Cybersecurity Latest Rundown

Threat Rundown

Industry Watch

🚨 Hospitality & Healthcare (GDPR/HIPAA) CRITICAL

Targeted Malware Campaigns

Key threat: PHALT#BLYX actors using fake Booking.com lures to deploy DCRat...

Action: Review Fake Booking.com lures and BSoD scams spread DCRat in European hospitality sector

Technology & Infrastructure (SOX) ELEVATED

Legacy Hardware Exploitation

Key threat: Active RCE exploitation in D-Link and TOTOLINK devices...

Action: Review Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers, Unpatched Firmware Flaw Exposes TOTOLINK EX200

CyberSecurity Latest Rundown

Heroes, your curated look at the current cybersecurity landscape for Jan 7, 2026.

CRITICAL ITEMS

Phishing actors exploit complex routing and misconfigurations to spoof domains
Date & Time: 2026-01-06T18:00:00

Threat actors are leveraging complex email routing scenarios and gaps in spoofing protection to send phishing emails that appear to originate from legitimate internal domains. This technique bypasses standard authentication checks, making phishing attempts highly convincing to employees.

Business impact

Successful spoofing of internal domains dramatically increases the success rate of Business Email Compromise (BEC) attacks. This can lead to authorized fraudulent wire transfers, credential theft, and significant financial loss.

Recommended action

Ask your security team: Have we verified our email authentication configurations (SPF, DKIM, DMARC) specifically against complex routing scenarios to prevent internal domain spoofing?

CVE: n/a | Compliance: HIPAA, FISMA | Source: Microsoft ↗
Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers
Date & Time: 2026-01-07T04:31:00

Attackers are actively exploiting a critical command injection flaw in legacy D-Link DSL gateway routers to execute arbitrary code. This vulnerability allows unauthorized remote actors to take full control of the device via the configuration endpoint.

Business impact

Compromised routers serve as a gateway for attackers to intercept sensitive network traffic or launch attacks against internal systems. This creates immediate operational risk and potential data exposure liability, particularly for organizations with remote workforce infrastructure.

Recommended action

Ask your IT team: Do we have any legacy D-Link DSL routers in our inventory or remote employee setups? If so, have they been isolated or replaced immediately?

CVE: CVE-2026-0625 | Compliance: SOX | Source: The Hacker News ↗
Micropatches Released for CredSSP Elevation of Privilege Vulnerability
Date & Time: 2026-01-06T14:11:00

A privilege escalation vulnerability in the Windows Credential Security Support Provider (CredSSP) allows local attackers to execute code as the Local System user. Micropatches have been released to address this flaw where official updates may be pending or insufficient for legacy systems.

Business impact

If an attacker gains a foothold on a low-privileged account (e.g., via phishing), this vulnerability allows them to gain total control over the machine. This facilitates lateral movement across the network and deeper data exfiltration.

Recommended action

Ask your IT team: Have we applied the July 2025 Windows updates or the 0patch micropatch for CredSSP to prevent local privilege escalation?

CVE: CVE-2025-47987 | Compliance: SOX | Source: 0patch ↗

HIGH SEVERITY ITEMS

Fake Booking.com lures and BSoD scams spread DCRat in European hospitality sector
Date & Time: 2026-01-07T07:31:01

A campaign dubbed PHALT#BLYX is targeting the European hospitality industry with fake Booking.com emails and "Blue Screen of Death" lures to trick staff into installing the DCRat remote access trojan. The malware grants attackers remote control over infected systems.

Business impact

For hospitality and retail, this directly threatens guest data and payment processing systems. A successful infection could lead to a major data breach, regulatory fines under GDPR, and severe reputational damage.

Recommended action

Ask your security team: Are we blocking the specific indicators for DCRat (such as 'staxs.exe') and have we warned staff about fake Booking.com emails?

CVE: n/a | Compliance: GDPR, HIPAA | Source: Security Affairs ↗
Unpatched Firmware Flaw Exposes TOTOLINK EX200 to Full Remote Device Takeover
Date & Time: 2026-01-06T15:47:00

The CERT Coordination Center has disclosed an unpatched vulnerability in TOTOLINK EX200 wireless extenders that allows remote authenticated attackers to gain full control of the device. No patch is currently available.

Business impact

Unpatched network devices provide a persistent backdoor for attackers to monitor traffic and launch further attacks. Using vulnerable hardware with no remediation path violates compliance standards and security best practices.

Recommended action

Ask your network team: Do we use TOTOLINK EX200 extenders? If so, they must be decommissioned immediately as no patch exists.

CVE: CVE-2025-65606 | Compliance: SOX | Source: The Hacker News ↗
RondoDox Botnet Operators Set React2Shell Flaw in Their Sights
Date & Time: 2026-01-06T20:06:20

Operators of the RondoDox botnet are now targeting Next.js servers vulnerable to the React2Shell flaw. This expansion demonstrates the botnet's adaptability in compromising web infrastructure for illicit resource usage.

Business impact

Compromised servers suffer from performance degradation and may be blacklisted for participating in malicious activities. This can cause application downtime and loss of customer trust.

Recommended action

Ask your DevOps team: Are our Next.js servers patched against the React2Shell vulnerability to prevent recruitment into the RondoDox botnet?

CVE: n/a | Compliance: CMMC, SOX | Source: Security Boulevard ↗

MEDIUM SEVERITY ITEMS

VU#420440: Vulnerable Python version used in Forcepoint One DLP Client
Date & Time: 2026-01-06T14:38:37

The Forcepoint One DLP Client contains a vulnerability allowing bypass of Python restrictions, potentially enabling arbitrary code execution. Attackers can reconstruct the environment to restore restricted functions.

CVE: n/a | Compliance: SOX, SOC 2 | Source: CERT ↗
NDSS 2025 – HADES Attack: Understanding And Evaluating Manipulation Risks Of Email Blocklists
Date & Time: 2026-01-06T16:00:00

Researchers have identified manipulation risks in email blocklists (HADES attack), which could allow attackers to evade detection or disrupt legitimate email communications. This highlights the fragility of relying solely on static blocklists.

CVE: n/a | Compliance: SOX, SOC 2 | Source: Security Boulevard ↗

EXECUTIVE INSIGHTS

12 Months of Fighting Cybercrime & Defending Enterprises | The SentinelLABS 2025 Review
Date & Time: 2026-01-06T16:00:19

SentinelLABS reviews the major threat shifts of 2025, noting changes in operational approaches by threat actors, including North Korean monitoring of cyber threat intelligence platforms. This retrospective provides strategic context for 2026 defense planning.

Source: SentinelOne ↗
Introducing the Microsoft Defender Experts Suite: Elevate your security with expert-led services
Date & Time: 2026-01-06T17:00:00

Microsoft has launched the Defender Experts Suite to address the skills gap in cybersecurity. This managed service offering aims to support organizations facing AI-powered attacks with expert-led detection and response capabilities.

Source: Microsoft ↗
Dec Recap: New AWS Privileged Permissions and Services
Date & Time: 2026-01-06T11:36:39

A review of new AWS permissions released in December 2025 highlights the continued expansion of cloud privilege across identity, AI, and infrastructure services. This underscores the need for continuous cloud entitlement management.

Source: Sonrai Security ↗

VENDOR SPOTLIGHT

Spotlight Rationale: The current threat landscape features aggressive endpoint threats like the PHALT#BLYX (DCRat) campaign and the **RondoDox** botnet. These threats rely on execution on local endpoints and servers, making robust Endpoint Detection and Response (EDR) critical for stopping infection chains before data exfiltration occurs.

Threat Context: Fake Booking.com lures and BSoD scams spread DCRat

Platform Focus: CrowdStrike Falcon

CrowdStrike Falcon utilizes cloud-scale AI and behavioral analysis to detect threats that bypass traditional signature-based defenses. For campaigns like PHALT#BLYX, which use social engineering to trick users into executing malware (e.g., `staxs.exe`), Falcon's ability to identify and block malicious process trees and command-line arguments is essential for preventing the deployment of remote access trojans.

Actionable Platform Guidance: Ensure Falcon sensors are configured to "Block" on detection of known malware indicators and enable "Overwatch" for human threat hunting to catch novel variants of DCRat.

Source: CrowdStrike ↗

DETECTION & RESPONSE KIT

⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.

1. Vendor Platform Configuration - CrowdStrike Falcon

# CROWDSTRIKE FALCON ACTIONABLE GUIDANCE
# Status: SUCCESS (Confidence: 0.8)

# IMMEDIATE ACTIONS:
1. Verify Prevention Policies: Ensure 'Next-Gen Antivirus' prevention sliders are set to 'Aggressive' for Cloud Machine Learning and Sensor Machine Learning to catch DCRat variants.
2. Enable Script Control: Set Script-Based Execution Monitoring to 'Block' to prevent initial loader scripts often used in PHALT campaigns.
3. Review IOA Exclusions: Audit current exclusions to ensure paths like 'AppData\Roaming' (common DCRat drop location) are not whitelisted.

# VERIFICATION STEPS:
1. Run a 'Sensor Health' report to confirm all endpoints are checking in and running the latest agent version.
2. Use the 'Investigate' tab to search for recent executions of 'MSBuild.exe' launching from user profile directories, a common DCRat behavior.

2. YARA Rule for PHALT#BLYX / DCRat

rule PHALT_DCRat_Detection {
meta:
description = "Detects artifacts associated with PHALT#BLYX campaign delivering DCRat"
author = "Threat Rundown"
date = "2026-01-07"
reference = "https://securityaffairs.com/?p=186606"
severity = "high"
tlp = "white"
strings:
$s1 = "staxs.exe" ascii wide
$s2 = "MSBuild.exe" ascii wide
$s3 = "DCRat" ascii wide
$s4 = "PHALT" ascii wide
condition:
uint16(0) == 0x5A4D and
any of ($s*)
}

3. SIEM Query — D-Link Router Exploitation Attempt

index=security sourcetype="web_server_logs" OR sourcetype="firewall"
uri="*dnscfg.cgi*" OR uri="*command_injection*"
| eval risk_score=case(
match(uri, "dnscfg\\.cgi"), 100,
match(dest_port, "80") OR match(dest_port, "443"), 50,
1==1, 25)
| where risk_score >= 50
| table _time, src_ip, dest_ip, uri, user_agent, risk_score
| sort -_time

4. PowerShell Script — Check for DCRat Artifacts

$computers = "localhost", "SERVER01", "WKSTN01"
$indicators = @("staxs.exe")

foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
Write-Host "Checking $computer for DCRat artifacts..."
foreach ($ind in $indicators) {
# Check common persistence locations in User profiles
$found = Invoke-Command -ComputerName $computer -ScriptBlock {
param($file) Get-ChildItem -Path "C:\Users\*\AppData\Roaming" -Filter $file -Recurse -ErrorAction SilentlyContinue
} -ArgumentList $ind

if ($found) {
Write-Warning "ALERT: Found $ind on $computer at $($found.FullName)"
}
}
}
}

This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!

{ "type": "bundle", "id": "bundle--7f60aa98-7b95-4801-af56-5c52ca048bd3", "objects": [ { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487", "created": "2022-10-01T00:00:00.000Z", "definition_type": "tlp:2.0", "name": "TLP:CLEAR", "definition": { "tlp": "clear" } }, { "type": "identity", "spec_version": "2.1", "id": "identity--71d876ca-7203-4534-bb60-ddf228b15b6d", "created": "2026-01-07T11:09:06.922Z", "modified": "2026-01-07T11:09:06.922Z", "name": "MikeGPT Intelligence Platform", "description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds", "identity_class": "organization", "sectors": [ "technology", "defense" ], "contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "report", "spec_version": "2.1", "id": "report--af3b9841-9bdd-48dc-9af1-1d1810b380d4", "created": "2026-01-07T11:09:06.922Z", "modified": "2026-01-07T11:09:06.922Z", "name": "Threat Intelligence Report - 2026-01-07", "description": "Threat Intelligence Report - 2026-01-07\n\nThis report consolidates actionable cybersecurity intelligence from 86 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Fake Booking.com lures and BSoD scams spread DCRat in European hospitality sector (Score: 100)\n• Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers (Score: 100)\n• CERT/CC warns of critical, unfixed vulnerability in TOTOLINK EX200 (Score: 100)\n• RondoDox Botnet Operators Set React2Shell Flaw in Their Sights (Score: 100)\n• Phishing actors exploit complex routing and misconfigurations to spoof domains (Score: 100)\n\nEXTRACTED ENTITIES:\n• 34 Attack Pattern(s)\n• 12 File:Hashes.Md5(s)\n• 8 File:Hashes.Sha 1(s)\n• 1 Malware(s)\n• 1 Marking Definition(s)\n• 35 Relationship(s)\n• 5 Tool(s)\n• 6 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n", "published": "2026-01-07T11:09:06.922Z", "object_refs": [ "identity--71d876ca-7203-4534-bb60-ddf228b15b6d", "identity--91e4f85a-d9b4-4262-82ee-85b29bb6ba1c", "vulnerability--2c52f963-abfe-4465-a581-7ef4776df799", "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "vulnerability--d95868d7-4f07-4d84-b742-07ee4cf4adbf", "identity--d6d78394-a68a-4742-9c28-bc2485e0a1b5", "vulnerability--14a890fd-5d24-46d2-99f9-36f5a2ad8bda", "identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396", "tool--426bfb17-cff4-4d72-9a99-c94bd6712777", "identity--562e37e9-4a8b-4e03-bfb5-df3d48cdbac2", "vulnerability--767e17cd-6df9-4135-8c74-6e68d953a523", "identity--0f9dfab5-c9f5-4fef-b687-02b16bd9cd44", "identity--06b70d7b-8838-4176-9d1c-742c3c4155df", "identity--62522ca0-5df7-4a7f-b817-a969c39fad76", "vulnerability--b92231d2-d9b1-4177-ab65-401adc9a2c6d", "identity--cd5564af-2686-480b-9eca-798b85290b2b", "identity--e579f0b6-29fc-4f87-be26-0870951a61da", "vulnerability--917ec850-bbc9-485e-8c36-ae607a316032", "identity--2c215d10-edfc-4a4e-936f-40f93d0e2263", "tool--a9a2e871-880d-473a-93fd-4d14bc987a4b", "tool--08695f19-30d4-438f-a3fa-319d941fdcd5", "identity--7a9e545a-d22b-4107-8f1d-ca070a62a509", "tool--f99825c0-d4cc-40fa-af04-d1baab3de3dc", "tool--f9d3fdc3-b825-4a3f-b385-d6afc1d5ac3a", "identity--dd67e397-5b64-4c83-b664-7ebedce5c6cc", "identity--1efe2cc2-37e0-4de4-b1b0-6c81a9204c74", "identity--ef4d43e0-0814-4d13-84ac-caf32ed7ac67", "identity--79accbe4-46c4-48a4-a94d-19abddfa67ff", "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314", "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "attack-pattern--f33f5834-6a9a-4727-88a5-9d35eeba1cff", "attack-pattern--2d26e3d0-4bbf-44c3-aa9e-5aeab4937638", "attack-pattern--2c821981-fda2-4cb8-926c-6edd4905d65c", "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7", "attack-pattern--f1669470-d352-4943-bd4a-70c7740b6d39", "attack-pattern--06cf8802-38e4-4421-a699-33a0bae74d96", "attack-pattern--2e52cc86-c2ef-43d7-9f1e-2fc59c4845ee", "attack-pattern--943edc6f-c0f9-48f1-b8d4-4666aa0abae1", "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237", "attack-pattern--88428b3c-f02f-45b8-a38a-0541b2287509", "attack-pattern--0ec57ff0-0257-4287-888c-8f20c7e08c6b", "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e", "attack-pattern--239957f5-5ae1-4977-a451-144fae4a6361", "attack-pattern--a29578ca-547d-4c9a-acfd-6742cfae2f22", "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "attack-pattern--08294e9d-c1e2-46dc-9760-a3537ae37209", "attack-pattern--48a7a9f8-a5c6-444a-8cfb-bd9602d2d34e", "attack-pattern--5aff02b0-8030-4a6a-bc0c-3ddc61680683", "attack-pattern--26d99677-799b-44ed-bc54-5fef76cbc72c", "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d", "attack-pattern--b863fbfb-5683-4f21-8c51-9323c0303278", "attack-pattern--3785d15d-1c0c-4464-9200-10b744888e29", "attack-pattern--92b3199d-f7ae-4a4b-8699-1d01a6761923", "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "attack-pattern--dd0edf90-8f96-4a15-852b-ba611cd81716", "relationship--887c49a5-ebcf-4a8a-bbf4-d82f3c91fafb", "relationship--d9cf5587-d06e-41cb-8415-4ca9e926ab50", "relationship--bf97826d-8df2-4f78-9303-fe1e101bc8e3", "relationship--bdb4daf3-3330-4b1c-8e72-404e7cb9805e", "relationship--4942e91e-559c-4190-aa1e-f0913f242643", "relationship--98c0ba71-eaf7-4dda-8345-d5aea335cc90", "relationship--8d70a3f6-3583-43a2-844b-705e9bf84dc1", "relationship--89f75b54-e16a-41ae-9139-4f084f782aa6", "relationship--2422d700-3f67-4526-84ee-8f22e54b6e32", "relationship--48d965a9-faf9-430c-a19f-bf540085ee3a", "relationship--b346a880-2a1a-4502-8d33-bd78cae93df4", "relationship--8fcf03a4-2f0b-4d62-a19e-9471c7b46c95", "relationship--178cd0be-a46a-462f-ae47-a1dd552d302d", "relationship--c1b12d1e-7373-4438-b97e-928fb0e7c058", "relationship--1c65448a-8373-47d8-a897-ad59350a8202", "relationship--8c3bc180-793d-4960-95d1-80cc13181125", "relationship--4806ee8f-066a-4e4c-9495-51caca1f88bf", "relationship--043786ed-e41e-4cb1-9ef8-edcaa9309890", "relationship--af530012-5528-41e6-9215-7526c495ecf2", "relationship--b4e1cbcf-58aa-4a2f-9ec9-87323a7ee0fe", "relationship--a2f98cf3-a66d-4d35-85c2-6030f19d31a6", "relationship--d577df13-5c3a-4b63-ac47-9c968f699e5f", "relationship--3eeec31d-20cc-4f8d-ba8c-87c94f1c6a1d", "relationship--2ebac32d-16bb-4a42-8b25-ba5eaee7c979", "relationship--c0009343-74d7-414d-bf02-9de5c9db5795", "relationship--19a437dd-54b4-4ed9-9b9c-5747545039ef", "relationship--ec0fb0f4-ed48-4030-8eff-59a26cbe9e3d", "relationship--92bbad10-a6b2-482c-b416-fc9599c5af5d", "relationship--f3dbca97-00d6-4876-80e1-c6ed91fe706e", "relationship--1ebfd8a3-daf8-429a-9dbd-118f7f4ff52e", "relationship--329ed469-54e2-4a60-9160-88147271178c", "relationship--f23bdfdb-88db-4dc0-be71-dab5a6a44473", "relationship--f71639a1-e14c-4bd3-a37a-9c48152de04e", "relationship--f68a8965-fd95-403c-932a-76ca37088a82", "relationship--29e82579-4230-47c7-b678-f58cd0d102c6", "file:hashes.MD5--f390af8e-8a66-45f6-84b9-53042002cb27", "file:hashes.MD5--1859ff23-bade-47b5-ba4a-e5889c82a992", "file:hashes.MD5--20844f47-ee03-4e40-8458-b280f7681558", "file:hashes.MD5--a7e3edad-ebcd-4494-a50d-89a5669d36bd", "file:hashes.MD5--41a60aa4-7297-4022-a61c-9e0dc75199c1", "file:hashes.MD5--f62f10e0-0999-47f7-89bf-1e1a50fe9afb", "file:hashes.MD5--55066777-62d8-4d12-8dcf-4c0a0095fd34", "file:hashes.MD5--d4f7ab1d-fe76-4c62-8f4b-f5cf569dc76a", "file:hashes.MD5--ee5aa231-c902-440b-afeb-ed03bc95ad77", "file:hashes.MD5--55b3edbc-b897-4979-ad69-e24fbbb67c26", "file:hashes.MD5--86e08c8e-05be-4cc6-8d97-f4c14dcc74a7", "file:hashes.MD5--c1997959-0927-4fb6-b158-3d6d8e571000", "file:hashes.SHA-1--f5864eda-3286-403d-a96e-c9fa7985bc73", "file:hashes.SHA-1--c30c8089-ccb0-4b29-9150-ed0f2c1cf31a", "file:hashes.SHA-1--8ea8b2bf-0e59-4904-9900-0b969a9fe5bd", "file:hashes.SHA-1--e480ab39-395f-499d-9713-933d86406775", "file:hashes.SHA-1--3aa5c7dd-3de0-4d65-a4c1-ce320ba65448", "file:hashes.SHA-1--35ec1933-14e8-486e-93d7-ed4fafa31950", "file:hashes.SHA-1--018ea5e7-7b4e-456b-966e-1d31e1bf11b5", "file:hashes.SHA-1--231fd76b-c0c2-4ae8-862b-49a8d510bc44" ], "labels": [ "threat-report", "threat-intelligence" ], "created_by_ref": "identity--71d876ca-7203-4534-bb60-ddf228b15b6d", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.916Z", "modified": "2026-01-07T11:09:06.916Z", "confidence": 95, "type": "identity", "id": "identity--91e4f85a-d9b4-4262-82ee-85b29bb6ba1c", "name": "CERT/CC", "identity_class": "unknown", "labels": [ "identity" ], "description": "Computer Emergency Response Team Coordination Center", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.917Z", "confidence": 75, "type": "vulnerability", "id": "vulnerability--2c52f963-abfe-4465-a581-7ef4776df799", "name": "CVE-2025-65606", "description": "The flaw, CVE-2025-65606 (CVSS score: N/A), has been characterized as a fla...", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-65606", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-65606" }, { "source_name": "nvd", "external_id": "CVE-2025-65606", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65606" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.917Z", "confidence": 95, "type": "malware", "id": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "name": "RondoDox", "is_family": true, "malware_types": [ "bot" ], "labels": [ "malicious-activity" ], "description": "A botnet exploiting a vulnerability", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.917Z", "confidence": 89, "type": "vulnerability", "id": "vulnerability--d95868d7-4f07-4d84-b742-07ee4cf4adbf", "name": "React2Shell", "description": "React2Shell is a vulnerability in React Server Components that could lead to denial-of-service attacks or the exposure of source code. It is one of several recently discovered flaws in React Server Components, including CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779. React2Shell is considered a dangerous vulnerability that requires immediate attention from security teams to prevent exploitation by threat actors.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.917Z", "confidence": 95, "type": "identity", "id": "identity--d6d78394-a68a-4742-9c28-bc2485e0a1b5", "name": "the World Economic Forum", "identity_class": "unknown", "labels": [ "identity" ], "description": "International organization focused on global economic issues", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.917Z", "confidence": 80, "type": "vulnerability", "id": "vulnerability--14a890fd-5d24-46d2-99f9-36f5a2ad8bda", "name": "EX200", "description": "A wireless range extender model affected by a security flaw.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.917Z", "confidence": 95, "type": "identity", "id": "identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396", "name": "Google", "identity_class": "organization", "labels": [ "identity" ], "description": "Google is a company", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.917Z", "confidence": 95, "type": "tool", "id": "tool--426bfb17-cff4-4d72-9a99-c94bd6712777", "name": "Trusted Google Notifications Used", "tool_types": [ "unknown" ], "labels": [ "tool" ], "description": "A phishing campaign that abuses Google notifications.", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.917Z", "confidence": 95, "type": "identity", "id": "identity--562e37e9-4a8b-4e03-bfb5-df3d48cdbac2", "name": "TechRepublic", "identity_class": "unknown", "labels": [ "identity" ], "description": "Technology news website", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.917Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--767e17cd-6df9-4135-8c74-6e68d953a523", "name": "CVE-2025-47987", "description": "Heap-based buffer overflow in Windows Cred SSProvider Protocol allows an authorized attacker to elevate privileges locally.. CVSS Score: 7.8 (HIGH). EPSS: 0.1% exploitation probability", "x_cvss_score": 7.8, "x_cvss_severity": "HIGH", "x_kev_status": false, "x_epss_score": 0.00078, "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-47987", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47987" }, { "source_name": "nvd", "external_id": "CVE-2025-47987", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47987" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.917Z", "confidence": 95, "type": "identity", "id": "identity--0f9dfab5-c9f5-4fef-b687-02b16bd9cd44", "name": "Cybercrime Magazine", "identity_class": "unknown", "labels": [ "identity" ], "description": "Cybersecurity news and information website", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.917Z", "confidence": 95, "type": "identity", "id": "identity--06b70d7b-8838-4176-9d1c-742c3c4155df", "name": "Sausalito", "identity_class": "unknown", "labels": [ "identity" ], "description": "A cybersecurity-focused online publication", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.917Z", "confidence": 95, "type": "identity", "id": "identity--62522ca0-5df7-4a7f-b817-a969c39fad76", "name": "Non-Human Identities", "identity_class": "unknown", "labels": [ "identity" ], "description": "A cybersecurity news website", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.917Z", "confidence": 87, "type": "vulnerability", "id": "vulnerability--b92231d2-d9b1-4177-ab65-401adc9a2c6d", "name": "SecurityWeek", "description": "A vulnerability in MongoDB", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.917Z", "confidence": 95, "type": "identity", "id": "identity--cd5564af-2686-480b-9eca-798b85290b2b", "name": "D3 Security", "identity_class": "organization", "labels": [ "identity" ], "description": "D3 Security is a company", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.917Z", "confidence": 95, "type": "identity", "id": "identity--e579f0b6-29fc-4f87-be26-0870951a61da", "name": "Android", "identity_class": "unknown", "labels": [ "identity" ], "description": "Android is a company", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.917Z", "modified": "2026-01-07T11:09:06.918Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--917ec850-bbc9-485e-8c36-ae607a316032", "name": "CVE-2026-0625", "description": "Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution. The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants o. EPSS: 1.3% exploitation probability", "x_kev_status": false, "x_epss_score": 0.01348, "external_references": [ { "source_name": "cve", "external_id": "CVE-2026-0625", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0625" }, { "source_name": "nvd", "external_id": "CVE-2026-0625", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0625" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.918Z", "modified": "2026-01-07T11:09:06.918Z", "confidence": 95, "type": "identity", "id": "identity--2c215d10-edfc-4a4e-936f-40f93d0e2263", "name": "Koi Security", "identity_class": "organization", "labels": [ "identity" ], "description": "Koi Security is a cybersecurity company", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.918Z", "modified": "2026-01-07T11:09:06.918Z", "confidence": 95, "type": "tool", "id": "tool--a9a2e871-880d-473a-93fd-4d14bc987a4b", "name": "Windows Updates", "tool_types": [ "unknown" ], "labels": [ "tool" ], "description": "Windows Updates is a software component", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.918Z", "modified": "2026-01-07T11:09:06.918Z", "confidence": 95, "type": "tool", "id": "tool--08695f19-30d4-438f-a3fa-319d941fdcd5", "name": "Windows Credential Security Support Provider", "tool_types": [ "unknown" ], "labels": [ "tool" ], "description": "Windows Credential Security Support Provider is a software component", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.918Z", "modified": "2026-01-07T11:09:06.918Z", "confidence": 95, "type": "identity", "id": "identity--7a9e545a-d22b-4107-8f1d-ca070a62a509", "name": "CloudWatch", "identity_class": "unknown", "labels": [ "identity" ], "description": "Sonrai is a cybersecurity company", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.918Z", "modified": "2026-01-07T11:09:06.918Z", "confidence": 95, "type": "tool", "id": "tool--f99825c0-d4cc-40fa-af04-d1baab3de3dc", "name": "CloudFront", "tool_types": [ "unknown" ], "labels": [ "tool" ], "description": "CloudWatch is a cloud infrastructure service", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.918Z", "modified": "2026-01-07T11:09:06.918Z", "confidence": 95, "type": "tool", "id": "tool--f9d3fdc3-b825-4a3f-b385-d6afc1d5ac3a", "name": "Creators & Presenters", "tool_types": [ "unknown" ], "labels": [ "tool" ], "description": "CloudFront is a cloud infrastructure service", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.918Z", "modified": "2026-01-07T11:09:06.918Z", "confidence": 90, "type": "identity", "id": "identity--dd67e397-5b64-4c83-b664-7ebedce5c6cc", "name": "Daniel Weber", "identity_class": "unknown", "labels": [ "identity" ], "description": "Leon Trampert is an individual", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.918Z", "modified": "2026-01-07T11:09:06.918Z", "confidence": 90, "type": "identity", "id": "identity--1efe2cc2-37e0-4de4-b1b0-6c81a9204c74", "name": "Lukas Gerlach", "identity_class": "unknown", "labels": [ "identity" ], "description": "Daniel Weber is an individual", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.918Z", "modified": "2026-01-07T11:09:06.918Z", "confidence": 90, "type": "identity", "id": "identity--ef4d43e0-0814-4d13-84ac-caf32ed7ac67", "name": "Christian Rossow", "identity_class": "unknown", "labels": [ "identity" ], "description": "Lukas Gerlach is an individual", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.918Z", "modified": "2026-01-07T11:09:06.918Z", "confidence": 90, "type": "identity", "id": "identity--79accbe4-46c4-48a4-a94d-19abddfa67ff", "name": "Guardrails Make AI-Assisted Development Safer By Design", "identity_class": "unknown", "labels": [ "identity" ], "description": "Christian Rossow is an individual", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.918Z", "modified": "2026-01-07T11:09:06.918Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314", "name": "Remote Services", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" } ], "x_mitre_id": "T1021", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1021/", "external_id": "T1021" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.918Z", "modified": "2026-01-07T11:09:06.918Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "name": "Exploit Public-Facing Application", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1190", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1190/", "external_id": "T1190" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.918Z", "modified": "2026-01-07T11:09:06.918Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "name": "Exploitation for Client Execution", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1203", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1203/", "external_id": "T1203" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.918Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "name": "Spearphishing Attachment", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/001/", "external_id": "T1566.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "name": "Spearphishing Link", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/002/", "external_id": "T1566.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "name": "Spearphishing via Service", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.003", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/003/", "external_id": "T1566.003" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "name": "Command and Scripting Interpreter", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1059", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1059/", "external_id": "T1059" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--f33f5834-6a9a-4727-88a5-9d35eeba1cff", "name": "Abuse Elevation Control Mechanism", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" }, { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "x_mitre_id": "T1548", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1548/", "external_id": "T1548" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--2d26e3d0-4bbf-44c3-aa9e-5aeab4937638", "name": "Access Token Manipulation", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1134", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1134/", "external_id": "T1134" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--2c821981-fda2-4cb8-926c-6edd4905d65c", "name": "Lateral Tool Transfer", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" } ], "x_mitre_id": "T1570", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1570/", "external_id": "T1570" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7", "name": "Supply Chain Compromise", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1195", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1195/", "external_id": "T1195" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--f1669470-d352-4943-bd4a-70c7740b6d39", "name": "Compromise Software Supply Chain", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1195.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1195/002/", "external_id": "T1195.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--06cf8802-38e4-4421-a699-33a0bae74d96", "name": "System Information Discovery", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_id": "T1082", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1082/", "external_id": "T1082" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--2e52cc86-c2ef-43d7-9f1e-2fc59c4845ee", "name": "File and Directory Discovery", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_id": "T1083", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1083/", "external_id": "T1083" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--943edc6f-c0f9-48f1-b8d4-4666aa0abae1", "name": "Process Discovery", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_id": "T1057", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1057/", "external_id": "T1057" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237", "name": "Botnet", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1584.005", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1584/005/", "external_id": "T1584.005" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--88428b3c-f02f-45b8-a38a-0541b2287509", "name": "LSA Secrets", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_id": "T1003.004", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1003/004/", "external_id": "T1003.004" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--0ec57ff0-0257-4287-888c-8f20c7e08c6b", "name": "Cloud Secrets Management Stores", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_id": "T1555.006", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1555/006/", "external_id": "T1555.006" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e", "name": "Browser Extensions", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1176.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1176/001/", "external_id": "T1176.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--239957f5-5ae1-4977-a451-144fae4a6361", "name": "Software Extensions", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1176", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1176/", "external_id": "T1176" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--a29578ca-547d-4c9a-acfd-6742cfae2f22", "name": "Trap", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1546.005", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1546/005/", "external_id": "T1546.005" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "name": "Vulnerabilities", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1588.006", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1588/006/", "external_id": "T1588.006" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--08294e9d-c1e2-46dc-9760-a3537ae37209", "name": "Local Email Collection", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1114.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1114/001/", "external_id": "T1114.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--48a7a9f8-a5c6-444a-8cfb-bd9602d2d34e", "name": "Outlook Rules", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1137.005", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1137/005/", "external_id": "T1137.005" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--5aff02b0-8030-4a6a-bc0c-3ddc61680683", "name": "Outlook Forms", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1137.003", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1137/003/", "external_id": "T1137.003" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--26d99677-799b-44ed-bc54-5fef76cbc72c", "name": "Outlook Home Page", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1137.004", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1137/004/", "external_id": "T1137.004" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 84, "type": "attack-pattern", "id": "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d", "name": "Search Threat Vendor Data", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_id": "T1681", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1681/", "external_id": "T1681" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 83, "type": "attack-pattern", "id": "attack-pattern--b863fbfb-5683-4f21-8c51-9323c0303278", "name": "Exclusive Control", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1668", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1668/", "external_id": "T1668" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 74, "type": "attack-pattern", "id": "attack-pattern--3785d15d-1c0c-4464-9200-10b744888e29", "name": "Python Startup Hooks", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1546.018", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1546/018/", "external_id": "T1546.018" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--92b3199d-f7ae-4a4b-8699-1d01a6761923", "name": "Office Application Startup", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1137", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1137/", "external_id": "T1137" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "name": "Archive via Utility", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1560.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1560/001/", "external_id": "T1560.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "name": "Screen Capture", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1113", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1113/", "external_id": "T1113" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "name": "Adversary-in-the-Middle", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1557", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1557/", "external_id": "T1557" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2026-01-07T11:09:06.919Z", "modified": "2026-01-07T11:09:06.919Z", "confidence": 69, "type": "attack-pattern", "id": "attack-pattern--dd0edf90-8f96-4a15-852b-ba611cd81716", "name": "Python", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1059.006", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1059/006/", "external_id": "T1059.006" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--887c49a5-ebcf-4a8a-bbf4-d82f3c91fafb", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314", "confidence": 55, "description": "Co-occurrence: RondoDox and Remote Services (T1021) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d9cf5587-d06e-41cb-8415-4ca9e926ab50", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "confidence": 55, "description": "Co-occurrence: RondoDox and Exploit Public-Facing Application (T1190) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bf97826d-8df2-4f78-9303-fe1e101bc8e3", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "confidence": 55, "description": "Co-occurrence: RondoDox and Exploitation for Client Execution (T1203) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bdb4daf3-3330-4b1c-8e72-404e7cb9805e", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 55, "description": "Co-occurrence: RondoDox and Spearphishing Attachment (T1566.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4942e91e-559c-4190-aa1e-f0913f242643", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "confidence": 55, "description": "Co-occurrence: RondoDox and Spearphishing Link (T1566.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--98c0ba71-eaf7-4dda-8345-d5aea335cc90", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "confidence": 55, "description": "Co-occurrence: RondoDox and Spearphishing via Service (T1566.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8d70a3f6-3583-43a2-844b-705e9bf84dc1", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 55, "description": "Co-occurrence: RondoDox and Command and Scripting Interpreter (T1059) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--89f75b54-e16a-41ae-9139-4f084f782aa6", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--f33f5834-6a9a-4727-88a5-9d35eeba1cff", "confidence": 55, "description": "Co-occurrence: RondoDox and Abuse Elevation Control Mechanism (T1548) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2422d700-3f67-4526-84ee-8f22e54b6e32", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--2d26e3d0-4bbf-44c3-aa9e-5aeab4937638", "confidence": 55, "description": "Co-occurrence: RondoDox and Access Token Manipulation (T1134) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--48d965a9-faf9-430c-a19f-bf540085ee3a", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--2c821981-fda2-4cb8-926c-6edd4905d65c", "confidence": 55, "description": "Co-occurrence: RondoDox and Lateral Tool Transfer (T1570) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b346a880-2a1a-4502-8d33-bd78cae93df4", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7", "confidence": 55, "description": "Co-occurrence: RondoDox and Supply Chain Compromise (T1195) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8fcf03a4-2f0b-4d62-a19e-9471c7b46c95", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--f1669470-d352-4943-bd4a-70c7740b6d39", "confidence": 55, "description": "Co-occurrence: RondoDox and Compromise Software Supply Chain (T1195.002) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--178cd0be-a46a-462f-ae47-a1dd552d302d", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--06cf8802-38e4-4421-a699-33a0bae74d96", "confidence": 55, "description": "Co-occurrence: RondoDox and System Information Discovery (T1082) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c1b12d1e-7373-4438-b97e-928fb0e7c058", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--2e52cc86-c2ef-43d7-9f1e-2fc59c4845ee", "confidence": 55, "description": "Co-occurrence: RondoDox and File and Directory Discovery (T1083) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1c65448a-8373-47d8-a897-ad59350a8202", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--943edc6f-c0f9-48f1-b8d4-4666aa0abae1", "confidence": 55, "description": "Co-occurrence: RondoDox and Process Discovery (T1057) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8c3bc180-793d-4960-95d1-80cc13181125", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237", "confidence": 55, "description": "Co-occurrence: RondoDox and Botnet (T1584.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4806ee8f-066a-4e4c-9495-51caca1f88bf", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237", "confidence": 55, "description": "Co-occurrence: RondoDox and Botnet (T1583.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--043786ed-e41e-4cb1-9ef8-edcaa9309890", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--88428b3c-f02f-45b8-a38a-0541b2287509", "confidence": 55, "description": "Co-occurrence: RondoDox and LSA Secrets (T1003.004) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--af530012-5528-41e6-9215-7526c495ecf2", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--0ec57ff0-0257-4287-888c-8f20c7e08c6b", "confidence": 55, "description": "Co-occurrence: RondoDox and Cloud Secrets Management Stores (T1555.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b4e1cbcf-58aa-4a2f-9ec9-87323a7ee0fe", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--172f3845-7870-4c1c-80bd-251e10ce9f1e", "confidence": 55, "description": "Co-occurrence: RondoDox and Browser Extensions (T1176.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a2f98cf3-a66d-4d35-85c2-6030f19d31a6", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--239957f5-5ae1-4977-a451-144fae4a6361", "confidence": 55, "description": "Co-occurrence: RondoDox and Software Extensions (T1176) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d577df13-5c3a-4b63-ac47-9c968f699e5f", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--a29578ca-547d-4c9a-acfd-6742cfae2f22", "confidence": 55, "description": "Co-occurrence: RondoDox and Trap (T1546.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3eeec31d-20cc-4f8d-ba8c-87c94f1c6a1d", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "confidence": 55, "description": "Co-occurrence: RondoDox and Vulnerabilities (T1588.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2ebac32d-16bb-4a42-8b25-ba5eaee7c979", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--08294e9d-c1e2-46dc-9760-a3537ae37209", "confidence": 55, "description": "Co-occurrence: RondoDox and Local Email Collection (T1114.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c0009343-74d7-414d-bf02-9de5c9db5795", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--48a7a9f8-a5c6-444a-8cfb-bd9602d2d34e", "confidence": 55, "description": "Co-occurrence: RondoDox and Outlook Rules (T1137.005) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--19a437dd-54b4-4ed9-9b9c-5747545039ef", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--5aff02b0-8030-4a6a-bc0c-3ddc61680683", "confidence": 55, "description": "Co-occurrence: RondoDox and Outlook Forms (T1137.003) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ec0fb0f4-ed48-4030-8eff-59a26cbe9e3d", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--26d99677-799b-44ed-bc54-5fef76cbc72c", "confidence": 55, "description": "Co-occurrence: RondoDox and Outlook Home Page (T1137.004) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--92bbad10-a6b2-482c-b416-fc9599c5af5d", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--4e2f5b9a-cf3a-4ab7-9169-8362c52dd57d", "confidence": 55, "description": "Co-occurrence: RondoDox and Search Threat Vendor Data (T1681) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f3dbca97-00d6-4876-80e1-c6ed91fe706e", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--b863fbfb-5683-4f21-8c51-9323c0303278", "confidence": 55, "description": "Co-occurrence: RondoDox and Exclusive Control (T1668) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1ebfd8a3-daf8-429a-9dbd-118f7f4ff52e", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--3785d15d-1c0c-4464-9200-10b744888e29", "confidence": 55, "description": "Co-occurrence: RondoDox and Python Startup Hooks (T1546.018) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--329ed469-54e2-4a60-9160-88147271178c", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--92b3199d-f7ae-4a4b-8699-1d01a6761923", "confidence": 55, "description": "Co-occurrence: RondoDox and Office Application Startup (T1137) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f23bdfdb-88db-4dc0-be71-dab5a6a44473", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "confidence": 55, "description": "Co-occurrence: RondoDox and Archive via Utility (T1560.001) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f71639a1-e14c-4bd3-a37a-9c48152de04e", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "confidence": 55, "description": "Co-occurrence: RondoDox and Screen Capture (T1113) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f68a8965-fd95-403c-932a-76ca37088a82", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "confidence": 55, "description": "Co-occurrence: RondoDox and Adversary-in-the-Middle (T1557) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--29e82579-4230-47c7-b678-f58cd0d102c6", "created": "2026-01-07T11:09:06.920Z", "modified": "2026-01-07T11:09:06.920Z", "relationship_type": "uses", "source_ref": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322", "target_ref": "attack-pattern--dd0edf90-8f96-4a15-852b-ba611cd81716", "confidence": 55, "description": "Co-occurrence: RondoDox and Python (T1059.006) in same intelligence", "x_validation_method": "mitre-cooccurrence" }, { "type": "file:hashes.MD5", "value": "210600be82239d3cc845b993ef7713e2", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.MD5--f390af8e-8a66-45f6-84b9-53042002cb27" }, { "type": "file:hashes.MD5", "value": "242bc60a43eabeed6410fdb3e2428a3a", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.MD5--1859ff23-bade-47b5-ba4a-e5889c82a992" }, { "type": "file:hashes.MD5", "value": "297bec80a7bee340d10d4ea429909796", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.MD5--20844f47-ee03-4e40-8458-b280f7681558" }, { "type": "file:hashes.MD5", "value": "3ba7a49934b2f5fdb01e5ba157a66c98", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.MD5--a7e3edad-ebcd-4494-a50d-89a5669d36bd" }, { "type": "file:hashes.MD5", "value": "50608632718649bc00ab1edf5724a9af", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.MD5--41a60aa4-7297-4022-a61c-9e0dc75199c1" }, { "type": "file:hashes.MD5", "value": "6536ebe330f403aa8d574f45cb8e72cb", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.MD5--f62f10e0-0999-47f7-89bf-1e1a50fe9afb" }, { "type": "file:hashes.MD5", "value": "73a19307b88c0e9468b49ee3135be5f4", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.MD5--55066777-62d8-4d12-8dcf-4c0a0095fd34" }, { "type": "file:hashes.MD5", "value": "7a0c180b3fdc7fe574aaf9f6502d8496", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.MD5--d4f7ab1d-fe76-4c62-8f4b-f5cf569dc76a" }, { "type": "file:hashes.MD5", "value": "a98f4242a2281e1f32e51f0cfed391b0", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.MD5--ee5aa231-c902-440b-afeb-ed03bc95ad77" }, { "type": "file:hashes.MD5", "value": "b9719cea1bf4f95c7632975b82876f96", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.MD5--55b3edbc-b897-4979-ad69-e24fbbb67c26" }, { "type": "file:hashes.MD5", "value": "c0df8197455bae7b8a6ca2e835867a6a", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.MD5--86e08c8e-05be-4cc6-8d97-f4c14dcc74a7" }, { "type": "file:hashes.MD5", "value": "f022baae5f1873b46aaf2c5cc03e1e21", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.MD5--c1997959-0927-4fb6-b158-3d6d8e571000" }, { "type": "file:hashes.SHA-1", "value": "0287d785d44bb1cab51a6c3278a90c84de5f6a02", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.SHA-1--f5864eda-3286-403d-a96e-c9fa7985bc73" }, { "type": "file:hashes.SHA-1", "value": "0ba9196a71259d3a2ca0b5b92dba196d82fde0fc", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.SHA-1--c30c8089-ccb0-4b29-9150-ed0f2c1cf31a" }, { "type": "file:hashes.SHA-1", "value": "10a96be58694716d36b3f18835aa24dc2e964967", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.SHA-1--8ea8b2bf-0e59-4904-9900-0b969a9fe5bd" }, { "type": "file:hashes.SHA-1", "value": "2f42087269ba4138acddbab8537c9d80c4f8bea8", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.SHA-1--e480ab39-395f-499d-9713-933d86406775" }, { "type": "file:hashes.SHA-1", "value": "4b19500185e82a7454a046caba1c20678b2f6fad", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.SHA-1--3aa5c7dd-3de0-4d65-a4c1-ce320ba65448" }, { "type": "file:hashes.SHA-1", "value": "b8f3ff1cb8c1eb350767d07e2d88e329e5ff0807", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.SHA-1--35ec1933-14e8-486e-93d7-ed4fafa31950" }, { "type": "file:hashes.SHA-1", "value": "bd289ef73d5604939e6f157fba4a3f601ac22a93", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.SHA-1--018ea5e7-7b4e-456b-966e-1d31e1bf11b5" }, { "type": "file:hashes.SHA-1", "value": "c1cb2cb474cd2b5b9054e1fcfb6996a9d156e49e", "source": "OTX", "malware_families": [ "RondoDox" ], "pulse_names": [ "RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs" ], "id": "file:hashes.SHA-1--231fd76b-c0c2-4ae8-862b-49a8d510bc44" } ] }

Playbook for the Secure Enterprise

Industry Watch

CyberSecurity Latest Rundown

CRITICAL ITEMS

HIGH SEVERITY ITEMS

MEDIUM SEVERITY ITEMS

EXECUTIVE INSIGHTS

VENDOR SPOTLIGHT

DETECTION & RESPONSE KIT

Cookie Notice

STIX 2.1 Threat Intelligence Bundle

If you like MikeGPT CyberSecurity Newsletter, spread the word.