Fri, Jan 2, 2026 • 7-minute read
Healthcare & Finance (HIPAA/SOX)
ELEVATED
Heroes, a curated look at the current cybersecurity landscape for January 2, 2026.
Date & Time: 2025-12-31
Singapore's Cyber Security Agency has issued a warning for a maximum severity vulnerability (CVSS 10.0) in SmarterMail that allows unauthenticated attackers to execute arbitrary code via file upload. This is a "door wide open" scenario where no credentials are needed to take full control of the mail server.
CVE: CVE-2025-52691 | Compliance: SOX, FISMA | Source: SecurityAffairs ↗
Date & Time: 2025-12-31
IBM has disclosed a critical flaw (CVSS 9.8) in its API Connect platform that allows attackers to bypass authentication and gain remote access. This vulnerability undermines the security gateway that manages and secures your organization's APIs.
CVE: CVE-2025-13915 | Compliance: SOX | Source: The Hacker News ↗
Date & Time: 2026-01-02
The RondoDox botnet is actively exploiting a critical flaw in Next.js servers to deploy cryptominers and malware. Operators are weaponizing this vulnerability to compromise web servers at scale.
CVE: CVE-2025-55182 | Compliance: CMMC, SOX | Source: SecurityWeek ↗, SecurityAffairs ↗
Date & Time: 2026-01-01
A new vulnerability dubbed "MongoBleed" allows unauthenticated memory disclosure in MongoDB databases. The flaw is an uninitialized-heap read that can be exploited to leak sensitive data resident in the database's memory.
CVE: CVE-2025-14847 | Compliance: SOX, GDPR | Source: Reddit ↗
Date & Time: 2026-01-01
Trust Wallet has confirmed a second supply-chain attack linked to the "Shai-Hulud" actor, compromising their Chrome extension and resulting in $8.5 million in stolen crypto assets. This highlights the persistent risk of software supply chain compromises.
CVE: n/a | Compliance: SOX | Source: SecurityAffairs ↗
Date & Time: 2026-01-02
Attackers are abusing Google Cloud's Application Integration service to send phishing emails that appear to come from legitimate Google infrastructure. This technique bypasses traditional email filters by leveraging the trust associated with Google's domain.
CVE: n/a | Compliance: HIPAA, SOX | Source: The Hacker News ↗
Date & Time: 2026-01-02
A coordinated campaign targeted Adobe ColdFusion servers over the holiday break, attempting to exploit a dozen known vulnerabilities. Attackers often time such campaigns for holiday periods, when security teams are understaffed.
CVE: n/a | Compliance: SOX | Source: SecurityWeek ↗
Date & Time: 2026-01-01
A massive malicious browser extension campaign codenamed "DarkSpectre" has impacted nearly 9 million users across Chrome, Edge, and Firefox. The extensions are used to harvest user data and inject malicious ads.
CVE: n/a | Compliance: SOX | Source: Lifeboat ↗
Date & Time: 2026-01-02
CISA added 245 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in 2025, representing a 20% increase. This metric highlights the accelerating pace at which threat actors weaponize new flaws.
CVE: n/a | Compliance: SOX, GDPR | Source: Cyble ↗
Date & Time: 2025-12-31
New research from SquareX suggests that Browser AI Agents are becoming a greater security liability than human employees. As organizations rush to adopt AI productivity tools, these agents often have excessive permissions and can be manipulated into performing malicious actions, representing a new attack surface for 2026.
Source: Security Boulevard ↗
Spotlight Rationale: Selected for its relevance to the Google Cloud Email Phishing and RondoDox campaigns, which utilize multi-stage attacks and subtle signals that bypass traditional filters.
Threat Context: Cybercriminals Abuse Google Cloud Email Feature
Platform Focus: Seceon Open Threat Management (OTM) Platform
Seceon addresses the "complexity problem" of modern threats by ingesting and correlating telemetry from web, endpoint, DNS, cloud, and network sources in real time. Unlike traditional SIEMs, which may miss the subtle indicators of the Google Cloud Application Integration abuse or the RondoDox botnet traffic when each is viewed in isolation, Seceon's AI/ML models correlate these low-level signals to reveal the broader attack narrative.
Actionable Platform Guidance: Enable the "AI-Driven Correlation" module specifically for Cloud and Email logs. Configure the platform to flag "anomalous application integration usage" combined with "external email relay" events to detect the specific Google Cloud phishing vector described in today's intelligence.
Source: Seceon ↗, Kratikal ↗
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Seceon
# Seceon OTM Configuration for Multi-Stage Phishing Detection
1. Navigate to Policy Management > Correlation Rules.
2. Create New Rule: "Google Cloud App Integration Abuse".
3. Data Sources: Select 'Email Gateway' AND 'Cloud Audit Logs'.
4. Condition:
   IF (Email.Source_Domain == "google.com" AND Email.Header.X-Originating-IP NOT IN [Known_Google_Ranges])
   AND
   (Cloud.Event == "Application Integration Trigger" WITH Severity > Medium)
5. Action: Set Risk Score +50, Trigger Alert "Potential Cloud Phishing Abuse".
6. Save and Deploy to Staging.
2. YARA Rule for RondoDox Botnet
rule RondoDox_React2Shell_Malware {
    meta:
        description = "Detects RondoDox botnet artifacts targeting React2Shell (CVE-2025-55182)"
        author = "Threat Rundown"
        date = "2026-01-02"
        reference = "https://www.securityweek.com/?p=44801"
        severity = "high"
        tlp = "white"
    strings:
        // Generic English words: on their own they occur in countless benign
        // files, so this is a low-fidelity triage rule, not a blocking signature.
        $s1 = "Future" ascii wide
        $s2 = "You" ascii wide
        $s3 = "Invalid" ascii wide
        $s4 = "Indexing" ascii wide
    condition:
        // "any of" would fire on almost any file containing "You"; require all
        // four strings and a sane file size to keep false positives manageable.
        filesize < 5MB and all of ($s*)
}
3. SIEM Query — Google Cloud Phishing Abuse
index=email sourcetype="google:workspace"
(sender_domain="google.com" OR sender_domain="appspot.com")
(subject="*Action Required*" OR subject="*Security Alert*")
| eval risk_score=case(
    match(headers, "X-Google-App-Integration"), 80,
    match(body, "Application Integration"), 60,
    1==1, 0)
| where risk_score >= 60
| table _time, src_ip, sender_address, subject, risk_score
| sort -_time
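The Seceon correlation rule in section 1 and the SIEM query above express the same detection from two angles: a lure email that claims a google.com sender but originates outside Google's mail ranges, coinciding with an Application Integration trigger in the cloud audit log. The following Python is an added example, not Seceon's code and not the newsletter's own query; it re-implements both pieces of logic over constructed sample events so the scoring can be checked offline. The field names, the 15-minute correlation window and the sender-IP allow-list are assumptions for illustration.

```python
"""Correlate email-gateway events with cloud audit events to flag phishing
sent through a cloud application-integration service.

Added example (not Seceon's code, not the newsletter's query). Field
names, the allow-list of sender IP ranges and the correlation window are
assumptions made for this illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed allow-list of sender IP ranges verified as Google mail
# infrastructure (constructed for this example; derive the production list
# from Google's published SPF records / netblocks).
KNOWN_GOOGLE_RANGES = [ipaddress.ip_network(n)
                       for n in ("209.85.128.0/17", "172.217.0.0/16")]

CORRELATION_WINDOW = timedelta(minutes=15)   # assumed
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Header and body markers taken from the SIEM query above.
HEADER_MARKER = re.compile(r"X-Google-App-Integration")
BODY_MARKER = re.compile(r"Application Integration")


def email_risk(event):
    """Score one email-gateway event the way the SIEM query's case() does:
    80 for the header marker, 60 for the body marker, else 0, and only for
    mail claiming a google.com/appspot.com sender with a lure subject."""
    subject = event["subject"].lower()
    lure = "action required" in subject or "security alert" in subject
    if event["sender_domain"] not in ("google.com", "appspot.com") or not lure:
        return 0
    if HEADER_MARKER.search(event.get("headers", "")):
        return 80
    if BODY_MARKER.search(event.get("body", "")):
        return 60
    return 0


def originates_from_google(event):
    """True when X-Originating-IP falls inside the known Google ranges."""
    ip = ipaddress.ip_address(event["x_originating_ip"])
    return any(ip in net for net in KNOWN_GOOGLE_RANGES)


def correlate(email_events, cloud_events):
    """Vendor rule: google.com sender with an originating IP outside the
    known ranges, coinciding (within the window) with an Application
    Integration trigger of severity above Medium. A hit adds +50 to the
    email's own risk score and raises the alert named in the rule."""
    alerts = []
    for em in email_events:
        if em["sender_domain"] != "google.com" or originates_from_google(em):
            continue
        t_mail = datetime.fromisoformat(em["time"])
        for ce in cloud_events:
            if ce["event"] != "Application Integration Trigger":
                continue
            if SEVERITY_RANK.get(ce["severity"].lower(), 0) <= SEVERITY_RANK["medium"]:
                continue
            if abs(datetime.fromisoformat(ce["time"]) - t_mail) <= CORRELATION_WINDOW:
                alerts.append({
                    "email_id": em["id"],
                    "cloud_event_id": ce["id"],
                    "risk_score": email_risk(em) + 50,
                    "alert": "Potential Cloud Phishing Abuse",
                })
                break   # one alert per email is enough
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EMAILS = [
    {"id": "m1", "time": "2026-01-02T09:00:00", "sender_domain": "google.com",
     "x_originating_ip": "203.0.113.7",
     "subject": "Action Required: confirm your account",
     "headers": "X-Google-App-Integration: int-42", "body": "Please sign in"},
    {"id": "m2", "time": "2026-01-02T09:05:00", "sender_domain": "google.com",
     "x_originating_ip": "209.85.128.10",          # inside the allow-list
     "subject": "Security Alert", "headers": "", "body": ""},
    {"id": "m3", "time": "2026-01-02T13:00:00", "sender_domain": "google.com",
     "x_originating_ip": "198.51.100.5",
     "subject": "Action Required", "headers": "",
     "body": "Sent via Application Integration"},
]
SAMPLE_CLOUD = [
    {"id": "c1", "time": "2026-01-02T08:58:00",
     "event": "Application Integration Trigger", "severity": "High"},
    {"id": "c2", "time": "2026-01-02T12:59:00",
     "event": "Application Integration Trigger", "severity": "Low"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EMAILS, SAMPLE_CLOUD):
        print(alert)
```

Only m1 produces an alert: m2 originates from an allow-listed range, and m3 has no above-Medium trigger inside the window, even though its body alone would score 60 in the SIEM query. That gap is the point of correlating the two sources rather than alerting on either one.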
4. PowerShell Script — SmarterMail Version Check
# Hosts to check; adjust the list to your environment.
$computers = "localhost", "MAIL01", "EXCHANGE01"
foreach ($computer in $computers) {
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        Write-Warning "$computer is unreachable; skipping."
        continue
    }
    Invoke-Command -ComputerName $computer -ScriptBlock {
        # One CIM query returns both the service and its binary path.
        $service = Get-CimInstance -ClassName Win32_Service -Filter "Name='SmarterMail'"
        if (-not $service) {
            Write-Host "SmarterMail not installed on $env:COMPUTERNAME"
            return
        }
        # PathName may be quoted and may carry arguments; keep only the executable.
        $exe = if ($service.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($service.PathName -split ' ')[0] }
        $version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        # Compare Version with the fixed build named in SmarterTools' advisory for CVE-2025-52691.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Path     = $exe
            Version  = $version
        }
    }
}
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
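Before importing a bundle such as the one below, it pays to check that it is internally consistent: every identifier a report or relationship points at should resolve to an object in the bundle, and every identifier should follow the STIX 2.1 `<type>--<uuid>` form (the bundle below, for instance, lists entries such as `file:hashes.MD5--<uuid>` in `object_refs`, which is an observable property path rather than an object type, and a TIP will typically reject or drop them). The following Python is an added example, not the newsletter's code and not any STIX library; it uses only the standard library and a small constructed bundle that imitates the shape of the real one, and it also pulls out vulnerabilities carrying the custom `x_kev_status` property so they can be prioritised.

```python
"""Sanity-check a STIX 2.1 bundle before importing it into a TIP or SIEM.

Added example (standard library only; not the newsletter's code and not a
STIX library). The bundle at the bottom is constructed for this example.
"""
import json
import re

# STIX 2.1 identifier: <object-type>--<UUID>; the type is 3-250 lowercase
# letters, digits and hyphens.
STIX_ID_RE = re.compile(
    r"^[a-z0-9][a-z0-9-]{1,248}[a-z0-9]--"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def iter_refs(obj):
    """Yield (property, id) for every *_ref / *_refs property of a STIX
    object (created_by_ref, object_refs, object_marking_refs, ...)."""
    for key, value in obj.items():
        if key.endswith("_ref") and isinstance(value, str):
            yield key, value
        elif key.endswith("_refs") and isinstance(value, list):
            for item in value:
                yield key, item


def check_bundle(bundle):
    """Return malformed ids, dangling references and KEV-listed
    vulnerabilities found in the bundle, in encounter order."""
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    objects = bundle.get("objects", [])
    present = {o["id"] for o in objects if "id" in o}
    findings = {"malformed_ids": [], "dangling_refs": [], "kev_vulns": []}
    for obj in objects:
        for _prop, ref in iter_refs(obj):
            if not STIX_ID_RE.match(ref):
                findings["malformed_ids"].append(ref)
            elif ref not in present:
                findings["dangling_refs"].append(ref)
        # x_kev_status is a custom property used by this feed, not core STIX.
        if obj.get("type") == "vulnerability" and obj.get("x_kev_status"):
            findings["kev_vulns"].append(obj.get("name"))
    return findings


# Constructed sample bundle (ids are placeholders, not from the real feed).
SAMPLE_BUNDLE = json.loads("""
{
  "type": "bundle",
  "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {"type": "marking-definition", "spec_version": "2.1",
     "id": "marking-definition--00000000-0000-4000-8000-0000000000aa",
     "created": "2022-10-01T00:00:00.000Z", "definition_type": "tlp:2.0",
     "name": "TLP:CLEAR", "definition": {"tlp": "clear"}},
    {"type": "identity", "spec_version": "2.1",
     "id": "identity--00000000-0000-4000-8000-0000000000bb",
     "created": "2026-01-02T00:00:00.000Z", "modified": "2026-01-02T00:00:00.000Z",
     "name": "Example Feed", "identity_class": "organization"},
    {"type": "vulnerability", "spec_version": "2.1",
     "id": "vulnerability--00000000-0000-4000-8000-0000000000cc",
     "created": "2026-01-02T00:00:00.000Z", "modified": "2026-01-02T00:00:00.000Z",
     "name": "CVE-2025-55182", "x_kev_status": true,
     "object_marking_refs": ["marking-definition--00000000-0000-4000-8000-0000000000aa"]},
    {"type": "vulnerability", "spec_version": "2.1",
     "id": "vulnerability--00000000-0000-4000-8000-0000000000dd",
     "created": "2026-01-02T00:00:00.000Z", "modified": "2026-01-02T00:00:00.000Z",
     "name": "CVE-2025-13915", "x_kev_status": false},
    {"type": "report", "spec_version": "2.1",
     "id": "report--00000000-0000-4000-8000-0000000000ee",
     "created": "2026-01-02T00:00:00.000Z", "modified": "2026-01-02T00:00:00.000Z",
     "name": "Sample report", "published": "2026-01-02T00:00:00.000Z",
     "created_by_ref": "identity--00000000-0000-4000-8000-0000000000bb",
     "object_refs": [
       "vulnerability--00000000-0000-4000-8000-0000000000cc",
       "vulnerability--00000000-0000-4000-8000-0000000000dd",
       "indicator--00000000-0000-4000-8000-0000000000ff",
       "file:hashes.MD5--00000000-0000-4000-8000-000000000011"]}
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(check_bundle(SAMPLE_BUNDLE), indent=2))
```

Run against the real bundle, the same check would report each `file:hashes.*` and `domain-name` entry that has no matching object and surface the KEV-listed CVEs (CVE-2025-55182 and CVE-2025-14847 in today's feed) for patch prioritisation.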
{
"type": "bundle",
"id": "bundle--aca67750-0835-4f25-9341-720b85ffa6b7",
"objects": [
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"created": "2022-10-01T00:00:00.000Z",
"definition_type": "tlp:2.0",
"name": "TLP:CLEAR",
"definition": {
"tlp": "clear"
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--9a24fd6d-a586-48db-bb08-aab62ea607ab",
"created": "2026-01-02T12:39:26.244Z",
"modified": "2026-01-02T12:39:26.244Z",
"name": "MikeGPT Intelligence Platform",
"description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds",
"identity_class": "organization",
"sectors": [
"technology",
"defense"
],
"contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--9665c651-ab12-4881-b09e-39d75ed5ad65",
"created": "2026-01-02T12:39:26.244Z",
"modified": "2026-01-02T12:39:26.244Z",
"name": "Threat Intelligence Report - 2026-01-02",
"description": "Threat Intelligence Report - 2026-01-02\n\nThis report consolidates actionable cybersecurity intelligence from 62 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• RondoDox Botnet Exploiting React2Shell Vulnerability (Score: 100)\n• Cybercriminals Abuse Google Cloud Email Feature in Multi-Stage Phishing Campaign (Score: 100)\n• Adobe ColdFusion Servers Targeted in Coordinated Campaign (Score: 100)\n• CISA Known Exploited Vulnerabilities Surged 20% in 2025 (Score: 100)\n• React2Shell under attack: RondoDox Botnet spreads miners and malware (Score: 100)\n\nEXTRACTED ENTITIES:\n• 16 Attack Pattern(s)\n• 23 Domain Name(s)\n• 12 File:Hashes.Md5(s)\n• 8 File:Hashes.Sha 1(s)\n• 23 Indicator(s)\n• 3 Malware(s)\n• 1 Marking Definition(s)\n• 93 Relationship(s)\n• 3 Threat Actor(s)\n• 11 Tool(s)\n• 8 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n",
"published": "2026-01-02T12:39:26.244Z",
"object_refs": [
"identity--9a24fd6d-a586-48db-bb08-aab62ea607ab",
"malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"vulnerability--b92231d2-d9b1-4177-ab65-401adc9a2c6d",
"identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396",
"identity--b5ce8592-6617-462d-b7e8-8f3a2272a0cf",
"vulnerability--d95868d7-4f07-4d84-b742-07ee4cf4adbf",
"vulnerability--09cfd756-732a-426d-8c11-8d9ddb3e9e05",
"identity--852f1ded-54a0-4678-8751-1aa05a63754e",
"tool--110bd33b-429b-4d56-bc0c-d65f82c89552",
"tool--65ccf4fb-0919-4be6-9835-b712b1f056a5",
"vulnerability--f2c42dbe-e16d-4283-9151-c7c085f96cb9",
"threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"threat-actor--eb542bb6-573d-4d93-81f9-21ecb17ff423",
"tool--eb33f5b9-a211-409d-ba91-a9b0d6b0f75e",
"tool--c34a5a3d-44b4-445d-9d85-478167123542",
"tool--f2491320-0c6c-4b71-a50a-d287256ea95f",
"identity--6741006f-839c-40a5-9d6e-5c3499671c57",
"vulnerability--0939e377-efcf-44d2-ba69-a9794c7184bc",
"vulnerability--0eeed38c-ad53-4d03-91b9-68adce80181b",
"identity--62522ca0-5df7-4a7f-b817-a969c39fad76",
"identity--84cc9f98-37d8-4790-bdcd-597ce6a2e6ac",
"identity--9bafa8cc-056c-4e34-bb2d-61e718a0438b",
"identity--6a693eb5-52d0-4a9c-9407-96e3ba6cdfad",
"identity--3cf91ae9-0a36-4c4f-aad7-9717e2e1a2cd",
"vulnerability--2d772e96-d3ee-4b7e-9d39-aefee3a980da",
"tool--3c84c3be-72bb-491a-aad0-31af4eb5a66d",
"vulnerability--be935a82-14b4-4a2e-a314-fedab3129d53",
"threat-actor--2d398e94-0377-4c95-9239-c472d3f1eca9",
"identity--c562a7c3-1c96-4809-b60a-0e23213ecf63",
"tool--e097aaca-caee-4b4b-aa8f-0ea32c643efe",
"tool--66e228d6-f965-4c4c-945f-949be0c45803",
"tool--cd74e8f4-ca24-409e-9878-ad91c3aa57f1",
"tool--fc1edf37-07d8-470b-a34a-c50f2247b5ea",
"malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"tool--64a2e1d0-3271-4fea-9042-f00f041b6446",
"attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314",
"attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"attack-pattern--88428b3c-f02f-45b8-a38a-0541b2287509",
"attack-pattern--0ec57ff0-0257-4287-888c-8f20c7e08c6b",
"attack-pattern--8dd2a740-fa1b-4f41-be82-018bed51553e",
"attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e",
"attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"attack-pattern--5cf0f3fb-3459-4a3d-ad3c-4700efcfecd8",
"relationship--90a0406c-dc6f-4f4a-b369-007b91ebae74",
"relationship--cf986515-f13f-44d3-9562-6234c5eb9a79",
"relationship--b4eb0925-99e0-430d-b33f-1cb830e758bb",
"relationship--2af95980-1da5-41ec-9e98-6dd72dcc66d2",
"relationship--21fc51ad-202d-42c1-972d-fa9764ef21db",
"relationship--7c520bf0-bbf8-4f00-afec-4c2cf7ca53ab",
"relationship--a552fc15-ed0e-432a-a60f-7a3f150f2819",
"relationship--d1a7eadf-3746-4890-a83c-170933b1066d",
"relationship--a0c4cd7d-83cf-4b74-8a23-15720a133e62",
"relationship--c2d6bac7-3751-41c6-ade3-5cf55856888f",
"relationship--063f5b82-988a-4412-9110-aa0b86ac838a",
"relationship--2ed026b2-9f69-4096-ad86-0e417e5bd5ea",
"relationship--d721ee78-13e0-460d-9251-a8bfa9b40c20",
"relationship--705228c0-a258-4f8c-81a5-36ab2879fd1b",
"relationship--bdd881fb-3d38-4e18-86bf-4df4f00f95f4",
"relationship--61cd4057-dded-455e-9364-643234d6f82c",
"relationship--9d40e904-eaab-4a2b-b7c8-34cc8c406019",
"relationship--58877a1b-a2e6-468f-bb64-bfdc2149e8db",
"relationship--6d822c56-66dd-46ba-a986-b3a66cb5ce5d",
"relationship--c5f3bcc3-4de4-4041-9d62-cbb6a1d53720",
"relationship--15b1ad05-6ee2-4cc1-8700-0f06e580e1da",
"relationship--a7b81bcc-2ae6-413f-a5d5-4e79a4730ada",
"relationship--592d82d3-e47a-4d10-a23a-451f6d54cf04",
"relationship--02a1ff43-0082-4f52-b323-d796c8a86525",
"relationship--bfe9168b-3f74-4e53-b3ad-9b7e2cd2a58b",
"relationship--12e8c1b3-d6b6-4a10-ab80-58d722d312b1",
"relationship--2ac7a692-53ac-4d9b-8c4e-60ebab192a6d",
"relationship--4397f63b-6df0-4e42-92b8-80b38d6fdb3f",
"relationship--b06793ad-3500-4d32-9f09-8b658863c611",
"relationship--05612c4a-125b-4616-89cb-f68f3562d034",
"relationship--edfc2eba-8c88-47b0-95a1-ade3b23fb592",
"relationship--69e50a71-a39c-4689-a081-99850c8a4bef",
"relationship--6673a568-e3b2-4ee3-9c35-3d7bdf9d7704",
"relationship--65d4909a-dc1d-4c5f-8083-0c6c700eff4c",
"relationship--f9ba76dc-00a0-49a5-b1be-42e400436f53",
"relationship--6be5753e-eb1e-496c-8540-47e76701cf8a",
"relationship--ae22acd7-62ad-4bb0-9ba8-304fff6e8e16",
"relationship--43d3e2a9-00fe-4fb7-b44c-062032188247",
"relationship--5207e54a-be63-45a7-90ee-6863c3c7f5a5",
"relationship--f0776186-610d-4ad1-ada4-a30a7c98ccd3",
"relationship--fd1e95e4-02da-44cb-a281-0b4172a6bed4",
"relationship--3f9e6a86-851f-49db-a226-f0e89b99a05a",
"relationship--bf6bded5-93b1-4be8-8bf3-87f0a7184451",
"relationship--da9bf87f-72d9-4920-b932-bee6817622f8",
"relationship--d93befee-8b16-4677-b88b-7ab644a64650",
"relationship--92907e35-c503-4196-b2b2-498a047950aa",
"relationship--7a199d41-bf44-4e54-80ed-e347eaa49087",
"relationship--c95c869d-4b25-444c-8df1-2bedf329cc6c",
"relationship--37308e11-2bff-4979-9876-a7d24defb083",
"relationship--7f061ec0-3268-4061-9ebb-34774cb3b467",
"relationship--d29368f4-0b56-4697-83ae-0f8fa8a07325",
"relationship--7bf3f3ab-36dc-4495-8f0f-34ccc9538986",
"relationship--a27e5de9-63f5-462c-9dc4-ce8a931e84e4",
"relationship--d603ff24-0e18-4489-b83b-fbb032b81944",
"relationship--f6986ec6-ad46-463c-8656-11bb66af868c",
"relationship--392769e5-3f05-4281-aa82-5699f3067e01",
"relationship--39a37a6f-341a-4c67-9eb0-4f24b632f1cb",
"relationship--68a495ea-c63d-4f8c-8656-3b0d85229183",
"relationship--341432df-a52c-4d42-a04f-bcbac976a6b9",
"relationship--243a9a5b-4dea-41bd-ace1-31edc21fd3a2",
"relationship--bf8394ef-1870-4ce4-86e0-ce8e92cbf5dc",
"relationship--7120077d-b85c-46df-9091-4b098e614404",
"relationship--aac23a91-0570-46d4-88cb-692a9c4da306",
"relationship--75b1cad6-1abc-4c04-ab99-d863ff9cba29",
"relationship--9bcc0918-73c6-479a-b9eb-a89a2276d8a6",
"relationship--89caf2c6-c7e2-426d-8688-4b1033f9dc71",
"relationship--58ade21e-6178-4291-a741-8a22c8255f79",
"relationship--03d8bb12-9f9a-4f0c-8e74-2e8e61b283d8",
"relationship--40851a02-22f0-4dfd-a75c-f1f426b7b1c9",
"relationship--0cdff21b-5155-4a9d-a6c3-cb52fff24898",
"file:hashes.MD5--22659bba-866a-4a76-8bc9-12a89c5c117e",
"file:hashes.MD5--549c17f0-6d26-4fe9-950d-639e35b0aaf9",
"file:hashes.MD5--02882737-8de6-472a-933c-e20cdd5ca90e",
"file:hashes.MD5--e4bbab79-87d4-47d1-9cb7-a1e0823e961b",
"file:hashes.MD5--97a94d52-ce8b-48ac-9d79-704beba94ae6",
"file:hashes.MD5--4ce5e15b-2acd-4571-a5ce-463b7a91bfdc",
"file:hashes.MD5--a1cc5ebb-dea3-4ad4-b3ff-2dba0ea8c79e",
"file:hashes.MD5--477e87c6-ff7e-45dc-b78e-36cdc2aa2bab",
"file:hashes.MD5--836f761a-af62-4e5e-a266-938c06a4464e",
"file:hashes.MD5--e897c6f6-1903-45ff-b176-57d774c3076d",
"file:hashes.MD5--f0679444-2b5f-402e-8a68-7d67d7f9294e",
"file:hashes.MD5--fd8385cb-fd2d-4c49-9b9f-6ae1ae880592",
"file:hashes.SHA-1--e11f5338-bbbc-48d5-9633-9d3e1d66ce60",
"file:hashes.SHA-1--83dd181e-5a5a-4531-bfd1-63574090b033",
"file:hashes.SHA-1--829a6f68-0ce6-467f-9df2-3382acaee30b",
"file:hashes.SHA-1--319a836a-745a-43d8-97c3-1405ceed85f5",
"file:hashes.SHA-1--0deab427-779f-4cba-a929-f0932ebdf338",
"file:hashes.SHA-1--61318092-b63d-4fa7-acd5-ac063b0c46ae",
"file:hashes.SHA-1--347d4395-9822-4056-b55c-37595828ea55",
"file:hashes.SHA-1--b08d0f4c-72b2-4af5-ab51-0734ab0a5872",
"domain-name--09f89b5f-6d7f-465c-afe1-d201a8a19cd9",
"domain-name--514ce44f-efda-4e7d-a69f-98cd7b2922f5",
"domain-name--533b5e6b-5821-4295-abe6-f39797febb5b",
"domain-name--7b702c6e-c293-4a3a-9668-83e1cf4426ef",
"domain-name--2ec55aae-9943-4991-9e5c-38c575def978",
"domain-name--31dd4ee6-4a65-48dc-a231-6882cc6ccbf9",
"domain-name--aa1780be-acaa-442d-a3fb-25cceb006604",
"domain-name--e90ac1b2-ffc4-4646-a3cc-0d4f8298bb8e",
"domain-name--0cd13fbd-0716-4a3b-8584-50ee7aa84f08",
"domain-name--27deadcc-ad34-4a8d-8646-722572e3e01a",
"domain-name--dc45ddb2-b718-4f19-89dd-a97e3b361f85",
"domain-name--1c93f9b2-7662-4f3f-aca4-928cee116983",
"domain-name--a9e384b6-2522-4019-90e5-459bf2b81249",
"domain-name--7844e0ef-9f49-431b-a795-4292e4798d4f",
"domain-name--ba4a7349-9dc9-4d74-95ce-e72aeed97806",
"domain-name--249cd7f1-cc79-46ce-b4eb-9c7323544377",
"domain-name--592be6f9-fee6-4a1f-8559-f06989c2e2b5",
"domain-name--6fdcab22-2def-48e1-a8c0-51965446cedb",
"domain-name--752d79e5-63e1-4c6a-916e-cd69fbdda636",
"domain-name--f13433ce-a320-469e-aa8a-88fab05fd581",
"domain-name--f0c9f53f-c9bb-4852-bfb9-e03287c69e49",
"domain-name--6291c0ee-ac03-4da4-97f0-63f3f4c352c7",
"domain-name--a77cca0e-3498-4000-b6f9-d42d27ea9900",
"indicator--a2929553-abcf-49a6-83bd-251406a12e97",
"relationship--312ad359-86c5-4494-ad49-cf0d0104154e",
"indicator--162887a3-ef33-4a53-9098-a6d19bc2df14",
"relationship--2c6a3a6b-59f9-43ee-9442-4b2e8ee4f0cf",
"indicator--d9fb8a89-5b5b-4551-868d-1eca85d96633",
"relationship--b1d3272d-9eca-4801-9813-04f45afe7317",
"indicator--24c5dfbe-110e-4ac5-94cd-156b873e97c7",
"relationship--d5e239af-bb9e-4c4b-b0c0-3bd9b9c851bd",
"indicator--644b13c0-f04f-461e-8451-ad8a5ca15f0b",
"relationship--2d045e53-25b8-4ad5-9bd7-3d801883e262",
"indicator--709fd8a5-2d2a-4ee9-be77-9fced7f1a359",
"relationship--66a7e412-9c51-4d36-bdfe-a662dbb3b75a",
"indicator--3ca3ee22-361e-4a17-a4ed-f3cc6defca1d",
"relationship--4b9bfeed-78ad-4273-9bad-3cb66d7f9edc",
"indicator--a8818498-0b2d-4b9d-8f54-ee6c4ab43abf",
"relationship--ac820a25-7b80-423d-b3a8-576438571d84",
"indicator--21289a7c-bcd5-4679-a0d4-4ba8d87d83bc",
"relationship--dc5f95a0-fc26-4420-bb16-0ab553bd2d7e",
"indicator--87e8b4ee-01b0-4df6-84d8-054ca63c83ed",
"relationship--bd53548b-5d8a-4bd6-bee8-e45c762188ba",
"indicator--db0beeea-550d-48bc-a72f-3c09ffd17198",
"relationship--54a552e3-64c5-4a7b-a767-ed88bfb8b1d6",
"indicator--ce49436e-cd85-462b-be8e-3fc61319e3e6",
"relationship--39259367-5df0-4bbd-9898-08487df1acce",
"indicator--8b983d63-5871-48ef-a1f9-35a583cfcb88",
"relationship--a89f2c25-8ee3-4372-b1c8-6771fd683f1d",
"indicator--edb44467-5e82-4605-8b13-edb2ca6287bb",
"relationship--09bead34-f270-434f-ab92-5e80c6fbe6b1",
"indicator--c16767d5-d767-4fc5-bfd4-aa0c22fcbd62",
"relationship--ba0f3473-d4e7-408f-96d5-c3755b9c5007",
"indicator--203897dc-29fb-4ccd-9aa7-2abb91c1025a",
"relationship--2e2b0231-e356-4941-8c3d-7aad950980d3",
"indicator--5b0e03d8-9cf8-4025-ad2d-edb7056a5b58",
"relationship--90a1d571-950b-4f2a-a430-0c4190f5174c",
"indicator--66988d65-506c-445f-b5ee-40331e805722",
"relationship--5560c51b-cf9a-4c26-825e-585b5f0d2a24",
"indicator--a2daa877-18af-429a-aab5-a3b9db4c6f57",
"relationship--977c7147-2436-4531-bc84-5ef5c9241f4b",
"indicator--e640f940-ac64-4169-9540-f6f0ee48468c",
"relationship--a46f3d40-146f-4344-a47e-881b96a7a975",
"indicator--0990d0c1-8c99-45ee-9dad-a5135805d401",
"relationship--6f1db20d-dcd0-4adc-a08f-c40abd2a005d",
"indicator--1a18b5e2-c1a9-47eb-85d4-71fa184f88d2",
"relationship--e516de2a-6b45-4617-aefb-35327862c530",
"indicator--6bd2278e-c3a2-4d41-9450-65b53e78aacd",
"relationship--ff39fdb6-6193-4ad9-ad92-9d40230692b3"
],
"labels": [
"threat-report",
"threat-intelligence"
],
"created_by_ref": "identity--9a24fd6d-a586-48db-bb08-aab62ea607ab",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.237Z",
"modified": "2026-01-02T12:39:26.237Z",
"confidence": 95,
"type": "malware",
"id": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"name": "RondoDox",
"is_family": true,
"malware_types": [
"bot"
],
"labels": [
"malicious-activity"
],
"description": "A botnet exploiting a vulnerability",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.237Z",
"modified": "2026-01-02T12:39:26.237Z",
"confidence": 92,
"type": "vulnerability",
"id": "vulnerability--b92231d2-d9b1-4177-ab65-401adc9a2c6d",
"name": "SecurityWeek",
"description": "A vulnerability in MongoDB",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.237Z",
"modified": "2026-01-02T12:39:26.237Z",
"confidence": 95,
"type": "identity",
"id": "identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396",
"name": "Google",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Google is a company",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.237Z",
"modified": "2026-01-02T12:39:26.237Z",
"confidence": 95,
"type": "identity",
"id": "identity--b5ce8592-6617-462d-b7e8-8f3a2272a0cf",
"name": "Check Point",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Check Point is a cybersecurity company.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.237Z",
"modified": "2026-01-02T12:39:26.237Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--d95868d7-4f07-4d84-b742-07ee4cf4adbf",
"name": "React2Shell",
"description": "React2Shell is a vulnerability in React Server Components that could lead to denial-of-service attacks or the exposure of source code. It is one of several recently discovered flaws in React Server Components, including CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779. React2Shell is considered a dangerous vulnerability that requires immediate attention from security teams to prevent exploitation by threat actors.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.237Z",
"modified": "2026-01-02T12:39:26.237Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--09cfd756-732a-426d-8c11-8d9ddb3e9e05",
"name": "CVE-2025-55182",
"description": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.. CVSS Score: 10.0 (CRITICAL). CISA KEV: Active exploitation confirmed. EPSS: 47.4% exploitation probability",
"x_cvss_score": 10.0,
"x_cvss_severity": "CRITICAL",
"x_kev_status": true,
"x_epss_score": 0.47368,
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-55182",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55182"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-55182",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.237Z",
"modified": "2026-01-02T12:39:26.237Z",
"confidence": 95,
"type": "identity",
"id": "identity--852f1ded-54a0-4678-8751-1aa05a63754e",
"name": "Gmail",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Email service",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.237Z",
"modified": "2026-01-02T12:39:26.237Z",
"confidence": 95,
"type": "tool",
"id": "tool--110bd33b-429b-4d56-bc0c-d65f82c89552",
"name": "Google Gemini AI",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "AI chatbot",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.237Z",
"modified": "2026-01-02T12:39:26.237Z",
"confidence": 95,
"type": "tool",
"id": "tool--65ccf4fb-0919-4be6-9835-b712b1f056a5",
"name": "API Connect",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Software with a known vulnerability",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.237Z",
"modified": "2026-01-02T12:39:26.237Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--f2c42dbe-e16d-4283-9151-c7c085f96cb9",
"name": "CVE-2025-13915",
"description": "IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.. CVSS Score: 9.8 (CRITICAL). EPSS: 0.4% exploitation probability",
"x_cvss_score": 9.8,
"x_cvss_severity": "CRITICAL",
"x_kev_status": false,
"x_epss_score": 0.00373,
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-13915",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13915"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-13915",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13915"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.237Z",
"modified": "2026-01-02T12:39:26.237Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"name": "ShadyPanda",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "ShadyPanda is a threat group that has been operating for at least seven years, using a unique approach to compromise targets. They publish or acquire harmless extensions, allowing them to establish a foothold and gather intelligence before striking. This group's tactics demonstrate a high level of sophistication and patience, making them a significant threat to organizations. Their ability to blend in and avoid detection for extended periods makes them a challenging adversary to detect and mitigate.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.237Z",
"modified": "2026-01-02T12:39:26.237Z",
"confidence": 95,
"type": "malware",
"id": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"name": "GhostPoster",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "Malicious browser extension",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.237Z",
"modified": "2026-01-02T12:39:26.237Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--eb542bb6-573d-4d93-81f9-21ecb17ff423",
"name": "DarkSpectre",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "Malicious campaign",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "tool",
"id": "tool--eb33f5b9-a211-409d-ba91-a9b0d6b0f75e",
"name": "Google Chrome",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "A popular web browser developed by Google.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "tool",
"id": "tool--c34a5a3d-44b4-445d-9d85-478167123542",
"name": "Microsoft Edge",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Web browser",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "tool",
"id": "tool--f2491320-0c6c-4b71-a50a-d287256ea95f",
"name": "Mozilla Firefox",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Web browser",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "identity",
"id": "identity--6741006f-839c-40a5-9d6e-5c3499671c57",
"name": "Cisco",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Cisco is a technology company.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--0939e377-efcf-44d2-ba69-a9794c7184bc",
"name": "MongoBleed",
"description": "An event where data is accessed without authorization.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--0eeed38c-ad53-4d03-91b9-68adce80181b",
"name": "CVE-2025-14847",
"description": "Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, Mong. CVSS Score: 7.5 (HIGH). CISA KEV: Active exploitation confirmed. EPSS: 68.7% exploitation probability",
"x_cvss_score": 7.5,
"x_cvss_severity": "HIGH",
"x_kev_status": true,
"x_epss_score": 0.68682,
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-14847",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14847"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-14847",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14847"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "identity",
"id": "identity--62522ca0-5df7-4a7f-b817-a969c39fad76",
"name": "Non-Human Identities",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "A cybersecurity news website",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "identity",
"id": "identity--84cc9f98-37d8-4790-bdcd-597ce6a2e6ac",
"name": "Security Boulevard",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "A cybersecurity-focused online publication",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "identity",
"id": "identity--9bafa8cc-056c-4e34-bb2d-61e718a0438b",
"name": "Cybersecurity",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Cybersecurity is a company",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "identity",
"id": "identity--6a693eb5-52d0-4a9c-9407-96e3ba6cdfad",
"name": "China",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "China is a country.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "identity",
"id": "identity--3cf91ae9-0a36-4c4f-aad7-9717e2e1a2cd",
"name": "Condé Nast",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "A global media company",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--2d772e96-d3ee-4b7e-9d39-aefee3a980da",
"name": "CVE-2025-29927",
"description": "Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed. CVSS Score: 9.1 (CRITICAL). EPSS: 92.4% exploitation probability",
"x_cvss_score": 9.1,
"x_cvss_severity": "CRITICAL",
"x_kev_status": false,
"x_epss_score": 0.92365,
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-29927",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29927"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-29927",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29927"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "tool",
"id": "tool--3c84c3be-72bb-491a-aad0-31af4eb5a66d",
"name": "Adobe ColdFusion",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "GreyNoise threat intelligence platform",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--be935a82-14b4-4a2e-a314-fedab3129d53",
"name": "Coordinated Campaign",
"description": "Adobe ColdFusion web application server",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--2d398e94-0377-4c95-9239-c472d3f1eca9",
"name": "CloudSEK",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"description": "Coordinated campaign targeting Adobe ColdFusion servers",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "identity",
"id": "identity--c562a7c3-1c96-4809-b60a-0e23213ecf63",
"name": "Gemini",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "A cybersecurity company providing threat intelligence and digital risk protection.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "tool",
"id": "tool--e097aaca-caee-4b4b-aa8f-0ea32c643efe",
"name": "Shield",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Gemini AI chatbot",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "tool",
"id": "tool--66e228d6-f965-4c4c-945f-949be0c45803",
"name": "Shai-Hulud",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Zero Trust security concept",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "tool",
"id": "tool--cd74e8f4-ca24-409e-9878-ad91c3aa57f1",
"name": "Post-Quantum Identity and Access Management for AI Agents",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Google Chrome web browser",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "tool",
"id": "tool--fc1edf37-07d8-470b-a34a-c50f2247b5ea",
"name": "Qilin",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Post-Quantum Identity and Access Management for AI Agents concept",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 92,
"type": "malware",
"id": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"name": "Covenant Health Data Breach",
"is_family": true,
"malware_types": [
"ransomware"
],
"labels": [
"malicious-activity"
],
"description": "A type of ransomware known for targeting large enterprises.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 95,
"type": "tool",
"id": "tool--64a2e1d0-3271-4fea-9042-f00f041b6446",
"name": "FIDO2",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Covenant Health data breach incident",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.238Z",
"modified": "2026-01-02T12:39:26.238Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"name": "Spearphishing Attachment",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/001/",
"external_id": "T1566.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"name": "Spearphishing Link",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/002/",
"external_id": "T1566.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"name": "Spearphishing via Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/003/",
"external_id": "T1566.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314",
"name": "Remote Services",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_id": "T1021",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1021/",
"external_id": "T1021"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"name": "Supply Chain Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/",
"external_id": "T1195"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"name": "Botnet",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1584.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1584/005/",
"external_id": "T1584.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--88428b3c-f02f-45b8-a38a-0541b2287509",
"name": "LSA Secrets",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"x_mitre_id": "T1003.004",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1003/004/",
"external_id": "T1003.004"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--0ec57ff0-0257-4287-888c-8f20c7e08c6b",
"name": "Cloud Secrets Management Stores",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"x_mitre_id": "T1555.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1555/006/",
"external_id": "T1555.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"confidence": 78,
"type": "attack-pattern",
"id": "attack-pattern--8dd2a740-fa1b-4f41-be82-018bed51553e",
"name": "Safe Mode Boot",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"x_mitre_id": "T1562.009",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1562/009/",
"external_id": "T1562.009"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"confidence": 71,
"type": "attack-pattern",
"id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"name": "Vulnerabilities",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/006/",
"external_id": "T1588.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e",
"name": "Browser Extensions",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1176.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1176/001/",
"external_id": "T1176.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"name": "Scheduled Task",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/005/",
"external_id": "T1053.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"name": "Socket Filters",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1205.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1205/002/",
"external_id": "T1205.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--5cf0f3fb-3459-4a3d-ad3c-4700efcfecd8",
"name": "Boot or Logon Initialization Scripts",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1037",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1037/",
"external_id": "T1037"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--90a0406c-dc6f-4f4a-b369-007b91ebae74",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "targets",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "vulnerability--b92231d2-d9b1-4177-ab65-401adc9a2c6d",
"confidence": 85,
"description": "Co-occurrence in intelligence context",
"x_validation_method": "three-llm-consensus"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--cf986515-f13f-44d3-9562-6234c5eb9a79",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "targets",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "vulnerability--d95868d7-4f07-4d84-b742-07ee4cf4adbf",
"confidence": 85,
"description": "Co-occurrence in intelligence context",
"x_validation_method": "three-llm-consensus"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b4eb0925-99e0-430d-b33f-1cb830e758bb",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Exploit Public-Facing Application (T1190) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2af95980-1da5-41ec-9e98-6dd72dcc66d2",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Exploitation for Client Execution (T1203) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--21fc51ad-202d-42c1-972d-fa9764ef21db",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Spearphishing Attachment (T1566.001) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7c520bf0-bbf8-4f00-afec-4c2cf7ca53ab",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Spearphishing Link (T1566.002) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a552fc15-ed0e-432a-a60f-7a3f150f2819",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Spearphishing via Service (T1566.003) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d1a7eadf-3746-4890-a83c-170933b1066d",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Remote Services (T1021) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a0c4cd7d-83cf-4b74-8a23-15720a133e62",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Supply Chain Compromise (T1195) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c2d6bac7-3751-41c6-ade3-5cf55856888f",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Botnet (T1584.005) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--063f5b82-988a-4412-9110-aa0b86ac838a",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--88428b3c-f02f-45b8-a38a-0541b2287509",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and LSA Secrets (T1003.004) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2ed026b2-9f69-4096-ad86-0e417e5bd5ea",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--0ec57ff0-0257-4287-888c-8f20c7e08c6b",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Cloud Secrets Management Stores (T1555.006) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d721ee78-13e0-460d-9251-a8bfa9b40c20",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--8dd2a740-fa1b-4f41-be82-018bed51553e",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Safe Mode Boot (T1562.009) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--705228c0-a258-4f8c-81a5-36ab2879fd1b",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Botnet (T1583.005) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--bdd881fb-3d38-4e18-86bf-4df4f00f95f4",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Vulnerabilities (T1588.006) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--61cd4057-dded-455e-9364-643234d6f82c",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Browser Extensions (T1176.001) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9d40e904-eaab-4a2b-b7c8-34cc8c406019",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Scheduled Task (T1053.005) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--58877a1b-a2e6-468f-bb64-bfdc2149e8db",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Socket Filters (T1205.002) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6d822c56-66dd-46ba-a986-b3a66cb5ce5d",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "threat-actor--ed70a1ea-0748-4318-9623-4105653cb15f",
"target_ref": "attack-pattern--5cf0f3fb-3459-4a3d-ad3c-4700efcfecd8",
"confidence": 60,
"description": "Co-occurrence: ShadyPanda and Boot or Logon Initialization Scripts (T1037) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c5f3bcc3-4de4-4041-9d62-cbb6a1d53720",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Exploit Public-Facing Application (T1190) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--15b1ad05-6ee2-4cc1-8700-0f06e580e1da",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Exploitation for Client Execution (T1203) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a7b81bcc-2ae6-413f-a5d5-4e79a4730ada",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Spearphishing Attachment (T1566.001) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--592d82d3-e47a-4d10-a23a-451f6d54cf04",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Spearphishing Link (T1566.002) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--02a1ff43-0082-4f52-b323-d796c8a86525",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Spearphishing via Service (T1566.003) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--bfe9168b-3f74-4e53-b3ad-9b7e2cd2a58b",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Remote Services (T1021) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--12e8c1b3-d6b6-4a10-ab80-58d722d312b1",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Supply Chain Compromise (T1195) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2ac7a692-53ac-4d9b-8c4e-60ebab192a6d",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Botnet (T1584.005) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--4397f63b-6df0-4e42-92b8-80b38d6fdb3f",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--88428b3c-f02f-45b8-a38a-0541b2287509",
"confidence": 55,
"description": "Co-occurrence: RondoDox and LSA Secrets (T1003.004) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b06793ad-3500-4d32-9f09-8b658863c611",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--0ec57ff0-0257-4287-888c-8f20c7e08c6b",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Cloud Secrets Management Stores (T1555.006) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--05612c4a-125b-4616-89cb-f68f3562d034",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--8dd2a740-fa1b-4f41-be82-018bed51553e",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Safe Mode Boot (T1562.009) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--edfc2eba-8c88-47b0-95a1-ade3b23fb592",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Botnet (T1583.005) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--69e50a71-a39c-4689-a081-99850c8a4bef",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Vulnerabilities (T1588.006) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6673a568-e3b2-4ee3-9c35-3d7bdf9d7704",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Browser Extensions (T1176.001) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--65d4909a-dc1d-4c5f-8083-0c6c700eff4c",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Scheduled Task (T1053.005) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f9ba76dc-00a0-49a5-b1be-42e400436f53",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Socket Filters (T1205.002) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6be5753e-eb1e-496c-8540-47e76701cf8a",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"target_ref": "attack-pattern--5cf0f3fb-3459-4a3d-ad3c-4700efcfecd8",
"confidence": 55,
"description": "Co-occurrence: RondoDox and Boot or Logon Initialization Scripts (T1037) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ae22acd7-62ad-4bb0-9ba8-304fff6e8e16",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Exploit Public-Facing Application (T1190) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--43d3e2a9-00fe-4fb7-b44c-062032188247",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Exploitation for Client Execution (T1203) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5207e54a-be63-45a7-90ee-6863c3c7f5a5",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Spearphishing Attachment (T1566.001) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f0776186-610d-4ad1-ada4-a30a7c98ccd3",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Spearphishing Link (T1566.002) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--fd1e95e4-02da-44cb-a281-0b4172a6bed4",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Spearphishing via Service (T1566.003) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3f9e6a86-851f-49db-a226-f0e89b99a05a",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Remote Services (T1021) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--bf6bded5-93b1-4be8-8bf3-87f0a7184451",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Supply Chain Compromise (T1195) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--da9bf87f-72d9-4920-b932-bee6817622f8",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Botnet (T1584.005) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d93befee-8b16-4677-b88b-7ab644a64650",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--88428b3c-f02f-45b8-a38a-0541b2287509",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and LSA Secrets (T1003.004) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--92907e35-c503-4196-b2b2-498a047950aa",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--0ec57ff0-0257-4287-888c-8f20c7e08c6b",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Cloud Secrets Management Stores (T1555.006) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7a199d41-bf44-4e54-80ed-e347eaa49087",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--8dd2a740-fa1b-4f41-be82-018bed51553e",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Safe Mode Boot (T1562.009) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c95c869d-4b25-444c-8df1-2bedf329cc6c",
"created": "2026-01-02T12:39:26.239Z",
"modified": "2026-01-02T12:39:26.239Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Botnet (T1583.005) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--37308e11-2bff-4979-9876-a7d24defb083",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Vulnerabilities (T1588.006) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7f061ec0-3268-4061-9ebb-34774cb3b467",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Browser Extensions (T1176.001) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d29368f4-0b56-4697-83ae-0f8fa8a07325",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Scheduled Task (T1053.005) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7bf3f3ab-36dc-4495-8f0f-34ccc9538986",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Socket Filters (T1205.002) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a27e5de9-63f5-462c-9dc4-ce8a931e84e4",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--e2aede3e-6d44-40bb-ba8a-a4c4cbf31bd1",
"target_ref": "attack-pattern--5cf0f3fb-3459-4a3d-ad3c-4700efcfecd8",
"confidence": 55,
"description": "Co-occurrence: GhostPoster and Boot or Logon Initialization Scripts (T1037) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d603ff24-0e18-4489-b83b-fbb032b81944",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Exploit Public-Facing Application (T1190) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f6986ec6-ad46-463c-8656-11bb66af868c",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Exploitation for Client Execution (T1203) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--392769e5-3f05-4281-aa82-5699f3067e01",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Spearphishing Attachment (T1566.001) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--39a37a6f-341a-4c67-9eb0-4f24b632f1cb",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Spearphishing Link (T1566.002) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--68a495ea-c63d-4f8c-8656-3b0d85229183",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Spearphishing via Service (T1566.003) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--341432df-a52c-4d42-a04f-bcbac976a6b9",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Remote Services (T1021) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--243a9a5b-4dea-41bd-ace1-31edc21fd3a2",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Supply Chain Compromise (T1195) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--bf8394ef-1870-4ce4-86e0-ce8e92cbf5dc",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Botnet (T1584.005) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7120077d-b85c-46df-9091-4b098e614404",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--88428b3c-f02f-45b8-a38a-0541b2287509",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and LSA Secrets (T1003.004) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--aac23a91-0570-46d4-88cb-692a9c4da306",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--0ec57ff0-0257-4287-888c-8f20c7e08c6b",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Cloud Secrets Management Stores (T1555.006) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--75b1cad6-1abc-4c04-ab99-d863ff9cba29",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--8dd2a740-fa1b-4f41-be82-018bed51553e",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Safe Mode Boot (T1562.009) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9bcc0918-73c6-479a-b9eb-a89a2276d8a6",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Botnet (T1583.005) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--89caf2c6-c7e2-426d-8688-4b1033f9dc71",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Vulnerabilities (T1588.006) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--58ade21e-6178-4291-a741-8a22c8255f79",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Browser Extensions (T1176.001) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--03d8bb12-9f9a-4f0c-8e74-2e8e61b283d8",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Scheduled Task (T1053.005) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--40851a02-22f0-4dfd-a75c-f1f426b7b1c9",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Socket Filters (T1205.002) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--0cdff21b-5155-4a9d-a6c3-cb52fff24898",
"created": "2026-01-02T12:39:26.242Z",
"modified": "2026-01-02T12:39:26.242Z",
"relationship_type": "uses",
"source_ref": "malware--fa140fbb-3d11-4ba6-8bd6-dee9d62bd563",
"target_ref": "attack-pattern--5cf0f3fb-3459-4a3d-ad3c-4700efcfecd8",
"confidence": 55,
"description": "Co-occurrence: Covenant Health Data Breach and Boot or Logon Initialization Scripts (T1037) in same intelligence",
"x_validation_method": "mitre-cooccurrence"
},
{
"type": "file:hashes.MD5",
"value": "210600be82239d3cc845b993ef7713e2",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.MD5--22659bba-866a-4a76-8bc9-12a89c5c117e"
},
{
"type": "file:hashes.MD5",
"value": "242bc60a43eabeed6410fdb3e2428a3a",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.MD5--549c17f0-6d26-4fe9-950d-639e35b0aaf9"
},
{
"type": "file:hashes.MD5",
"value": "297bec80a7bee340d10d4ea429909796",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.MD5--02882737-8de6-472a-933c-e20cdd5ca90e"
},
{
"type": "file:hashes.MD5",
"value": "3ba7a49934b2f5fdb01e5ba157a66c98",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.MD5--e4bbab79-87d4-47d1-9cb7-a1e0823e961b"
},
{
"type": "file:hashes.MD5",
"value": "50608632718649bc00ab1edf5724a9af",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.MD5--97a94d52-ce8b-48ac-9d79-704beba94ae6"
},
{
"type": "file:hashes.MD5",
"value": "6536ebe330f403aa8d574f45cb8e72cb",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.MD5--4ce5e15b-2acd-4571-a5ce-463b7a91bfdc"
},
{
"type": "file:hashes.MD5",
"value": "73a19307b88c0e9468b49ee3135be5f4",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.MD5--a1cc5ebb-dea3-4ad4-b3ff-2dba0ea8c79e"
},
{
"type": "file:hashes.MD5",
"value": "7a0c180b3fdc7fe574aaf9f6502d8496",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.MD5--477e87c6-ff7e-45dc-b78e-36cdc2aa2bab"
},
{
"type": "file:hashes.MD5",
"value": "a98f4242a2281e1f32e51f0cfed391b0",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.MD5--836f761a-af62-4e5e-a266-938c06a4464e"
},
{
"type": "file:hashes.MD5",
"value": "b9719cea1bf4f95c7632975b82876f96",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.MD5--e897c6f6-1903-45ff-b176-57d774c3076d"
},
{
"type": "file:hashes.MD5",
"value": "c0df8197455bae7b8a6ca2e835867a6a",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.MD5--f0679444-2b5f-402e-8a68-7d67d7f9294e"
},
{
"type": "file:hashes.MD5",
"value": "f022baae5f1873b46aaf2c5cc03e1e21",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.MD5--fd8385cb-fd2d-4c49-9b9f-6ae1ae880592"
},
{
"type": "file:hashes.SHA-1",
"value": "0287d785d44bb1cab51a6c3278a90c84de5f6a02",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.SHA-1--e11f5338-bbbc-48d5-9633-9d3e1d66ce60"
},
{
"type": "file:hashes.SHA-1",
"value": "0ba9196a71259d3a2ca0b5b92dba196d82fde0fc",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.SHA-1--83dd181e-5a5a-4531-bfd1-63574090b033"
},
{
"type": "file:hashes.SHA-1",
"value": "10a96be58694716d36b3f18835aa24dc2e964967",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.SHA-1--829a6f68-0ce6-467f-9df2-3382acaee30b"
},
{
"type": "file:hashes.SHA-1",
"value": "2f42087269ba4138acddbab8537c9d80c4f8bea8",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.SHA-1--319a836a-745a-43d8-97c3-1405ceed85f5"
},
{
"type": "file:hashes.SHA-1",
"value": "4b19500185e82a7454a046caba1c20678b2f6fad",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.SHA-1--0deab427-779f-4cba-a929-f0932ebdf338"
},
{
"type": "file:hashes.SHA-1",
"value": "b8f3ff1cb8c1eb350767d07e2d88e329e5ff0807",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.SHA-1--61318092-b63d-4fa7-acd5-ac063b0c46ae"
},
{
"type": "file:hashes.SHA-1",
"value": "bd289ef73d5604939e6f157fba4a3f601ac22a93",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.SHA-1--347d4395-9822-4056-b55c-37595828ea55"
},
{
"type": "file:hashes.SHA-1",
"value": "c1cb2cb474cd2b5b9054e1fcfb6996a9d156e49e",
"source": "OTX",
"malware_families": [
"RondoDox"
],
"pulse_names": [
"RondoDox Unveiled: Breaking Down a New Botnet Threat"
],
"id": "file:hashes.SHA-1--b08d0f4c-72b2-4af5-ab51-0734ab0a5872"
},
{
"type": "domain-name",
"value": "mitarchive.info",
"source": "OTX",
"malware_families": [
"GhostPoster"
],
"pulse_names": [
"IOC - Inside GhostPoster: How a PNG Icon Infected 50,000 Firefox Users"
],
"id": "domain-name--09f89b5f-6d7f-465c-afe1-d201a8a19cd9"
},
{
"type": "domain-name",
"value": "www.dealctr.com",
"source": "OTX",
"malware_families": [
"GhostPoster"
],
"pulse_names": [
"IOC - Inside GhostPoster: How a PNG Icon Infected 50,000 Firefox Users"
],
"id": "domain-name--514ce44f-efda-4e7d-a69f-98cd7b2922f5"
},
{
"type": "domain-name",
"value": "www.liveupdt.com",
"source": "OTX",
"malware_families": [
"GhostPoster"
],
"pulse_names": [
"IOC - Inside GhostPoster: How a PNG Icon Infected 50,000 Firefox Users"
],
"id": "domain-name--533b5e6b-5821-4295-abe6-f39797febb5b"
},
{
"type": "domain-name",
"value": "evalyn.quitzon.ethereal.email",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--7b702c6e-c293-4a3a-9668-83e1cf4426ef"
},
{
"type": "domain-name",
"value": "second.shop",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--2ec55aae-9943-4991-9e5c-38c575def978"
},
{
"type": "domain-name",
"value": "online-login-securedevice.com",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--31dd4ee6-4a65-48dc-a231-6882cc6ccbf9"
},
{
"type": "domain-name",
"value": "cpcalendars.vdkly5s9o8.site",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--aa1780be-acaa-442d-a3fb-25cceb006604"
},
{
"type": "domain-name",
"value": "exsnodus.com",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--e90ac1b2-ffc4-4646-a3cc-0d4f8298bb8e"
},
{
"type": "domain-name",
"value": "dqulkev.tk",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--0cd13fbd-0716-4a3b-8584-50ee7aa84f08"
},
{
"type": "domain-name",
"value": "www.kerugma.pro",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--27deadcc-ad34-4a8d-8646-722572e3e01a"
},
{
"type": "domain-name",
"value": "ilya22853.gmail.com",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--dc45ddb2-b718-4f19-89dd-a97e3b361f85"
},
{
"type": "domain-name",
"value": "richardllau899.zoho.com",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--1c93f9b2-7662-4f3f-aca4-928cee116983"
},
{
"type": "domain-name",
"value": "www.rakoten-account.dqulkev.tk",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--a9e384b6-2522-4019-90e5-459bf2b81249"
},
{
"type": "domain-name",
"value": "firstbytedns.net",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--7844e0ef-9f49-431b-a795-4292e4798d4f"
},
{
"type": "domain-name",
"value": "seanricketts.yahoo.com",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--ba4a7349-9dc9-4d74-95ce-e72aeed97806"
},
{
"type": "domain-name",
"value": "cit106account.ml",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--249cd7f1-cc79-46ce-b4eb-9c7323544377"
},
{
"type": "domain-name",
"value": "emiratestarianae.gmail.com",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--592be6f9-fee6-4a1f-8559-f06989c2e2b5"
},
{
"type": "domain-name",
"value": "zyzhxmedical.com",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--6fdcab22-2def-48e1-a8c0-51965446cedb"
},
{
"type": "domain-name",
"value": "webdisk.stl-invest.us",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--752d79e5-63e1-4c6a-916e-cd69fbdda636"
},
{
"type": "domain-name",
"value": "cpcalendars.flourine.web4africa.net",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--f13433ce-a320-469e-aa8a-88fab05fd581"
},
{
"type": "domain-name",
"value": "www.vipwhatsapp.online",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--f0c9f53f-c9bb-4852-bfb9-e03287c69e49"
},
{
"type": "domain-name",
"value": "vlaanderen-site.com",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--6291c0ee-ac03-4da4-97f0-63f3f4c352c7"
},
{
"type": "domain-name",
"value": "bigpapimuller.outlook.com",
"source": "OTX",
"malware_families": [
"Covenant Health Data Breach"
],
"pulse_names": [
"Sauron - Malware Domain Feed V2"
],
"id": "domain-name--a77cca0e-3498-4000-b6f9-d42d27ea9900"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a2929553-abcf-49a6-83bd-251406a12e97",
"created": "2026-01-02T12:38:53.321Z",
"modified": "2026-01-02T12:38:53.321Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'mitarchive.info']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.321Z",
"labels": [
"malicious-activity"
],
"confidence": 70
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--312ad359-86c5-4494-ad49-cf0d0104154e",
"created": "2026-01-02T12:38:53.321Z",
"modified": "2026-01-02T12:38:53.321Z",
"relationship_type": "based-on",
"source_ref": "indicator--a2929553-abcf-49a6-83bd-251406a12e97",
"target_ref": "domain-name--09f89b5f-6d7f-465c-afe1-d201a8a19cd9"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--162887a3-ef33-4a53-9098-a6d19bc2df14",
"created": "2026-01-02T12:38:53.340Z",
"modified": "2026-01-02T12:38:53.340Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'www.dealctr.com']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.340Z",
"labels": [
"malicious-activity"
],
"confidence": 70
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2c6a3a6b-59f9-43ee-9442-4b2e8ee4f0cf",
"created": "2026-01-02T12:38:53.340Z",
"modified": "2026-01-02T12:38:53.340Z",
"relationship_type": "based-on",
"source_ref": "indicator--162887a3-ef33-4a53-9098-a6d19bc2df14",
"target_ref": "domain-name--514ce44f-efda-4e7d-a69f-98cd7b2922f5"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d9fb8a89-5b5b-4551-868d-1eca85d96633",
"created": "2026-01-02T12:38:53.350Z",
"modified": "2026-01-02T12:38:53.350Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'www.liveupdt.com']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.350Z",
"labels": [
"malicious-activity"
],
"confidence": 70
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b1d3272d-9eca-4801-9813-04f45afe7317",
"created": "2026-01-02T12:38:53.350Z",
"modified": "2026-01-02T12:38:53.350Z",
"relationship_type": "based-on",
"source_ref": "indicator--d9fb8a89-5b5b-4551-868d-1eca85d96633",
"target_ref": "domain-name--533b5e6b-5821-4295-abe6-f39797febb5b"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--24c5dfbe-110e-4ac5-94cd-156b873e97c7",
"created": "2026-01-02T12:38:53.362Z",
"modified": "2026-01-02T12:38:53.362Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'evalyn.quitzon.ethereal.email']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.362Z",
"labels": [
"malicious-activity"
],
"confidence": 75
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d5e239af-bb9e-4c4b-b0c0-3bd9b9c851bd",
"created": "2026-01-02T12:38:53.362Z",
"modified": "2026-01-02T12:38:53.362Z",
"relationship_type": "based-on",
"source_ref": "indicator--24c5dfbe-110e-4ac5-94cd-156b873e97c7",
"target_ref": "domain-name--7b702c6e-c293-4a3a-9668-83e1cf4426ef"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--644b13c0-f04f-461e-8451-ad8a5ca15f0b",
"created": "2026-01-02T12:38:53.373Z",
"modified": "2026-01-02T12:38:53.373Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'second.shop']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.373Z",
"labels": [
"malicious-activity"
],
"confidence": 70
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2d045e53-25b8-4ad5-9bd7-3d801883e262",
"created": "2026-01-02T12:38:53.373Z",
"modified": "2026-01-02T12:38:53.373Z",
"relationship_type": "based-on",
"source_ref": "indicator--644b13c0-f04f-461e-8451-ad8a5ca15f0b",
"target_ref": "domain-name--2ec55aae-9943-4991-9e5c-38c575def978"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--709fd8a5-2d2a-4ee9-be77-9fced7f1a359",
"created": "2026-01-02T12:38:53.384Z",
"modified": "2026-01-02T12:38:53.384Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'online-login-securedevice.com']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.384Z",
"labels": [
"malicious-activity"
],
"confidence": 75
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--66a7e412-9c51-4d36-bdfe-a662dbb3b75a",
"created": "2026-01-02T12:38:53.384Z",
"modified": "2026-01-02T12:38:53.384Z",
"relationship_type": "based-on",
"source_ref": "indicator--709fd8a5-2d2a-4ee9-be77-9fced7f1a359",
"target_ref": "domain-name--31dd4ee6-4a65-48dc-a231-6882cc6ccbf9"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3ca3ee22-361e-4a17-a4ed-f3cc6defca1d",
"created": "2026-01-02T12:38:53.394Z",
"modified": "2026-01-02T12:38:53.394Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'cpcalendars.vdkly5s9o8.site']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.394Z",
"labels": [
"malicious-activity"
],
"confidence": 80
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--4b9bfeed-78ad-4273-9bad-3cb66d7f9edc",
"created": "2026-01-02T12:38:53.394Z",
"modified": "2026-01-02T12:38:53.394Z",
"relationship_type": "based-on",
"source_ref": "indicator--3ca3ee22-361e-4a17-a4ed-f3cc6defca1d",
"target_ref": "domain-name--aa1780be-acaa-442d-a3fb-25cceb006604"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a8818498-0b2d-4b9d-8f54-ee6c4ab43abf",
"created": "2026-01-02T12:38:53.404Z",
"modified": "2026-01-02T12:38:53.404Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'exsnodus.com']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.404Z",
"labels": [
"malicious-activity"
],
"confidence": 70
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ac820a25-7b80-423d-b3a8-576438571d84",
"created": "2026-01-02T12:38:53.404Z",
"modified": "2026-01-02T12:38:53.404Z",
"relationship_type": "based-on",
"source_ref": "indicator--a8818498-0b2d-4b9d-8f54-ee6c4ab43abf",
"target_ref": "domain-name--e90ac1b2-ffc4-4646-a3cc-0d4f8298bb8e"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--21289a7c-bcd5-4679-a0d4-4ba8d87d83bc",
"created": "2026-01-02T12:38:53.414Z",
"modified": "2026-01-02T12:38:53.414Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'dqulkev.tk']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.414Z",
"labels": [
"malicious-activity"
],
"confidence": 70
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--dc5f95a0-fc26-4420-bb16-0ab553bd2d7e",
"created": "2026-01-02T12:38:53.414Z",
"modified": "2026-01-02T12:38:53.414Z",
"relationship_type": "based-on",
"source_ref": "indicator--21289a7c-bcd5-4679-a0d4-4ba8d87d83bc",
"target_ref": "domain-name--0cd13fbd-0716-4a3b-8584-50ee7aa84f08"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--87e8b4ee-01b0-4df6-84d8-054ca63c83ed",
"created": "2026-01-02T12:38:53.425Z",
"modified": "2026-01-02T12:38:53.425Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'www.kerugma.pro']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.425Z",
"labels": [
"malicious-activity"
],
"confidence": 70
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--bd53548b-5d8a-4bd6-bee8-e45c762188ba",
"created": "2026-01-02T12:38:53.425Z",
"modified": "2026-01-02T12:38:53.425Z",
"relationship_type": "based-on",
"source_ref": "indicator--87e8b4ee-01b0-4df6-84d8-054ca63c83ed",
"target_ref": "domain-name--27deadcc-ad34-4a8d-8646-722572e3e01a"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--db0beeea-550d-48bc-a72f-3c09ffd17198",
"created": "2026-01-02T12:38:53.436Z",
"modified": "2026-01-02T12:38:53.436Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'ilya22853.gmail.com']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.436Z",
"labels": [
"malicious-activity"
],
"confidence": 75
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--54a552e3-64c5-4a7b-a767-ed88bfb8b1d6",
"created": "2026-01-02T12:38:53.436Z",
"modified": "2026-01-02T12:38:53.436Z",
"relationship_type": "based-on",
"source_ref": "indicator--db0beeea-550d-48bc-a72f-3c09ffd17198",
"target_ref": "domain-name--dc45ddb2-b718-4f19-89dd-a97e3b361f85"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ce49436e-cd85-462b-be8e-3fc61319e3e6",
"created": "2026-01-02T12:38:53.475Z",
"modified": "2026-01-02T12:38:53.475Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'richardllau899.zoho.com']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.475Z",
"labels": [
"malicious-activity"
],
"confidence": 80
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--39259367-5df0-4bbd-9898-08487df1acce",
"created": "2026-01-02T12:38:53.475Z",
"modified": "2026-01-02T12:38:53.475Z",
"relationship_type": "based-on",
"source_ref": "indicator--ce49436e-cd85-462b-be8e-3fc61319e3e6",
"target_ref": "domain-name--1c93f9b2-7662-4f3f-aca4-928cee116983"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8b983d63-5871-48ef-a1f9-35a583cfcb88",
"created": "2026-01-02T12:38:53.491Z",
"modified": "2026-01-02T12:38:53.491Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'www.rakoten-account.dqulkev.tk']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.492Z",
"labels": [
"malicious-activity"
],
"confidence": 75
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a89f2c25-8ee3-4372-b1c8-6771fd683f1d",
"created": "2026-01-02T12:38:53.492Z",
"modified": "2026-01-02T12:38:53.492Z",
"relationship_type": "based-on",
"source_ref": "indicator--8b983d63-5871-48ef-a1f9-35a583cfcb88",
"target_ref": "domain-name--a9e384b6-2522-4019-90e5-459bf2b81249"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--edb44467-5e82-4605-8b13-edb2ca6287bb",
"created": "2026-01-02T12:38:53.503Z",
"modified": "2026-01-02T12:38:53.503Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'firstbytedns.net']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.503Z",
"labels": [
"malicious-activity"
],
"confidence": 70
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--09bead34-f270-434f-ab92-5e80c6fbe6b1",
"created": "2026-01-02T12:38:53.503Z",
"modified": "2026-01-02T12:38:53.503Z",
"relationship_type": "based-on",
"source_ref": "indicator--edb44467-5e82-4605-8b13-edb2ca6287bb",
"target_ref": "domain-name--7844e0ef-9f49-431b-a795-4292e4798d4f"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c16767d5-d767-4fc5-bfd4-aa0c22fcbd62",
"created": "2026-01-02T12:38:53.515Z",
"modified": "2026-01-02T12:38:53.515Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'seanricketts.yahoo.com']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.515Z",
"labels": [
"malicious-activity"
],
"confidence": 75
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ba0f3473-d4e7-408f-96d5-c3755b9c5007",
"created": "2026-01-02T12:38:53.515Z",
"modified": "2026-01-02T12:38:53.515Z",
"relationship_type": "based-on",
"source_ref": "indicator--c16767d5-d767-4fc5-bfd4-aa0c22fcbd62",
"target_ref": "domain-name--ba4a7349-9dc9-4d74-95ce-e72aeed97806"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--203897dc-29fb-4ccd-9aa7-2abb91c1025a",
"created": "2026-01-02T12:38:53.525Z",
"modified": "2026-01-02T12:38:53.525Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'cit106account.ml']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.525Z",
"labels": [
"malicious-activity"
],
"confidence": 75
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2e2b0231-e356-4941-8c3d-7aad950980d3",
"created": "2026-01-02T12:38:53.525Z",
"modified": "2026-01-02T12:38:53.525Z",
"relationship_type": "based-on",
"source_ref": "indicator--203897dc-29fb-4ccd-9aa7-2abb91c1025a",
"target_ref": "domain-name--249cd7f1-cc79-46ce-b4eb-9c7323544377"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0e03d8-9cf8-4025-ad2d-edb7056a5b58",
"created": "2026-01-02T12:38:53.535Z",
"modified": "2026-01-02T12:38:53.535Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'emiratestarianae.gmail.com']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.535Z",
"labels": [
"malicious-activity"
],
"confidence": 75
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--90a1d571-950b-4f2a-a430-0c4190f5174c",
"created": "2026-01-02T12:38:53.535Z",
"modified": "2026-01-02T12:38:53.535Z",
"relationship_type": "based-on",
"source_ref": "indicator--5b0e03d8-9cf8-4025-ad2d-edb7056a5b58",
"target_ref": "domain-name--592be6f9-fee6-4a1f-8559-f06989c2e2b5"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--66988d65-506c-445f-b5ee-40331e805722",
"created": "2026-01-02T12:38:53.544Z",
"modified": "2026-01-02T12:38:53.544Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'zyzhxmedical.com']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.544Z",
"labels": [
"malicious-activity"
],
"confidence": 70
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5560c51b-cf9a-4c26-825e-585b5f0d2a24",
"created": "2026-01-02T12:38:53.544Z",
"modified": "2026-01-02T12:38:53.544Z",
"relationship_type": "based-on",
"source_ref": "indicator--66988d65-506c-445f-b5ee-40331e805722",
"target_ref": "domain-name--6fdcab22-2def-48e1-a8c0-51965446cedb"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a2daa877-18af-429a-aab5-a3b9db4c6f57",
"created": "2026-01-02T12:38:53.553Z",
"modified": "2026-01-02T12:38:53.553Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'webdisk.stl-invest.us']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.553Z",
"labels": [
"malicious-activity"
],
"confidence": 75
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--977c7147-2436-4531-bc84-5ef5c9241f4b",
"created": "2026-01-02T12:38:53.553Z",
"modified": "2026-01-02T12:38:53.553Z",
"relationship_type": "based-on",
"source_ref": "indicator--a2daa877-18af-429a-aab5-a3b9db4c6f57",
"target_ref": "domain-name--752d79e5-63e1-4c6a-916e-cd69fbdda636"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e640f940-ac64-4169-9540-f6f0ee48468c",
"created": "2026-01-02T12:38:53.566Z",
"modified": "2026-01-02T12:38:53.566Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'cpcalendars.flourine.web4africa.net']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.566Z",
"labels": [
"malicious-activity"
],
"confidence": 80
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a46f3d40-146f-4344-a47e-881b96a7a975",
"created": "2026-01-02T12:38:53.566Z",
"modified": "2026-01-02T12:38:53.566Z",
"relationship_type": "based-on",
"source_ref": "indicator--e640f940-ac64-4169-9540-f6f0ee48468c",
"target_ref": "domain-name--f13433ce-a320-469e-aa8a-88fab05fd581"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0990d0c1-8c99-45ee-9dad-a5135805d401",
"created": "2026-01-02T12:38:53.577Z",
"modified": "2026-01-02T12:38:53.577Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'www.vipwhatsapp.online']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.577Z",
"labels": [
"malicious-activity"
],
"confidence": 75
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6f1db20d-dcd0-4adc-a08f-c40abd2a005d",
"created": "2026-01-02T12:38:53.577Z",
"modified": "2026-01-02T12:38:53.577Z",
"relationship_type": "based-on",
"source_ref": "indicator--0990d0c1-8c99-45ee-9dad-a5135805d401",
"target_ref": "domain-name--f0c9f53f-c9bb-4852-bfb9-e03287c69e49"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1a18b5e2-c1a9-47eb-85d4-71fa184f88d2",
"created": "2026-01-02T12:38:53.586Z",
"modified": "2026-01-02T12:38:53.586Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'vlaanderen-site.com']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.586Z",
"labels": [
"malicious-activity"
],
"confidence": 70
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e516de2a-6b45-4617-aefb-35327862c530",
"created": "2026-01-02T12:38:53.586Z",
"modified": "2026-01-02T12:38:53.586Z",
"relationship_type": "based-on",
"source_ref": "indicator--1a18b5e2-c1a9-47eb-85d4-71fa184f88d2",
"target_ref": "domain-name--6291c0ee-ac03-4da4-97f0-63f3f4c352c7"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6bd2278e-c3a2-4d41-9450-65b53e78aacd",
"created": "2026-01-02T12:38:53.596Z",
"modified": "2026-01-02T12:38:53.596Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'bigpapimuller.outlook.com']",
"pattern_type": "stix",
"valid_from": "2026-01-02T12:38:53.596Z",
"labels": [
"malicious-activity"
],
"confidence": 75
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ff39fdb6-6193-4ad9-ad92-9d40230692b3",
"created": "2026-01-02T12:38:53.596Z",
"modified": "2026-01-02T12:38:53.596Z",
"relationship_type": "based-on",
"source_ref": "indicator--6bd2278e-c3a2-4d41-9450-65b53e78aacd",
"target_ref": "domain-name--a77cca0e-3498-4000-b6f9-d42d27ea9900"
}
]
}
Download: 2026-01-02-stix.json
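Before loading a feed like the bundle above into a DNS blocklist, it is worth checking it rather than importing it blind: several of the `domain-name` values (for example `ilya22853.gmail.com`, `richardllau899.zoho.com`, `seanricketts.yahoo.com`, `bigpapimuller.outlook.com`) read like e-mail addresses with the `@` lost, so they are not hostnames anyone will resolve; `cpcalendars.` and `webdisk.` prefixes are cPanel service hostnames, where the parent host is the real indicator; the first relationships in this tail point at SCOs defined earlier in the file; and `malware_families` carries an incident name rather than a family. The script below is an added example and not part of the feed or of the page's tooling. It parses a STIX 2.1 bundle, joins each indicator to its `domain-name` SCO through the `based-on` relationship, verifies that the STIX pattern and the SCO agree, flags values that make poor blocklist entries, and emits a blocklist with subdomains collapsed under a listed parent. The embedded bundle is a constructed excerpt that reuses IDs and values from the feed above with timestamps and relationship IDs trimmed; its first relationship deliberately targets an SCO outside the excerpt. The provider and cPanel label lists, the two-label `registrable()` stand-in for a public-suffix lookup, and the bundle ID are assumptions.

```python
"""Lint a STIX 2.1 domain-indicator bundle and derive a usable DNS blocklist.
Added example; not the feed's own code. Heuristic lists below are assumptions."""
import json
import re
from typing import Dict, List

# Matches the simple equality patterns used in the feed: [domain-name:value = '...']
PATTERN_RE = re.compile(r"^\[domain-name:value\s*=\s*'([^']+)'\]$")
# Assumption: shared providers where 'user.provider.tld' is almost certainly a mangled e-mail.
SHARED_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "zoho.com"}
# cPanel's automatically created service subdomains (the parent host is the real indicator).
CPANEL_LABELS = {"cpanel", "cpcalendars", "cpcontacts", "webdisk", "webmail"}

# Constructed excerpt: IDs and values taken from the feed above, other fields trimmed.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--3f1c0b2a-7d4e-4c8b-9a6d-2e5f1b7c9d01",  # bundle id is made up
    "objects": [
        {"type": "domain-name", "id": "domain-name--0cd13fbd-0716-4a3b-8584-50ee7aa84f08",
         "value": "dqulkev.tk"},
        {"type": "domain-name", "id": "domain-name--a9e384b6-2522-4019-90e5-459bf2b81249",
         "value": "www.rakoten-account.dqulkev.tk"},
        {"type": "domain-name", "id": "domain-name--dc45ddb2-b718-4f19-89dd-a97e3b361f85",
         "value": "ilya22853.gmail.com"},
        {"type": "domain-name", "id": "domain-name--f13433ce-a320-469e-aa8a-88fab05fd581",
         "value": "cpcalendars.flourine.web4africa.net"},
        {"type": "indicator", "id": "indicator--a2929553-abcf-49a6-83bd-251406a12e97",
         "pattern": "[domain-name:value = 'mitarchive.info']", "confidence": 70},
        {"type": "indicator", "id": "indicator--21289a7c-bcd5-4679-a0d4-4ba8d87d83bc",
         "pattern": "[domain-name:value = 'dqulkev.tk']", "confidence": 70},
        {"type": "indicator", "id": "indicator--8b983d63-5871-48ef-a1f9-35a583cfcb88",
         "pattern": "[domain-name:value = 'www.rakoten-account.dqulkev.tk']", "confidence": 75},
        {"type": "indicator", "id": "indicator--db0beeea-550d-48bc-a72f-3c09ffd17198",
         "pattern": "[domain-name:value = 'ilya22853.gmail.com']", "confidence": 75},
        {"type": "indicator", "id": "indicator--e640f940-ac64-4169-9540-f6f0ee48468c",
         "pattern": "[domain-name:value = 'cpcalendars.flourine.web4africa.net']", "confidence": 80},
        # This SCO is defined earlier in the full feed, not in this excerpt: a dangling ref here.
        {"type": "relationship", "relationship_type": "based-on",
         "source_ref": "indicator--a2929553-abcf-49a6-83bd-251406a12e97",
         "target_ref": "domain-name--09f89b5f-6d7f-465c-afe1-d201a8a19cd9"},
        {"type": "relationship", "relationship_type": "based-on",
         "source_ref": "indicator--21289a7c-bcd5-4679-a0d4-4ba8d87d83bc",
         "target_ref": "domain-name--0cd13fbd-0716-4a3b-8584-50ee7aa84f08"},
        {"type": "relationship", "relationship_type": "based-on",
         "source_ref": "indicator--8b983d63-5871-48ef-a1f9-35a583cfcb88",
         "target_ref": "domain-name--a9e384b6-2522-4019-90e5-459bf2b81249"},
        {"type": "relationship", "relationship_type": "based-on",
         "source_ref": "indicator--db0beeea-550d-48bc-a72f-3c09ffd17198",
         "target_ref": "domain-name--dc45ddb2-b718-4f19-89dd-a97e3b361f85"},
        {"type": "relationship", "relationship_type": "based-on",
         "source_ref": "indicator--e640f940-ac64-4169-9540-f6f0ee48468c",
         "target_ref": "domain-name--f13433ce-a320-469e-aa8a-88fab05fd581"},
    ],
})


def load_bundle(text: str) -> dict:
    """Parse bundle JSON and make sure it has an object list."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX bundle")
    return bundle


def registrable(domain: str) -> str:
    """Last two labels: a crude stand-in for a public-suffix lookup (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def classify(value: str) -> str:
    """Return 'ok', or the reason this value is a poor DNS blocklist entry."""
    labels = value.lower().split(".")
    if "@" in value or len(labels) < 2:
        return "not-a-domain"
    if registrable(value) in SHARED_PROVIDERS and len(labels) > 2:
        return "shared-provider-subdomain"  # e.g. user.gmail.com: likely a mangled e-mail address
    if labels[0] in CPANEL_LABELS:
        return "cpanel-service-subdomain"  # block the parent host instead
    return "ok"


def extract_indicators(bundle: dict) -> List[Dict]:
    """One record per domain-name indicator, joined to its SCO through `based-on`."""
    objs = bundle["objects"]
    by_id = {o["id"]: o for o in objs if "id" in o}
    based_on = {r["source_ref"]: r["target_ref"] for r in objs
                if r.get("type") == "relationship" and r.get("relationship_type") == "based-on"}
    records = []
    for obj in objs:
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.match(obj.get("pattern", ""))
        if not match:
            continue  # not a simple domain-name equality pattern; out of scope here
        value = match.group(1)
        sco = by_id.get(based_on.get(obj["id"], ""))
        if sco is None:
            status = "dangling-ref"  # relationship target missing from the bundle
        elif sco.get("value") != value:
            status = "pattern-sco-mismatch"  # indicator and observable disagree
        else:
            status = classify(value)
        records.append({"id": obj["id"], "value": value,
                        "confidence": obj.get("confidence", 0), "status": status})
    return records


def build_blocklist(records: List[Dict], min_confidence: int = 70) -> List[str]:
    """Usable values at or above the confidence floor; subdomains of a listed parent are dropped."""
    keep = sorted({r["value"].lower() for r in records
                   if r["status"] == "ok" and r["confidence"] >= min_confidence},
                  key=lambda d: (d.count("."), d))  # parents before children
    collapsed: List[str] = []
    for domain in keep:
        if not any(domain.endswith("." + parent) for parent in collapsed):
            collapsed.append(domain)
    return collapsed


if __name__ == "__main__":
    recs = extract_indicators(load_bundle(SAMPLE_BUNDLE))
    for r in recs:
        print(f"{r['status']:28} {r['confidence']:3}  {r['value']}")
    print("blocklist:", build_blocklist(recs))
```

Run against the excerpt, the lint marks `mitarchive.info` as a dangling reference, the two webmail-style and cPanel values as unusable, and the blocklist collapses `www.rakoten-account.dqulkev.tk` under `dqulkev.tk`. Raising the confidence floor to 75 drops the 70-confidence parent and keeps only the subdomain, which is the behaviour you want when a feed mixes confidence levels across a parent and its children. Point `load_bundle()` at the downloaded file's contents to lint the full feed.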