1d6-e6b6ceede857", "relationship--d68d0390-a74d-4b1e-a573-880b4fa51b6d", "relationship--b5cbdbc9-1d0f-4fc0-8da3-874cca131823", "relationship--48d9826a-dde2-42de-98de-2d763875498d", "relationship--b319736b-dbc2-40bf-937a-2895c6d4d37b", "relationship--ba83cc52-b953-4a79-818d-c50b62fd8c2b", "relationship--6d563986-acfe-4fb3-af73-2703b5d448f1", "relationship--4b959601-2d78-4c40-a108-cdeac55f14d7", "relationship--0a32777a-858e-421c-9899-5fffc24aa549", "relationship--eb5fe0ea-09c2-4ff1-9667-cf99288bb86f", "relationship--aa309a0d-3520-441a-9557-a8f1e00d65d2", "relationship--78769ea5-4e31-41ca-b978-0547006ebd6f", "relationship--fc25bc8b-0ec1-42bf-b29f-8348b468d3fe", "relationship--55ad3d39-92c9-4f1c-8a48-132d10e81802", "relationship--b8461c54-2187-466a-9c76-c55ad73444f9", "relationship--2f3505df-e962-4599-aa41-707fd98b35c8", "relationship--6707f002-a0f2-4750-909b-b201d222e3cd", "relationship--59afe74c-3d36-4948-a018-a88ff9933e7f", "relationship--61603f66-e64f-4919-b865-8ba6865d9d13", "relationship--feeab942-4061-4317-a562-2e1dc218269b", "relationship--633d63e8-42c1-48c2-b05d-23b66b96d45e", "relationship--11f84063-de43-444a-9016-cee44656ef0e", "relationship--2b43ba8c-a8e4-49c3-94e7-b2febcca13f9", "relationship--b34386da-0dc3-4800-929e-bfa7c35bb7a1", "relationship--d79abbef-92d6-4947-a928-fefa6c87ffa4", "relationship--8875bd73-3fce-4377-9554-ce6c5b9931c7", "relationship--375d01df-bfe3-43ab-bb0d-8e0810e3a234", "relationship--9e0984aa-75e8-465c-8a44-f8de1f330ece", "relationship--cdae1039-8bbe-43eb-b794-19063ae50155", "relationship--45358d22-fa2f-41c5-a2b8-4ef0badc471f", "relationship--84bb6ca2-bb56-46f8-8472-31ccbea73528", "relationship--359bb1ae-4f76-4062-a673-fda3aab539bf", "relationship--dd6bf28f-1f9a-41d1-9b84-bb64094bdbe9", "relationship--7be49a21-55c4-45db-b376-1dc5e1e18e69", "relationship--6b66360c-8a30-4451-a268-b8c02d42c005", "relationship--0a531af2-f30e-4ccc-8925-3f180a681918", "relationship--fa854871-572b-434f-901e-1ff7ad88b622", "relationship--ffb43e2f-e607-4a89-95ef-4a779f54b0b2", "relationship--985381a1-6b4e-434c-9d61-8057417da88b", "relationship--6176247e-80b7-48da-826e-e7e5832849d4", "relationship--5aecec61-835f-4454-8280-8ecf2c7edc03", "relationship--1aff14e4-8bf8-496f-bebd-31833ed7cd57", "relationship--ea48853d-b6d7-4d57-9a9d-eec0fa4722f4", "relationship--f0fe1777-1860-43f4-8ab7-bfd9260bf84c", "relationship--eb3fdac4-bdaa-43ac-afc9-dbcb33abed23", "relationship--0a3c3b43-47e9-46c5-aa9c-ff9222918dab", "relationship--53d0c296-6f78-481c-8a10-eb55b02b37ae", "relationship--cb080dc7-6137-49f9-b3f5-d8a41eea1e05", "relationship--d4065064-d098-4d17-ad26-3e6d7f8404e8", "relationship--65d97eeb-7fe6-404a-9ea0-8976ee9540dc", "relationship--f1ab0b52-4467-4de0-ba51-74b7a48740a9", "relationship--c64efd12-8d15-483b-9dea-e0d3ca8be496", "relationship--2d84899c-e4c1-47e2-a21d-3c6bca94f56b", "relationship--70168ae6-bc07-4fa3-aa61-572710b41d1e", "relationship--0dc0e789-8492-4d1f-af87-1bd188dcc1c4", "relationship--5eb309c0-0f38-4e4f-b25d-ccd55b44dd39", "relationship--197f8121-86ca-4fe4-8b56-b6db2266c721", "relationship--848a4b1d-46e3-4404-b4f6-565c14843fb9", "relationship--0c7c4a47-099a-498e-8b91-3c79e54516a3", "relationship--725ea26d-dbd4-4616-ace3-459d88519a2a", "relationship--4fc1f82c-f2d7-47b1-8dc2-3af2da2087e9", "relationship--9208e9e6-ce10-46da-b0da-7659139de8b5", "relationship--8c198de0-b9ba-4b93-bd7d-3f2eb7b28ed6", "relationship--764ff2ad-5880-4caa-a7d5-1406822c8c5b", "relationship--1b4d6930-9e23-4c3b-bf48-6a9df01eaf44", "relationship--68591271-c35e-4cc9-bc51-3572b822f9e7", "relationship--459f6a5f-7fd2-4542-bada-00d3457dc3ce", "relationship--aba579a2-549b-4140-9112-43ae0b986eac", "relationship--a349c827-6973-4bee-9c1c-fd136deca164", "relationship--281955ac-8cae-435c-89d7-2bad687ee018", "relationship--14684e14-7e65-4bea-9f92-dcab3a89ff77", "relationship--facfff31-3df9-4a62-bc56-897675595a2d", "relationship--148b34df-4d89-4712-854e-d912b0060a29", "relationship--a7a0292a-6a4f-422c-a129-21bde683a346", "relationship--bd703eeb-3af9-4f53-9887-9dc7e440a318", "relationship--3018be31-0320-4619-8b75-f1623ed42c0a", "relationship--d1d13bc8-2658-4c58-a94e-a797b0fad460", "relationship--454b0647-45aa-4e2e-ae39-827c8dc30f59", "relationship--0db08369-978b-4972-9825-467e56e1a38d", "relationship--ec612a9a-8d8f-449e-8a4d-240a2d76564c", "relationship--14f1df28-f71a-43a5-b4d3-626b83f7872b", "relationship--938c81fc-8790-4f57-ae56-7cdf0f531189", "relationship--71c256b9-7f34-409e-bb64-2181c80fd49d", "relationship--9898172d-5709-4aac-9020-5c620455fea5", "relationship--04ec1724-980c-43bf-b314-5ceb874950ee", "relationship--b58675a5-c3a8-444b-8b63-8c34435df113", "relationship--32e9daa5-7159-4ca7-a0ca-c37d41e224b1", "relationship--1c9c6440-3154-426e-be6e-b9e97e36eeaf", "relationship--22c222ff-2cfc-45ba-9c9e-7caada2c20c6", "relationship--1319a470-0526-4d31-b0d0-bb41acba12bd", "relationship--58907b24-e5b3-450d-9159-4064655cedeb", "relationship--740c96e7-896a-4ba4-ad09-a4a1b38aba9d", "relationship--7851ce83-f796-4370-8529-b0083a570301", "relationship--346e9b55-b1b7-47de-800e-8252cf6a713f", "relationship--9ae0a71c-1e0f-4ee4-9e64-9c88712b3d63", "relationship--ae826215-7fcf-432b-a4d9-40051609708b", "relationship--25fce65c-ffda-48e7-a793-2eebac04c31c", "relationship--1b8fdf62-d1a5-4a5e-aff5-bea47f2a539f", "relationship--32df8e9f-0ceb-49c5-8b8b-bd36463cf5e8", "relationship--ab39e2e8-8863-4da7-9130-679a195b1ef2", "relationship--d6edd590-0574-42ce-a4ea-fb16ac04adf1", "relationship--88a6880b-7dda-4b87-8334-e4f95320227e", "relationship--aede9887-e0a7-4972-aab9-ad560a87f3eb", "relationship--9a664e6e-9125-4abd-ac43-8e1691c40480", "relationship--de109527-5cc3-4e55-8855-1bc0da133bcf", "relationship--ef70f0ca-71d8-48c1-aec9-3f4b5c1b72a3", "relationship--28d200d7-7676-4e8f-81a2-166d80f9af8e", "relationship--f814a462-90d0-4b8c-b3ff-63b168b67d1b", "relationship--2349cac7-17e3-477c-8bf4-bd2df55812b5", "relationship--ee1ef8ae-814b-4c3c-834f-31ad82289363", "relationship--ec5bf371-4343-48c6-9286-da22b3cc4d66", "relationship--4acbe4ef-e60c-48d5-b1f8-b747ecef911d", "relationship--88108878-2be5-4b91-b36c-08b0a3f15f83", "relationship--52a7ed65-b7b4-406a-ac2c-50b67d0961aa", "relationship--4a4c5641-e495-4eca-908b-998ad95d014c", "relationship--e4ff809a-5577-4339-8109-99546020e686", "relationship--2ee6e337-64a3-4b82-a333-54cbe4169ff4", "relationship--7ce60f61-7912-46eb-a793-a5ff5bb71404", "relationship--4b2af402-bf85-42bf-9e66-9ec25231e3db", "relationship--ae79722f-135f-4e36-b959-2a7fc0212fa6", "relationship--330d126c-706f-454f-b7d0-1dc87f1dfec2", "relationship--ca7cc123-950c-4a97-8bc1-6539c5b40660", "relationship--a78db522-4728-48ba-8ae4-7ee32f0c068b", "relationship--220009d6-8be6-4386-8953-29f7aa15e49d", "relationship--0c94673e-7ba6-44b1-be8d-425bdbd872a6", "relationship--15da1154-5d68-4f3f-bc5b-adb5529eeed7", "relationship--5f1e7ccf-f5b9-460c-9011-d300b31cfd32", "relationship--b0e330f4-fbc1-46c5-84ad-bf34e20665e6", "relationship--f2507d68-c207-4583-81f8-bcb94ed61f91", "relationship--1234b719-16b3-428d-a877-e45a9d9c3776", "relationship--6c9d29be-2ec8-46d5-adb7-31fccc2c81bf", "relationship--7f5a2618-46f0-4f6a-b8f2-7e5b86f9e37a", "relationship--cb2389e1-3497-43cc-aa84-6c3b6a807b77", "relationship--9abff608-8ff6-4d26-a5f2-3f88c968b64b", "relationship--46344d6e-3c20-4fad-b6aa-f56a9156f13d", "relationship--f14e4051-784a-4a23-a925-2ee0dfea1d37", "relationship--2d06715c-0518-42b3-8b24-e01d589ac272", "relationship--0c772933-5d1f-4a0c-a24c-2c113f21c1e5", "relationship--ba49f23b-7699-41a2-a6ff-2e0b61292d89", "relationship--65518a4e-d3b7-46ec-a552-2e93718c49d3", "relationship--ce580501-553b-445b-a81f-923f5566581a", "relationship--b189cb77-fce1-4cdd-bf8c-ea9455d18644", "relationship--81288d8a-8799-4f69-ac08-682193cf556d", "relationship--4f86b40a-5a1b-468e-b759-c1324608709f", "relationship--e29086b3-ea44-4c57-af50-84dd4c594432", "relationship--df884b11-0b7a-48d1-87f6-d976516ff652", "relationship--f921b5f7-e3ad-4323-8fe3-a7b0d82f65d2", "relationship--1e9a51be-a71c-4c96-9bae-a9674979f85c", "relationship--949ce607-b538-410a-88f8-ad51b53e15d7", "relationship--c797c214-a6da-4d5c-9643-4d9a810616c0", "relationship--cc675c4b-8117-4809-8202-0857e45c5f46", "relationship--a1b33cad-7aa1-4e0d-8acd-30ff526e95b1", "relationship--20c52f95-c365-4b01-9797-af2c15a67349", "relationship--ed3186a8-7d81-42d4-8244-18c97101f6d4", "relationship--6ab0947f-a482-4367-a205-0a552fc5a29e", "relationship--f0385972-ae21-4cb2-8acf-8ba8a8bf1df4", "relationship--3705273c-148d-4049-9977-35913ae0ae5e", "relationship--4594e999-b23f-4b8d-9b49-0cd8defed251", "relationship--83fad3ce-ccb9-471c-9838-391afa7aaa13", "relationship--424b78cf-69f9-41b8-8e90-b1d24c195727", "relationship--22fb3bda-5f3d-4c1b-80aa-2f1265043c79", "relationship--883c507b-9f10-485e-a518-619d45a21449", "relationship--fedf72b0-266e-4f0f-893b-f48f9dc46bd9", "relationship--15ff4861-a2b5-4dce-839a-24b3ee293214", "relationship--0ca21017-39b0-4472-9610-97f7e0368fc1", "relationship--a99125e3-c890-4c91-84e8-94da0551b53f", "relationship--2562d42b-d6a6-478d-9929-4e1b77d12f0e", "relationship--4e7da082-edcd-4d65-9acf-f7f24558e59c", "relationship--087110ba-3fb7-49ea-8eb5-886dc5209284", "relationship--9131c249-09a8-43a8-b9bb-743384d166a3", "file:hashes.MD5--ccab0b91-c9fb-4d01-9d46-69f13f081d43", "file:hashes.MD5--0db5088f-cb05-4590-a73a-da9a76f0fba5", "file:hashes.MD5--a298daf4-5a30-4fec-b560-a05ed87e950a", "file:hashes.MD5--bb31bfa6-a8c4-48cd-984b-160410157444", "file:hashes.MD5--336221b0-03c5-4cc4-a6d7-73b6e811bd88", "file:hashes.MD5--8f84a4fd-846d-40ee-86f9-4e5a9ba976b0", "file:hashes.SHA-1--921cb24d-d05b-4528-a75e-fddb89558217", "file:hashes.SHA-256--dfaf5644-cfa9-449d-a20c-bee2dad0a21b", "file:hashes.MD5--258c2c01-3547-49ff-baeb-e3d86aa5b40a", "file:hashes.SHA-1--e450e7e2-9da9-48cc-a54b-f54b181777a9", "file:hashes.SHA-256--6bc4280f-c721-42a8-b1ae-147f70db874f", "file:hashes.SHA-256--cea44c92-223b-4595-be1f-6a4129d39284", "file:hashes.SHA-256--7d0a91c6-5188-45e8-b4aa-55aad0b049aa", "domain-name--993974a9-668a-48ae-88ff-f360c4b12726", "domain-name--1226ddba-ab91-428d-8f23-0b702db3ba7b", "domain-name--bd07adf0-d69d-49c0-8e95-34bb060e9f8f", "domain-name--2b694ead-197b-414a-805c-afacd9be9874", "domain-name--4fcbfbe0-6812-4372-9ad7-33524cdc6f6b", "domain-name--c19a29e4-5e24-4df6-98a4-4cdd9068fd3b", "domain-name--becc53bd-4341-4ab2-a723-4deb938826c7", "indicator--749655ba-82cd-48ce-bbb5-fc14de3f1620", "relationship--f42b2236-fc6c-44f5-bbb0-e3bf9296b6eb", "indicator--398bffe0-15d0-4617-a52e-7bc2c33fce65", "relationship--7b65788b-6d7d-4e03-afbc-cda532d7780b", "indicator--c2319a40-b296-4dcb-8c6d-cd9a62fa6139", "relationship--18660ab7-a67f-431c-bcf8-c8dc404cb938", "indicator--2cc98d83-00ff-4ef6-b3e6-fa806f175a54", "relationship--1dd7f1fb-d6c0-484c-8b4e-d06cdd61e64f", "indicator--c7ef318d-a4bf-4039-8f3a-da53c94e7745", "relationship--a82a4548-9c13-446d-9bad-bc1a99a106fa", "indicator--a95ed932-fb1f-45d5-aa28-90529c37dc60", "relationship--0f43d436-26a5-4ad2-bd6e-4c8339a9544f", "indicator--6805df87-9f8a-4dde-abbe-9fc5fdb54fb2", "relationship--535b033f-fb55-4722-9197-49a373d8d4da" ], "labels": [ "threat-report", "threat-intelligence" ], "created_by_ref": "identity--4093154f-71f8-4bdf-852f-ef2f357fb9ca", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.851Z", "modified": "2025-12-18T15:25:23.851Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--9f650d03-ca41-4571-be97-ba4550ff932d", "name": "CVE-2025-40602", "description": "A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).. CVSS Score: 6.6 (MEDIUM). CISA KEV: Active exploitation confirmed", "x_cvss_score": 6.6, "x_cvss_severity": "MEDIUM", "x_kev_status": true, "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-40602", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40602" }, { "source_name": "nvd", "external_id": "CVE-2025-40602", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40602" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.852Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--521ee690-b7c3-46d8-bbd6-38a0434d7e86", "name": "CVE-2025-23006", "description": "Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.. CVSS Score: 9.8 (CRITICAL). CISA KEV: Active exploitation confirmed. EPSS: 50.3% exploitation probability", "x_cvss_score": 9.8, "x_cvss_severity": "CRITICAL", "x_kev_status": true, "x_epss_score": 0.50325, "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-23006", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-23006" }, { "source_name": "nvd", "external_id": "CVE-2025-23006", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23006" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.852Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--ae4a8eba-432a-457f-b5ca-74e1921cbab0", "name": "CVE-2025-10910", "description": "A flaw in the binding process of Govee’s cloud platform and devices allows a remote attacker to bind an existing, online Govee device to the attacker’s account, resulting in full control of the device and removal of the device from its legitimate owner’s account.\nThe server‑side API allows device association using a set of identifiers: \"device\", \"sku\", \"type\", and a client‑computed \"value\", that are not cryptographically bound to a secret originating from the device itself.\n\nThe vulnerability ha", "x_kev_status": false, "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-10910", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10910" }, { "source_name": "nvd", "external_id": "CVE-2025-10910", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10910" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.852Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--45bd1d6b-c7a7-481e-906a-5fd5f4dfda48", "name": "CVE-2025-59374", "description": "\"UNSUPPORTED WHEN ASSIGNED\" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected. The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products. CISA KEV: Active exploitation confirmed. EPSS: 0.0% exploitation probability", "x_kev_status": true, "x_epss_score": 0.00044, "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-59374", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59374" }, { "source_name": "nvd", "external_id": "CVE-2025-59374", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59374" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.852Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--09cfd756-732a-426d-8c11-8d9ddb3e9e05", "name": "CVE-2025-55182", "description": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.. CVSS Score: 10.0 (CRITICAL). CISA KEV: Active exploitation confirmed. EPSS: 76.0% exploitation probability", "x_cvss_score": 10.0, "x_cvss_severity": "CRITICAL", "x_kev_status": true, "x_epss_score": 0.76008, "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-55182", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55182" }, { "source_name": "nvd", "external_id": "CVE-2025-55182", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.852Z", "confidence": 95, "type": "identity", "id": "identity--ae4d5f46-29c5-40ae-842b-378abf057c12", "name": "Microsoft", "identity_class": "organization", "labels": [ "identity" ], "description": "Microsoft is a multinational technology corporation that specializes in developing, manufacturing, licensing, and supporting a wide range of software products, services, and devices. Known for its Windows operating system, Microsoft Office suite, and cloud services through Azure, the company plays a significant role in the technology sector. Microsoft's products are integral to both personal and enterprise computing environments, making it a key player in cybersecurity and IT infrastructure.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.852Z", "confidence": 95, "type": "identity", "id": "identity--4e9b4c49-e9d4-4528-94d2-741592f6960c", "name": "Infrastructure Security Agency", "identity_class": "government", "labels": [ "identity" ], "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is a federal agency responsible for protecting the United States' critical infrastructure from cyber threats. As part of the Department of Homeland Security, CISA plays a crucial role in coordinating national efforts to prevent and respond to cyber attacks. In this context, CISA is mentioned as the agency adding vulnerabilities to its Known Exploited Vulnerabilities catalog, highlighting its importance in the cybersecurity landscape.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.852Z", "confidence": 95, "type": "identity", "id": "identity--3f81aa9d-ca8d-45fa-b473-86decb42f206", "name": "Govee", "identity_class": "organization", "labels": [ "identity" ], "description": "Govee is a technology company that produces smart home devices, including those with cloud connectivity. The company's products have been found to be vulnerable to certain exploits, highlighting the need for secure coding practices and regular security updates. As a vendor of IoT devices, Govee's security posture is critical to protecting its customers' data and preventing potential attacks.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.852Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "name": "UAT-9686", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "description": "UAT-9686 is a China-nexus advanced persistent threat (APT) actor that has been actively exploiting a zero-day flaw in Cisco AsyncOS software to target Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. This threat group has deployed a collection of custom-built hacking tools to maintain persistent access to compromised systems, indicating a high level of sophistication and capabilities.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.852Z", "confidence": 89, "type": "identity", "id": "identity--99c2d616-7417-412a-af6f-1a18fd3cdfea", "name": "Cisco Secure Email", "identity_class": "system", "labels": [ "identity" ], "description": "Cisco Secure Email is a suite of email security solutions designed to protect organizations from email-based threats. It provides threat protection, filtering, and management for email gateways and web content, ensuring secure communication channels. Cisco Secure Email is part of Cisco's broader security portfolio and has been targeted by advanced persistent threat (APT) actors, highlighting its critical role in enterprise security.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.852Z", "confidence": 95, "type": "identity", "id": "identity--812144f6-484a-44c6-aa70-28b34b9ac440", "name": "Biosig Project Libbiosig", "identity_class": "software", "labels": [ "identity" ], "description": "Biosig Project Libbiosig is a software library for processing and analyzing biosignals. It is used in various applications, including medical research and device development. The vulnerabilities disclosed by Cisco Talos' Vulnerability Discovery & Research team highlight the importance of securing software libraries, as they can be used in a wide range of products and systems. The Biosig Project Libbiosig library is a specific target of these vulnerabilities, making it a relevant entity in the context of cybersecurity.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.852Z", "confidence": 95, "type": "identity", "id": "identity--0f09a8f8-0638-43b6-ba59-10a163cbf35e", "name": "Secure Mobile Access", "identity_class": "system", "labels": [ "identity" ], "description": "Secure Mobile Access (SMA) is a specific software platform developed by SonicWall, a cybersecurity company. SMA is a secure remote access solution that provides users with secure access to network resources. The SMA 100 series appliances have been reportedly exploited in the wild, highlighting the importance of securing such systems to prevent unauthorized access. As a targeted system, SMA is a critical entity in the context of cybersecurity threat intelligence.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.852Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "name": "ShadyPanda", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "description": "ShadyPanda is a threat actor group that has been observed exploiting trusted browser extensions to compromise millions of users. This group's tactics demonstrate how legitimate software can be leveraged for malicious purposes, highlighting the importance of vigilance in software development and user security practices. ShadyPanda's activities pose a significant risk to user privacy and security, making them a notable threat in the cybersecurity landscape.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.852Z", "confidence": 95, "type": "identity", "id": "identity--1044ef7c-7d96-43dd-b3cb-5725d5a7e299", "name": "GuardDuty", "identity_class": "system", "labels": [ "identity" ], "description": "GuardDuty is a cloud security service provided by Amazon Web Services (AWS) that leverages machine learning and threat intelligence to continuously monitor for malicious activity and unauthorized behavior to protect AWS accounts and workloads. It specifically targets AWS resources such as EC2 and ECS instances, detecting threats like crypto-mining campaigns and compromised IAM credentials.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.852Z", "confidence": 95, "type": "identity", "id": "identity--cf7736e5-f588-4648-ae33-da67b72eb10f", "name": "Elastic Container Service", "identity_class": "system", "labels": [ "identity" ], "description": "Elastic Container Service (ECS) is a container orchestration service offered by Amazon Web Services (AWS) that allows users to run and manage containerized applications. ECS is a critical component of AWS's cloud infrastructure, and its compromise can have significant security implications. In this context, ECS is being targeted by a crypto-mining campaign using compromised credentials, highlighting the importance of securing access to this service.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.852Z", "confidence": 95, "type": "identity", "id": "identity--9fd57f96-ecd8-4908-863c-6023bd272f87", "name": "GhostFrame", "identity_class": "system", "labels": [ "identity" ], "description": "GhostFrame is an advanced phishing kit that enables threat actors to create sophisticated phishing campaigns. It is part of the growing trend of phishing-as-a-service platforms, which provide malicious actors with the tools needed to conduct large-scale phishing attacks. GhostFrame is designed to bypass two-factor authentication (2FA) mechanisms, making it a significant threat to organizations and individuals.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.852Z", "modified": "2025-12-18T15:25:23.853Z", "confidence": 95, "type": "identity", "id": "identity--24871f3f-e08d-419a-8af1-8ef89d1bfc34", "name": "France’s Ministry of the Interior", "identity_class": "government", "labels": [ "identity" ], "description": "France’s Ministry of the Interior is the government agency responsible for the internal security, public order, and domestic policy of France. It oversees law enforcement, emergency services, and immigration, playing a crucial role in maintaining national security and public safety. As a critical government entity, it is a prime target for cyberattacks aimed at disrupting or compromising government operations.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.853Z", "modified": "2025-12-18T15:25:23.853Z", "confidence": 95, "type": "identity", "id": "identity--89f62a82-0de4-4989-a780-aec4291e19ad", "name": "Public Prosecutor Laure Beccuau", "identity_class": "government", "labels": [ "identity" ], "description": "Public Prosecutor Laure Beccuau is a government official responsible for investigating and prosecuting cybercrime cases. In this context, Laure Beccuau is mentioned as the Public Prosecutor who issued a statement regarding the arrest of a suspected hacker. As a government official involved in cybersecurity-related law enforcement, Laure Beccuau is a valid entity in the context of threat intelligence.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.853Z", "modified": "2025-12-18T15:25:23.853Z", "confidence": 95, "type": "identity", "id": "identity--ee66b244-4262-466e-9fc1-6df9931a5539", "name": "WhatsApp", "identity_class": "organization", "labels": [ "identity" ], "description": "WhatsApp is a popular messaging app owned by Meta Platforms, Inc. The platform's device-linking feature is being exploited by attackers in the GhostPairing campaign to hijack accounts without requiring authentication. This vulnerability highlights the importance of securing authentication mechanisms in widely used communication platforms.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.853Z", "modified": "2025-12-18T15:25:23.853Z", "confidence": 95, "type": "attack-pattern", "id": "attack-pattern--9246b259-7396-4bbe-8fb6-c229ccc22e6d", "name": "GhostPairing", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "unknown" } ], "description": "GhostPairing is a novel attack campaign exploiting WhatsApp's device-linking feature to hijack user accounts without authentication. Attackers abuse the pairing code mechanism to gain unauthorized access, highlighting a previously unknown vulnerability in the popular messaging platform. This campaign demonstrates the evolving tactics of threat actors in targeting widely-used communication services.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.853Z", "modified": "2025-12-18T15:25:23.853Z", "confidence": 95, "type": "identity", "id": "identity--94ff51be-448e-4e6f-a817-8fa1f9363485", "name": "Virginia Mental Health Authority", "identity_class": "organization", "labels": [ "identity" ], "description": "The Virginia Mental Health Authority is a state government agency responsible for providing mental health services to residents of Virginia. As the victim of a data breach, the agency's sensitive information and that of its patients may have been compromised, highlighting the need for robust cybersecurity measures to protect sensitive data.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.853Z", "modified": "2025-12-18T15:25:23.853Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "name": "Operation ForumTroll", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "description": "Operation ForumTroll is a threat actor campaign attributed to a series of phishing attacks targeting individuals within Russia. The operation has been linked to a fresh set of attacks, indicating an ongoing and active threat. The attribution of this operation to a specific threat actor suggests a level of sophistication and organization, highlighting the need for increased vigilance and defensive measures.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.853Z", "modified": "2025-12-18T15:25:23.853Z", "confidence": 95, "type": "malware", "id": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "name": "DarkGate malware", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "description": "DarkGate is a specific malware family that is being used in ClickFix attack campaigns to trick users into manually installing it via fake browser extension alerts. This malware is notable for its ability to evade detection and its use in targeted attacks. Its discovery by researchers at Point Wild highlights the ongoing threat of malware and the need for users to be cautious when installing software.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.853Z", "modified": "2025-12-18T15:25:23.853Z", "confidence": 95, "type": "identity", "id": "identity--8b78b8ae-97f0-4d50-857f-f5bd5c0ff202", "name": "WordPress", "identity_class": "software", "labels": [ "identity" ], "description": "WordPress is a free and open-source content management system (CMS) used by millions of websites worldwide. As a widely-used platform, WordPress is a frequent target for cyber attacks, including vulnerabilities in its core software, themes, and plugins. The security of WordPress is crucial for protecting websites and their users from various threats, including data breaches, malware infections, and unauthorized access. Understanding WordPress security is essential for website administrators and security professionals to ensure the integrity and confidentiality of online data.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.853Z", "modified": "2025-12-18T15:25:23.853Z", "confidence": 95, "type": "identity", "id": "identity--b3bdea14-e0b2-4345-a6dd-a8d4a32eaada", "name": "Project AEGIS", "identity_class": "system", "labels": [ "identity" ], "description": "Project AEGIS is a fully autonomous adversarial machine learning (ML) simulation tool designed to test the effectiveness of deception techniques, such as Honey Tokens, against smart AI attackers. This tool is used to simulate and analyze the behavior of AI-powered attacks, allowing researchers to evaluate the efficacy of various defensive strategies. By providing a controlled environment for testing, Project AEGIS enables the development of more robust and resilient security systems.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.853Z", "modified": "2025-12-18T15:25:23.853Z", "confidence": 95, "type": "identity", "id": "identity--161fc746-cd49-4615-ab48-81a93a1b16b4", "name": "GitHub", "identity_class": "organization", "labels": [ "identity" ], "description": "GitHub is a prominent web-based platform that facilitates version control and collaboration on software development projects. It enables users to store, manage, and share code repositories, making it a crucial tool for developers worldwide. GitHub also provides security features such as dependency scanning and security alerts to help users identify and mitigate vulnerabilities in their code.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.853Z", "modified": "2025-12-18T15:25:23.853Z", "confidence": 95, "type": "identity", "id": "identity--d656b75c-7852-4c6e-b421-a822d7664ae7", "name": "Hewlett Packard Enterprise", "identity_class": "organization", "labels": [ "identity" ], "description": "Hewlett Packard Enterprise (HPE) is a multinational information technology company specializing in providing enterprise-level solutions. HPE offers a broad range of products and services, including servers, storage systems, networking equipment, and software solutions tailored for business customers. Notably, HPE develops and maintains software like HPE OneView, which has been subject to security vulnerabilities requiring patches to prevent remote code execution.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.853Z", "modified": "2025-12-18T15:25:23.853Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "name": "APT28", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "description": "APT28 is a sophisticated threat actor group attributed to Russian state-sponsored activities, known for conducting sustained credential-harvesting campaigns targeting users of specific webmail and news services. This group's activities have been observed in various regions, including Ukraine, and are characterized by their use of phishing and other social engineering tactics to compromise user credentials.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.853Z", "modified": "2025-12-18T15:25:23.853Z", "confidence": 95, "type": "identity", "id": "identity--bd8495ee-d647-4863-a669-5e155338dcc4", "name": "Rapid7", "identity_class": "organization", "labels": [ "identity" ], "description": "Rapid7 is a prominent cybersecurity company known for its AI-driven Security Operations Center (SOC) solutions. They provide tools such as Rapid7 InsightIDR, a Security Information and Event Management (SIEM) system, which offers monitoring, detection, and automated response capabilities. Rapid7's solutions are designed to integrate with various security tools, providing AI-based SOC capabilities, auto-investigation of alerts, and automation features to enhance cybersecurity defenses.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.853Z", "modified": "2025-12-18T15:25:23.853Z", "confidence": 95, "type": "threat-actor", "id": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "name": "codenamed UAT", "threat_actor_types": [ "hacker" ], "labels": [ "threat-actor" ], "description": "UAT-9686 is a China-nexus advanced persistent threat (APT) actor that has been actively exploiting a zero-day flaw in Cisco AsyncOS software to target Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. This APT group's activities demonstrate a high level of sophistication and intent to compromise critical infrastructure, highlighting the need for organizations to prioritize vulnerability management and threat intelligence.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.853Z", "modified": "2025-12-18T15:25:23.853Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--aa1845f4-913c-40c6-96ac-d19b1dd58616", "name": "Abuse Elevation Control Mechanism", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" }, { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "x_mitre_id": "T1548", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1548/", "external_id": "T1548" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.854Z", "modified": "2025-12-18T15:25:23.854Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--b3ae94a2-b47a-4b30-9d9a-5c3a1d8717fe", "name": "Access Token Manipulation", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1134", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1134/", "external_id": "T1134" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.854Z", "modified": "2025-12-18T15:25:23.854Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "name": "Exploit Public-Facing Application", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1190", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1190/", "external_id": "T1190" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.854Z", "modified": "2025-12-18T15:25:23.854Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "name": "Exploitation for Client Execution", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1203", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1203/", "external_id": "T1203" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.854Z", "modified": "2025-12-18T15:25:23.854Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "name": "Spearphishing Attachment", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/001/", "external_id": "T1566.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.854Z", "modified": "2025-12-18T15:25:23.854Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "name": "Spearphishing Link", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/002/", "external_id": "T1566.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.854Z", "modified": "2025-12-18T15:25:23.854Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "name": "Spearphishing via Service", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.003", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/003/", "external_id": "T1566.003" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--84b7fc1e-6f1b-4dc6-9bcc-488b2727c7af", "name": "System Information Discovery", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_id": "T1082", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1082/", "external_id": "T1082" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--aafb87d3-d5e3-44d3-9260-c41332dda176", "name": "File and Directory Discovery", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_id": "T1083", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1083/", "external_id": "T1083" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--6ffaba66-d6ac-4af3-b4f3-8a5adabce2bb", "name": "Process Discovery", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_id": "T1057", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1057/", "external_id": "T1057" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "name": "Create or Modify System Process", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1543", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1543/", "external_id": "T1543" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "name": "Boot or Logon Autostart Execution", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1547", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1547/", "external_id": "T1547" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--34e7763c-ff57-4a68-9e1e-ebf4113d5699", "name": "Supply Chain Compromise", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1195", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1195/", "external_id": "T1195" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--c33dd9cf-88cc-4541-ad0d-7cb0b3568581", "name": "Application Layer Protocol", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "x_mitre_id": "T1071", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1071/", "external_id": "T1071" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--85c280bd-77ac-4193-89a6-22f3258889e1", "name": "Non-Application Layer Protocol", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "x_mitre_id": "T1095", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1095/", "external_id": "T1095" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--dbb59a97-9800-4d55-9334-d22a554ef223", "name": "Valid Accounts", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" }, { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1078", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1078/", "external_id": "T1078" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "name": "Command and Scripting Interpreter", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1059", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1059/", "external_id": "T1059" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--d123f673-06c3-45e4-a800-7bb58177799f", "name": "Browser Extensions", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1176.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1176/001/", "external_id": "T1176.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--4e848890-246a-47e8-8d6b-1f4ce8315437", "name": "System Firmware", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "x_mitre_id": "T1542.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1542/001/", "external_id": "T1542.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--e0527a36-7149-4bfd-b201-8a74a4f38dc5", "name": "Kernel Modules and Extensions", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1547.006", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1547/006/", "external_id": "T1547.006" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 78, "type": "attack-pattern", "id": "attack-pattern--39e179f7-eb33-4dba-86f0-c13dbcbd2a1b", "name": "Vulnerabilities", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1588.006", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1588/006/", "external_id": "T1588.006" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 72, "type": "attack-pattern", "id": "attack-pattern--aa4dcee8-9977-4032-8aa1-f12c8350d606", "name": "Browser Session Hijacking", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1185", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1185/", "external_id": "T1185" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "name": "Archive via Utility", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1560.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1560/001/", "external_id": "T1560.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "name": "Screen Capture", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1113", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1113/", "external_id": "T1113" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "name": "Adversary-in-the-Middle", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1557", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1557/", "external_id": "T1557" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "name": "Scheduled Task", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1053.005", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1053/005/", "external_id": "T1053.005" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--5391a1ff-d556-4631-ba60-8905f720bf7f", "name": "Socket Filters", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "x_mitre_id": "T1205.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1205/002/", "external_id": "T1205.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--66e614e6-1ec5-41d9-ba44-34ed358d91aa", "name": "Boot or Logon Initialization Scripts", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1037", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1037/", "external_id": "T1037" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 67, "type": "attack-pattern", "id": "attack-pattern--63aeef6b-2fb0-45bd-b09b-d5ed6c1d0d7c", "name": "Office Application Startup", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1137", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1137/", "external_id": "T1137" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 66, "type": "attack-pattern", "id": "attack-pattern--1d28031b-7dbc-4872-80f3-2948acef8495", "name": "Malware", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1588.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1588/001/", "external_id": "T1588.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "confidence": 65, "type": "attack-pattern", "id": "attack-pattern--c675ce6b-a194-49ed-b0f3-6f0025cd093a", "name": "Office Test", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1137.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1137/002/", "external_id": "T1137.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0aad07ca-ef84-414a-9bd2-5108363b6a4e", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--9246b259-7396-4bbe-8fb6-c229ccc22e6d", "confidence": 60, "description": "Co-occurrence: UAT-9686 and GhostPairing () in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1e204507-50f8-4a96-9cb3-711d30f5ec01", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--aa1845f4-913c-40c6-96ac-d19b1dd58616", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Abuse Elevation Control Mechanism (T1548) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c86fd171-6b98-4352-834d-52de9d56679b", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--b3ae94a2-b47a-4b30-9d9a-5c3a1d8717fe", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Access Token Manipulation (T1134) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--97165ede-9101-469f-a008-ef8b8c373add", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--04d838fc-600d-4299-9928-0c7c7e208962", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--99ce11fa-92ae-4a48-b797-f4b29dbd14ba", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ae32c11e-fa89-4705-94f9-9c45e8a3f6c8", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d612329a-a8ea-4add-9fd8-41674cb204c4", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--decc1e6a-c90f-4170-bb4a-0ab58b1d6600", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--84b7fc1e-6f1b-4dc6-9bcc-488b2727c7af", "confidence": 60, "description": "Co-occurrence: UAT-9686 and System Information Discovery (T1082) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2c024447-60b6-4689-ae55-4edb63d582fd", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--aafb87d3-d5e3-44d3-9260-c41332dda176", "confidence": 60, "description": "Co-occurrence: UAT-9686 and File and Directory Discovery (T1083) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1e0784ff-b050-4b01-83e5-92489c1068dc", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--6ffaba66-d6ac-4af3-b4f3-8a5adabce2bb", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Process Discovery (T1057) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--aa3ec0a4-a43c-410a-a959-6545f35b2a6f", "created": "2025-12-18T15:25:23.855Z", "modified": "2025-12-18T15:25:23.855Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Create or Modify System Process (T1543) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b89eb742-6330-427e-94f3-b547269ee0b2", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Boot or Logon Autostart Execution (T1547) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--19f4ad40-0c19-4a85-ba0a-ae77ba54c179", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--34e7763c-ff57-4a68-9e1e-ebf4113d5699", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Supply Chain Compromise (T1195) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f6015d3a-a5f7-4621-8162-40bb2d43bdf2", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--c33dd9cf-88cc-4541-ad0d-7cb0b3568581", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Application Layer Protocol (T1071) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--79bfad4b-045f-4f91-8ef0-67e251ea3ac2", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--85c280bd-77ac-4193-89a6-22f3258889e1", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Non-Application Layer Protocol (T1095) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--65aa219d-11e3-4e57-b366-53fbfa225bda", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--dbb59a97-9800-4d55-9334-d22a554ef223", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Valid Accounts (T1078) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--61731556-8396-46c1-9104-c1c602706cc3", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7d3eaba3-16d4-41b9-895d-ad3a5b980b46", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--d123f673-06c3-45e4-a800-7bb58177799f", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Browser Extensions (T1176.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--97b2412c-efa1-48f3-96ae-731145379d3c", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--4e848890-246a-47e8-8d6b-1f4ce8315437", "confidence": 60, "description": "Co-occurrence: UAT-9686 and System Firmware (T1542.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e633b239-21c9-4c6b-8830-6c7e3fd5be09", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--e0527a36-7149-4bfd-b201-8a74a4f38dc5", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Kernel Modules and Extensions (T1547.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b1ff2333-243b-4812-94dd-013eab7e7989", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--39e179f7-eb33-4dba-86f0-c13dbcbd2a1b", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Vulnerabilities (T1588.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--62c74539-05f2-4283-831b-f7656d977b8f", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--aa4dcee8-9977-4032-8aa1-f12c8350d606", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Browser Session Hijacking (T1185) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9902108e-134f-4f3a-bd96-508c8f9b172a", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bf780037-545e-406f-b1d6-e6b6ceede857", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d68d0390-a74d-4b1e-a573-880b4fa51b6d", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b5cbdbc9-1d0f-4fc0-8da3-874cca131823", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--48d9826a-dde2-42de-98de-2d763875498d", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--5391a1ff-d556-4631-ba60-8905f720bf7f", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Socket Filters (T1205.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b319736b-dbc2-40bf-937a-2895c6d4d37b", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--66e614e6-1ec5-41d9-ba44-34ed358d91aa", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Boot or Logon Initialization Scripts (T1037) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ba83cc52-b953-4a79-818d-c50b62fd8c2b", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--63aeef6b-2fb0-45bd-b09b-d5ed6c1d0d7c", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Office Application Startup (T1137) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6d563986-acfe-4fb3-af73-2703b5d448f1", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--1d28031b-7dbc-4872-80f3-2948acef8495", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Malware (T1588.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4b959601-2d78-4c40-a108-cdeac55f14d7", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "attack-pattern--c675ce6b-a194-49ed-b0f3-6f0025cd093a", "confidence": 60, "description": "Co-occurrence: UAT-9686 and Office Test (T1137.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0a32777a-858e-421c-9899-5fffc24aa549", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--9246b259-7396-4bbe-8fb6-c229ccc22e6d", "confidence": 60, "description": "Co-occurrence: ShadyPanda and GhostPairing () in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--eb5fe0ea-09c2-4ff1-9667-cf99288bb86f", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--aa1845f4-913c-40c6-96ac-d19b1dd58616", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Abuse Elevation Control Mechanism (T1548) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--aa309a0d-3520-441a-9557-a8f1e00d65d2", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--b3ae94a2-b47a-4b30-9d9a-5c3a1d8717fe", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Access Token Manipulation (T1134) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--78769ea5-4e31-41ca-b978-0547006ebd6f", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fc25bc8b-0ec1-42bf-b29f-8348b468d3fe", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--55ad3d39-92c9-4f1c-8a48-132d10e81802", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b8461c54-2187-466a-9c76-c55ad73444f9", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2f3505df-e962-4599-aa41-707fd98b35c8", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6707f002-a0f2-4750-909b-b201d222e3cd", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--84b7fc1e-6f1b-4dc6-9bcc-488b2727c7af", "confidence": 60, "description": "Co-occurrence: ShadyPanda and System Information Discovery (T1082) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--59afe74c-3d36-4948-a018-a88ff9933e7f", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--aafb87d3-d5e3-44d3-9260-c41332dda176", "confidence": 60, "description": "Co-occurrence: ShadyPanda and File and Directory Discovery (T1083) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--61603f66-e64f-4919-b865-8ba6865d9d13", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--6ffaba66-d6ac-4af3-b4f3-8a5adabce2bb", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Process Discovery (T1057) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--feeab942-4061-4317-a562-2e1dc218269b", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Create or Modify System Process (T1543) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--633d63e8-42c1-48c2-b05d-23b66b96d45e", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Boot or Logon Autostart Execution (T1547) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--11f84063-de43-444a-9016-cee44656ef0e", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--34e7763c-ff57-4a68-9e1e-ebf4113d5699", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Supply Chain Compromise (T1195) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2b43ba8c-a8e4-49c3-94e7-b2febcca13f9", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--c33dd9cf-88cc-4541-ad0d-7cb0b3568581", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Application Layer Protocol (T1071) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b34386da-0dc3-4800-929e-bfa7c35bb7a1", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--85c280bd-77ac-4193-89a6-22f3258889e1", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Non-Application Layer Protocol (T1095) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d79abbef-92d6-4947-a928-fefa6c87ffa4", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--dbb59a97-9800-4d55-9334-d22a554ef223", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Valid Accounts (T1078) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8875bd73-3fce-4377-9554-ce6c5b9931c7", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--375d01df-bfe3-43ab-bb0d-8e0810e3a234", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--d123f673-06c3-45e4-a800-7bb58177799f", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Browser Extensions (T1176.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9e0984aa-75e8-465c-8a44-f8de1f330ece", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--4e848890-246a-47e8-8d6b-1f4ce8315437", "confidence": 60, "description": "Co-occurrence: ShadyPanda and System Firmware (T1542.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cdae1039-8bbe-43eb-b794-19063ae50155", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--e0527a36-7149-4bfd-b201-8a74a4f38dc5", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Kernel Modules and Extensions (T1547.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--45358d22-fa2f-41c5-a2b8-4ef0badc471f", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--39e179f7-eb33-4dba-86f0-c13dbcbd2a1b", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Vulnerabilities (T1588.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--84bb6ca2-bb56-46f8-8472-31ccbea73528", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--aa4dcee8-9977-4032-8aa1-f12c8350d606", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Browser Session Hijacking (T1185) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--359bb1ae-4f76-4062-a673-fda3aab539bf", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--dd6bf28f-1f9a-41d1-9b84-bb64094bdbe9", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7be49a21-55c4-45db-b376-1dc5e1e18e69", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6b66360c-8a30-4451-a268-b8c02d42c005", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0a531af2-f30e-4ccc-8925-3f180a681918", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--5391a1ff-d556-4631-ba60-8905f720bf7f", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Socket Filters (T1205.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fa854871-572b-434f-901e-1ff7ad88b622", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--66e614e6-1ec5-41d9-ba44-34ed358d91aa", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Boot or Logon Initialization Scripts (T1037) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ffb43e2f-e607-4a89-95ef-4a779f54b0b2", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--63aeef6b-2fb0-45bd-b09b-d5ed6c1d0d7c", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Office Application Startup (T1137) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--985381a1-6b4e-434c-9d61-8057417da88b", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--1d28031b-7dbc-4872-80f3-2948acef8495", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Malware (T1588.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6176247e-80b7-48da-826e-e7e5832849d4", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f", "target_ref": "attack-pattern--c675ce6b-a194-49ed-b0f3-6f0025cd093a", "confidence": 60, "description": "Co-occurrence: ShadyPanda and Office Test (T1137.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5aecec61-835f-4454-8280-8ecf2c7edc03", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--9246b259-7396-4bbe-8fb6-c229ccc22e6d", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and GhostPairing () in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1aff14e4-8bf8-496f-bebd-31833ed7cd57", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--aa1845f4-913c-40c6-96ac-d19b1dd58616", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Abuse Elevation Control Mechanism (T1548) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ea48853d-b6d7-4d57-9a9d-eec0fa4722f4", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.856Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--b3ae94a2-b47a-4b30-9d9a-5c3a1d8717fe", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Access Token Manipulation (T1134) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f0fe1777-1860-43f4-8ab7-bfd9260bf84c", "created": "2025-12-18T15:25:23.856Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--eb3fdac4-bdaa-43ac-afc9-dbcb33abed23", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0a3c3b43-47e9-46c5-aa9c-ff9222918dab", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--53d0c296-6f78-481c-8a10-eb55b02b37ae", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cb080dc7-6137-49f9-b3f5-d8a41eea1e05", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d4065064-d098-4d17-ad26-3e6d7f8404e8", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--84b7fc1e-6f1b-4dc6-9bcc-488b2727c7af", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and System Information Discovery (T1082) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--65d97eeb-7fe6-404a-9ea0-8976ee9540dc", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--aafb87d3-d5e3-44d3-9260-c41332dda176", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and File and Directory Discovery (T1083) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f1ab0b52-4467-4de0-ba51-74b7a48740a9", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--6ffaba66-d6ac-4af3-b4f3-8a5adabce2bb", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Process Discovery (T1057) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c64efd12-8d15-483b-9dea-e0d3ca8be496", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Create or Modify System Process (T1543) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2d84899c-e4c1-47e2-a21d-3c6bca94f56b", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Boot or Logon Autostart Execution (T1547) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--70168ae6-bc07-4fa3-aa61-572710b41d1e", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--34e7763c-ff57-4a68-9e1e-ebf4113d5699", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Supply Chain Compromise (T1195) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0dc0e789-8492-4d1f-af87-1bd188dcc1c4", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--c33dd9cf-88cc-4541-ad0d-7cb0b3568581", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Application Layer Protocol (T1071) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5eb309c0-0f38-4e4f-b25d-ccd55b44dd39", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--85c280bd-77ac-4193-89a6-22f3258889e1", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Non-Application Layer Protocol (T1095) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--197f8121-86ca-4fe4-8b56-b6db2266c721", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--dbb59a97-9800-4d55-9334-d22a554ef223", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Valid Accounts (T1078) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--848a4b1d-46e3-4404-b4f6-565c14843fb9", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0c7c4a47-099a-498e-8b91-3c79e54516a3", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--d123f673-06c3-45e4-a800-7bb58177799f", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Browser Extensions (T1176.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--725ea26d-dbd4-4616-ace3-459d88519a2a", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--4e848890-246a-47e8-8d6b-1f4ce8315437", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and System Firmware (T1542.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4fc1f82c-f2d7-47b1-8dc2-3af2da2087e9", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--e0527a36-7149-4bfd-b201-8a74a4f38dc5", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Kernel Modules and Extensions (T1547.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9208e9e6-ce10-46da-b0da-7659139de8b5", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--39e179f7-eb33-4dba-86f0-c13dbcbd2a1b", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Vulnerabilities (T1588.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8c198de0-b9ba-4b93-bd7d-3f2eb7b28ed6", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--aa4dcee8-9977-4032-8aa1-f12c8350d606", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Browser Session Hijacking (T1185) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--764ff2ad-5880-4caa-a7d5-1406822c8c5b", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1b4d6930-9e23-4c3b-bf48-6a9df01eaf44", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--68591271-c35e-4cc9-bc51-3572b822f9e7", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--459f6a5f-7fd2-4542-bada-00d3457dc3ce", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--aba579a2-549b-4140-9112-43ae0b986eac", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--5391a1ff-d556-4631-ba60-8905f720bf7f", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Socket Filters (T1205.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a349c827-6973-4bee-9c1c-fd136deca164", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--66e614e6-1ec5-41d9-ba44-34ed358d91aa", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Boot or Logon Initialization Scripts (T1037) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--281955ac-8cae-435c-89d7-2bad687ee018", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--63aeef6b-2fb0-45bd-b09b-d5ed6c1d0d7c", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Office Application Startup (T1137) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--14684e14-7e65-4bea-9f92-dcab3a89ff77", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--1d28031b-7dbc-4872-80f3-2948acef8495", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Malware (T1588.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--facfff31-3df9-4a62-bc56-897675595a2d", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "target_ref": "attack-pattern--c675ce6b-a194-49ed-b0f3-6f0025cd093a", "confidence": 60, "description": "Co-occurrence: Operation ForumTroll and Office Test (T1137.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--148b34df-4d89-4712-854e-d912b0060a29", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--9246b259-7396-4bbe-8fb6-c229ccc22e6d", "confidence": 60, "description": "Co-occurrence: APT28 and GhostPairing () in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a7a0292a-6a4f-422c-a129-21bde683a346", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--aa1845f4-913c-40c6-96ac-d19b1dd58616", "confidence": 60, "description": "Co-occurrence: APT28 and Abuse Elevation Control Mechanism (T1548) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bd703eeb-3af9-4f53-9887-9dc7e440a318", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--b3ae94a2-b47a-4b30-9d9a-5c3a1d8717fe", "confidence": 60, "description": "Co-occurrence: APT28 and Access Token Manipulation (T1134) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3018be31-0320-4619-8b75-f1623ed42c0a", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "confidence": 60, "description": "Co-occurrence: APT28 and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d1d13bc8-2658-4c58-a94e-a797b0fad460", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "confidence": 60, "description": "Co-occurrence: APT28 and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--454b0647-45aa-4e2e-ae39-827c8dc30f59", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "confidence": 60, "description": "Co-occurrence: APT28 and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0db08369-978b-4972-9825-467e56e1a38d", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "confidence": 60, "description": "Co-occurrence: APT28 and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ec612a9a-8d8f-449e-8a4d-240a2d76564c", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "confidence": 60, "description": "Co-occurrence: APT28 and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--14f1df28-f71a-43a5-b4d3-626b83f7872b", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--84b7fc1e-6f1b-4dc6-9bcc-488b2727c7af", "confidence": 60, "description": "Co-occurrence: APT28 and System Information Discovery (T1082) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--938c81fc-8790-4f57-ae56-7cdf0f531189", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--aafb87d3-d5e3-44d3-9260-c41332dda176", "confidence": 60, "description": "Co-occurrence: APT28 and File and Directory Discovery (T1083) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--71c256b9-7f34-409e-bb64-2181c80fd49d", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--6ffaba66-d6ac-4af3-b4f3-8a5adabce2bb", "confidence": 60, "description": "Co-occurrence: APT28 and Process Discovery (T1057) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9898172d-5709-4aac-9020-5c620455fea5", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "confidence": 60, "description": "Co-occurrence: APT28 and Create or Modify System Process (T1543) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--04ec1724-980c-43bf-b314-5ceb874950ee", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "confidence": 60, "description": "Co-occurrence: APT28 and Boot or Logon Autostart Execution (T1547) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b58675a5-c3a8-444b-8b63-8c34435df113", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--34e7763c-ff57-4a68-9e1e-ebf4113d5699", "confidence": 60, "description": "Co-occurrence: APT28 and Supply Chain Compromise (T1195) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--32e9daa5-7159-4ca7-a0ca-c37d41e224b1", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--c33dd9cf-88cc-4541-ad0d-7cb0b3568581", "confidence": 60, "description": "Co-occurrence: APT28 and Application Layer Protocol (T1071) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1c9c6440-3154-426e-be6e-b9e97e36eeaf", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--85c280bd-77ac-4193-89a6-22f3258889e1", "confidence": 60, "description": "Co-occurrence: APT28 and Non-Application Layer Protocol (T1095) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--22c222ff-2cfc-45ba-9c9e-7caada2c20c6", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--dbb59a97-9800-4d55-9334-d22a554ef223", "confidence": 60, "description": "Co-occurrence: APT28 and Valid Accounts (T1078) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1319a470-0526-4d31-b0d0-bb41acba12bd", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "confidence": 60, "description": "Co-occurrence: APT28 and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--58907b24-e5b3-450d-9159-4064655cedeb", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--d123f673-06c3-45e4-a800-7bb58177799f", "confidence": 60, "description": "Co-occurrence: APT28 and Browser Extensions (T1176.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--740c96e7-896a-4ba4-ad09-a4a1b38aba9d", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--4e848890-246a-47e8-8d6b-1f4ce8315437", "confidence": 60, "description": "Co-occurrence: APT28 and System Firmware (T1542.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7851ce83-f796-4370-8529-b0083a570301", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--e0527a36-7149-4bfd-b201-8a74a4f38dc5", "confidence": 60, "description": "Co-occurrence: APT28 and Kernel Modules and Extensions (T1547.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--346e9b55-b1b7-47de-800e-8252cf6a713f", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--39e179f7-eb33-4dba-86f0-c13dbcbd2a1b", "confidence": 60, "description": "Co-occurrence: APT28 and Vulnerabilities (T1588.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9ae0a71c-1e0f-4ee4-9e64-9c88712b3d63", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--aa4dcee8-9977-4032-8aa1-f12c8350d606", "confidence": 60, "description": "Co-occurrence: APT28 and Browser Session Hijacking (T1185) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ae826215-7fcf-432b-a4d9-40051609708b", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "confidence": 60, "description": "Co-occurrence: APT28 and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--25fce65c-ffda-48e7-a793-2eebac04c31c", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "confidence": 60, "description": "Co-occurrence: APT28 and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1b8fdf62-d1a5-4a5e-aff5-bea47f2a539f", "created": "2025-12-18T15:25:23.857Z", "modified": "2025-12-18T15:25:23.857Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "confidence": 60, "description": "Co-occurrence: APT28 and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--32df8e9f-0ceb-49c5-8b8b-bd36463cf5e8", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "confidence": 60, "description": "Co-occurrence: APT28 and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ab39e2e8-8863-4da7-9130-679a195b1ef2", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--5391a1ff-d556-4631-ba60-8905f720bf7f", "confidence": 60, "description": "Co-occurrence: APT28 and Socket Filters (T1205.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d6edd590-0574-42ce-a4ea-fb16ac04adf1", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--66e614e6-1ec5-41d9-ba44-34ed358d91aa", "confidence": 60, "description": "Co-occurrence: APT28 and Boot or Logon Initialization Scripts (T1037) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--88a6880b-7dda-4b87-8334-e4f95320227e", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--63aeef6b-2fb0-45bd-b09b-d5ed6c1d0d7c", "confidence": 60, "description": "Co-occurrence: APT28 and Office Application Startup (T1137) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--aede9887-e0a7-4972-aab9-ad560a87f3eb", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--1d28031b-7dbc-4872-80f3-2948acef8495", "confidence": 60, "description": "Co-occurrence: APT28 and Malware (T1588.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9a664e6e-9125-4abd-ac43-8e1691c40480", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "attack-pattern--c675ce6b-a194-49ed-b0f3-6f0025cd093a", "confidence": 60, "description": "Co-occurrence: APT28 and Office Test (T1137.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--de109527-5cc3-4e55-8855-1bc0da133bcf", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--9246b259-7396-4bbe-8fb6-c229ccc22e6d", "confidence": 60, "description": "Co-occurrence: codenamed UAT and GhostPairing () in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ef70f0ca-71d8-48c1-aec9-3f4b5c1b72a3", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--aa1845f4-913c-40c6-96ac-d19b1dd58616", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Abuse Elevation Control Mechanism (T1548) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--28d200d7-7676-4e8f-81a2-166d80f9af8e", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--b3ae94a2-b47a-4b30-9d9a-5c3a1d8717fe", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Access Token Manipulation (T1134) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f814a462-90d0-4b8c-b3ff-63b168b67d1b", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2349cac7-17e3-477c-8bf4-bd2df55812b5", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ee1ef8ae-814b-4c3c-834f-31ad82289363", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ec5bf371-4343-48c6-9286-da22b3cc4d66", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4acbe4ef-e60c-48d5-b1f8-b747ecef911d", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--88108878-2be5-4b91-b36c-08b0a3f15f83", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--84b7fc1e-6f1b-4dc6-9bcc-488b2727c7af", "confidence": 60, "description": "Co-occurrence: codenamed UAT and System Information Discovery (T1082) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--52a7ed65-b7b4-406a-ac2c-50b67d0961aa", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--aafb87d3-d5e3-44d3-9260-c41332dda176", "confidence": 60, "description": "Co-occurrence: codenamed UAT and File and Directory Discovery (T1083) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4a4c5641-e495-4eca-908b-998ad95d014c", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--6ffaba66-d6ac-4af3-b4f3-8a5adabce2bb", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Process Discovery (T1057) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e4ff809a-5577-4339-8109-99546020e686", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Create or Modify System Process (T1543) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2ee6e337-64a3-4b82-a333-54cbe4169ff4", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Boot or Logon Autostart Execution (T1547) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7ce60f61-7912-46eb-a793-a5ff5bb71404", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--34e7763c-ff57-4a68-9e1e-ebf4113d5699", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Supply Chain Compromise (T1195) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4b2af402-bf85-42bf-9e66-9ec25231e3db", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--c33dd9cf-88cc-4541-ad0d-7cb0b3568581", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Application Layer Protocol (T1071) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ae79722f-135f-4e36-b959-2a7fc0212fa6", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--85c280bd-77ac-4193-89a6-22f3258889e1", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Non-Application Layer Protocol (T1095) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--330d126c-706f-454f-b7d0-1dc87f1dfec2", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--dbb59a97-9800-4d55-9334-d22a554ef223", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Valid Accounts (T1078) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ca7cc123-950c-4a97-8bc1-6539c5b40660", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a78db522-4728-48ba-8ae4-7ee32f0c068b", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--d123f673-06c3-45e4-a800-7bb58177799f", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Browser Extensions (T1176.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--220009d6-8be6-4386-8953-29f7aa15e49d", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--4e848890-246a-47e8-8d6b-1f4ce8315437", "confidence": 60, "description": "Co-occurrence: codenamed UAT and System Firmware (T1542.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0c94673e-7ba6-44b1-be8d-425bdbd872a6", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--e0527a36-7149-4bfd-b201-8a74a4f38dc5", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Kernel Modules and Extensions (T1547.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--15da1154-5d68-4f3f-bc5b-adb5529eeed7", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--39e179f7-eb33-4dba-86f0-c13dbcbd2a1b", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Vulnerabilities (T1588.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5f1e7ccf-f5b9-460c-9011-d300b31cfd32", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--aa4dcee8-9977-4032-8aa1-f12c8350d606", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Browser Session Hijacking (T1185) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b0e330f4-fbc1-46c5-84ad-bf34e20665e6", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f2507d68-c207-4583-81f8-bcb94ed61f91", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1234b719-16b3-428d-a877-e45a9d9c3776", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6c9d29be-2ec8-46d5-adb7-31fccc2c81bf", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7f5a2618-46f0-4f6a-b8f2-7e5b86f9e37a", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--5391a1ff-d556-4631-ba60-8905f720bf7f", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Socket Filters (T1205.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cb2389e1-3497-43cc-aa84-6c3b6a807b77", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--66e614e6-1ec5-41d9-ba44-34ed358d91aa", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Boot or Logon Initialization Scripts (T1037) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9abff608-8ff6-4d26-a5f2-3f88c968b64b", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--63aeef6b-2fb0-45bd-b09b-d5ed6c1d0d7c", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Office Application Startup (T1137) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--46344d6e-3c20-4fad-b6aa-f56a9156f13d", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--1d28031b-7dbc-4872-80f3-2948acef8495", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Malware (T1588.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f14e4051-784a-4a23-a925-2ee0dfea1d37", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "target_ref": "attack-pattern--c675ce6b-a194-49ed-b0f3-6f0025cd093a", "confidence": 60, "description": "Co-occurrence: codenamed UAT and Office Test (T1137.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2d06715c-0518-42b3-8b24-e01d589ac272", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--9246b259-7396-4bbe-8fb6-c229ccc22e6d", "confidence": 55, "description": "Co-occurrence: DarkGate malware and GhostPairing () in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0c772933-5d1f-4a0c-a24c-2c113f21c1e5", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--aa1845f4-913c-40c6-96ac-d19b1dd58616", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Abuse Elevation Control Mechanism (T1548) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ba49f23b-7699-41a2-a6ff-2e0b61292d89", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--b3ae94a2-b47a-4b30-9d9a-5c3a1d8717fe", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Access Token Manipulation (T1134) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--65518a4e-d3b7-46ec-a552-2e93718c49d3", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--c99b8707-1226-4372-9f66-73b5d45b3f78", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ce580501-553b-445b-a81f-923f5566581a", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--f826e543-c895-41dc-bac3-389ef1a14778", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b189cb77-fce1-4cdd-bf8c-ea9455d18644", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--4aa52e9f-03db-4ed5-95a5-13ee3d59c0c9", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--81288d8a-8799-4f69-ac08-682193cf556d", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--0f708337-bf93-4058-bd1e-02de7daccae3", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4f86b40a-5a1b-468e-b759-c1324608709f", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--25e754f9-fb2d-471d-9dff-3828bb7ea3bb", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e29086b3-ea44-4c57-af50-84dd4c594432", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--84b7fc1e-6f1b-4dc6-9bcc-488b2727c7af", "confidence": 55, "description": "Co-occurrence: DarkGate malware and System Information Discovery (T1082) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--df884b11-0b7a-48d1-87f6-d976516ff652", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--aafb87d3-d5e3-44d3-9260-c41332dda176", "confidence": 55, "description": "Co-occurrence: DarkGate malware and File and Directory Discovery (T1083) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f921b5f7-e3ad-4323-8fe3-a7b0d82f65d2", "created": "2025-12-18T15:25:23.858Z", "modified": "2025-12-18T15:25:23.858Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--6ffaba66-d6ac-4af3-b4f3-8a5adabce2bb", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Process Discovery (T1057) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1e9a51be-a71c-4c96-9bae-a9674979f85c", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--f17cca1e-3dc9-4560-9d62-a742bfe947ec", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Create or Modify System Process (T1543) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--949ce607-b538-410a-88f8-ad51b53e15d7", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--1b66db10-73b6-438b-a141-759fcc3f9b66", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Boot or Logon Autostart Execution (T1547) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c797c214-a6da-4d5c-9643-4d9a810616c0", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--34e7763c-ff57-4a68-9e1e-ebf4113d5699", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Supply Chain Compromise (T1195) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cc675c4b-8117-4809-8202-0857e45c5f46", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--c33dd9cf-88cc-4541-ad0d-7cb0b3568581", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Application Layer Protocol (T1071) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a1b33cad-7aa1-4e0d-8acd-30ff526e95b1", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--85c280bd-77ac-4193-89a6-22f3258889e1", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Non-Application Layer Protocol (T1095) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--20c52f95-c365-4b01-9797-af2c15a67349", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--dbb59a97-9800-4d55-9334-d22a554ef223", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Valid Accounts (T1078) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ed3186a8-7d81-42d4-8244-18c97101f6d4", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--d5f68c3e-3583-497a-8fd3-6fe32b38bf5f", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6ab0947f-a482-4367-a205-0a552fc5a29e", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--d123f673-06c3-45e4-a800-7bb58177799f", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Browser Extensions (T1176.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f0385972-ae21-4cb2-8acf-8ba8a8bf1df4", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--4e848890-246a-47e8-8d6b-1f4ce8315437", "confidence": 55, "description": "Co-occurrence: DarkGate malware and System Firmware (T1542.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3705273c-148d-4049-9977-35913ae0ae5e", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--e0527a36-7149-4bfd-b201-8a74a4f38dc5", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Kernel Modules and Extensions (T1547.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4594e999-b23f-4b8d-9b49-0cd8defed251", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--39e179f7-eb33-4dba-86f0-c13dbcbd2a1b", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Vulnerabilities (T1588.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--83fad3ce-ccb9-471c-9838-391afa7aaa13", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--aa4dcee8-9977-4032-8aa1-f12c8350d606", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Browser Session Hijacking (T1185) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--424b78cf-69f9-41b8-8e90-b1d24c195727", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--cc16d880-ad7c-42bb-98e3-ec0ea5e864bf", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--22fb3bda-5f3d-4c1b-80aa-2f1265043c79", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--cc98d5fb-a57e-47af-845c-7805ee3a7946", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--883c507b-9f10-485e-a518-619d45a21449", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--f25aeb02-492b-4d84-ba74-953779e3c255", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fedf72b0-266e-4f0f-893b-f48f9dc46bd9", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--e57f3d8f-db5e-465c-9294-c7831e03227e", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Scheduled Task (T1053.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--15ff4861-a2b5-4dce-839a-24b3ee293214", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--5391a1ff-d556-4631-ba60-8905f720bf7f", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Socket Filters (T1205.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0ca21017-39b0-4472-9610-97f7e0368fc1", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--66e614e6-1ec5-41d9-ba44-34ed358d91aa", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Boot or Logon Initialization Scripts (T1037) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a99125e3-c890-4c91-84e8-94da0551b53f", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--63aeef6b-2fb0-45bd-b09b-d5ed6c1d0d7c", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Office Application Startup (T1137) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2562d42b-d6a6-478d-9929-4e1b77d12f0e", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--1d28031b-7dbc-4872-80f3-2948acef8495", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Malware (T1588.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4e7da082-edcd-4d65-9acf-f7f24558e59c", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "uses", "source_ref": "malware--11ffba4c-863f-46af-a191-bcd8a5e36a8f", "target_ref": "attack-pattern--c675ce6b-a194-49ed-b0f3-6f0025cd093a", "confidence": 55, "description": "Co-occurrence: DarkGate malware and Office Test (T1137.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--087110ba-3fb7-49ea-8eb5-886dc5209284", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "related-to", "source_ref": "threat-actor--460baef6-757d-4a45-9a3d-6919e602294a", "target_ref": "threat-actor--06287371-a463-4db8-998f-ece0a325d389", "confidence": 85, "description": "Both entities describe the same threat actor", "x_validation_method": "llm-semantic-discovery" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9131c249-09a8-43a8-b9bb-743384d166a3", "created": "2025-12-18T15:25:23.859Z", "modified": "2025-12-18T15:25:23.859Z", "relationship_type": "related-to", "source_ref": "threat-actor--a4948aa2-fa1b-40cb-ad64-3bab783f6427", "target_ref": "threat-actor--24ca391b-d7ed-46a2-84ce-d4e0d6cbe04f", "confidence": 85, "description": "Operation ForumTroll is attributed to a threat actor, and APT28 is a known threat actor with similar activities", "x_validation_method": "llm-semantic-discovery" }, { "type": "file:hashes.MD5", "value": "149da23d732922b04f82d634750532f3", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "Kaspersky crimeware report: Emotet, DarkGate and LokiBot | Securelist" ], "id": "file:hashes.MD5--ccab0b91-c9fb-4d01-9d46-69f13f081d43" }, { "type": "file:hashes.MD5", "value": "1b9e9d90136d033a52d2c282503f33b7", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "Kaspersky crimeware report: Emotet, DarkGate and LokiBot | Securelist" ], "id": "file:hashes.MD5--0db5088f-cb05-4590-a73a-da9a76f0fba5" }, { "type": "file:hashes.MD5", "value": "238f7e8cd973a386b61348ab2629a912", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "Kaspersky crimeware report: Emotet, DarkGate and LokiBot | Securelist" ], "id": "file:hashes.MD5--a298daf4-5a30-4fec-b560-a05ed87e950a" }, { "type": "file:hashes.MD5", "value": "2c5cf406f3e4cfa448b167751eaea73b", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "Kaspersky crimeware report: Emotet, DarkGate and LokiBot | Securelist" ], "id": "file:hashes.MD5--bb31bfa6-a8c4-48cd-984b-160410157444" }, { "type": "file:hashes.MD5", "value": "31707f4c58be2db4fc43cba74f22c9e2", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "Kaspersky crimeware report: Emotet, DarkGate and LokiBot | Securelist" ], "id": "file:hashes.MD5--336221b0-03c5-4cc4-a6d7-73b6e811bd88" }, { "type": "file:hashes.MD5", "value": "df3ee4fb63c971899e15479f9bca6853", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "Kaspersky crimeware report: Emotet, DarkGate and LokiBot | Securelist" ], "id": "file:hashes.MD5--8f84a4fd-846d-40ee-86f9-4e5a9ba976b0" }, { "type": "file:hashes.SHA-1", "value": "667c5c6660607276bc76af4c87dc2daf67605115", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "Kaspersky crimeware report: Emotet, DarkGate and LokiBot | Securelist" ], "id": "file:hashes.SHA-1--921cb24d-d05b-4528-a75e-fddb89558217" }, { "type": "file:hashes.SHA-256", "value": "8924eb9498e658c131a56354ee7f6577e51e028a518b614a027911d2cdf4e279", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "Kaspersky crimeware report: Emotet, DarkGate and LokiBot | Securelist" ], "id": "file:hashes.SHA-256--dfaf5644-cfa9-449d-a20c-bee2dad0a21b" }, { "type": "file:hashes.MD5", "value": "b2d5a1369b5b88c18e5123b948683ba8", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot" ], "id": "file:hashes.MD5--258c2c01-3547-49ff-baeb-e3d86aa5b40a" }, { "type": "file:hashes.SHA-1", "value": "7f537f5045e5e4b77ccb8dcfbd04555b85b11821", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot" ], "id": "file:hashes.SHA-1--e450e7e2-9da9-48cc-a54b-f54b181777a9" }, { "type": "file:hashes.SHA-256", "value": "206042ec2b6bc377296c8b7901ce1a00c393df89e7c4cbbb1b8da1a86a153b67", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot" ], "id": "file:hashes.SHA-256--6bc4280f-c721-42a8-b1ae-147f70db874f" }, { "type": "file:hashes.SHA-256", "value": "9a7db0204847d26515ed249f9ed577220326f63a724a2e0fb6bb1d8cd33508a3", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot" ], "id": "file:hashes.SHA-256--cea44c92-223b-4595-be1f-6a4129d39284" }, { "type": "file:hashes.SHA-256", "value": "e5ca3a8732a4645de632d0a6edfaf064bdd34a4824102fbc2b328a974350db8f", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot" ], "id": "file:hashes.SHA-256--7d0a91c6-5188-45e8-b4aa-55aad0b049aa" }, { "type": "domain-name", "value": "a4scan.com", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot" ], "id": "domain-name--993974a9-668a-48ae-88ff-f360c4b12726" }, { "type": "domain-name", "value": "advanced-ip-scanne.com", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot" ], "id": "domain-name--1226ddba-ab91-428d-8f23-0b702db3ba7b" }, { "type": "domain-name", "value": "advanced-ips-scanne.com", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot" ], "id": "domain-name--bd07adf0-d69d-49c0-8e95-34bb060e9f8f" }, { "type": "domain-name", "value": "advancedscanner.link", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot" ], "id": "domain-name--2b694ead-197b-414a-805c-afacd9be9874" }, { "type": "domain-name", "value": "ipadvancedscanner.com", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot" ], "id": "domain-name--4fcbfbe0-6812-4372-9ad7-33524cdc6f6b" }, { "type": "domain-name", "value": "top.advscan.com", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot" ], "id": "domain-name--c19a29e4-5e24-4df6-98a4-4cdd9068fd3b" }, { "type": "domain-name", "value": "ipangry.com", "source": "OTX", "malware_families": [ "DarkGate malware" ], "pulse_names": [ "DarkGate reloaded via malvertising and SEO poisoning campaigns" ], "id": "domain-name--becc53bd-4341-4ab2-a723-4deb938826c7" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--749655ba-82cd-48ce-bbb5-fc14de3f1620", "created": "2025-12-18T15:21:31.077Z", "modified": "2025-12-18T15:21:31.077Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'a4scan.com']", "pattern_type": "stix", "valid_from": "2025-12-18T15:21:31.077Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f42b2236-fc6c-44f5-bbb0-e3bf9296b6eb", "created": "2025-12-18T15:21:31.077Z", "modified": "2025-12-18T15:21:31.077Z", "relationship_type": "based-on", "source_ref": "indicator--749655ba-82cd-48ce-bbb5-fc14de3f1620", "target_ref": "domain-name--993974a9-668a-48ae-88ff-f360c4b12726" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--398bffe0-15d0-4617-a52e-7bc2c33fce65", "created": "2025-12-18T15:21:31.086Z", "modified": "2025-12-18T15:21:31.086Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'advanced-ip-scanne.com']", "pattern_type": "stix", "valid_from": "2025-12-18T15:21:31.086Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7b65788b-6d7d-4e03-afbc-cda532d7780b", "created": "2025-12-18T15:21:31.086Z", "modified": "2025-12-18T15:21:31.086Z", "relationship_type": "based-on", "source_ref": "indicator--398bffe0-15d0-4617-a52e-7bc2c33fce65", "target_ref": "domain-name--1226ddba-ab91-428d-8f23-0b702db3ba7b" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c2319a40-b296-4dcb-8c6d-cd9a62fa6139", "created": "2025-12-18T15:21:31.096Z", "modified": "2025-12-18T15:21:31.096Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'advanced-ips-scanne.com']", "pattern_type": "stix", "valid_from": "2025-12-18T15:21:31.096Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--18660ab7-a67f-431c-bcf8-c8dc404cb938", "created": "2025-12-18T15:21:31.096Z", "modified": "2025-12-18T15:21:31.096Z", "relationship_type": "based-on", "source_ref": "indicator--c2319a40-b296-4dcb-8c6d-cd9a62fa6139", "target_ref": "domain-name--bd07adf0-d69d-49c0-8e95-34bb060e9f8f" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2cc98d83-00ff-4ef6-b3e6-fa806f175a54", "created": "2025-12-18T15:21:31.105Z", "modified": "2025-12-18T15:21:31.105Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'advancedscanner.link']", "pattern_type": "stix", "valid_from": "2025-12-18T15:21:31.105Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1dd7f1fb-d6c0-484c-8b4e-d06cdd61e64f", "created": "2025-12-18T15:21:31.105Z", "modified": "2025-12-18T15:21:31.105Z", "relationship_type": "based-on", "source_ref": "indicator--2cc98d83-00ff-4ef6-b3e6-fa806f175a54", "target_ref": "domain-name--2b694ead-197b-414a-805c-afacd9be9874" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c7ef318d-a4bf-4039-8f3a-da53c94e7745", "created": "2025-12-18T15:21:31.113Z", "modified": "2025-12-18T15:21:31.113Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'ipadvancedscanner.com']", "pattern_type": "stix", "valid_from": "2025-12-18T15:21:31.113Z", "labels": [ "malicious-activity" ], "confidence": 75 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a82a4548-9c13-446d-9bad-bc1a99a106fa", "created": "2025-12-18T15:21:31.113Z", "modified": "2025-12-18T15:21:31.113Z", "relationship_type": "based-on", "source_ref": "indicator--c7ef318d-a4bf-4039-8f3a-da53c94e7745", "target_ref": "domain-name--4fcbfbe0-6812-4372-9ad7-33524cdc6f6b" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a95ed932-fb1f-45d5-aa28-90529c37dc60", "created": "2025-12-18T15:21:31.122Z", "modified": "2025-12-18T15:21:31.122Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'top.advscan.com']", "pattern_type": "stix", "valid_from": "2025-12-18T15:21:31.122Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0f43d436-26a5-4ad2-bd6e-4c8339a9544f", "created": "2025-12-18T15:21:31.122Z", "modified": "2025-12-18T15:21:31.122Z", "relationship_type": "based-on", "source_ref": "indicator--a95ed932-fb1f-45d5-aa28-90529c37dc60", "target_ref": "domain-name--c19a29e4-5e24-4df6-98a4-4cdd9068fd3b" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6805df87-9f8a-4dde-abbe-9fc5fdb54fb2", "created": "2025-12-18T15:21:31.131Z", "modified": "2025-12-18T15:21:31.131Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'ipangry.com']", "pattern_type": "stix", "valid_from": "2025-12-18T15:21:31.131Z", "labels": [ "malicious-activity" ], "confidence": 70 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--535b033f-fb55-4722-9197-49a373d8d4da", "created": "2025-12-18T15:21:31.131Z", "modified": "2025-12-18T15:21:31.131Z", "relationship_type": "based-on", "source_ref": "indicator--6805df87-9f8a-4dde-abbe-9fc5fdb54fb2", "target_ref": "domain-name--becc53bd-4341-4ab2-a723-4deb938826c7" } ] }

Playbook for the Secure Enterprise

Industry Watch

CyberSecurity Latest Rundown

CRITICAL ITEMS

HIGH SEVERITY ITEMS

MEDIUM SEVERITY ITEMS

EXECUTIVE INSIGHTS

VENDOR SPOTLIGHT

DETECTION & RESPONSE KIT

Cookie Notice

STIX 2.1 Threat Intelligence Bundle

If you like MikeGPT CyberSecurity Newsletter, spread the word.