diff --git a/clusters/tidal-campaigns.json b/clusters/tidal-campaigns.json
index 6375c9e..996d30a 100644
--- a/clusters/tidal-campaigns.json
+++ b/clusters/tidal-campaigns.json
@@ -15,7 +15,10 @@
 "campaign_attack_id": "C0028",
 "first_seen": "2015-12-01T05:00:00Z",
 "last_seen": "2016-01-01T05:00:00Z",
- "source": "MITRE"
+ "source": "MITRE",
+ "tags": [
+ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
+ ]
 },
 "related": [],
 "uuid": "96e367d0-a744-5b63-85ec-595f505248a3",
@@ -27,7 +30,10 @@
 "campaign_attack_id": "C0025",
 "first_seen": "2016-12-01T05:00:00Z",
 "last_seen": "2016-12-01T05:00:00Z",
- "source": "MITRE"
+ "source": "MITRE",
+ "tags": [
+ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
+ ]
 },
 "related": [],
 "uuid": "06197e03-e1c1-56af-ba98-5071f98f91f1",
@@ -39,7 +45,10 @@
 "campaign_attack_id": "C0034",
 "first_seen": "2022-06-01T04:00:00Z",
 "last_seen": "2022-10-01T04:00:00Z",
- "source": "MITRE"
+ "source": "MITRE",
+ "tags": [
+ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
+ ]
 },
 "related": [],
 "uuid": "a79e06d1-df08-5c72-9180-2c373274f889",
@@ -103,6 +112,110 @@ "uuid": "d25f0485-fdf3-4b85-b2ec-53e98e215d0b", "value": "2023 Zoho ManageEngine APT Exploits" }, + { + "description": "AMBERSQUID is a \"cloud-native\" financially motivated threat operation that specifically leverages AWS services. Researchers estimated that AMBERSQUID cryptojacking activity could cost its victims more than $10,000 per day.[[Sysdig AMBERSQUID September 18 2023](/references/7ffa880f-5854-4b8a-83f5-da42c1c39345)]", + "meta": { + "campaign_attack_id": "C5031", + "first_seen": "2022-05-01T00:00:00Z", + "last_seen": "2023-03-31T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2e5f6e4a-4579-46f7-9997-6923180815dd", + "8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "cf42d51a-8002-4f04-a930-21c15115769f", + "value": "AMBERSQUID" + }, + { + "description": "In July 2024, U.S. cybersecurity authorities and international partners published Cybersecurity Advisory AA24-207A, which detailed North Korean state-sponsored cyber espionage activity likely intended to support the regime's military and nuclear development programs. The advisory focused on an actor group tracked as Andariel, Onyx Sleet, and APT45 and highlighted how this group has shifted from conducting destructive attacks to carrying out espionage operations that have been funded through ransomware. Where past destructive operations mainly targeted U.S. and South Korean entities, recent espionage attacks targeted various defense, aerospace, nuclear, and engineering organizations, while ransomware attacks targeted U.S. healthcare entities.\n\nAndariel actors gain initial access especially by exploiting software vulnerabilities, use widely available tools for discovery and privilege escalation, and leverage a wide range of custom as well as commodity malware. 
The advisory does not clearly identify the timeframe in which malicious activities were observed, although it discusses actors' exploits of vulnerabilities disclosed in 2017, 2019, and especially 2021, 2022, and 2023 and referenced public threat reporting published from March 2021 through May 2024.[[U.S. CISA Andariel July 25 2024](/references/b615953e-3c6c-4201-914c-4b75e45bb9ed)]", + "meta": { + "campaign_attack_id": "C5048", + "first_seen": "2021-03-01T00:00:00Z", + "last_seen": "2024-05-30T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "4f4744b0-8401-423c-9ed0-3cb2985d9fd3", + "ddfaecd0-bd3e-41ac-85c7-ca2156684343", + "0dbed83d-af67-4ce0-a1ee-16f1165fdc0f", + "6422a882-7606-4aa3-b994-f917f53c2ada", + "c1b123d2-ce58-4345-8482-d1da27b3c053", + "f166e59e-9877-4102-a39b-fae38df4b790", + "6a82d685-3f77-498d-91c3-a759292ec2da", + "a32a757a-9d6b-43ca-ac4b-5f695dd0f110", + "ac70560d-c3e7-4b40-a4d6-a3287e3d952b", + "75f62312-a7ee-4534-8c8a-e3b7366a3a4b", + "887d1cfe-d0c5-431c-8dce-0e1b9a2505aa", + "96eec53f-355c-406c-87ba-18c3be4c69a1", + "54fafdbe-1ea0-4f48-99ad-757c8fe50df2", + "35b334ec-4169-4898-ab90-487eea7feb69", + "4ac4e1b9-2192-47ac-a4d1-3a31aa0f2140", + "936a56f5-a4f1-42d8-83b7-c44399ead661", + "0d19ceed-28f6-4258-b365-f6e6f296121d", + "037cc75c-9683-49db-aaa8-c8142763bb87", + "ff71ed89-8355-4abc-9da4-eb4768a38c9c", + "6fade0a3-0c26-4a11-b81e-25d20e38bdd3", + "3b54d8a5-580f-43bf-a12d-8e011f953bad", + "0f6e72e1-ba8f-4d1d-920d-d8945a4fee59", + "7bbc5366-897a-4505-bc68-3a18e3d4cf44", + "4cd85398-c33a-4374-9a76-2bbf297cca63", + "5ec8231e-70e9-4675-b922-368bcb9e914a", + "21c64d34-e52a-42ba-a8c7-85aa82dc0b3f", + "cd9ab9e7-248f-4097-b120-a42834ce0f89", + 
"91ddbeac-b587-4978-a80d-543a5d96cb77", + "b8448700-7ed0-48b8-85f5-ed23e0d9ab97", + "12b074b9-6748-4ad7-880f-836cb80587e1", + "45f92502-0775-4fc6-8fcd-97b325ea49a9", + "cddb4563-fe90-4c72-be81-6256d175a698", + "69f278d7-194f-42d0-8f83-11de9f861264", + "f0c58aa3-5d21-4ade-95a0-b775dde7e8a3", + "5f9b1c23-81f8-4aa3-8d97-235302e77eec", + "d842c7ff-e3d3-4534-9ed7-283752f4bbe2", + "ecd84106-2a5b-4d25-854e-b8d1f57f6b75", + "7e6ef160-8e4f-4132-bdc4-9991f01c472e", + "532b7819-d407-41e9-9733-0d716b69eb17", + "e401022a-36ac-486d-8503-dd531410a927", + "173e1480-8d9b-49c5-854d-594dde9740d6", + "7551097a-dfdd-426f-aaa2-a2916dd9b873", + "c475ad68-3fdc-4725-8abc-784c56125e96", + "08809fa0-61b6-4394-b103-1c4d19a5be16", + "4ac8dcde-2665-4066-9ad9-b5572d5f0d28", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172" + ] + }, + "related": [], + "uuid": "458dc371-5dc2-4e6c-8157-3a872dd29726", + "value": "Andariel Espionage Activity" + }, + { + "description": "Threat actors, believed to be associated with the FIN7 financially motivated adversary group, stood up malicious hosting websites impersonating prominent brands in the financial services, technology/SaaS, and media sectors, then used paid web search advertisements to direct victims to these sites. 
Victims were then tricked into downloading malicious binaries, which ultimately led to the ingress of the NetSupport RAT and/or DiceLoader (aka Lizar) malware (these latter tools are known to be used for a range of persistent access and malware ingress purposes).[[Esentire 5 8 2024](/references/67c3a7ed-e2e2-4566-aca7-61e766f177bf)]", + "meta": { + "campaign_attack_id": "C5038", + "first_seen": "2024-04-01T00:00:00Z", + "last_seen": "2024-04-30T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "2b869157-0b66-42fc-8ead-171160412660", + "value": "April 2024 FIN7 Malvertising Campaign" + }, { "description": "In April 2023, U.S. and UK cybersecurity authorities released joint Cybersecurity Advisory AA23-108, which detailed a campaign by Russia-backed APT28 to compromise vulnerable routers running Cisco Internetworking Operating System (IOS). Actors collected device information and conducted further network reconnaissance on victims “worldwide”, including U.S. government institutions, 250 Ukrainian entities, and “a small number” of victims elsewhere in Europe. Adversary activity occurred over an unspecified timeframe in 2021.\n\nActors exploited CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017, and used default authentication strings to gain initial access to devices and subsequently gather router information, such as router interface details. In some cases, authorities observed actors deploying Jaguar Tooth, a malicious software bundle consisting of a series of payloads and patches. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated, backdoor access to victim systems.[[U.S. 
CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]\n\nIn addition to behavioral observations, the Advisory also provided mitigation recommendations and indicators of compromise, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108).\n\n**Related Vulnerabilities**: CVE-2017-6742[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]", "meta": { 
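Review bot: The three added descriptions cite their sources with site-relative paths (`[[Sysdig AMBERSQUID September 18 2023](/references/7ffa880f-5854-4b8a-83f5-da42c1c39345)]`), while the MITRE-sourced entries later in this file use absolute `https://app.tidalcyber.com/references/…` links, so any consumer rendering the description markdown outside the Tidal app gets dead links for the Tidal-authored entries only. Either use the absolute form in the new entries or document in the repository that relative reference paths are intentional. The reference labels within this hunk also follow two conventions (`Esentire 5 8 2024` vs `U.S. CISA Andariel July 25 2024`); a single `Source Month DD YYYY` style would make citations easier to match against the references cluster. The Andariel entry is a good model: its description states explicitly that the `first_seen`/`last_seen` window is derived from reporting dates rather than observed activity.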
@@ -178,6 +291,54 @@ "uuid": "80ae546a-70e5-4427-be1d-e74efc428ffd", "value": "APT29 TeamCity Exploits" }, + { + "description": "On July 8, 2024, international authorities published an advisory (CISA Alert AA24-190A) that detailed recent activity associated with APT40, a Chinese state-sponsored cyber espionage group. The advisory covers observed attacks on Australian organizations, but the group has been recently active elsewhere (Tidal metadata shows observed activity historically across East/Southeast Asia, the Middle East, Europe, and North America). The advisory emphasized that the recently published TTPs are relevant for defenders at organizations “globally”.\n\nThe advisory spotlighted the group's efforts to compromise outdated small-office/home-office (SOHO) routers via vulnerability exploits, using the routers as infrastructure to carry out further attacks. However, the advisory also summarized a range of other Techniques not previously associated with APT40, which were used at phases across the attack chain, including for persistence, credential access, lateral movement, collection, and exfiltration.[[U.S. 
CISA APT40 July 8 2024](/references/3bf90a48-caf6-4b9d-adc2-3d1176f49ffc)]", + "meta": { + "campaign_attack_id": "C5047", + "first_seen": "2022-04-01T00:00:00Z", + "last_seen": "2022-09-30T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "758c3085-2f79-40a8-ab95-f8a684737927", + "1dc8fd1e-0737-405a-98a1-111dd557f1b5", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "375983b3-6e87-4281-99e2-1561519dd17b", + "3ed2343c-a29c-42e2-8259-410381164c6a", + "a46c422c-5dad-49fc-a4ac-169a075a4d9a", + "2eeef0b4-08b5-4d25-84f7-25d41fe6305b", + "64d3f7d8-30b7-4b03-bee2-a6029672216c", + "7e6ef160-8e4f-4132-bdc4-9991f01c472e", + "b20e7912-6a8d-46e3-8e13-9a3fc4813852" + ] + }, + "related": [], + "uuid": "3db5682a-0b99-4653-b487-bd0d30292a19", + "value": "APT40 Recent Tradecraft" + }, + { + "description": "In July 2024, security researchers publicized a campaign attributed to Chinese state-sponsored espionage group APT41, where actors gained and maintained long-term access to various organizations' networks in multiple sectors around the world. Victims belonged to the shipping/logistics, media, entertainment, technology, and automotive industries and were located in western Europe, the Middle East, and East and Southeast Asia. Actors used a combination of red teaming tools, publicly available software, and custom malware for persistence, command and control, data collection, and exfiltration to Microsoft OneDrive accounts. 
The intrusions were notable for featuring the reemergence of DUSTPAN, a dropper not observed since a series of older APT41 compromises in 2021 & 2022.[[Mandiant APT41 July 18 2024](/references/34ee3a7c-27c0-492f-a3c6-a5a3e86915f0)]", + "meta": { + "campaign_attack_id": "C5049", + "first_seen": "2023-03-21T00:00:00Z", + "last_seen": "2024-07-16T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "ea6266fd-50a7-4223-ade3-e60c3467f540", + "value": "APT41 2023-2024 Persistence & Exfiltration Activity" + }, { "description": "ArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). ASAs are network devices that combine firewall, VPN, and other functionality. The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]\n\nResearchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)] The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]", "meta": { 
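Review bot: The APT40 entry sets `"first_seen": "2022-04-01T00:00:00Z"` and `"last_seen": "2022-09-30T00:00:00Z"`, but its description mentions only the July 2024 advisory and "recent" activity, so a reader cannot tell where the 2022 window comes from. If the window reflects case studies in the advisory, add a sentence saying so (as the Andariel entry in this same change does for its window); otherwise the dates read like a copy-over from another object. The APT41 entry's description does anchor its window to the cited report and needs no change.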
@@ -201,6 +362,102 @@ "uuid": "ccc6401a-b79f-424b-8617-3c2d55475584", "value": "ArcaneDoor" }, + { + "description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker used exposed cloud credentials to gain access to an AWS environment and ultimately collect and exfiltrate data before deleting files and leaving a ransom note extorting the victim to recover the stolen data.[[Www.invictus-ir.com 1 11 2024](/references/5e2a0756-d8f6-4359-9ca3-1e96fb8b5ac9)]", + "meta": { + "campaign_attack_id": "C5035", + "first_seen": "2024-01-01T00:00:00Z", + "last_seen": "2024-01-01T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2e5f6e4a-4579-46f7-9997-6923180815dd", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "9779935d-e316-4482-bec8-3d0704a26dc0", + "value": "AWS Data Theft & Ransom Attack" + }, + { + "description": "Security researchers observed adversary activity that involved deployment of hundreds of AWS ECS Fargate clusters used to run XMRig cryptomining software. 
Researchers assessed that the activity was likely part of a wider campaign involving potentially hundreds of thousands of environments.[[Datadog ECS January 19 2024](/references/7e4e44a7-b079-41af-b41d-176ba7e99563)]", + "meta": { + "campaign_attack_id": "C5032", + "first_seen": "2023-12-01T00:00:00Z", + "last_seen": "2024-01-19T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2e5f6e4a-4579-46f7-9997-6923180815dd", + "8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "a94a5919-953e-4607-aaa4-dfccf6d938b5", + "value": "AWS Fargate Cryptojacking Activity" + }, + { + "description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker was able to steal AWS Lambda credentials, use them to execute various API calls and enumerate various cloud services, and ultimately perform a cloud-based phishing attack, which reportedly cost the target organization considerable financial damage.[[Unit 42 12 8 2022](/references/e7a4a0cf-ffa2-48cc-9b21-a2333592c773)]", + "meta": { + "campaign_attack_id": "C5033", + "first_seen": "2022-05-20T00:00:00Z", + "last_seen": "2022-05-20T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2e5f6e4a-4579-46f7-9997-6923180815dd", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "64bddb9e-8bb4-481e-851a-0ddd7ba34615", + "value": "AWS Lambda Credential Theft & Phishing Attack" + }, + { + "description": "Adversaries used email bombing and subsequent voice phishing to convince target users into granting the actors remote access to victim systems via legitimate tools including AnyDesk and the built-in Windows Quick Assist utility. 
The actors then used malicious remote access tools to access other assets within compromised environments, in some cases followed by deployment of Black Basta ransomware.[[Rapid7 Blog 5 10 2024](/references/ba749fe0-1ac7-4767-85df-97e6351c37f9)][[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]", + "meta": { + "campaign_attack_id": "C5037", + "first_seen": "2024-04-15T00:00:00Z", + "last_seen": "2024-05-15T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "b6ce227e-7240-4591-a8b9-641822c1f9f4", + "value": "Black Basta Operator Social Engineering Campaign" + }, + { + "description": "This object represents observed pre-attack, initial access, execution, and other techniques used to distribute Bumblebee malware in 2023 and early 2024. 
Further background & contextual details can be found in the References tab below, and additional techniques associated with the technical mechanics of Bumblebee binaries can be found in the relevant Software object.", + "meta": { + "campaign_attack_id": "C5029", + "first_seen": "2023-03-01T00:00:00Z", + "last_seen": "2024-02-01T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "0e3a0fa7-78eb-4820-9881-d62b04fe6f92", + "value": "Bumblebee Distribution Campaigns 2023-24" + }, { "description": "[C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researcher assess UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. [C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) began by at least late 2020, and was still ongoing as of mid-2022.[[Mandiant UNC3890 Aug 2022](https://app.tidalcyber.com/references/7b3fda0b-d327-4f02-bebe-2b8974f9959d)]", "meta": { 
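Review bot: Two entries use identical `first_seen`/`last_seen` values that match neither an incident date in the description nor the cited report's date: C5035 has `2024-01-01` for both (report labelled `1 11 2024`) and C5033 has `2022-05-20` for both (report labelled `12 8 2022`). Consumers will read identical timestamps as a precise one-day incident; if the reports give no window, say so in the description (e.g. `Incident timing is not specified in the source; dates are approximate.`) or use the publication date consistently, as the Fargate entry's `last_seen` appears to. The Bumblebee entry's description also carries no `[[…]]` citation, unlike every other entry in this hunk, so its 2023-03 to 2024-02 window cannot be traced from the object itself.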
@@ -350,6 +607,24 @@
 "uuid": "f20c935b-e0c5-4941-b710-73cf06dd2b4a",
 "value": "Clop MOVEit Transfer Vulnerability Exploitation"
 },
+ {
+ "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
+ "meta": {
+ "campaign_attack_id": "C5026",
+ "first_seen": "2023-11-14T00:00:00Z",
+ "last_seen": "2023-11-24T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "fe28cf32-a15c-44cf-892c-faa0360d6109",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "bbbdc2a2-bd7e-4251-a064-b7f4997ac2a4",
+ "value": "Cloudflare Thanksgiving 2023 security incident"
+ },
 {
 "description": "[CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. [CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]",
 "meta": {
@@ -370,6 +645,7 @@
 "last_seen": "2024-02-01T05:00:00Z",
 "source": "MITRE",
 "tags": [
+ "fe984a01-910d-4e39-9c49-179aa03f75ab",
 "9768aada-9d63-4d46-ab9f-d41b8c8e4010",
 "758c3085-2f79-40a8-ab95-f8a684737927",
 "af5e9be5-b86e-47af-91dd-966a5e34a186",
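Review bot: The new C5026 entry's description is the generic template text (`This object represents a collection of MITRE ATT&CK® Techniques and other objects … related to the specified threat activity.`) with no `[[…]]` citation, so the only information about the incident is the `value` string. One sentence stating what the object covers plus a reference link, as the neighbouring Clop and CostaRicto entries have, would make it usable outside the Tidal UI. The description's pointer to a "References tab" also has no counterpart in this JSON; pointing at the references cluster by link is more durable.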
@@ -385,6 +661,24 @@
 "uuid": "4e605e33-57fe-5bb2-b0ad-ec146aac041b",
 "value": "Cutting Edge"
 },
+ {
+ "description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker gained initial access to an AWS environment using an \"accidentally exposed long term access key belonging to an IAM user\". The actor persisted for approximately a month and ultimately used their access to carry out limited cryptomining acitivty, conduct phishing and spam email attacks via AWS SES, and establish domains for further phishing/spam campaigns.[[Www.invictus-ir.com 1 31 2024](/references/803a084a-0468-4c43-9843-a0b5652acdba)]",
+ "meta": {
+ "campaign_attack_id": "C5034",
+ "first_seen": "2024-01-01T00:00:00Z",
+ "last_seen": "2024-01-31T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2e5f6e4a-4579-46f7-9997-6923180815dd",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "8ee9d9f1-9906-4f0d-a4a7-0e6ed1aa4069",
+ "value": "DangerDev AWS Attack"
+ },
 {
 "description": "German and South Korean cybersecurity authorities published an advisory highlighting recent attempts by North Korea-linked cyber actors to target enterprises and research centers in the defense sector. The advisory detailed a supply chain attack, attributed to an unnamed threat group, in which actors compromised a company that maintained a defense sector research center's web servers, then used stolen SSH credentials to remotely access the research center's network. The actors then used various methods to evade defenses, including impersonating security staff, deployed malware via a patch management system, and stole account information and email contents before being evicted from the network.[[BfV North Korea February 17 2024](/references/cc76be15-6d9d-40b2-b7f3-196bb0a7106a)]",
 "meta": {
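Review bot: Typo in the new C5034 description: `limited cryptomining acitivty` should read `limited cryptomining activity`. Otherwise the entry is well formed: the quoted root cause (an exposed long-term IAM user access key) is the detail defenders need, and the month-long `first_seen`/`last_seen` window matches the description's "approximately a month".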
@@ -412,6 +706,7 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "89c5b94b-ecf4-4d53-9b74-3465086d4565",
 "2743d495-7728-4a75-9e5f-b64854039792",
 "ecd84106-2a5b-4d25-854e-b8d1f57f6b75",
 "a6ba64e1-4b4a-4bbd-a26d-ce35c22b2530",
@@ -447,6 +742,41 @@ "uuid": "94587edf-0292-445b-8c66-b16629597f1e", "value": "FunnyDream" }, + { + "description": "U.S. cybersecurity authorities released an advisory that warned of recent attacks targeting healthcare entities and providers, which leveraged social engineering techniques for initial access and ultimately led to financial theft. The attacks used voice phishing and phishing domains, and sometimes bypassed multi-factor authentication measures, to gain footholds. Actors often used information gathered through extensive reconnaissance to facilitate these efforts.\n\nActors then used \"living off the land\" (LOTL) techniques to persist stealthily in compromised environments. Ultimately, actors sought to modify patient automated clearinghouse (ACH) account information to divert payments to actor-controlled bank accounts. The advisory did not attribute the recent campaign to a named adversary group.[[FBI Social Engineering Attacks June 24 2024](/references/527ac41a-a65e-4cf9-a9c9-194443b37c5b)]", + "meta": { + "campaign_attack_id": "C5042", + "first_seen": "2023-08-01T00:00:00Z", + "last_seen": "2024-06-24T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "e551ae97-d1b4-484e-9267-89f33829ec2c" + ] + }, + "related": [], + "uuid": "1610257c-e2fc-4b05-bd63-5c2cbfb2342e", + "value": "Healthcare Social Engineering & Payment Diversion Activity" + }, + { + "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. 
Further background & contextual details can be found in the References tab below.", + "meta": { + "campaign_attack_id": "C5025", + "first_seen": "2023-05-01T00:00:00Z", + "last_seen": "2023-12-12T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "d1244338-85dd-4650-989a-9df8020860b9", + "value": "HPE Midnight Blizzard Office 365 Email Exfiltration" + }, { "description": "In November 2022, U.S. cybersecurity authorities released Cybersecurity Advisory AA22-320A, which detailed an incident response engagement at an unspecified U.S. Federal Civilian Executive Branch organization. Authorities assessed that the network compromise was carried out by unspecified Iranian government-sponsored advanced persistent threat (APT) actors. The actors achieved initial network access by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. Post-exploit activities included installing XMRig crypto mining software and executing Mimikatz to harvest credentials, as well as moving laterally to the domain controller and implanting Ngrok reverse proxies on multiple hosts to maintain persistence.\n\nAdditional details, including incident response guidance and relevant mitigations, can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a).[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]\n\n**Related Vulnerabilities**: CVE-2021-44228[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]", "meta": { 
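Review bot: The C5025 description is the same template text used elsewhere in this change and has no `[[…]]` citation, so nothing in the object body says what `HPE Midnight Blizzard Office 365 Email Exfiltration` refers to or where the `2023-05-01` to `2023-12-12` window comes from. One sentence restating the activity named in `value` plus a reference link, as the neighbouring C5042 entry has, would make the object self-describing. The C5042 entry itself reads well and correctly notes that the advisory names no adversary group.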
@@ -486,6 +816,9 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "3ed2343c-a29c-42e2-8259-410381164c6a",
+ "375983b3-6e87-4281-99e2-1561519dd17b",
+ "64d3f7d8-30b7-4b03-bee2-a6029672216c",
 "5e7433ad-a894-4489-93bc-41e90da90019",
 "7e7b0c67-bb85-4996-a289-da0e792d7172",
 "15787198-6c8b-4f79-bf50-258d55072fee",
@@ -505,7 +838,7 @@
 "value": "Iranian IRGC Data Extortion Operations"
 },
 {
- "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to joint Cybersecurity Advisory AA24-060B, which detailed recent exploits of vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) affecting Ivanti Connect Secure and Policy Secure VPN and gateway appliances by unspecified threat actors. Further background & contextual details can be found in the References tab below.",
+ "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Cutting Edge\" (Campaign). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n\nThis object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to joint Cybersecurity Advisory AA24-060B, which detailed recent exploits of vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) affecting Ivanti Connect Secure and Policy Secure VPN and gateway appliances by unspecified threat actors. Further background & contextual details can be found in the References tab below.",
 "meta": {
 "campaign_attack_id": "C5017",
 "first_seen": "2023-12-01T00:00:00Z",
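Review bot: The deprecation notice for C5017 points readers to the MITRE "Cutting Edge" object only in prose; its `related` array (visible as `"related": []` in the next hunk) stays empty, so tooling consuming this galaxy cannot follow the supersession. Consider adding a `related` entry to the Cutting Edge UUID that appears in this diff, e.g. `{"dest-uuid": "4e605e33-57fe-5bb2-b0ad-ec146aac041b", "type": "similar"}` (or whichever relationship type this galaxy already uses), so the redirect survives future edits to the description text. The leading `*…*` emphasis and the `\n\n\n` run also assume a markdown renderer; plain-text consumers will show the asterisks literally.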
@@ -527,7 +860,24 @@ }, "related": [], "uuid": "c2544d1d-3c99-4601-86fe-8b62020aaffc", - "value": "Ivanti Gateway Vulnerability Exploits" + "value": "Ivanti Gateway Vulnerability Exploits (Deprecated)" + }, + { + "description": "JOKERSPY (aka REF9134) was an intrusion involving a Python-based backdoor, which was used to deploy a malicious macOS-based enumeration tool called Swiftbelt and other open-source tools.[[elastic.co 6 21 2023](/references/42c40ec8-f46a-48fa-bd97-818e3d3d320e)]", + "meta": { + "campaign_attack_id": "C5036", + "first_seen": "2023-05-31T00:00:00Z", + "last_seen": "2023-06-01T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "c44d9a29-3025-40b3-8c12-45390597cc0f", + "value": "JOKERSPY Intrusion" }, { "description": "In July 2023, U.S. Cybersecurity & Infrastructure Security Agency authorities released Cybersecurity Advisory AA23-201A, which detailed an observed exploit of a zero-day vulnerability (CVE-2023-3519) affecting NetScaler (formerly Citrix) Application Delivery Controller (\"ADC\") and NetScaler Gateway appliances. According to the Advisory, the exploitation activity occurred in June 2023, and the victim (an undisclosed entity in the critical infrastructure sector) reported it in July 2023.[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)] Citrix acknowledged the reported exploit of the vulnerability, which enables unauthenticated remote code execution, and released a patch on July 18, 2023.[[Citrix Bulletin CVE-2023-3519](/references/245ef1b7-778d-4df2-99a9-b51c95c57580)]\n\nAfter achieving initial access via exploit of CVE-2023-3519, threat actors dropped a web shell on the vulnerable ADC appliance, which was present on a non-production environment. 
The web shell enabled subsequent information discovery on the victim's Active Directory (\"AD\"), followed by collection and exfiltration of AD-related data. The actors also attempted lateral movement to a domain controller, but the Advisory indicated that network segementation controls for the ADC appliance blocked this attempted activity.[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)] Separately, in a blog on CVE-2023-3519 exploit investigations released the day after the CISA Advisory, Mandiant indicated that the type of activity observed is \"consistent with previous operations by China-nexus actors\".[[Mandiant CVE-2023-3519 Exploitation](/references/4404ed65-3020-453d-8c51-2885018ba03b)]\n\n**Related Vulnerabilities**: CVE-2023-3519[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]", 
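Review bot: Renaming `value` to `Ivanti Gateway Vulnerability Exploits (Deprecated)` changes the cluster's display name, and if this file is consumed as a MISP galaxy (as the `clusters/` path suggests) tags of the form `misp-galaxy:<type>="<value>"` are derived from `value`, so events already tagged with the old name stop resolving to this cluster even though `uuid` is unchanged. If the goal is to signal deprecation, a dedicated flag in `meta` (or the galaxy's existing revocation convention, if one exists) preserves tag resolution while still conveying status. The new JOKERSPY entry is fine as data; its one-day `2023-05-31` to `2023-06-01` window would benefit from being stated as approximate in the description, since the cited report is dated June 21.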
@@ -567,6 +917,75 @@ "uuid": "f4225d6a-8734-401f-aa2a-1a73c23b16e6", "value": "LockBit Affiliate Citrix Bleed Exploits" }, + { + "description": "The DFIR Report researchers reported about activity taking place in May 2023, which saw an adversary, attributed to FIN11 and Lace Tempest, achieve initial access into a victim environment via a spearphishing email, leading to the download of Truebot malware. Several other tools and malware were then subsequently used to move laterally, discover and collect victim information, exfiltrate it, and ultimately deploy a wiper. These included: FlawedGrace, Cobalt Strike, Impacket, various native utilities, and MBR Killer. In total, the activity lasted for 29 hours.[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]", + "meta": { + "campaign_attack_id": "C5021", + "first_seen": "2023-05-01T00:00:00Z", + "last_seen": "2023-05-31T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "f74885c3-c39b-4db4-ab4f-2990929450a2", + "value": "May 2023 Exfiltration & Wiper Activity (Truebot + FlawedGrace + MBR Killer)" + }, + { + "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. 
Further background & contextual details can be found in the References tab below.", + "meta": { + "campaign_attack_id": "C5027", + "first_seen": "2023-11-30T00:00:00Z", + "last_seen": "2024-01-12T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "4c01ad48-6a09-462a-abf4-24ba0a4cea56", + "value": "Microsoft Midnight Blizzard Breach" + }, + { + "description": "Researchers observed a campaign that took place in the latter half of 2021, apparently directed at individuals representing financial and political figures in Palestine and Tukery, that used malicious, macro-based Microsoft Office files to compromise victim systems with the aim of installing a .NET-based backdoor tool. Researchers attributed the activity to the Molerats APT group.[[Zscaler Molerats Campaign](/references/3b39e73e-229f-4ff4-bec3-d83e6364a66e)]", + "meta": { + "campaign_attack_id": "C5022", + "first_seen": "2021-07-01T00:00:00Z", + "last_seen": "2021-12-01T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "f1922702-2c16-496e-9d21-f32fc9c6daee", + "value": "Molerats 2021 Backdoor Delivery Campaign" + }, + { + "description": "This object represents a collection of MITRE ATT&CK® Techniques related to multiple incidents attributed to the North Korean actor group Moonstone Sleet that took place from August 2023 through May 2024. 
Attacks targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, and are believed to have been carried out for both financial gain and espionage purposes.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]", + "meta": { + "campaign_attack_id": "C5039", + "first_seen": "2023-08-01T00:00:00Z", + "last_seen": "2024-05-28T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "6e63729b-6483-4a87-923c-2de179a32f17", + "value": "Moonstone Sleet Operations" + }, { "description": "[Night Dragon](https://app.tidalcyber.com/campaigns/85f136b3-d5a3-4c4c-a37c-40e4418dc989) was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[[McAfee Night Dragon](https://app.tidalcyber.com/references/242d2933-ca2b-4511-803a-454727a3acc5)]", "meta": { 
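Review bot: The new "Microsoft Midnight Blizzard Breach" object ships a generic description ("This object represents a collection of MITRE ATT&CK® Techniques ...") with no inline citation, while every sibling added in this hunk (Truebot, Molerats, Moonstone Sleet) cites its source with a `[[...](/references/<uuid>)]` link, so the object's provenance is invisible in the data itself even if it is present in the references tab. Adding at least one citation to that description would match the rest of the file. Separately, the Molerats description has a typo: `Palestine and Tukery` should read `Palestine and Turkey`.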
@@ -579,6 +998,24 @@ "uuid": "85f136b3-d5a3-4c4c-a37c-40e4418dc989", "value": "Night Dragon" }, + { + "description": "According to details published by Okta Security, threat actors gained unauthorized access to Okta’s customer support management system from September 28 to October 17, 2023. Initial access to the system was believed to have been achieved after an employee signed into a personal cloud account on their Okta-managed laptop and saved the legitimate credentials for an Okta service account into that cloud profile. Okta Security believes the personal cloud account was most likely compromised (through unspecified means), exposing the Okta service account credentials.\n\nAfter gaining access to the Okta customer support management system using the valid service account credentials, the threat actor accessed HTTP Archive (HAR) files provided by Okta customers, which can contain cookies and session tokens. Okta indicated that the threat actor used session tokens compromised during the incident to hijack the legitimate Okta sessions of at least five customers. The threat actor is also believed to have run and downloaded a report that contained the names and email addresses of all Okta customer support system users. 
Considering that customers’ names and email addresses were downloaded, Okta Security indicated that they assessed there is an increased risk of phishing and social engineering attacks directed at those users following the incident.[[Okta HAR Files Incident Notice](/references/14855034-494e-477d-8c91-fc534fd7790d)][[Okta HAR Files RCA](/references/742d095c-9bd1-4f4a-8bc6-16db6d15a9f4)][[Okta HAR Files Incident Update](/references/5e09ab9c-8cb2-49f5-b65f-fd5447e71ef4)]", + "meta": { + "campaign_attack_id": "C5023", + "first_seen": "2023-09-28T00:00:00Z", + "last_seen": "2023-10-17T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "fe28cf32-a15c-44cf-892c-faa0360d6109", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "a11d1575-5487-41cd-83b5-1601aa9d5487", + "value": "Okta Customer Support Security Incident" + }, { "description": "\"Operation Bearded Barbie\" was a suspected AridViper (aka APT-C-23/Desert Falcon) campaign that appeared to target Israeli individuals, especially \"high-profile\" defense, law enforcement, and other government service personnel. The campaign heavily relied upon social engineering techniques, including the use of well-developed social media personas, aimed at tricking targets into installing backdoors for Windows and Android devices. The campaign appeared to be motivated by information collection for espionage purposes.[[Cybereason Operation Bearded Barbie April 5 2022](/references/7d71b7c9-531e-4e4f-ab85-df2380555b7a)]", "meta": { @@ -586,7 +1023,11 @@ "first_seen": "2022-03-01T00:00:00Z", "last_seen": "2022-04-01T00:00:00Z", "owner": "TidalCyberIan", - "source": "Tidal Cyber" + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] }, "related": [], "uuid": "0496e076-1813-4f51-86e6-8f551983e8f8", 
@@ -652,6 +1093,23 @@ "uuid": "f741ed36-2d52-40ae-bbdc-70722f4071c7", "value": "Operation Honeybee" }, + { + "description": "Operation In(ter)ception refers to a series of threat activities attributed to Lazarus Group dating back to at least late 2019. Operation In(ter)ception campaigns are considered a sub-component of broader Lazarus Group espionage activities known as Operation Dream Job. Operation In(ter)ception attacks typically feature social engineering lures containing fake job vacany announcements for cryptocurrency companies. They are designed to ultimately infect targets with macOS malware.[[SentinelOne 9 26 2022](/references/973a110c-f1cd-46cd-b92b-5c7d8e7492b1)]", + "meta": { + "campaign_attack_id": "C5040", + "first_seen": "2019-12-01T00:00:00Z", + "last_seen": "2022-09-26T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "9637ff1e-803e-47f7-b808-f4d1ef6fd500", + "value": "Operation In(ter)ception" + }, { "description": "[Operation Sharpshooter](https://app.tidalcyber.com/campaigns/57e858c8-fd0b-4382-a178-0165d03aa8a9) was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. 
Security researchers noted the campaign shared many similarities with previous [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) operations, including fake job recruitment lures and shared malware code.[[McAfee Sharpshooter December 2018](https://app.tidalcyber.com/references/96b6d012-8620-4ef5-bf9a-5f88e465a495)][[Bleeping Computer Op Sharpshooter March 2019](https://app.tidalcyber.com/references/84430646-6568-4288-8710-2827692a8862)][[Threatpost New Op Sharpshooter Data March 2019](https://app.tidalcyber.com/references/2361b5b1-3a01-4d77-99c6-261f444a498e)] ", "meta": { 
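Review bot: The Operation In(ter)ception description has a typo on the new line, `fake job vacany announcements` should read `fake job vacancy announcements`. The object's `"last_seen": "2022-09-26T00:00:00Z"` is also the date of the cited SentinelOne report rather than a stated end of activity, so consumers plotting timelines from `first_seen`/`last_seen` will read a reporting date as an observation date; if that is this file's convention, a short clause in the description such as `last_seen reflects the publication date of the cited report` would keep it from being over-interpreted.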
@@ -725,6 +1183,100 @@ "uuid": "71f6d3b1-c45e-421c-99cb-3b695647cf0b", "value": "Pikabot Distribution Campaigns 2023" }, + { + "description": "Researchers observed a campaign, with activity occurring between March and at least June 2024, where multiple discrete threat actor clusters used similar social engineering techniques to trick users into copying and executing PowerShell scripts, which ultimately led to malware deployment on the victim's system. Payloads included droppers, RATs, and information stealer malware.\n\nInitial contact with the victim occurred through both malspam email campaigns and web browser injects, which would trigger a popup claiming an error occurred when trying to open a document or webpage. The popup would prompt the user to run a script in the PowerShell terminal or Windows Run dialog box. Researchers attributed these campaigns to TA571, an initial access broker, a known intrusion set (ClearFake), and a newer group dubbed ClickFix.[[Proofpoint June 17 2024](/references/a65d7492-04a4-46d4-85ed-134786c6828b)][[BleepingComputer Fake Chrome Errors June 17 2024](/references/6efa70e3-d8eb-4260-b0ab-62335681e6fd)]", + "meta": { + "campaign_attack_id": "C5045", + "first_seen": "2024-03-01T00:00:00Z", + "last_seen": "2024-06-07T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "9864ed5a-0633-4c04-85f1-728d3ff37e82", + "value": "PowerShell User Execution Social Engineering Campaign (TA571, ClearFake, ClickFix)" + }, + { + "description": "A collections of TTPs associated with a phishing-based campaign that resulted in QakBot deployments. 
The campaign comes about four months after the reported disruption of QakBot distribution networks in an international law enforcement operation.[[K7 QakBot Returns January 4 2024](/references/5cb5e645-b77b-4bd1-a742-c8f53f234713)]", + "meta": { + "campaign_attack_id": "C5024", + "first_seen": "2023-12-11T00:00:00Z", + "last_seen": "2024-01-04T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "e809d252-12cc-494d-94f5-954c49eb87ce", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "6292123a-3d7e-4e8e-8ff0-daa7868433b7", + "value": "QakBot January 2024 Campaign" + }, + { + "description": "Independent investigators reported details about a response to a compromise involving Quantum ransomware. The date of the attack was not disclosed, but the incident was reported in April 2022. IcedID was used to gain an initial foothold, Cobalt Strike and RDP were leveraged for lateral movement, and WMI and PsExec were used to deploy the ransomware payload. 
The incident was described as \"one of the fastest ransomware cases\" the investigators had handled, with domain-wide encryption occurring within four hours of initial access.[[The DFIR Report April 25 2022](/references/2e28c754-911a-4f08-a7bd-4580f5283571)]", + "meta": { + "campaign_attack_id": "C5043", + "first_seen": "2022-04-01T00:00:00Z", + "last_seen": "2022-04-25T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "a9bef150-04e6-41f2-9f94-069f9912f5e3", + "value": "Quantum Ransomware Compromise" + }, + { + "description": "Researchers have observed an evolution in Scattered Spider's/UNC3944's TTPs since the second half of 2023, with actors especially focusing on gaining wide access to victim SaaS environments for reconnaissance, data theft, and subsequent extortion purposes. 
This object reflects the MITRE ATT&CK® Techniques associated with this activity.[[Google Cloud June 13 2024](/references/161423a2-165d-448f-90e9-0c53e319a125)]\n\nNotable Techniques newly associated with Scattered Spider via this Campaign object include Forge Web Credentials: SAML Tokens (T1606.002), Impair Defenses: Disable or Modify Tools (T1562.001), Indicator Removal: Clear Windows Event Logs (T1070.001), Software Discovery: Security Software Discovery (T1518.001), and Pre-OS Boot: System Firmware (T1542.001).", + "meta": { + "campaign_attack_id": "C5041", + "first_seen": "2023-08-13T00:00:00Z", + "last_seen": "2024-06-13T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "fe28cf32-a15c-44cf-892c-faa0360d6109", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "43f29c00-437f-43f3-8d69-052a06f1a2eb", + "value": "Scattered Spider TTP Evolution - SaaS Targeting" + }, + { + "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to recently reported attacks that featured exploits of recently disclosed vulnerabilities in the ConnectWise ScreenConnect utility (CVE-2024-1709 and CVE-2024-1708, aka \"SlashAndGrab\"). 
Several of the observed attacks saw the ingress of various malicious tools, including suspected ransomware.\n\nFurther background & contextual details can be found in the References tab below.", + "meta": { + "campaign_attack_id": "C5028", + "first_seen": "2024-02-19T00:00:00Z", + "last_seen": "2024-02-23T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", + "d431939f-2dc0-410b-83f7-86c458125444", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "e727eaa6-ef41-4965-b93a-8ad0c51d0236", + "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "365150b8-94ed-4d43-895e-fb07d0a8a7cd", + "value": "ScreenConnect Vulnerability Exploit Attacks" + }, { "description": "The [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) was a sophisticated supply chain cyber operation conducted by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) that was discovered in mid-December 2020. [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. 
Industry reporting initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[[SolarWinds Advisory Dec 2020](https://app.tidalcyber.com/references/4e8b908a-bdc5-441b-bc51-98dfa87f6b7a)][[SolarWinds Sunburst Sunspot Update January 2021](https://app.tidalcyber.com/references/1be1b6e0-1b42-4d07-856b-b6321c17bb88)][[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)][[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)][[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)][[Unit 42 SolarStorm December 2020](https://app.tidalcyber.com/references/ecbb602a-2427-5eba-8c2b-25d90c95f166)][[Microsoft Analyzing Solorigate Dec 2020](https://app.tidalcyber.com/references/8ad72d46-ba2c-426f-bb0d-eb47723c8e11)][[Microsoft Internal Solorigate Investigation Blog](https://app.tidalcyber.com/references/66cade99-0040-464c-98a6-bba57719f0a4)] \n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447), Cozy Bear, and The Dukes.[[NSA Joint Advisory SVR SolarWinds April 2021](https://app.tidalcyber.com/references/43d9c469-1d54-454b-ba67-74e7f1de9c10)][[UK NSCS Russia SolarWinds April 2021](https://app.tidalcyber.com/references/f49e6780-8caa-4c3c-8d68-47a2cc4319a1)][[Mandiant UNC2452 APT29 April 2022](https://app.tidalcyber.com/references/5276508c-6792-56be-b757-e4b495ef6c37)] The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number were compromised by follow-on 
[APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) activity on their systems.[[USG Joint Statement SolarWinds January 2021](https://app.tidalcyber.com/references/336a6549-a95d-5763-bbaf-5ef0d3141800)] ", "meta": { @@ -733,6 +1285,7 @@ "last_seen": "2021-01-01T06:00:00Z", "source": "MITRE", "tags": [ + "fe28cf32-a15c-44cf-892c-faa0360d6109", "f2ae2283-f94d-4f8f-bbde-43f2bed66c55" ] }, 
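Review bot: The Quantum Ransomware object states that "The date of the attack was not disclosed", yet its metadata asserts `"first_seen": "2022-04-01T00:00:00Z"` and `"last_seen": "2022-04-25T00:00:00Z"`, the latter matching the cited DFIR Report date, so the window is a reporting window presented as an observation window with no marker that says so. Either the description should say the dates are derived from the report, or the fields should be left out if the schema permits absence, so downstream timelines do not treat them as observed activity. Also on the new lines, the QakBot description opens with `A collections of TTPs`, which should read `A collection of TTPs`.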
@@ -740,17 +1293,95 @@ "uuid": "8bde8146-0656-5800-82e6-e24e008e4f4a", "value": "SolarWinds Compromise" }, + { + "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.", + "meta": { + "campaign_attack_id": "C5030", + "first_seen": "2024-02-26T00:00:00Z", + "last_seen": "2024-02-27T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "55fe6e08-96df-41a0-bfa9-555c6b4ce623", + "value": "TA577 NTLM Credential Theft Attacks" + }, { "description": "[Triton Safety Instrumented System Attack](https://app.tidalcyber.com/campaigns/6c7185e1-bd46-5a80-9a76-a376b16fbc7b) was a campaign employed by [TEMP.Veles](https://app.tidalcyber.com/groups/3a54b8dc-a231-4db8-96da-1c0c1aa396f6) which leveraged the [Triton](https://app.tidalcyber.com/software/) malware framework against a petrochemical organization.[[Triton-EENews-2017](https://app.tidalcyber.com/references/5cc54d85-ee53-579d-a8fb-9b54b3540dc0)] The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.[[FireEye TRITON 2018](https://app.tidalcyber.com/references/bfa5886a-a7f4-40d1-98d0-c3358abcf265)] The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.[[FireEye TRITON 2017](https://app.tidalcyber.com/references/597a4d8b-ffb2-4551-86db-b319f5a5b707)]\n", "meta": { "campaign_attack_id": "C0030", "first_seen": "2017-06-01T04:00:00Z", "last_seen": "2017-08-01T04:00:00Z", - "source": "MITRE" + "source": "MITRE", + "tags": [ + "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" + ] }, "related": [], "uuid": "6c7185e1-bd46-5a80-9a76-a376b16fbc7b", 
"value": "Triton Safety Instrumented System Attack" + }, + { + "description": "Researchers observed suspected \"China-nexus\" actor Velvet Ant exploiting CVE-2024-20399 in Cisco Nexus network switch devices in order to upload and execute \"previously unknown custom malware\" on the devices' operating systems. Researchers first observed \"zero-day\" exploit activity in the wild at an undisclosed point \"during the past year\", and after they shared the findings, Cisco acknowledged the vulnerability in an advisory published on July 1, 2024.\n\nThe vulnerability's overall risk is mitigated by the fact that it requires valid administrator-level credentials and network access to the target switch for successful exploitation. However, researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as means of network access and persistence, since those appliances \"are often not sufficiently protected and monitored\". This exploit campaign was discovered as part of a larger investigation into Velvet Ant, which was previously observed targeting F5 load balancer devices for persistence.[[The Hacker News Velvet Ant Cisco July 2 2024](/references/e3949201-c949-4126-9e02-34bfad4713c0)][[Sygnia Velvet Ant July 1 2024](/references/a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b)]", + "meta": { + "campaign_attack_id": "C5046", + "first_seen": "2023-07-01T00:00:00Z", + "last_seen": "2024-07-01T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "72bc70fa-3979-4d3b-a0e9-b9ebebcf2a38", + "a98d7a43-f227-478e-81de-e7299639a355", + "a159c91c-5258-49ea-af7d-e803008d97d3", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "bcf6bb5b-443f-4adb-ab6b-f864ea27614d", + "value": "Velvet Ant Cisco Network Switches Exploit Activity (CVE-2024-20399)" + }, + { + "description": "This object reflects the tools & TTPs associated with a campaign attributed to Velvet Ant, a 
suspected \"China-nexus\" state-sponsored threat group. Researchers believe the actor managed to maintain extremely prolonged access to a victim network – residing and remaining active there for around three years – notably by abusing a legacy, internet-exposed F5 BIG-IP load balancer appliance as an internal command and control mechanism. Researchers assess the intrusion was carried out for espionage purposes.[[Sygnia Velvet Ant June 17 2024](/references/5c313af4-61a8-449d-a6c7-f7ead6c72e19)][[BleepingComputer Velvet Ant June 17 2024](/references/70235e47-f8bb-4d16-9933-9f4923f08f5d)]", + "meta": { + "campaign_attack_id": "C5044", + "first_seen": "2020-12-01T00:00:00Z", + "last_seen": "2023-12-01T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "a159c91c-5258-49ea-af7d-e803008d97d3", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "b78565ce-8eec-49ad-b762-8d2107fa9ce7", + "value": "Velvet Ant F5 BIG-IP Espionage Activity" + }, + { + "description": "A suspected affiliate of the Zloader operation carried out attacks mainly affecting financial institutions. Intrusions typically came via drive-by compromise and initiallly saw the installation of the Atera software, which was then used to load Zloader, and in some cases, Ursnif.[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]", + "meta": { + "campaign_attack_id": "C5020", + "first_seen": "2020-10-01T00:00:00Z", + "last_seen": "2022-04-13T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "ebec1bf0-e06c-48b2-adeb-fc0669306bc8", + "39357cc1-dbb1-49e4-9fe0-ff24032b94d5", + "e7681e16-9106-4d0a-a915-9958989161a3", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "396e073e-76d7-4fcf-97b4-9343d0a0b819", + "value": "Zloader & Ursnif Affiliate Campaign 2020-22" } ], "version": 1 
diff --git a/clusters/tidal-groups.json b/clusters/tidal-groups.json
index 5aeb492..b3b4666 100644
--- a/clusters/tidal-groups.json
+++ b/clusters/tidal-groups.json
@@ -9,6 +9,37 @@ "type": "groups", "uuid": "877cdc4b-3392-4353-a7d4-2e46d40e5936", "values": [ + { + "description": "This object represents the behaviors associated with operators of 8Base ransomware, who may or may not operate as a cohesive unit. Behaviors associated with samples of 8Base ransomware are represented in the \"8Base Ransomware\" Software object.\n \nThe 8Base ransomware operation began claiming significant numbers of victims on its data leak site in June 2023, including organizations in a range of sectors. Researchers have observed considerable similarities between aspects of 8Base's operations and those of other ransomware groups, leading them to suspect that 8Base may be an evolution or offshoot of existing operations. The language in 8Base's ransom notes is similar to the language seen in RansomHouse's notes, and there is strong overlap between the code of Phobos ransomware and 8Base.[[VMWare 8Base June 28 2023](/references/573e9520-6181-4535-9ed3-2338688a8e9f)][[Acronis 8Base July 17 2023](/references/c9822477-1578-4068-9882-41e4d6eaee3f)]", + "meta": { + "group_attack_id": "G5030", + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Automotive", + "Construction", + "Financial Services", + "Healthcare", + "Hospitality Leisure", + "Manufacturing", + "Non Profit", + "Technology" + ] + }, + "related": [], + "uuid": "00b45c13-d165-44d0-ad6b-99787d2a7ce3", + "value": "8Base Ransomware Actors" + }, { "description": "[admin@338](https://app.tidalcyber.com/groups/8567136b-f84a-45ed-8cce-46324c7da60e) is a China-based cyber threat group. 
It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as [PoisonIvy](https://app.tidalcyber.com/software/1d87a695-7989-49ae-ac1a-b6601db565c3), as well as some non-public backdoors. [[FireEye admin@338](https://app.tidalcyber.com/references/f3470275-9652-440e-914d-ad4fc5165413)]", "meta": { @@ -23,7 +54,12 @@ "Financial Services" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b", + "type": "similar" + } + ], "uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "value": "admin@338" }, 
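Review bot: The 8Base description refers readers to the `"8Base Ransomware" Software object` by display name only while `"related": []` stays empty, so the link between the actor object and the software object exists only in prose; a `related` entry pointing at that software object's uuid (`{ "dest-uuid": "<8base-software-uuid>", "type": "<relationship-type>" }`, with the type chosen from whatever this file uses for group-to-software links) would make it resolvable. The same description also contains `\n \n` where every other object uses `\n\n`, leaving a stray space on the blank line.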
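Review bot: The new `related` entry for admin@338 carries only `dest-uuid` and `type`, and the target uuid is not defined in this file, so nothing in the diff shows that it resolves; the same applies to the `similar` links added for APT1, APT16, APT17 and APT18 in the later hunks of this file. A dangling-reference check across the galaxy clusters before merge would catch a mistyped uuid, which otherwise fails silently at consumption time. If other `related` entries in these clusters carry a `tags` array (for example an estimative-language likelihood tag), the new entries should match that shape rather than introducing a second one.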
@@ -100,7 +136,7 @@
 "value": "Akira"
 },
 {
- "description": "This Group object reflects the tools & TTPs used by threat actors known to deploy Akira, a ransomware family that researchers believe has been used since at least March 2023.[[TrendMicro Akira October 5 2023](/references/8f45fb21-c6ad-4b97-b459-da96eb643069)] Researchers assess that the Akira operation relates to and possibly derives from the Conti ransomware operation (by way of the Royal ransomware operation).[[GitHub ransomware_map](/references/d995f4b2-3262-4c37-855a-61aef7d7b8a8)]\n\nTTPs associated with the Akria ransomware binary itself can be found in the separate \"Akira Ransomware\" Software object.",
+ "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Akira\" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n\nThis Group object reflects the tools & TTPs used by threat actors known to deploy Akira, a ransomware family that researchers believe has been used since at least March 2023.[[TrendMicro Akira October 5 2023](/references/8f45fb21-c6ad-4b97-b459-da96eb643069)] Researchers assess that the Akira operation relates to and possibly derives from the Conti ransomware operation (by way of the Royal ransomware operation).[[GitHub ransomware_map](/references/d995f4b2-3262-4c37-855a-61aef7d7b8a8)]\n\nTTPs associated with the Akria ransomware binary itself can be found in the separate \"Akira Ransomware\" Software object.",
 "meta": {
 "group_attack_id": "G5021",
 "observed_countries": [
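Review bot: The deprecation notice names the successor MITRE "Akira" group object only in prose, while the object's `"related": []` (visible as unchanged context in the `@@ -155,7 +191,7 @@` hunk that appends "(Deprecated)" to the value) gets no link to it, even though this same commit adds `"type": "similar"` relations for admin@338, APT1, APT16, APT17 and APT18. Adding `{ "dest-uuid": "<mitre-akira-group-uuid>", "type": "similar" }` there would let tooling follow the deprecation instead of relying on a name match. Two smaller points on the new line: the notice is separated by `\n\n\n` where the rest of the file uses `\n\n`, and the pre-existing `Akria ransomware binary` typo is carried over and could be fixed while the string is being edited.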
@@ -155,7 +191,7 @@ }, "related": [], "uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", - "value": "Akira Ransomware Actors" + "value": "Akira Ransomware Actors (Deprecated)" }, { "description": "[Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46) has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. [Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46)'s notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.[[FSI Andariel Campaign Rifle July 2017](https://app.tidalcyber.com/references/bde61ee9-16f9-4bd9-a847-5cc9df21335c)][[IssueMakersLab Andariel GoldenAxe May 2017](https://app.tidalcyber.com/references/10a21964-d31f-40af-bf32-5ccd7d8c99a2)][[AhnLab Andariel Subgroup of Lazarus June 2018](https://app.tidalcyber.com/references/bbc66e9f-98f9-4e34-b568-2833ea536f2e)][[TrendMicro New Andariel Tactics July 2018](https://app.tidalcyber.com/references/b667eb44-8c2f-4319-bc93-f03610214b8b)][[CrowdStrike Silent Chollima Adversary September 2021](https://app.tidalcyber.com/references/835283b5-af3b-4baf-805e-da8ebbe8b5d2)]\n\n[Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46) is considered a sub-set of [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08), and has been attributed to North Korea's Reconnaissance General Bureau.[[Treasury North Korean Cyber Groups September 2019](https://app.tidalcyber.com/references/54977bb2-2929-41d7-bdea-06d39dc76174)]\n\nNorth Korean group definitions are known to have significant 
overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.", 
@@ -166,37 +202,105 @@ "BR", "CA", "CN", + "FR", "DE", "IN", "IL", "JP", "KR", + "NG", "NO", "PH", "RO", "RU", "SE", + "GB", "US", "VN" ], "observed_motivations": [ "Cyber Espionage", - "Destruction" + "Destruction", + "Financial Gain" ], "source": "MITRE", + "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "4f4744b0-8401-423c-9ed0-3cb2985d9fd3", + "ddfaecd0-bd3e-41ac-85c7-ca2156684343", + "0dbed83d-af67-4ce0-a1ee-16f1165fdc0f", + "6422a882-7606-4aa3-b994-f917f53c2ada", + "c1b123d2-ce58-4345-8482-d1da27b3c053", + "f166e59e-9877-4102-a39b-fae38df4b790", + "6a82d685-3f77-498d-91c3-a759292ec2da", + "a32a757a-9d6b-43ca-ac4b-5f695dd0f110", + "ac70560d-c3e7-4b40-a4d6-a3287e3d952b", + "75f62312-a7ee-4534-8c8a-e3b7366a3a4b", + "887d1cfe-d0c5-431c-8dce-0e1b9a2505aa", + "96eec53f-355c-406c-87ba-18c3be4c69a1", + "54fafdbe-1ea0-4f48-99ad-757c8fe50df2", + "35b334ec-4169-4898-ab90-487eea7feb69", + "4ac4e1b9-2192-47ac-a4d1-3a31aa0f2140", + "936a56f5-a4f1-42d8-83b7-c44399ead661", + "0d19ceed-28f6-4258-b365-f6e6f296121d", + "037cc75c-9683-49db-aaa8-c8142763bb87", + "ff71ed89-8355-4abc-9da4-eb4768a38c9c", + "6fade0a3-0c26-4a11-b81e-25d20e38bdd3", + "3b54d8a5-580f-43bf-a12d-8e011f953bad", + "0f6e72e1-ba8f-4d1d-920d-d8945a4fee59", + "7bbc5366-897a-4505-bc68-3a18e3d4cf44", + "4cd85398-c33a-4374-9a76-2bbf297cca63", + "5ec8231e-70e9-4675-b922-368bcb9e914a", + "21c64d34-e52a-42ba-a8c7-85aa82dc0b3f", + "cd9ab9e7-248f-4097-b120-a42834ce0f89", + "91ddbeac-b587-4978-a80d-543a5d96cb77", + "b8448700-7ed0-48b8-85f5-ed23e0d9ab97", + "12b074b9-6748-4ad7-880f-836cb80587e1", + "45f92502-0775-4fc6-8fcd-97b325ea49a9", + "cddb4563-fe90-4c72-be81-6256d175a698", + "69f278d7-194f-42d0-8f83-11de9f861264", + "f0c58aa3-5d21-4ade-95a0-b775dde7e8a3", + "5f9b1c23-81f8-4aa3-8d97-235302e77eec", + 
"d842c7ff-e3d3-4534-9ed7-283752f4bbe2", + "ecd84106-2a5b-4d25-854e-b8d1f57f6b75", + "7e6ef160-8e4f-4132-bdc4-9991f01c472e", + "532b7819-d407-41e9-9733-0d716b69eb17", + "e401022a-36ac-486d-8503-dd531410a927", + "173e1480-8d9b-49c5-854d-594dde9740d6", + "7551097a-dfdd-426f-aaa2-a2916dd9b873", + "c475ad68-3fdc-4725-8abc-784c56125e96", + "08809fa0-61b6-4394-b103-1c4d19a5be16", + "4ac8dcde-2665-4066-9ad9-b5572d5f0d28", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172" + ], "target_categories": [ "Aerospace", "Agriculture", "Casinos Gambling", + "Chemical", "Defense", + "Education", "Energy", "Financial Services", "Government", "Healthcare", + "Insurance", + "Legal", "Media", + "Nuclear", "Pharmaceuticals", + "Retail", "Technology", - "Travel Services" + "Telecommunications", + "Transportation", + "Travel Services", + "Utilities" ] }, "related": [], @@ -237,6 +341,7 @@ "LV", "NL", "SE", + "UA", "AE", "US" ], @@ -314,7 +419,12 @@ "Transportation" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be", + "type": "similar" + } + ], "uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "value": "APT1" }, @@ -356,7 +466,12 @@ "Technology" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1f73e14f-b882-4032-a565-26dc653b0daf", + "type": "similar" + } + ], "uuid": "06a05175-0812-44f5-a529-30eba07d1762", "value": "APT16" }, @@ -388,7 +503,12 @@ "Technology" ] }, - "related": [], + "related": [ + { + "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", + "type": "similar" + } + ], "uuid": "5f083251-f5dc-459a-abfc-47a1aa7f5094", "value": "APT17" }, @@ -406,7 +526,12 @@ "Technology" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c", + "type": "similar" + } + ], "uuid": "a0c31021-b281-4c41-9855-436768299fe7", "value": "APT18" }, 
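Review bot: The `similar` link added for APT17 targets `99e30d89-9361-4b73-a999-9e5ff9320bcb`, which is also the destination given for Axiom in a later hunk; the same many-to-one pattern appears for APT19 and Deep Panda (`066d25c1-71bd-4bd4-8ca7-edbba00063f4`) and for Carbanak and FIN7 (`00220228-a5a4-4032-a30d-826bb55aa3fb`). Given the documented overlaps between those group pairs this may well be intended, but a consumer pivoting from the destination cluster will now resolve to two objects in this galaxy, so please confirm each pair is a deliberate choice rather than a copy of the neighbouring entry. If the two sides of a pair differ in confidence, MISP galaxy relations can carry an estimative-language tag to express that rather than presenting both as equally "similar".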
@@ -432,7 +557,12 @@
 "Telecommunications"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
+ "type": "similar"
+ }
+ ],
 "uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439",
 "value": "APT19"
 },
@@ -545,6 +675,7 @@
 ],
 "source": "MITRE",
 "tags": [
+ "fe28cf32-a15c-44cf-892c-faa0360d6109",
 "6070668f-1cbd-4878-8066-c636d1d8659c",
 "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
 "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
@@ -574,7 +705,12 @@
 "Utilities"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754",
+ "type": "similar"
+ }
+ ],
 "uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "value": "APT28"
 },
@@ -664,7 +800,12 @@
 "Video Games"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
+ "type": "similar"
+ }
+ ],
 "uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "value": "APT29"
 },
@@ -723,7 +864,12 @@
 "Media"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
+ "type": "similar"
+ }
+ ],
 "uuid": "be45ff95-6c74-4000-bc39-63044673d82f",
 "value": "APT30"
 },
@@ -761,7 +907,12 @@
 "Technology"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "aa29ae56-e54b-47a2-ad16-d3ab0242d5d7",
+ "type": "similar"
+ }
+ ],
 "uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
 "value": "APT32"
 },
@@ -783,12 +934,21 @@
 "Cyber Espionage"
 ],
 "source": "MITRE",
+ "tags": [
+ "c9c73000-30a5-4a16-8c8b-79169f9c24aa",
+ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
+ ],
 "target_categories": [
 "Aerospace",
 "Energy"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10",
+ "type": "similar"
+ }
+ ],
 "uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
 "value": "APT33"
 },
@@ -823,7 +983,12 @@
 "Technology"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "50cd027f-df14-40b2-aa22-bf5de5061163",
+ "type": "similar"
+ }
+ ],
 "uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
 "value": "APT37"
 },
@@ -889,7 +1054,12 @@
 "Media"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
+ "type": "similar"
+ }
+ ],
 "uuid": "dfbce236-735c-436d-b433-933bd6eae17b",
 "value": "APT38"
 },
@@ -916,7 +1086,12 @@
 "Travel Services"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
+ "type": "similar"
+ }
+ ],
 "uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
 "value": "APT39"
 },
@@ -952,6 +1127,7 @@
 "SA",
 "SG",
 "ZA",
+ "ES",
 "SE",
 "CH",
 "TW",
@@ -968,6 +1144,7 @@
 ],
 "source": "MITRE",
 "tags": [
+ "fe28cf32-a15c-44cf-892c-faa0360d6109",
 "f2ae2283-f94d-4f8f-bbde-43f2bed66c55",
 "a98d7a43-f227-478e-81de-e7299639a355"
 ],
@@ -976,21 +1153,77 @@ "Automotive", "Education", "Energy", + "Entertainment", "Financial Services", "Healthcare", "High Tech", "Media", "Pharmaceuticals", "Retail", + "Technology", "Telecommunications", + "Transportation", "Travel Services", "Video Games" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", + "type": "similar" + } + ], "uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "value": "APT41" }, + { + "description": "APT42 is an Iranian state-sponsored espionage group believed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization (IRGC-IO). APT42 primarily focuses on collecting information on and surveilling its targets, mainly individuals and organizations with strategic significance to Iran's government. The group's operations are characterized by targeted spear-phishing attacks and surveillance activity. Mandiant researchers acknowledged overlaps between APT42 and APT35, which both likely operate on behalf of the IRGC, but noted that the groups display \"substantial differences\" in targeting patterns and TTPs.[[Mandiant Crooked Charms August 12 2022](/references/53bab956-be5b-4d8d-b553-9926bc5d9fee)]", + "meta": { + "country": "IR", + "group_attack_id": "G5051", + "observed_countries": [ + "AU", + "BG", + "DE", + "IR", + "IL", + "IT", + "MY", + "NO", + "UA", + "AE", + "GB", + "US" + ], + "observed_motivations": [ + "Cyber Espionage" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Defense", + "Education", + "Energy", + "Financial Services", + "Government", + "Healthcare", + "Human Rights", + "Legal", + "Manufacturing", + "Media", + "NGOs", + "Pharmaceuticals" + ] + }, + "related": [], + "uuid": "ce126445-6984-45bb-9737-35448f06f27b", + "value": "APT42" + }, { "description": 
"[APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[[NSA APT5 Citrix Threat Hunting December 2022](https://app.tidalcyber.com/references/916e2137-46e6-53c2-a917-5b5b5c4bae3a)][[Microsoft East Asia Threats September 2023](https://app.tidalcyber.com/references/31f2c61e-cefe-5df7-9c2b-780bf03c88ec)][[Mandiant Pulse Secure Zero-Day April 2021](https://app.tidalcyber.com/references/0760480c-97be-5fc9-a6aa-f1df91a314a3)][[Mandiant Pulse Secure Update May 2021](https://app.tidalcyber.com/references/5620adaf-c2a7-5f0f-ae70-554ce720426e)][[FireEye Southeast Asia Threat Landscape March 2015](https://app.tidalcyber.com/references/59658f8b-af24-5df5-8f7d-cb6b9cf7579e)][[Mandiant Advanced Persistent Threats](https://app.tidalcyber.com/references/2d16615b-09fc-5925-8f59-6d20f334d236)] ", "meta": { @@ -1094,7 +1327,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", + "type": "similar" + } + ], "uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "value": "Axiom" }, @@ -1152,6 +1390,9 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "64d3f7d8-30b7-4b03-bee2-a6029672216c", + "3ed2343c-a29c-42e2-8259-410381164c6a", + "89c5b94b-ecf4-4d53-9b74-3465086d4565", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "d713747c-2d53-487e-9dac-259230f04460", 
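Review bot: The citations in the new APT42 `description` use root-relative paths (`/references/53bab956-be5b-4d8d-b553-9926bc5d9fee`), whereas the MITRE-sourced descriptions in the same file use absolute `https://app.tidalcyber.com/references/…` URLs; when a MISP instance renders this markdown the relative form resolves against the MISP host rather than Tidal's, so the link only works inside Tidal's own UI. The pre-existing Tidal-owned objects already follow this convention, so it may be an upstream export artefact, but if the file is meant to be consumed by MISP directly the new links should be absolute. The same applies to every Tidal Cyber-owned object added in this diff (BlackSuit, CACTUS, Cuba, Cyber Army of Russia, Cyber Toufan, Eldorado, FIN11, Flax Typhoon).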
@@ -1185,6 +1426,9 @@ "description": "[BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.[[Cisco Talos Bitter Bangladesh May 2022](https://app.tidalcyber.com/references/097583ed-03b0-41cd-bf85-66d473f46439)][[Forcepoint BITTER Pakistan Oct 2016](https://app.tidalcyber.com/references/9fc54fb0-b7d9-49dc-b6dd-ab4cb2cd34fa)]", "meta": { "group_attack_id": "G1002", + "observed_motivations": [ + "Cyber Espionage" + ], "source": "MITRE" }, "related": [], @@ -1245,6 +1489,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "89c5b94b-ecf4-4d53-9b74-3465086d4565", "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -1327,6 +1572,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "c475ad68-3fdc-4725-8abc-784c56125e96", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "e499005b-adba-45bb-85e3-07043fd9edf9", "8b1cb0dc-dd3e-44ba-828c-55c040e93b93", 
@@ -1393,10 +1639,68 @@ ], "source": "MITRE" }, - "related": [], + "related": [ + { + "dest-uuid": "8fbd195f-5e03-4e85-8ca5-4f1dff300bec", + "type": "similar" + } + ], "uuid": "428dc121-a593-4981-9127-f958ae0a0fdd", "value": "BlackOasis" }, + { + "description": "This object reflects the ATT&CK Techniques associated with threat actors who deploy BlackSuit, a ransomware capable of running on Windows and Linux systems. BlackSuit is believed to be a successor to Royal, a ransomware operation which itself derives from the notorious Russia-based Conti gang. BlackSuit operations were first observed in May 2023, and although they were relatively low in number, U.S. authorities issued a warning for healthcare sector organizations due to the ransomware's suspected pedigree.[[HC3 Analyst Note BlackSuit Ransomware November 2023](/references/d956f0c6-d90e-49e8-a64c-a46bfc177cc6)] The number of attacks claimed by BlackSuit operators increased notably in Q2 2024.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]\n\nATT&CK Techniques associated with the BlackSuit ransomware binary are tracked in a separate \"BlackSuit Ransomware\" Software object.", + "meta": { + "group_attack_id": "G5048", + "observed_countries": [ + "AU", + "BR", + "CA", + "CN", + "DE", + "IL", + "IT", + "JM", + "JP", + "KR", + "NL", + "NG", + "ZA", + "GB", + "US" + ], + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "a2e000da-8181-4327-bacd-32013dbd3654", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172" + ], + "target_categories": [ + "Automotive", + "Construction", + "Education", + "Financial Services", + "Government", + "Healthcare", + "Hospitality Leisure", + "Mining", + "Non Profit", + "Pharmaceuticals", + "Technology", + "Telecommunications", + "Transportation" + ] + }, + "related": [], + "uuid": 
"1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "value": "BlackSuit Ransomware Actors" + }, { "description": "[BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.[[TrendMicro BlackTech June 2017](https://app.tidalcyber.com/references/abb9cb19-d30e-4048-b106-eb29a6dad7fc)][[Symantec Palmerworm Sep 2020](https://app.tidalcyber.com/references/84ecd475-8d3f-4e7c-afa8-2dff6078bed5)][[Reuters Taiwan BlackTech August 2020](https://app.tidalcyber.com/references/77293f88-e336-4786-b042-7f0080bbff32)]", "meta": { @@ -1427,7 +1731,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e", + "type": "similar" + } + ], "uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "value": "BlackTech" }, 
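Review bot: The BlackSuit `tags` array omits `c6e1f516-1a18-4ff9-b563-e6ac8103b104` and `2feda37d-5579-4102-a073-aa02e82cb49f`, which every other Tidal Cyber-owned Group object added in this diff (APT42, CACTUS, Cuba, Cyber Army of Russia, Eldorado, FIN11, Flax Typhoon) carries. The meaning of those tag uuids is not visible in the file, but their uniform presence elsewhere suggests they mark Tidal-authored content, so confirm whether the omission is deliberate. Because tag uuids are opaque here, a mapping of the recurring ones to their labels in the commit message would make this kind of check possible in future reviews.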
@@ -1471,10 +1780,63 @@ "Manufacturing" ] }, - "related": [], + "related": [ + { + "dest-uuid": "add6554a-815a-4ac3-9b22-9337b9661ab8", + "type": "similar" + } + ], "uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "value": "BRONZE BUTLER" }, + { + "description": "This Group object reflects the tools & TTPs observed in use by threat actors known to deploy CACTUS, a ransomware that researchers believe has been used since at least March 2023.[[Kroll CACTUS Ransomware May 10 2023](/references/f50de2f6-465f-4cae-a79c-cc135ebfee4f)] Specific pre- and post-exploit behaviors may vary among intrusions carried out by distinct actors or actor clusters. TTPs associated with the CACTUS ransomware binary itself can be found in the separate dedicated Software object.", + "meta": { + "group_attack_id": "G5035", + "observed_countries": [ + "AU", + "BE", + "CA", + "DK", + "FR", + "DE", + "IT", + "MX", + "RO", + "ES", + "SE", + "GB", + "US" + ], + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "3b615816-3403-46a4-bd7e-f7a723fc56da", + "a2e000da-8181-4327-bacd-32013dbd3654", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Automotive", + "Construction", + "Healthcare", + "Hospitality Leisure", + "Media", + "Mining", + "Retail", + "Technology" + ] + }, + "related": [], + "uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", + "value": "CACTUS Ransomware Actors" + }, { "description": "[Carbanak](https://app.tidalcyber.com/groups/72d9bea7-9ca1-43e6-8702-2fb7fb1355de) is a cybercriminal group that has used [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d) malware to target financial institutions since at least 2013. 
[Carbanak](https://app.tidalcyber.com/groups/72d9bea7-9ca1-43e6-8702-2fb7fb1355de) may be linked to groups tracked separately as [Cobalt Group](https://app.tidalcyber.com/groups/58db02e6-d908-47c2-bc82-ed58ada61331) and [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) that have also used [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d) malware.[[Kaspersky Carbanak](https://app.tidalcyber.com/references/2f7e77db-fe39-4004-9945-3c8943708494)][[FireEye FIN7 April 2017](https://app.tidalcyber.com/references/6ee27fdb-1753-4fdf-af72-3295b072ff10)][[Europol Cobalt Mar 2018](https://app.tidalcyber.com/references/f9d1f2ab-9e75-48ce-bcdf-b7119687feef)][[Secureworks GOLD NIAGARA Threat Profile](https://app.tidalcyber.com/references/b11276cb-f6dd-4e91-90cd-9c287fb3e6b1)][[Secureworks GOLD KINGSWOOD Threat Profile](https://app.tidalcyber.com/references/36035bbb-1609-4461-be27-ef4a920b814c)]", "meta": { @@ -1515,7 +1877,12 @@ "Financial Services" ] }, - "related": [], + "related": [ + { + "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb", + "type": "similar" + } + ], "uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "value": "Carbanak" }, @@ -1585,7 +1952,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", + "type": "similar" + } + ], "uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", "value": "Cleaver" }, @@ -1621,7 +1993,12 @@ "Financial Services" ] }, - "related": [], + "related": [ + { + "dest-uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe", + "type": "similar" + } + ], "uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "value": "Cobalt Group" }, 
@@ -1669,10 +2046,36 @@ "Technology" ] }, - "related": [], + "related": [ + { + "dest-uuid": "8cca9a1d-66e4-4bc4-ad49-95f759f4c1ae", + "type": "similar" + } + ], "uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", "value": "CopyKittens" }, + { + "description": "A Group object to represent actors that deploy Cuba Ransomware in victim environments.[[U.S. CISA Cuba Ransomware October 2022](/references/d6ed5172-a319-45b0-b1cb-d270a2a48fa3)]", + "meta": { + "group_attack_id": "G5026", + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "5216ac81-da4c-4b87-86ce-b90a651f1048", + "value": "Cuba Ransomware Actors" + }, { "description": "[CURIUM](https://app.tidalcyber.com/groups/ab15a328-c41e-5701-993f-3cab29ac4544) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://app.tidalcyber.com/groups/ab15a328-c41e-5701-993f-3cab29ac4544) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.[[Microsoft Iranian Threat Actor Trends November 2021](https://app.tidalcyber.com/references/78d39ee7-1cd5-5cb8-844a-1c3649e367a1)]", "meta": { 
@@ -1683,6 +2086,40 @@ "uuid": "ab15a328-c41e-5701-993f-3cab29ac4544", "value": "CURIUM" }, + { + "description": "The Cyber Army of Russia is a threat group that appears to carry out cyber attacks in line with Russian strategic interests. The group has claimed many distributed denial of service (DDoS) attacks against a variety of targets perceived as opposed to Russian interests. More recently, it has claimed disruptive industrial software-based attacks against water utilities in the United States, France, and Poland. Researchers link the Cyber Army of Russia to APT44 / Sandworm Team, although it remains unclear what level of direct support, if any, is provided by the latter group.[[Wired Cyber Army of Russia April 17 2024](/references/53583baf-4e09-4d19-9348-6110206b88be)][[Mandiant APT44 April 17 2024](/references/a64f689e-2bb4-4253-86cd-545e7f633a7e)]", + "meta": { + "country": "RU", + "group_attack_id": "G5038", + "observed_countries": [ + "FR", + "PL", + "UA", + "US" + ], + "observed_motivations": [ + "Destruction" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Aerospace", + "Government", + "Media", + "Nuclear", + "Utilities", + "Water" + ] + }, + "related": [], + "uuid": "411e005e-95a4-4805-8296-0accf902d08d", + "value": "Cyber Army of Russia" + }, { "description": "CyberAv3ngers is a cyber actor group that has claimed responsibility for numerous disruption-focused attacks against critical infrastructure organizations, including an oil refinery and electric utility in Israel and water/wastewater utilities in the United States. According to a joint advisory released by U.S. 
& Israeli cybersecurity authorities in December 2023, CyberAv3ngers (aka Cyber Av3ngers or Cyber Avengers) is a “cyber persona” of advanced persistent threat actors affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC). The advisory detailed how suspected CyberAv3ngers actors compromised programmable logic controller (PLC) devices that were exposed to the internet and used the vendor's default passwords and ports, leaving defacement images and possibly rendering the devices inoperable. The defacement messages suggested that the group or affiliates might carry out attacks against other technological equipment produced in or associated with Israel.[[U.S. CISA IRGC-Affiliated PLC Activity December 2023](/references/51a18523-5276-4a67-8644-2bc6997d043c)]", "meta": { 
@@ -1698,18 +2135,49 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "841ce707-a678-4bcf-86ff-7feeacd37e55", "15787198-6c8b-4f79-bf50-258d55072fee" ], "target_categories": [ "Energy", - "Utilities" + "Utilities", + "Water" ] }, "related": [], "uuid": "44a9c8ac-c287-45d2-9ebc-2c8a7d0a1f57", "value": "CyberAv3ngers" }, + { + "description": "Cyber Toufan is an apparently politically motivated, destruction-focused threat actor group that has predominantly targeted organizations based in or perceived to be aligned with Israel. Cyber Toufan publicizes many of their cyber operations and in some cases has leaked victim data allegedly exfiltrated during their attacks.[[SOCRadar Cyber Toufan Profile](/references/a9aa6361-8c4d-4456-bb3f-c64ca5260695)] Check Point researchers labeled Cyber Toufan as an \"Iranian-affiliated\", \"hacktivist proxy\" group.[[Check Point Iranian Proxies December 4 2023](/references/60432d84-8f46-4934-951f-df8e0f297ff0)]", + "meta": { + "group_attack_id": "G5049", + "observed_countries": [ + "IL", + "GB", + "US" + ], + "observed_motivations": [ + "Destruction" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "target_categories": [ + "Automotive", + "Government", + "High Tech", + "Manufacturing", + "Retail", + "Technology", + "Utilities", + "Water" + ] + }, + "related": [], + "uuid": "42a7c134-c574-430b-8105-bf7a00e742ae", + "value": "Cyber Toufan" + }, { "description": "Daixin Team is a ransomware- and data extortion-focused threat group first observed in mid-2022. Daixin Team is known to publicly extort its victims to pressure them into paying a ransom. 
It has used ransomware (believed to be based on the leaked source code for Babuk Locker) to encrypt victim data and has also exfiltrated sensitive data from victim environments and threatened to publicly leak that data.\n\nMany of Daixin Team’s victims belong to critical infrastructure sectors, especially the Healthcare and Public Health (“HPH”) sector. An October 2022 joint Cybersecurity Advisory noted Daixin Team attacks on multiple U.S. HPH organizations.[[U.S. CISA Daixin Team October 2022](/references/cbf5ecfb-de79-41cc-8250-01790ff6e89b)] Alleged victims referenced on the threat group’s extortion website belong to the healthcare, utilities, transportation (airline), automobile manufacturing, information technology, retail, and media sectors in the United States, Europe, and Asia.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]", "meta": { @@ -1780,7 +2248,12 @@ ], "source": "MITRE" }, - "related": [], + "related": [ + { + "dest-uuid": "3d449c83-4426-431a-b06a-cb4f8a0fca94", + "type": "similar" + } + ], "uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "value": "Dark Caracal" }, @@ -1814,7 +2287,12 @@ "Non Profit" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d", + "type": "similar" + } + ], "uuid": "efa1d922-8f48-43a6-89fe-237e1f3812c8", "value": "Darkhotel" }, @@ -1828,7 +2306,12 @@ "Government" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ce2c2dfd-2445-4fbc-a747-9e7092e383f9", + "type": "similar" + } + ], "uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75", "value": "DarkHydrus" }, @@ -1879,7 +2362,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4", + "type": "similar" + } + ], "uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "value": "Deep Panda" }, @@ -1910,6 +2398,7 @@ ], "source": "MITRE", "tags": [ + "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "f2ae2283-f94d-4f8f-bbde-43f2bed66c55" ], "target_categories": [ 
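Review bot: The new Cyber Toufan object has no `tags` array at all, while every other Tidal Cyber-owned object added in this diff carries one (at minimum `c6e1f516-1a18-4ff9-b563-e6ac8103b104` and `2feda37d-5579-4102-a073-aa02e82cb49f`), and the CyberAv3ngers entry in the same hunk gains `3ed3f7a6-b446-4fbc-a433-ff1d63c0e647`. If the omission is intentional, an empty `"tags": []` would at least keep the object shape uniform for consumers that iterate over tags; otherwise the usual Tidal tags appear to be missing. Separately, `country` is set on the other state-aligned objects added here (APT42, Cyber Army of Russia, Flax Typhoon) but not on Cyber Toufan, which the description only hedges as Iranian-affiliated — leaving it unset looks right, but should be a conscious choice.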
@@ -1918,7 +2407,12 @@
 "Travel Services"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee",
+ "type": "similar"
+ }
+ ],
 "uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
 "value": "Dragonfly"
 },
@@ -1939,7 +2433,12 @@
 "Technology"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea",
+ "type": "similar"
+ }
+ ],
 "uuid": "f2c2db08-624c-46b9-b7ed-b22c21b81813",
 "value": "DragonOK"
 },
@@ -1980,10 +2479,41 @@ "Technology" ] }, - "related": [], + "related": [ + { + "dest-uuid": "da754aeb-a86d-4874-b388-d1d2028a56be", + "type": "similar" + } + ], "uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "value": "Elderwood" }, + { + "description": "This object reflects the ATT&CK Techniques associated with threat actors who deploy Eldorado, a ransomware-as-a-service (\"RaaS\") first advertised for sale on cybercrime forums in March 2024. Researchers assess that Eldorado is a \"unique\" ransomware strain that is likely not derived from previously leaked ransomware source code.[[Group-IB July 3 2024](/references/50148a85-314c-4b29-bdfc-913ab647dadf)]\n\nWindows and Linux-focused versions of the ransomware are known to exist. (ATT&CK Techniques associated with these malware binaries are tracked in a separate \"Eldorado Ransomware\" Software object.)", + "meta": { + "group_attack_id": "G5046", + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "a2e000da-8181-4327-bacd-32013dbd3654", + "5e7433ad-a894-4489-93bc-41e90da90019", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Education", + "Healthcare" + ] + }, + "related": [], + "uuid": "26e1c52e-0c48-4cd0-bdc5-9cf981a6e714", + "value": "Eldorado Ransomware Operators" + }, { "description": "[Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. 
Security researchers assess [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) likely conducted the [WhisperGate](https://app.tidalcyber.com/software/791f0afd-c2c4-4e23-8aee-1d14462667f5) destructive wiper attacks against Ukraine in early 2022.[[CrowdStrike Ember Bear Profile March 2022](https://app.tidalcyber.com/references/0639c340-b495-4d91-8418-3069f3fe0df1)][[Mandiant UNC2589 March 2022](https://app.tidalcyber.com/references/63d89139-9dd4-4ed6-bf6e-8cd872c5d034)][[Palo Alto Unit 42 OutSteel SaintBot February 2022 ](https://app.tidalcyber.com/references/b0632490-76be-4018-982d-4b73b3d13881)] ", "meta": { @@ -2046,7 +2576,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "7036fb3d-86b7-4d9c-bc66-1e1ead8b7840", + "type": "similar" + } + ], "uuid": "a4704485-65b5-49ec-bebe-5cc932362dd2", "value": "Equation" }, 
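Review bot: The new object is named `Eldorado Ransomware Operators`, while the sibling objects in this file that model ransomware deployers use the suffix `Ransomware Actors` (Akira, BlackSuit, CACTUS, Cuba); `value` is the label consumers match and group on, so the odd one out will fall outside any naming-based selection. Suggest `"value": "Eldorado Ransomware Actors"` unless the distinction between operators and affiliates is deliberate, in which case the description should state it.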
@@ -2116,10 +2651,48 @@ "Mining" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79", + "type": "similar" + } + ], "uuid": "345e553a-164d-4c9d-8bf9-19fcf8a51533", "value": "FIN10" }, + { + "description": "FIN11 is a financially motivated adversary identified by Mandiant in 2020. Originally known for high-volume phishing campaigns leading to ransomware and data theft, the group more recently is known for carrying out wide-ranging exploitation of multiple vulnerabilities in 2023, including vulnerabilities affecting PaperCut print management software and MOVEit Transfer file transfer software to deliver Clop ransomware and for more general data theft, respectively, as well as GoAnywhere file transfer software exploits.[[Microsoft Threat Intelligence Tweet April 26 2023](/references/3b5a2349-e10c-422b-91e3-20e9033fdb60)][[Mandiant MOVEit Transfer June 2 2023](/references/232c7555-0483-4a57-88cb-71a990f7d683)]. Microsoft Threat Intelligence reports overlaps between FIN11 and Lace Tempest (DEV-0950), which it identifies as a Clop ransomware affiliate. 
The DFIR Report researchers attributed a May 2023 data theft and wiper campaign to FIN11 and Lace Tempest.[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]", + "meta": { + "group_attack_id": "G5028", + "observed_countries": [ + "CA", + "IN", + "US" + ], + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "173e1480-8d9b-49c5-854d-594dde9740d6", + "1b5da77a-bf84-4fba-a6d7-8b3b8f7699e0", + "992bdd33-4a47-495d-883a-58010a2f0efb", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Financial Services", + "Hospitality Leisure", + "Retail" + ] + }, + "related": [], + "uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", + "value": "FIN11" + }, { "description": "FIN12 is a financially motivated threat actor group believed to be responsible for multiple high-profile ransomware attacks since 2018. The group has attacked victims in various sectors and locations, including multiple attacks on healthcare entities. An October 2021 Mandiant assessment indicated 85% of the group's victims were U.S.-based, and the large majority of them were large enterprises with more than $300 million in annual revenue. The report also assessed that initial access brokers partnering with FIN12 target a wider range of organizations and allow FIN12 actors to select victims for further malicious activity.[[Mandiant FIN12 Group Profile October 07 2021](/references/7af84b3d-bbd6-449f-b29b-2f14591c9f05)]\n\nFIN12's toolset has reportedly shifted over time. Cobalt Strike has been observed in most intrusions. While TrickBot and Empire were common post-exploitation tools historically, French authorities observed the group using SystemBC alongside Cobalt Strike during a March 2023 hospital center intrusion. 
Ryuk, and to a lesser degree Conti, were traditionally used ransomware payloads, with the former used in a series of attacks on U.S. healthcare entities in 2020. However, a French CERT assessment published in 2023 linked the group to multiple more recent incidents it investigated and analyzed, which featured deployment of various ransomware families, including Hive, Nokoyawa, Play, Royal, and BlackCat, along with Emotet and BazarLoader malware for initial footholds.[[Mandiant FIN12 Group Profile October 07 2021](/references/7af84b3d-bbd6-449f-b29b-2f14591c9f05)][[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]\n\n**Related Vulnerabilities**: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]", "meta": { @@ -2144,6 +2717,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "89c5b94b-ecf4-4d53-9b74-3465086d4565", "2743d495-7728-4a75-9e5f-b64854039792", "ecd84106-2a5b-4d25-854e-b8d1f57f6b75", "a6ba64e1-4b4a-4bbd-a26d-ce35c22b2530", @@ -2199,7 +2773,12 @@ "Pharmaceuticals" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57", + "type": "similar" + } + ], "uuid": "4b6531dc-5b29-4577-8b54-fa99229ab0ca", "value": "FIN4" }, @@ -2216,7 +2795,12 @@ "Hospitality Leisure" ] }, - "related": [], + "related": [ + { + "dest-uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70", + "type": "similar" + } + ], "uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "value": "FIN5" }, @@ -2237,7 +2821,12 @@ "Retail" ] }, - "related": [], + "related": [ + { + "dest-uuid": "647894f6-1723-4cba-aba4-0ef0966d5302", + "type": "similar" + } + ], "uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "value": "FIN6" }, 
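Review bot: The FIN11 `description` has a stray full stop immediately after the Mandiant citation (`…232c7555-0483-4a57-88cb-71a990f7d683)]. Microsoft Threat Intelligence…`), which renders as `]. ` where the other descriptions in this file continue with `] ` and no period. Drop the period so the sentence reads `…)] Microsoft Threat Intelligence reports overlaps…`.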
@@ -2291,7 +2880,12 @@
 "Transportation"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb",
+ "type": "similar"
+ }
+ ],
 "uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
 "value": "FIN7"
 },
@@ -2321,10 +2915,43 @@
 "Technology"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "a78ae9fe-71cd-4563-9213-7b6260bd9a73",
+ "type": "similar"
+ }
+ ],
 "uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
 "value": "FIN8"
 },
+ {
+ "description": "Researchers assess that Flax Typhoon is a nation-state-sponsored espionage group based in China that has targeted government, education, manufacturing, and IT organizations in Taiwan, elsewhere in Southeast Asia, North America, and Africa. Flax Typhoon is believed to overlap with the ETHEREAL PANDA group and has been active since mid-2021. Flax Typhoon has been seen establishing persistence, moving laterally, and accessing victim credentials after achieving network access, but to date, researchers have not observed the actors acting on final objectives during intrusions. Microsoft researchers assess that Flax Typhoon's techniques, which lean on legitimate, often built-in tools & utilities, could be used in attacks on victims in other regions.[[Microsoft Flax Typhoon August 24 2023](/references/ec962b72-7b7f-4f7e-b6d6-7c5380b07201)]",
+ "meta": {
+ "country": "CN",
+ "group_attack_id": "G5031",
+ "observed_countries": [
+ "TW"
+ ],
+ "observed_motivations": [
+ "Cyber Espionage"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Education",
+ "Government",
+ "Manufacturing",
+ "Technology"
+ ]
+ },
+ "related": [],
+ "uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2",
+ "value": "Flax Typhoon"
+ },
 {
 "description": "[Fox Kitten](https://app.tidalcyber.com/groups/7094468a-2310-48b5-ad24-e669152bd66d) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. 
[Fox Kitten](https://app.tidalcyber.com/groups/7094468a-2310-48b5-ad24-e669152bd66d) has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.[[ClearkSky Fox Kitten February 2020](https://app.tidalcyber.com/references/a5ad6321-897a-4adc-9cdd-034a2538e3d6)][[CrowdStrike PIONEER KITTEN August 2020](https://app.tidalcyber.com/references/4fce29cc-ddab-4b96-b295-83c282a87564)][[Dragos PARISITE ](https://app.tidalcyber.com/references/15e974db-51a9-4ec1-9725-cff8bb9bc2fa)][[ClearSky Pay2Kitten December 2020](https://app.tidalcyber.com/references/6e09bc1a-8a5d-4512-9176-40eed91af358)]",
 "meta": {
@@ -2350,10 +2977,16 @@
 "US"
 ],
 "observed_motivations": [
- "Cyber Espionage"
+ "Cyber Espionage",
+ "Financial Gain"
 ],
 "source": "MITRE",
 "tags": [
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "9768aada-9d63-4d46-ab9f-d41b8c8e4010",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
 "291c006e-f77a-4c9c-ae7e-084974c0e1eb"
 ],
 "target_categories": [
@@ -2468,7 +3101,12 @@
 "Non Profit"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb",
+ "type": "similar"
+ }
+ ],
 "uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067",
 "value": "Gamaredon Group"
 },
@@ -2484,7 +3122,12 @@
 "Financial Services"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "d93889de-b4bc-4a29-9ce7-d67717c140a0",
+ "type": "similar"
+ }
+ ],
 "uuid": "dbc85db0-937d-47d7-9002-7364d41be48a",
 "value": "GCMAN"
 },
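Review bot: The new Flax Typhoon object's `observed_countries` lists only `"TW"`, while its own description names victims in Taiwan, elsewhere in Southeast Asia, North America, and Africa; if that field is meant to mirror the description's victimology it looks incomplete, and if it is meant to hold only confirmed countries the description should say so. Worth checking the cited Microsoft reference for the country set before merge. The Flax Typhoon object is complete within this hunk, which begins on the previous line with the FIN8 `related` change.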
@@ -2523,20 +3166,72 @@
 "Government"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131",
+ "type": "similar"
+ }
+ ],
 "uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2",
 "value": "Gorgon Group"
 },
+ {
+ "description": "GreenMwizi is assessed to be an actor based in Nairobi, Kenya that has carried out scam campaigns involving social media bots. A campaign observed in May 2023 appeared to target customers of a major online travel/hospitality booking brand.[[GreenMwizi - Kenyan scamming campaign using Twitter bots](/references/3b09696a-1345-4283-a59b-e9a13124ef59)]",
+ "meta": {
+ "group_attack_id": "G5024",
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Hospitality Leisure",
+ "Travel Services"
+ ]
+ },
+ "related": [],
+ "uuid": "7d17fa48-e897-4a0c-8aa5-c7f2b6cd96a0",
+ "value": "GreenMwizi"
+ },
 {
 "description": "[Group5](https://app.tidalcyber.com/groups/fcc6d937-8cd6-4f2c-adb8-48caedbde70a) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://app.tidalcyber.com/groups/fcc6d937-8cd6-4f2c-adb8-48caedbde70a) has used two commonly available remote access tools (RATs), [njRAT](https://app.tidalcyber.com/software/82996f6f-0575-45cd-8f7c-ba1b063d5b9f) and [NanoCore](https://app.tidalcyber.com/software/db05dbaa-eb3a-4303-b37e-18d67e7e85a1), as well as an Android RAT, DroidJack. 
[[Citizen Lab Group5](https://app.tidalcyber.com/references/ffbec5e8-947a-4363-b7e1-812dfd79935a)]",
 "meta": {
 "group_attack_id": "G0043",
 "source": "MITRE"
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "bc8390aa-8c4e-11e9-a9cb-e37c361210af",
+ "type": "similar"
+ }
+ ],
 "uuid": "fcc6d937-8cd6-4f2c-adb8-48caedbde70a",
 "value": "Group5"
 },
+ {
+ "description": "H0lyGh0st is a North Korea-based ransomware-focused threat actor group.[[H0lyGh0st - North Korean Threat Group Strikes Back With New Ransomware](/references/3f66ef62-ac0d-4ece-9a4b-917ae70f1617)]",
+ "meta": {
+ "group_attack_id": "G5025",
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "cd83ecfb-8e42-4b55-8d1e-fd4dbe4b68cd",
+ "value": "H0lyGh0st Ransomware Group"
+ },
 {
 "description": "[HAFNIUM](https://app.tidalcyber.com/groups/1bcc9382-ccfe-4b04-91f3-ef1250df5e5b) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://app.tidalcyber.com/groups/1bcc9382-ccfe-4b04-91f3-ef1250df5e5b) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.[[Microsoft HAFNIUM March 2020](https://app.tidalcyber.com/references/6a986c46-79a3-49c6-94d2-d9b1f5db08f3)][[Volexity Exchange Marauder March 2021](https://app.tidalcyber.com/references/ef0626e9-281c-4770-b145-ffe36e18e369)]",
 "meta": { 
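Review bot: The new H0lyGh0st object carries no `country` field although its description calls the group North Korea-based, whereas the Moonstone Sleet and Flax Typhoon objects added elsewhere in this diff set `"country": "KP"` and `"country": "CN"` respectively; if `country` is the attribution field for this schema, `"country": "KP",` belongs at the top of its `meta`, in the same position as in those objects. The GreenMwizi object in the same hunk is likewise described as Nairobi-based but has neither `country` nor `observed_countries`, so the two new objects code attribution less completely than the rest of the diff. Both objects are complete within this hunk.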
@@ -2557,7 +3252,12 @@
 "Think Tanks"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
+ "type": "similar"
+ }
+ ],
 "uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b",
 "value": "HAFNIUM"
 },
@@ -2565,7 +3265,10 @@
 "description": "[HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735)'s TTPs appear similar to [APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac) and [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) but due to differences in victims and tools it is tracked as a separate entity.[[Dragos Hexane](https://app.tidalcyber.com/references/11838e67-5032-4352-ad1f-81ba0398a14f)][[Kaspersky Lyceum October 2021](https://app.tidalcyber.com/references/b3d13a82-c24e-4b47-b47a-7221ad449859)][[ClearSky Siamesekitten August 2021](https://app.tidalcyber.com/references/9485efce-8d54-4461-b64e-0d15e31fbf8c)][[Accenture Lyceum Targets November 2021](https://app.tidalcyber.com/references/127836ce-e459-405d-a75c-32fd5f0ab198)]",
 "meta": {
 "group_attack_id": "G1001",
- "source": "MITRE"
+ "source": "MITRE",
+ "tags": [
+ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
+ ]
 },
 "related": [],
 "uuid": "eecf7289-294f-48dd-a747-7705820f4735",
@@ -2592,6 +3295,49 @@
 "uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e",
 "value": "Higaisa"
 },
+ {
+ "description": "This Group object reflects the tools & TTPs associated with threat actors known to deploy Hive, a ransomware-as-a-service (RaaS) variant first observed in June 2021.[[U.S. CISA Hive November 25 2022](/references/fce322e6-5e23-404a-acf8-cd003f00c79d)] Specific pre- and post-compromise behaviors may vary among intrusions carried out by different Hive affiliates.\n\nHive actors have targeted victims in a wide range of verticals, including the government, communications, manufacturing, information technology, financial services, education, and especially the healthcare sectors. In January 2023, international authorities announced they disrupted Hive ransomware operations, seizing control of servers and websites used for communication among Hive actors and capturing Hive decryption keys.[[U.S. Justice Department Hive January 2023](/references/81bd5579-6a8a-40d2-b7b7-5cdb879ebdf0)]",
+ "meta": {
+ "group_attack_id": "G5042",
+ "observed_countries": [
+ "DE",
+ "NL",
+ "GB",
+ "US"
+ ],
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "5e9581be-dea3-42b2-a92a-4c307cedec2c",
+ "3ed2343c-a29c-42e2-8259-410381164c6a",
+ "375983b3-6e87-4281-99e2-1561519dd17b",
+ "64d3f7d8-30b7-4b03-bee2-a6029672216c",
+ "1423b5a8-cff3-48d5-a0a2-09b3afc9f195",
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172"
+ ],
+ "target_categories": [
+ "Construction",
+ "Education",
+ "Financial Services",
+ "Government",
+ "Healthcare",
+ "High Tech",
+ "Manufacturing",
+ "Telecommunications"
+ ]
+ },
+ "related": [],
+ "uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05",
+ "value": "Hive Ransomware Actors"
+ },
 {
 "description": "[Inception](https://app.tidalcyber.com/groups/d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.[[Unit 42 Inception November 2018](https://app.tidalcyber.com/references/5cb98fce-f386-4878-b69c-5c6440ad689c)][[Symantec Inception Framework March 2018](https://app.tidalcyber.com/references/166f5c44-7d8c-45d5-8d9f-3b8bd21a2af3)][[Kaspersky Cloud Atlas December 2014](https://app.tidalcyber.com/references/41a9b3e3-0953-4bde-9e1d-c2f51de1120e)]",
 "meta": {
@@ -2628,7 +3374,12 @@
 "Media"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
+ "type": "similar"
+ }
+ ],
 "uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6",
 "value": "Inception"
 },
@@ -2742,7 +3493,12 @@
 "NGOs"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
+ "type": "similar"
+ }
+ ],
 "uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
 "value": "Ke3chang"
 },
@@ -2820,6 +3576,7 @@
 "group_attack_id": "G1004",
 "source": "MITRE",
 "tags": [
+ "fe28cf32-a15c-44cf-892c-faa0360d6109",
 "2e5f6e4a-4579-46f7-9997-6923180815dd",
 "c9c73000-30a5-4a16-8c8b-79169f9c24aa",
 "a2e000da-8181-4327-bacd-32013dbd3654",
@@ -2850,6 +3607,7 @@
 ],
 "source": "MITRE",
 "tags": [
+ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647",
 "f2ae2283-f94d-4f8f-bbde-43f2bed66c55"
 ],
 "target_categories": [
@@ -2862,7 +3620,12 @@
 "Infrastructure"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
+ "type": "similar"
+ }
+ ],
 "uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "value": "Lazarus Group"
 },
@@ -2933,8 +3696,29 @@
 "GB",
 "US"
 ],
+ "observed_motivations": [
+ "Cyber Espionage"
+ ],
 "source": "MITRE",
 "tags": [
+ "96d58ca1-ab18-4e53-8891-d8ba62a47e5d",
+ "6070668f-1cbd-4878-8066-c636d1d8659c",
+ "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
+ "758c3085-2f79-40a8-ab95-f8a684737927",
+ "1dc8fd1e-0737-405a-98a1-111dd557f1b5",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "35e694ec-5133-46e3-b7e1-5831867c3b55",
+ "ee3188ce-20e9-4e8e-bbfd-cdc527d5a2b2",
+ "a10eccee-317c-40f7-988f-f79517cf42e8",
+ "375983b3-6e87-4281-99e2-1561519dd17b",
+ "3ed2343c-a29c-42e2-8259-410381164c6a",
+ "a46c422c-5dad-49fc-a4ac-169a075a4d9a",
+ "2eeef0b4-08b5-4d25-84f7-25d41fe6305b",
+ "64d3f7d8-30b7-4b03-bee2-a6029672216c",
+ "7e6ef160-8e4f-4132-bdc4-9991f01c472e",
+ "b20e7912-6a8d-46e3-8e13-9a3fc4813852",
 "931d2342-5165-41cf-a5a9-8308d9c9f7ed"
 ],
 "target_categories": [
@@ -2948,7 +3732,12 @@
 "Transportation"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9",
+ "type": "similar"
+ }
+ ],
 "uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
 "value": "Leviathan"
 },
@@ -3004,6 +3793,10 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "64d3f7d8-30b7-4b03-bee2-a6029672216c",
+ "375983b3-6e87-4281-99e2-1561519dd17b",
+ "3ed2343c-a29c-42e2-8259-410381164c6a",
+ "89c5b94b-ecf4-4d53-9b74-3465086d4565",
 "562e535e-19f5-4d6c-81ed-ce2aec544f09",
 "793f4441-3916-4b3d-a3fd-686a59dc3de2",
 "1b5da77a-bf84-4fba-a6d7-8b3b8f7699e0",
@@ -3082,7 +3875,12 @@
 "Government"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d",
+ "type": "similar"
+ }
+ ],
 "uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52",
 "value": "Lotus Blossom"
 },
@@ -3096,6 +3894,29 @@
 "uuid": "b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a",
 "value": "LuminousMoth"
 },
+ {
+ "description": "Luna Moth (aka Silent Ransom Group) is a financially-motivated, extortion-focused adversary active since at least March 2022 and through at least June 2023. The group is known for carrying out \"callback phishing\" attacks, where actors entice victims to call an actor-controlled number, for example by sending a fraudulent email that claims the victim recently registered for a popular subscription service. Once connected, actors would convince victims to join a live, actor-connected sessions with legitimate remote access tools provided via a link in a subsequent email, then install other legitimate remote administration software used to support further discovery and exfiltration activity.[[Sygnia Luna Moth July 1 2022](/references/115590b2-ab57-432c-900e-000627464a11)][[FBI Ransomware Tools November 7 2023](/references/e096e1f4-6b62-4756-8811-f263cf1dcecc)]",
+ "meta": {
+ "group_attack_id": "G5043",
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Legal",
+ "Retail"
+ ]
+ },
+ "related": [],
+ "uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f",
+ "value": "Luna Moth"
+ },
 {
 "description": "[Machete](https://app.tidalcyber.com/groups/a3be79a2-3d4f-4697-a8a1-83f0884220af) is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. 
[Machete](https://app.tidalcyber.com/groups/a3be79a2-3d4f-4697-a8a1-83f0884220af) generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.[[Cylance Machete Mar 2017](https://app.tidalcyber.com/references/92a9a311-1e0b-4819-9856-2dfc8dbfc08d)][[Securelist Machete Aug 2014](https://app.tidalcyber.com/references/fc7be240-bd15-4ec4-bc01-f8891d7210d9)][[ESET Machete July 2019](https://app.tidalcyber.com/references/408d5e33-fcb6-4d21-8be9-7aa5a8bd3385)][[360 Machete Sep 2020](https://app.tidalcyber.com/references/682c843d-1bb8-4f30-9d2e-35e8d41b1976)]",
 "meta": {
@@ -3137,7 +3958,12 @@
 "Utilities"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3",
+ "type": "similar"
+ }
+ ],
 "uuid": "a3be79a2-3d4f-4697-a8a1-83f0884220af",
 "value": "Machete"
 },
@@ -3183,7 +4009,12 @@
 "Telecommunications"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
+ "type": "similar"
+ }
+ ],
 "uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
 "value": "Magic Hound"
 },
@@ -3265,6 +4096,7 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
 "5e7433ad-a894-4489-93bc-41e90da90019",
 "7e7b0c67-bb85-4996-a289-da0e792d7172"
 ],
@@ -3348,7 +4180,12 @@
 "Technology"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c",
+ "type": "similar"
+ }
+ ],
 "uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
 "value": "menuPass"
 },
@@ -3382,7 +4219,12 @@
 "Manufacturing"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea",
+ "type": "similar"
+ }
+ ],
 "uuid": "4510ce41-27b9-479c-9bf3-a328b77bae29",
 "value": "Moafee"
 },
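Review bot: The Luna Moth description has a number-agreement error in `join a live, actor-connected sessions`; it should read `join a live, actor-connected session` (or `join live, actor-connected sessions`). The same string hyphenates `financially-motivated`, whereas the Spandex Tempest description added later in this diff writes `financially motivated`, so one spelling should be used across the file. The Luna Moth object is complete within this hunk, which begins on the previous line.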
@@ -3440,10 +4282,41 @@
 "NGOs"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "f7c2e501-73b1-400f-a5d9-2e2e07b7dfde",
+ "type": "similar"
+ }
+ ],
 "uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6",
 "value": "Molerats"
 },
+ {
+ "description": "Moonstone Sleet is a North Korea state-aligned threat actor group that has targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, for both financial gain and espionage purposes. The group is believed to be well-resourced, capable of conducting multiple distinct campaigns simultaneously. Microsoft security researchers assess that Moonstone Sleet has expanded its capabilities, with possible goals of enabling disruptive operations and/or software supply chain attacks.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]",
+ "meta": {
+ "country": "KP",
+ "group_attack_id": "G5040",
+ "observed_motivations": [
+ "Cyber Espionage",
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Aerospace",
+ "Defense",
+ "Education",
+ "Technology"
+ ]
+ },
+ "related": [],
+ "uuid": "3b8a2c50-5d8e-49b4-bd50-10ae66ca6c72",
+ "value": "Moonstone Sleet"
+ },
 {
 "description": "[Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. 
[Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.[[Checkpoint MosesStaff Nov 2021](https://app.tidalcyber.com/references/d6da2849-cff0-408a-9f09-81a33fc88a56)] \n\nSecurity researchers assess [Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.[[Cybereason StrifeWater Feb 2022](https://app.tidalcyber.com/references/30c911b2-9a5e-4510-a78c-c65e84398c7e)]",
 "meta": {
@@ -3536,6 +4409,9 @@
 "Cyber Espionage"
 ],
 "source": "MITRE",
+ "tags": [
+ "992bdd33-4a47-495d-883a-58010a2f0efb"
+ ],
 "target_categories": [
 "Education",
 "Energy",
@@ -3544,7 +4420,12 @@
 "Telecommunications"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b",
+ "type": "similar"
+ }
+ ],
 "uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
 "value": "MuddyWater"
 },
@@ -3638,7 +4519,12 @@
 "Government"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
+ "type": "similar"
+ }
+ ],
 "uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
 "value": "Naikon"
 },
@@ -3654,7 +4540,12 @@
 ],
 "source": "MITRE"
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "ada08ea8-4517-4eea-aff1-3ad69e5466bb",
+ "type": "similar"
+ }
+ ],
 "uuid": "3a660ef3-9954-4252-8946-f903f3f42d0c",
 "value": "NEODYMIUM"
 },
@@ -3695,6 +4586,9 @@
 "US"
 ],
 "source": "MITRE",
+ "tags": [
+ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
+ ],
 "target_categories": [
 "Banks",
 "Chemical",
@@ -3705,7 +4599,12 @@
 "Telecommunications"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
+ "type": "similar"
+ }
+ ],
 "uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
 "value": "OilRig"
 },
@@ -3773,7 +4672,12 @@
 "Think Tanks"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "18d473a5-831b-47a5-97a1-a32156299825",
+ "type": "similar"
+ }
+ ],
 "uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
 "value": "Patchwork"
 },
@@ -3823,7 +4727,12 @@
 "Telecommunications"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189",
+ "type": "similar"
+ }
+ ],
 "uuid": "60936d3c-37ed-4116-a407-868da3aa4446",
 "value": "PittyTiger"
 },
@@ -3847,7 +4756,12 @@
 "Telecommunications"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a",
+ "type": "similar"
+ }
+ ],
 "uuid": "f036b992-4c3f-47b7-a458-94ac133bce74",
 "value": "PLATINUM"
 },
@@ -3877,6 +4791,9 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "89c5b94b-ecf4-4d53-9b74-3465086d4565",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
 "562e535e-19f5-4d6c-81ed-ce2aec544f09",
 "17864218-bc4f-4564-8abf-97c988eea9f7",
 "b6458e46-650e-4e96-8e68-8a9d70bcf045",
@@ -3936,7 +4853,12 @@
 "Utilities"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "5fc09923-fcff-4e81-9cae-4518ef31cf4d",
+ "type": "similar"
+ }
+ ],
 "uuid": "553e2b7b-170c-4eb5-812b-ea33fe1dd4a0",
 "value": "Poseidon Group"
 },
@@ -3952,7 +4874,12 @@
 ],
 "source": "MITRE"
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "43894e2a-174e-4931-94a8-2296afe8f650",
+ "type": "similar"
+ }
+ ],
 "uuid": "cc798766-8662-4b55-8536-6d057fbc58f0",
 "value": "PROMETHIUM"
 },
@@ -3974,10 +4901,36 @@
 "Telecommunications"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "0ca45163-e223-4167-b1af-f088ed14a93d",
+ "type": "similar"
+ }
+ ],
 "uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c",
 "value": "Putter Panda"
 },
+ {
+ "description": "This Group object reflects the tools & TTPs associated with threat actors known to deploy Quantum ransomware (aka Quantum Locker, which derives from the MountLocker, AstroLocker, and XingLocker ransomware families). The Quantum group is known to publicly extort its victims.[[Cybereason Quantum Ransomware May 9 2022](/references/19027620-216a-4921-8d78-f56377778a12)] Researchers indicate the group is a rebranding of the \"Conti Team Two\" that formed after the fragmenting of the Ryuk/Conti ransom group in early 2022.[[AdvIntel Bazar Call August 10 2022](/references/5d3dff70-28c2-42a5-bf58-211fe6491fd2)]",
+ "meta": {
+ "group_attack_id": "G5044",
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3",
+ "value": "Quantum Ransomware Actors"
+ },
 {
 "description": "[Rancor](https://app.tidalcyber.com/groups/021b3c71-6467-4e46-a413-8b726f066f2c) is a threat group that has led targeted campaigns against the South East Asia region. [Rancor](https://app.tidalcyber.com/groups/021b3c71-6467-4e46-a413-8b726f066f2c) uses politically-motivated lures to entice victims to open malicious documents. [[Rancor Unit42 June 2018](https://app.tidalcyber.com/references/45098a85-a61f-491a-a549-f62b02dc2ecd)]",
 "meta": { 
@@ -3991,10 +4944,35 @@
 ],
 "source": "MITRE"
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b",
+ "type": "similar"
+ }
+ ],
 "uuid": "021b3c71-6467-4e46-a413-8b726f066f2c",
 "value": "Rancor"
 },
+ {
+ "description": "RansomHub is an extortion group that regularly republicizes victim data allegedly stolen in other ransomware groups' attacks, but it is also believed to have developed an original ransomware payload.[[BroadcomSW June 5 2024](/references/3fa49490-cb22-4362-bf48-eaba9e83e6f5)][[The Record RansomHub June 3 2024](/references/1e474240-bd12-4472-8e69-1631b0e4c102)] This object reflects the ATT&CK Techniques and/or associated Software & Campaigns linked to attacks by actors deploying RansomHub ransomware.",
+ "meta": {
+ "group_attack_id": "G5050",
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "value": "RansomHub Ransomware Actors"
+ },
 {
 "description": "This object represents the behaviors associated with operators of Rhysida ransomware, which is licensed on a ransomware-as-a-service (\"RaaS\") basis. Various affiliated ransomware operators likely do not operate as a cohesive unit. The Rhysida RaaS operation has been active since May 2023, claiming attacks on multiple sectors in several countries in North and South America, Western Europe, and Australia. Many alleged victims are education sector entities. Security researchers have observed TTP and victimology overlaps with the Vice Society extortion group.[[HC3 Analyst Note Rhysida Ransomware August 2023](/references/3f6e2821-5073-4382-b5dd-08676eaa2240)]\n\n**Related Vulnerabilities**: CVE-2020-1472[[U.S. 
CISA Rhysida Ransomware November 15 2023](/references/6d902955-d9a9-4ec1-8dd4-264f7594605e)]",
 "meta": {
@@ -4079,6 +5057,8 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "a2e000da-8181-4327-bacd-32013dbd3654",
 "d63754b9-0267-4a70-82a3-212ef32fa796",
 "15787198-6c8b-4f79-bf50-258d55072fee",
 "5e7433ad-a894-4489-93bc-41e90da90019",
@@ -4122,7 +5102,12 @@
 ],
 "source": "MITRE"
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "88100602-8e8b-11e9-bb7c-1bf20b58e305",
+ "type": "similar"
+ }
+ ],
 "uuid": "666ab5f0-3ef1-4e74-8a10-65c60a7d1acd",
 "value": "RTM"
 },
@@ -4153,6 +5138,7 @@
 ],
 "source": "MITRE",
 "tags": [
+ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647",
 "b20e7912-6a8d-46e3-8e13-9a3fc4813852",
 "f2ae2283-f94d-4f8f-bbde-43f2bed66c55"
 ],
@@ -4165,10 +5151,34 @@
 "Transportation"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
+ "type": "similar"
+ }
+ ],
 "uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
 "value": "Sandworm Team"
 },
+ {
+ "description": "SCARLETEEL is a threat actor known to leverage various cloud-based technologies in order to steal proprietary software and other data from victim environments.[[Sysdig Scarleteel February 28 2023](/references/18931f81-51bf-44af-9573-512ccb66c238)]",
+ "meta": {
+ "group_attack_id": "G5036",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "efa33611-88a5-40ba-9bc4-3d85c6c8819b",
+ "4fa6f8e1-b0d5-4169-8038-33e355c08bde",
+ "2e5f6e4a-4579-46f7-9997-6923180815dd",
+ "8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886",
+ "value": "SCARLETEEL"
+ },
 {
 "description": "[Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4) is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by [Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4) and [Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c), it has not been concluded that the groups are the same. [[Scarlet Mimic Jan 2016](https://app.tidalcyber.com/references/f84a5b6d-3af1-45b1-ac55-69ceced8735f)]",
 "meta": {
@@ -4181,7 +5191,12 @@
 "Human Rights"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "0da10682-85c6-4c0b-bace-ba1f7adfb63e",
+ "type": "similar"
+ }
+ ],
 "uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4",
 "value": "Scarlet Mimic"
 },
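Review bot: The new SCARLETEEL object is the only group object added in this diff without an `observed_motivations` array, although its description states the actor steals proprietary software and other data; if the cited Sysdig reference supports a motivation it should be coded the way the other new objects do, and if it does not, that gap is worth a sentence in the commit message so it is not read as an oversight. The SCARLETEEL object is complete within this hunk.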
@@ -4210,6 +5225,7 @@
 ],
 "source": "MITRE",
 "tags": [
+ "fe28cf32-a15c-44cf-892c-faa0360d6109",
 "15f2277a-a17e-4d85-8acd-480bf84f16b4",
 "c9c73000-30a5-4a16-8c8b-79169f9c24aa",
 "15787198-6c8b-4f79-bf50-258d55072fee",
@@ -4219,6 +5235,7 @@
 ],
 "target_categories": [
 "Aerospace",
+ "Banks",
 "Casinos Gambling",
 "Commercial",
 "Construction",
@@ -4227,6 +5244,7 @@
 "Entertainment",
 "Financial Services",
 "Hospitality Leisure",
+ "Insurance",
 "Legal",
 "Media",
 "Pharmaceuticals",
@@ -4387,10 +5405,33 @@
 "Government"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "1ca3b039-404e-4132-88c2-4e41235cd2f5",
+ "type": "similar"
+ }
+ ],
 "uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577",
 "value": "Sowbug"
 },
+ {
+ "description": "Spandex Tempest is a financially motivated adversary group associated with Dudear campaigns, which deliver the FlawedGrace remote access Trojan for information theft purposes.[[Microsoft Threat Actor Naming](/references/de9cda86-0b23-4bc8-b524-e74fecf99448)] The group has evolved initial access techniques observed during these campaigns to evade defenses.[[Microsoft Threat Intelligence Tweet June 17 2020](/references/98fc7485-9424-412f-8162-a69d6c10c243)]",
+ "meta": {
+ "group_attack_id": "G5029",
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "eb10ed9e-ea8d-4b61-bfc3-5994d30970df",
+ "value": "Spandex Tempest"
+ },
 {
 "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nStar Blizzard is believed to be a Russia-based cyber threat actor group. According to joint Cybersecurity Advisory AA23-341A (December 2023), U.S. and international authorities assess that Star Blizzard is “almost certainly” a subordinate of the Russian Federal Security Service (FSB) Centre 18. Star Blizzard is known to successfully use spear-phishing attacks against its targets for information-gathering purposes. The advisory indicated that authorities observed these spear-phishing attacks occurring through 2023. 
Star Blizzard has traditionally targeted academic, defense, government, non-governmental (NGO), and think tank organizations (and associated personnel) in the United States and United Kingdom, other NATO nations, and countries neighboring Russia. Politicians have also been targeted. According to the advisory, beginning in 2022, authorities witnessed Star Blizzard targeting expand to targets in the defense-industrial sector and U.S. Department of Energy facilities.[[U.S. CISA Star Blizzard December 2023](/references/3d53c154-8ced-4dbe-ab4e-db3bc15bfe4b)]",
 "meta": {
@@ -4405,6 +5446,11 @@
 ],
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
+ "tags": [
+ "82009876-294a-4e06-8cfc-3236a429bda4",
+ "15f2277a-a17e-4d85-8acd-480bf84f16b4",
+ "fe28cf32-a15c-44cf-892c-faa0360d6109"
+ ],
 "target_categories": [
 "Defense",
 "Education",
@@ -4430,10 +5476,57 @@
 "Human Rights"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "dab75e38-6969-4e78-9304-dc269c3cbcf0",
+ "type": "similar"
+ }
+ ],
 "uuid": "ca3016f3-642a-4ae0-86bc-7258475d6937",
 "value": "Stealth Falcon"
 },
+ {
+ "description": "Storm-0844 is a threat actor originally known for distributing Akira ransomware, and more recently, for distributing Fog ransomware. The actor gains initial access likely by abusing valid accounts, then uses freely available tools for discovery, lateral movement, and exfiltration prior to ransomware deployment.[[Microsoft Threat Intelligence LinkedIn July 15 2024](/references/0e7ea8d0-bdb8-48a6-9718-703f64d16460)]",
+ "meta": {
+ "group_attack_id": "G5047",
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7",
+ "value": "Storm-0844"
+ },
+ {
+ "description": "According to Microsoft security researchers, Storm-1811 is a \"financially motivated cybercriminal group known to deploy Black Basta ransomware\".[[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]",
+ "meta": {
+ "group_attack_id": "G5039",
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0",
+ "value": "Storm-1811"
+ },
 {
 "description": "[Strider](https://app.tidalcyber.com/groups/deb573c6-071a-4b50-9e92-4aa648d8bdc1) is a 
threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.[[Symantec Strider Blog](https://app.tidalcyber.com/references/664eac41-257f-4d4d-aba5-5d2e8e2117a7)][[Kaspersky ProjectSauron Blog](https://app.tidalcyber.com/references/baeaa632-3fa5-4d2b-9537-ccc7674fd7d6)]",
 "meta": {
@@ -4458,7 +5551,12 @@
 "Telecommunications"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7",
+ "type": "similar"
+ }
+ ],
 "uuid": "deb573c6-071a-4b50-9e92-4aa648d8bdc1",
 "value": "Strider"
 },
@@ -4475,7 +5573,12 @@
 ],
 "source": "MITRE"
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "5abb12e7-5066-4f84-a109-49a037205c76",
+ "type": "similar"
+ }
+ ],
 "uuid": "06549082-ff70-43bf-985e-88c695c7113c",
 "value": "Suckfly"
 },
@@ -4513,7 +5616,12 @@
 ],
 "source": "MITRE"
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "c6472ae1-c6ad-4cf1-8d6e-8c94b94fe314",
+ "type": "similar"
+ }
+ ],
 "uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3",
 "value": "TA459"
 },
@@ -4538,7 +5646,12 @@
 "a98d7a43-f227-478e-81de-e7299639a355"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
+ "type": "similar"
+ }
+ ],
 "uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
 "value": "TA505"
 },
@@ -4551,7 +5664,12 @@
 ],
 "source": "MITRE"
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1",
+ "type": "similar"
+ }
+ ],
 "uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2",
 "value": "TA551"
 },
@@ -4563,7 +5681,11 @@
 "Financial Gain"
 ],
 "owner": "TidalCyberIan",
- "source": "Tidal Cyber"
+ "source": "Tidal Cyber",
+ "tags": [
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172"
+ ]
 },
 "related": [],
 "uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a",
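Review bot: The Storm-0844 and Storm-1811 objects added in the hunk beginning at the Stealth Falcon `related` change carry the same five tag uuids in different orders (Storm-0844 lists `562e535e-19f5-4d6c-81ed-ce2aec544f09` first, Storm-1811 lists `c6e1f516-1a18-4ff9-b563-e6ac8103b104` first), while the other Tidal-authored objects in this diff consistently lead with `c6e1f516-…`. Tag order carries no meaning for consumers, but a stable ordering keeps future diffs of these arrays readable and makes duplicate tag sets easy to spot. The hunk's trailing context is the start of the Strider object, whose body continues outside it.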
@@ -4598,11 +5720,19 @@
 "US"
 ],
 "source": "MITRE",
+ "tags": [
+ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
+ ],
 "target_categories": [
 "Infrastructure"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "90abfc42-91c6-11e9-89b1-af58de8f7ec2",
+ "type": "similar"
+ }
+ ],
 "uuid": "3a54b8dc-a231-4db8-96da-1c0c1aa396f6",
 "value": "TEMP.Veles"
 },
@@ -4680,7 +5810,12 @@
 "Technology"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32",
+ "type": "similar"
+ }
+ ],
 "uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "value": "Threat Group-3390"
 },
@@ -4700,7 +5835,12 @@
 "Telecommunications"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc",
+ "type": "similar"
+ }
+ ],
 "uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4",
 "value": "Thrip"
 },
@@ -4740,7 +5880,12 @@
 "Telecommunications"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
+ "type": "similar"
+ }
+ ],
 "uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c",
 "value": "Tonto Team"
 },
@@ -4813,7 +5958,12 @@
 "Transportation"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
+ "type": "similar"
+ }
+ ],
 "uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b",
 "value": "Tropic Trooper"
 },
@@ -4911,7 +6061,12 @@
 "Telecommunications"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "fa80877c-f509-4daf-8b62-20aba1635f68",
+ "type": "similar"
+ }
+ ],
 "uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
 "value": "Turla"
 },
@@ -4939,6 +6094,111 @@
 "uuid": "f69c7e2f-b616-4782-b2f3-28e9b6702eb4",
 "value": "UAT4356"
 },
+ {
+ "description": "UNC3966 is a threat actor group tracked by Mandiant. In an intrusion documented in March 2023, UNC3966 received access to a victim network initially compromised by the group UNC961. UNC3966 primary motivations remain unclear. During the intrusion, the group was observed collecting and exfiltrating victim data. While a ransom note was also discovered, UNC3966 did not appear to deploy ransomware encryption software and did not appear to demand a ransom payment.[[Mandiant UNC961 March 23 2023](/references/cef19ceb-179f-4d49-acba-5ce40ab9f65e)]",
+ "meta": {
+ "group_attack_id": "G5034",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342",
+ "value": "UNC3966"
+ },
+ {
+ "description": "UNC5537 is a threat actor believed to be responsible for compromising a large number of database instances belonging to customers of Snowflake, a multi-cloud data warehousing platform, in Q2 2024. Initial access was largely achieved using stolen customer credentials compromised previously via infostealer malware. Actors sought to monetize their access by selling victim data on underground forums and by extorting victims. 
Researchers believe UNC5537 is comprised of members based in North America and at least one member in Turkey, and it has targeted hundreds of organizations globally.[[Google Cloud June 10 2024](/references/0afe3662-b55c-4189-9c9a-2be55a9b6a70)]",
+ "meta": {
+ "group_attack_id": "G5041",
+ "observed_countries": [
+ "ES",
+ "US"
+ ],
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "291c006e-f77a-4c9c-ae7e-084974c0e1eb",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Automotive",
+ "Banks",
+ "Entertainment",
+ "Financial Services",
+ "Retail",
+ "Technology"
+ ]
+ },
+ "related": [],
+ "uuid": "809c288d-2dec-4c34-8ac1-f91d227ddfbd",
+ "value": "UNC5537"
+ },
+ {
+ "description": "UNC961 is a financially motivated group active since at least 2018. It traditionally targeted retail and \"business services\" organizations based in North America, until expanding its targeting in 2020 to also include victims in a range of additional sectors in Northern Europe and Western Asia. 
In all known intrusions, UNC961 gained initial access by exploiting web-facing applications.[[Mandiant Log4Shell March 28 2022](/references/62d4d685-09c4-47b6-865c-4a6096e551cd)]",
+ "meta": {
+ "group_attack_id": "G5033",
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "7e6ef160-8e4f-4132-bdc4-9991f01c472e",
+ "b1944c88-95cf-41db-b11c-d9284e733bf2",
+ "2eeef0b4-08b5-4d25-84f7-25d41fe6305b",
+ "f8b11afb-0876-4cd2-af74-9b305ff1b311",
+ "51287d7b-2674-4842-a880-c192d886eac3",
+ "ab64f2d8-8da3-48de-ac66-0fd91d634b22",
+ "8e05f5f0-6e25-448d-b08f-4c7627124fbd",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Commercial",
+ "Education",
+ "Energy",
+ "Financial Services",
+ "Government",
+ "Healthcare",
+ "High Tech",
+ "Media",
+ "Retail",
+ "Transportation"
+ ]
+ },
+ "related": [],
+ "uuid": "e47b2958-b7c4-4fe1-a006-03137db91963",
+ "value": "UNC961"
+ },
+ {
+ "description": "Velvet Ant is a suspected \"China-nexus\" espionage group that has notably targeted network devices as part of its operations. In one case involving an unspecified victim located in East Asia, the group was seen abusing a legacy, internet-exposed F5 BIG-IP load balancer appliance as a command-and-control mechanism, managing to maintain network persistence for a period of three years. As part of the broader investigation into the group, researchers also observed cases of zero-day exploitation of CVE-2024-20399 in Cisco Nexus network switch devices, which allowed actors to upload and execute previously unknown, custom malware. 
The researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as means of network access and persistence, since those appliances \"are often not sufficiently protected and monitored\".[[Sygnia Velvet Ant June 17 2024](/references/5c313af4-61a8-449d-a6c7-f7ead6c72e19)][[Sygnia Velvet Ant July 1 2024](/references/a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b)]",
+ "meta": {
+ "country": "CN",
+ "group_attack_id": "G5045",
+ "observed_motivations": [
+ "Cyber Espionage"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "a98d7a43-f227-478e-81de-e7299639a355",
+ "72bc70fa-3979-4d3b-a0e9-b9ebebcf2a38",
+ "a159c91c-5258-49ea-af7d-e803008d97d3",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "9327f7c0-2187-4b98-9c33-8d89849be0bc",
+ "value": "Velvet Ant"
+ },
 {
 "description": "Vice Society is an extortion-focused threat actor group first observed in mid-2021. The group gained notoriety after targeting a considerable number of educational institutions, especially lower education institutions. Although the education sector accounts for a disproportionate amount of the group’s victims, Vice Society has claimed victims in multiple other industries too, including the healthcare, retail, financial, insurance, and public services sectors. The group regularly pressures victims into paying a ransom by threatening to leak data exfiltrated during its intrusions. Vice Society is not known to have developed its own ransomware, instead deploying other existing families, including HELLOKITTY/FIVEHANDS and Zeppelin.[[U.S. CISA Vice Society September 2022](/references/0a754513-5f20-44a0-8cea-c5d9519106c8)]\n\n**Related Vulnerabilities**: CVE-2021-1675[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)], CVE-2021-34527[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)]",
 "meta": {
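Review bot: The new Velvet Ant object mentions CVE-2024-20399 only inside the description prose, whereas the sibling objects that carry vulnerability data in this file (Vice Society in this hunk's trailing context, and the Volt Typhoon - Tidal object later in the diff) append a `**Related Vulnerabilities**: CVE-…[[ref]]` trailer that downstream tooling can pick up in one consistent place. Consider ending the description with `\n\n**Related Vulnerabilities**: CVE-2024-20399[[Sygnia Velvet Ant July 1 2024](/references/a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b)]` so the CVE is surfaced the same way as for the other groups. The object also sets `"country": "CN"` although the description calls the attribution "suspected"; that matches how other objects in the file record country, but the confidence qualifier is lost in the structured field.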
@@ -5010,6 +6270,35 @@
 "uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44",
 "value": "Vice Society"
 },
+ {
+ "description": "Void Rabisu is a threat actor believed be responsible for distributing Cuba ransomware.[[Unit 42 Cuba August 9 2022](/references/06f668d9-9a68-4d2f-b9a0-b92beb3b75d6)] Trend Micro researchers assess that, since October 2022, Void Rabisu's use of the RomCom backdoor during attacks could suggest a shift in its motivation towards more geopolitically motivated activity.[[Trend Micro Void Rabisu May 30 2023](/references/5fd628ca-f366-4f0d-b493-8be19fa4dd4e)]",
+ "meta": {
+ "group_attack_id": "G5027",
+ "observed_countries": [
+ "UA",
+ "US"
+ ],
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Defense",
+ "Government",
+ "Utilities"
+ ]
+ },
+ "related": [],
+ "uuid": "c2015888-72c0-4367-b2cf-df85688a56b7",
+ "value": "Void Rabisu"
+ },
 {
 "description": "[Volatile Cedar](https://app.tidalcyber.com/groups/7c3ef21c-0e1c-43d5-afb0-3a07c5a66937) is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. [Volatile Cedar](https://app.tidalcyber.com/groups/7c3ef21c-0e1c-43d5-afb0-3a07c5a66937) has been operating since 2012 and is motivated by political and ideological interests.[[CheckPoint Volatile Cedar March 2015](https://app.tidalcyber.com/references/a26344a2-63ca-422e-8cf9-0cf22a5bee72)][[ClearSky Lebanese Cedar Jan 2021](https://app.tidalcyber.com/references/53944d48-caa9-4912-b42d-94a3789ed15b)]",
 "meta": {
@@ -5028,6 +6317,10 @@
 "Cyber Espionage"
 ],
 "source": "MITRE",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
 "target_categories": [
 "Defense",
 "Education",
@@ -5041,7 +6334,46 @@
 "value": "Volatile Cedar"
 },
 {
- "description": "Volt Typhoon is a China state-backed threat actor that has targeted critical infrastructure organizations in a range of specific sectors in Guam and elsewhere in the United States since mid-2021. Its activities primarily focus on espionage and information gathering. Researchers indicate the group is focused on maintaining stealth and persistence in victim networks for as long as possible, leveraging a large number of living-off-the-land techniques to accomplish these goals. Researchers assessed with moderate confidence that Volt Typhoon's activities are focused on developing capabilities that could disrupt communications infrastructure between the United States and entities in Asia in the event of a potential geopolitical crisis.[[U.S. CISA Volt Typhoon May 24 2023](/references/12320f38-ebbf-486a-a450-8a548c3722d6)]\n\n**Related Vulnerabilities**: CVE-2021-40539, CVE-2021-27860[[U.S. CISA Volt Typhoon May 24 2023](/references/12320f38-ebbf-486a-a450-8a548c3722d6)]",
+ "description": "[Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. 
[Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.[[Microsoft Volt Typhoon May 2023](https://app.tidalcyber.com/references/8b74f0b7-9719-598c-b3ee-61d734393e6f)][[Joint Cybersecurity Advisory Volt Typhoon June 2023](https://app.tidalcyber.com/references/14872f08-e219-5c0d-a2d7-43a3ba348b4b)][[Secureworks BRONZE SILHOUETTE May 2023](https://app.tidalcyber.com/references/77624549-e170-5894-9219-a15b4aa31726)]",
+ "meta": {
+ "country": "CN",
+ "group_attack_id": "G1017",
+ "observed_countries": [
+ "GU",
+ "US"
+ ],
+ "observed_motivations": [
+ "Cyber Espionage"
+ ],
+ "source": "MITRE",
+ "tags": [
+ "758c3085-2f79-40a8-ab95-f8a684737927",
+ "af5e9be5-b86e-47af-91dd-966a5e34a186",
+ "35e694ec-5133-46e3-b7e1-5831867c3b55",
+ "1dc8fd1e-0737-405a-98a1-111dd557f1b5",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "97cc0c9b-3625-42c3-824a-646a91702977",
+ "53331b05-782f-45fc-b925-27c9598dde80"
+ ],
+ "target_categories": [
+ "Construction",
+ "Education",
+ "Government",
+ "Manufacturing",
+ "Maritime",
+ "Technology",
+ "Telecommunications",
+ "Transportation",
+ "Utilities",
+ "Water"
+ ]
+ },
+ "related": [],
+ "uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
+ "value": "Volt Typhoon"
+ },
+ {
+ "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Volt Typhoon\" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n\nVolt Typhoon is a China state-backed threat actor that has targeted critical infrastructure organizations in a range of specific sectors in Guam and elsewhere in the United States since mid-2021. Its activities primarily focus on espionage and information gathering. 
Researchers indicate the group is focused on maintaining stealth and persistence in victim networks for as long as possible, leveraging a large number of living-off-the-land techniques to accomplish these goals. Researchers assessed with moderate confidence that Volt Typhoon's activities are focused on developing capabilities that could disrupt communications infrastructure between the United States and entities in Asia in the event of a potential geopolitical crisis.[[U.S. CISA Volt Typhoon May 24 2023](/references/12320f38-ebbf-486a-a450-8a548c3722d6)]\n\n**Related Vulnerabilities**: CVE-2021-40539, CVE-2021-27860[[U.S. CISA Volt Typhoon May 24 2023](/references/12320f38-ebbf-486a-a450-8a548c3722d6)]",
 "meta": {
 "country": "CN",
 "group_attack_id": "G5001",
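Review bot: The deprecation of the Tidal-authored Volt Typhoon object (G5001, uuid 3290dcb9-5781-4b87-8fa0-6ae820e152cd) is recorded only as italic prose prepended to its description, so a consumer resolving objects by uuid has no structured signal that it is superseded by 4ea1245f-3f35-5168-bd10-1fc49142fd4e. Since this same diff adds `"related"` entries elsewhere, the clearer option is to give the deprecated object a `{"dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "similar"}` entry (and, if the galaxy supports it, a reverse entry on the MITRE object) so the link survives without parsing the prose; the deprecated object's `related` array sits outside this hunk. Note also that the re-added MITRE object differs from the copy removed further down by the added `"Water"` target category, which is easy to miss inside what otherwise reads as a pure move.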
@@ -5079,44 +6411,6 @@
 "uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
 "value": "Volt Typhoon - Tidal"
 },
- {
- "description": "[Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.[[Microsoft Volt Typhoon May 2023](https://app.tidalcyber.com/references/8b74f0b7-9719-598c-b3ee-61d734393e6f)][[Joint Cybersecurity Advisory Volt Typhoon June 2023](https://app.tidalcyber.com/references/14872f08-e219-5c0d-a2d7-43a3ba348b4b)][[Secureworks BRONZE SILHOUETTE May 2023](https://app.tidalcyber.com/references/77624549-e170-5894-9219-a15b4aa31726)]",
- "meta": {
- "country": "CN",
- "group_attack_id": "G1017",
- "observed_countries": [
- "GU",
- "US"
- ],
- "observed_motivations": [
- "Cyber Espionage"
- ],
- "source": "MITRE",
- "tags": [
- "758c3085-2f79-40a8-ab95-f8a684737927",
- "af5e9be5-b86e-47af-91dd-966a5e34a186",
- "35e694ec-5133-46e3-b7e1-5831867c3b55",
- "1dc8fd1e-0737-405a-98a1-111dd557f1b5",
- "15787198-6c8b-4f79-bf50-258d55072fee",
- "97cc0c9b-3625-42c3-824a-646a91702977",
- "53331b05-782f-45fc-b925-27c9598dde80"
- ],
- "target_categories": [
- "Construction",
- "Education",
- "Government",
- "Manufacturing",
- "Maritime",
- "Technology",
- "Telecommunications",
- "Transportation",
- "Utilities"
- ]
- },
- "related": [],
- "uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
- "value": "Volt Typhoon"
- },
 {
 "description": 
"[Whitefly](https://app.tidalcyber.com/groups/f0943620-7bbb-4239-8ed3-c541c36baaa1) is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.[[Symantec Whitefly March 2019](https://app.tidalcyber.com/references/d0e48356-36d9-4b4c-b621-e3c4404378d2)]",
 "meta": {
@@ -5192,7 +6486,12 @@
 "Entertainment"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
+ "type": "similar"
+ }
+ ],
 "uuid": "6932662a-53a7-4e43-877f-6e940e2d744b",
 "value": "Winnti Group"
 },
@@ -5275,6 +6574,36 @@
 "uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
 "value": "Wizard Spider"
 },
+ {
+ "description": "Yellow Liderc (aka Imperial Kitten, Tortoiseshell, TA456, Crimson Sandstorm) is a threat actor group based in Iran that is believed to be aligned with the Iranian Islamic Revolutionary Guard Corp (IRGC). Researchers have observed the group targeting victims in a range of sectors in the United States, Europe, the Middle East and Mediterranean, and South Asia.[[PwC Yellow Liderc October 25 2023](/references/cbeaf9b5-865f-44a1-a913-9eec28d7a5ff)]",
+ "meta": {
+ "country": "IR",
+ "group_attack_id": "G5032",
+ "observed_countries": [
+ "US"
+ ],
+ "observed_motivations": [
+ "Cyber Espionage"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Aerospace",
+ "Automotive",
+ "Defense",
+ "Energy",
+ "Maritime",
+ "Technology"
+ ]
+ },
+ "related": [],
+ "uuid": "9e8620c4-a560-4081-aefc-118c7ec3fc22",
+ "value": "Yellow Liderc"
+ },
 {
 "description": "[ZIRCONIUM](https://app.tidalcyber.com/groups/5e34409e-2f55-4384-b519-80747d02394c) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.[[Microsoft Targeting Elections September 2020](https://app.tidalcyber.com/references/1d7070fd-01be-4776-bb21-13368a6173b1)][[Check Point APT31 February 2021](https://app.tidalcyber.com/references/84ac99ef-106f-44e9-97f0-3eda90570932)]",
 "meta": {
@@ -5313,6 +6642,74 @@
 "related": [],
 "uuid": "5e34409e-2f55-4384-b519-80747d02394c",
 "value": "ZIRCONIUM"
+ },
+ {
+ "description": "This object reflects the TTPs used by threat actors to distribute and deploy the Zloader trojan malware. Researchers have observed actors distributing Zloader in campaigns without attributing the activity to named adversaries, such as the operations described by ESET researchers cited in the References.[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]\n\nTTPs associated with Zloader binaries themselves can be found in the separate \"Zloader\" Software object.",
+ "meta": {
+ "group_attack_id": "G5037",
+ "observed_countries": [
+ "AF",
+ "AR",
+ "AU",
+ "AT",
+ "BE",
+ "BR",
+ "CA",
+ "CL",
+ "CN",
+ "CO",
+ "HR",
+ "CZ",
+ "EC",
+ "FI",
+ "FR",
+ "GF",
+ "DE",
+ "GH",
+ "GR",
+ "HU",
+ "IN",
+ "ID",
+ "IE",
+ "IL",
+ "IT",
+ "JP",
+ "KR",
+ "KW",
+ "MX",
+ "NL",
+ "NG",
+ "PK",
+ "PE",
+ "PL",
+ "RU",
+ "RW",
+ "SA",
+ "SL",
+ "SK",
+ "ZA",
+ "ES",
+ "SE",
+ "CH",
+ "TH",
+ "UA",
+ "AE",
+ "GB",
+ "US",
+ "YE"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "39357cc1-dbb1-49e4-9fe0-ff24032b94d5",
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "d2fd3da1-e49c-4273-9add-3d15afc3b837",
+ "value": "Zloader Threat Actors"
 }
 ],
 "version": 1
diff --git a/clusters/tidal-references.json b/clusters/tidal-references.json
index be4099a..115d356 100644
--- a/clusters/tidal-references.json
+++ b/clusters/tidal-references.json
@@ -248,6 +248,22 @@
 "uuid": "0f154aa6-8c9d-5bfc-a3c4-5f3e1420f55f",
 "value": "RC PowerShell"
 },
+ {
+ "description": "Australian Signals Directorate. (2023, January 24). 2023-01: ASD's ACSC Ransomware Profile - Royal. Retrieved June 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-28T00:00:00Z",
+ "date_published": "2023-01-24T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.cyber.gov.au/about-us/advisories/2023-01-asdacsc-ransomware-profile-royal"
+ ],
+ "source": "Tidal Cyber",
+ "title": "2023-01: ASD's ACSC Ransomware Profile - Royal"
+ },
+ "related": [],
+ "uuid": "514b704c-8668-4b61-8411-5b682e3b8471",
+ "value": "ASD Royal Ransomware January 24 2023"
+ },
 {
 "description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.",
 "meta": {
@@ -3453,21 +3469,6 @@
 "uuid": "03eb080d-0b83-5cbb-9317-c50b35996c9b",
 "value": "SecureList Fileless"
 },
- {
- "description": "M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.",
- "meta": {
- "date_accessed": "2019-04-19T00:00:00Z",
- "date_published": "2014-02-21T00:00:00Z",
- "refs": [
- "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/"
- ],
- "source": "MITRE",
- "title": "An In-depth Analysis of Linux/Ebury"
- },
- "related": [],
- "uuid": "eb6d4f77-ac63-4cb8-8487-20f9e709334b",
- "value": "ESET Ebury Feb 2014"
- },
 {
 "description": "M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved January 8, 2018.",
 "meta": {
@@ -3483,6 +3484,21 @@
 "uuid": "39384c7a-3032-4b45-a5eb-8ebe7de22aa2",
 "value": "Welivesecurity Ebury SSH"
 },
+ {
+ "description": "M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.",
+ "meta": {
+ "date_accessed": "2019-04-19T00:00:00Z",
+ "date_published": "2014-02-21T00:00:00Z",
+ "refs": [
+ "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/"
+ ],
+ "source": "MITRE",
+ "title": "An In-depth Analysis of Linux/Ebury"
+ },
+ "related": [],
+ "uuid": "eb6d4f77-ac63-4cb8-8487-20f9e709334b",
+ "value": "ESET Ebury Feb 2014"
+ },
 {
 "description": "Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.",
 "meta": {
@@ -4381,21 +4397,6 @@
 "uuid": "3dd67aae-7feb-4b07-a985-ccadc1b16f1d",
 "value": "Bitdefender APT28 Dec 2015"
 },
- {
- "description": "Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.",
- "meta": {
- "date_accessed": "2017-03-27T00:00:00Z",
- "date_published": "2017-03-27T00:00:00Z",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html"
- ],
- "source": "MITRE",
- "title": "APT29 Domain Fronting With TOR"
- },
- "related": [],
- "uuid": "3e013b07-deaf-4387-acd7-2d0565d196a9",
- "value": "FireEye APT29 Domain Fronting"
- },
 {
 "description": "Matthew Dunwoody. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved November 20, 2017.",
 "meta": {
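Review bot: The relocated `ESET Ebury Feb 2014` object (uuid eb6d4f77-ac63-4cb8-8487-20f9e709334b) cites the same URL as the `Welivesecurity Ebury SSH` object it is now placed directly after, differing only in author formatting (`M.Léveillé, M..`, with a doubled period that looks like a citation-formatter artifact) and the retrieved date; the move makes the duplication obvious without resolving it. The same pattern holds for the APT29 domain-fronting pair re-added in the next hunk and for the Forbes GitHub-credentials pair re-added later in this diff, where the retained MITRE copy also carries a tracking fragment (`#242c479d3196`) in its `refs` URL. Because descriptions elsewhere cite references by uuid, consolidating would mean keeping one uuid and retargeting the other's citations rather than deleting outright, so this is probably a follow-up rather than a change to this commit.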
@@ -4411,6 +4412,21 @@
 "uuid": "1d919991-bc87-41bf-9e58-edf1b3806bb8",
 "value": "FireEye APT29 Domain Fronting With TOR March 2017"
 },
+ {
+ "description": "Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.",
+ "meta": {
+ "date_accessed": "2017-03-27T00:00:00Z",
+ "date_published": "2017-03-27T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html"
+ ],
+ "source": "MITRE",
+ "title": "APT29 Domain Fronting With TOR"
+ },
+ "related": [],
+ "uuid": "3e013b07-deaf-4387-acd7-2d0565d196a9",
+ "value": "FireEye APT29 Domain Fronting"
+ },
 {
 "description": "FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.",
 "meta": {
@@ -4606,6 +4622,22 @@
 "uuid": "8a44368f-3348-4817-aca7-81bfaca5ae6d",
 "value": "FireEye APT40 March 2019"
 },
+ {
+ "description": "Mike Stokkel, Pierre Gerlings, Renato Fontana, Luis Rocha, Jared Wilson, Stephen Eckels, Jonathan Lepore. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved August 2, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-02T00:00:00Z",
+ "date_published": "2024-07-18T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust"
+ ],
+ "source": "Tidal Cyber",
+ "title": "APT41 Has Arisen From the DUST"
+ },
+ "related": [],
+ "uuid": "34ee3a7c-27c0-492f-a3c6-a5a3e86915f0",
+ "value": "Mandiant APT41 July 18 2024"
+ },
 {
 "description": "Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.",
 "meta": {
@@ -4635,6 +4667,38 @@
 "uuid": "10b3e476-a0c5-41fd-8cb8-5bfb245b118f",
 "value": "Mandiant APT42"
 },
+ {
+ "description": "Mandiant. (2022, August 12). APT42: Crooked Charms, Cons and Compromises. Retrieved August 30, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-30T00:00:00Z",
+ "date_published": "2022-08-12T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.mandiant.com/sites/default/files/2022-09/apt42-report-mandiant.pdf"
+ ],
+ "source": "Tidal Cyber",
+ "title": "APT42: Crooked Charms, Cons and Compromises"
+ },
+ "related": [],
+ "uuid": "53bab956-be5b-4d8d-b553-9926bc5d9fee",
+ "value": "Mandiant Crooked Charms August 12 2022"
+ },
+ {
+ "description": "Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, Michael Barnhart. (2024, July 25). APT45: North Korea’s Digital Military Machine. Retrieved July 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-26T00:00:00Z",
+ "date_published": "2024-07-25T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine"
+ ],
+ "source": "Tidal Cyber",
+ "title": "APT45: North Korea’s Digital Military Machine"
+ },
+ "related": [],
+ "uuid": "a9673491-7493-4b85-b5fc-595e91bc7fdc",
+ "value": "Mandiant APT45 July 25 2024"
+ },
 {
 "description": "National Security Agency. (2022, December). APT5: Citrix ADC Threat Hunting Guidance. Retrieved February 5, 2024.",
 "meta": {
@@ -5539,21 +5603,6 @@ "uuid": "d4ca3351-eeb8-5342-8c85-806614e22c48", "value": "FireEye TRITON Dec 2017" }, - { - "description": "Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020.", - "meta": { - "date_accessed": "2020-10-19T00:00:00Z", - "date_published": "2014-01-14T00:00:00Z", - "refs": [ - "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196" - ], - "source": "MITRE", - "title": "Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency" - }, - "related": [], - "uuid": "303f8801-bdd6-4a0c-a90a-37867898c99c", - "value": "Forbes GitHub Creds" - }, { "description": "Runa A. Sandvik. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved August 9, 2022.", "meta": { @@ -5569,6 +5618,21 @@ "uuid": "d2186b8c-10c9-493b-8e25-7d69fce006e4", "value": "GitHub Cloud Service Credentials" }, + { + "description": "Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020.", + "meta": { + "date_accessed": "2020-10-19T00:00:00Z", + "date_published": "2014-01-14T00:00:00Z", + "refs": [ + "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196" + ], + "source": "MITRE", + "title": "Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency" + }, + "related": [], + "uuid": "303f8801-bdd6-4a0c-a90a-37867898c99c", + "value": "Forbes GitHub Creds" + }, { "description": "Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021.", "meta": { 
@@ -5794,6 +5858,22 @@ "uuid": "2b4dcb27-f32e-50f0-83e0-350659e49f0b", "value": "Obfuscated scripts" }, + { + "description": "Andreas Klopsch. (2024, August 27). Attack tool update impairs Windows computers. Retrieved August 30, 2024.", + "meta": { + "date_accessed": "2024-08-30T00:00:00Z", + "date_published": "2024-08-27T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/" + ], + "source": "Tidal Cyber", + "title": "Attack tool update impairs Windows computers" + }, + "related": [], + "uuid": "af1dfc7b-fdc2-448f-a4bf-34f8ee7d55bc", + "value": "Sophos News August 27 2024" + }, { "description": "Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.", "meta": { @@ -7404,6 +7484,22 @@ "uuid": "53e12ade-99ed-51ee-b5c8-32180f144658", "value": "BATLOADER: The Evasive Downloader Malware" }, + { + "description": "AdvIntel. (2022, August 10). “BazarCall” Advisory: Essential Guide to Attack Vector that Revolutionized Data Breaches. Retrieved June 28, 2024.", + "meta": { + "date_accessed": "2024-06-28T00:00:00Z", + "date_published": "2022-08-10T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://web.archive.org/web/20220810223007/https://www.advintel.io/post/bazarcall-advisory-the-essential-guide-to-call-back-phishing-attacks-that-revolutionized-the-data" + ], + "source": "Tidal Cyber", + "title": "“BazarCall” Advisory: Essential Guide to Attack Vector that Revolutionized Data Breaches" + }, + "related": [], + "uuid": "5d3dff70-28c2-42a5-bf58-211fe6491fd2", + "value": "AdvIntel Bazar Call August 10 2022" + }, { "description": "Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.", "meta": { 
@@ -8220,21 +8316,6 @@
 "uuid": "481a0106-d5b6-532c-8f5b-6c0c477185f4",
 "value": "Sophos BlackCat Jul 2022"
 },
- {
- "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.",
- "meta": {
- "date_accessed": "2016-05-18T00:00:00Z",
- "date_published": "2016-01-03T00:00:00Z",
- "refs": [
- "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
- ],
- "source": "MITRE",
- "title": "BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry"
- },
- "related": [],
- "uuid": "4d626eb9-3722-4aa4-b95e-1650cc2865c2",
- "value": "ESEST Black Energy Jan 2016"
- },
 {
 "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020.",
 "meta": {
@@ -8250,6 +8331,21 @@
 "uuid": "a0103079-c966-46b6-8871-c01f7f0eea4c",
 "value": "ESET BlackEnergy Jan 2016"
 },
+ {
+ "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.",
+ "meta": {
+ "date_accessed": "2016-05-18T00:00:00Z",
+ "date_published": "2016-01-03T00:00:00Z",
+ "refs": [
+ "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
+ ],
+ "source": "MITRE",
+ "title": "BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry"
+ },
+ "related": [],
+ "uuid": "4d626eb9-3722-4aa4-b95e-1650cc2865c2",
+ "value": "ESEST Black Energy Jan 2016"
+ },
 {
 "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
 "meta": {
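Review bot: The re-added `ESEST Black Energy Jan 2016` entry in the second hunk still points at a plaintext `http://www.welivesecurity.com/...` URL, while the `ESET BlackEnergy Jan 2016` entry in the context lines just above it is a second record of the same article. A reference fetched over plain HTTP can be rewritten in transit, so if the host serves TLS the `refs` value should be `"https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"`. The `value` key also carries the `ESEST` typo; since that string is presumably the citation key other clusters resolve, it should only be renamed together with its callers, which the move does not touch.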
@@ -8478,21 +8574,6 @@
 "uuid": "e90b4941-5dff-4f38-b4dd-af3426fd621e",
 "value": "GitHub Bloodhound"
 },
- {
- "description": "Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.",
- "meta": {
- "date_accessed": "2019-11-21T00:00:00Z",
- "date_published": "2018-10-14T00:00:00Z",
- "refs": [
- "https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815"
- ],
- "source": "MITRE",
- "title": "Blue Cloud of Death: Red Teaming Azure"
- },
- "related": [],
- "uuid": "39b0adf6-c71e-4501-b8bb-fab82718486b",
- "value": "Blue Cloud of Death Video"
- },
 {
 "description": "Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.",
 "meta": {
@@ -8508,6 +8589,21 @@
 "uuid": "0c764280-9d8c-4fa4-9088-170f02550d4c",
 "value": "Blue Cloud of Death"
 },
+ {
+ "description": "Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.",
+ "meta": {
+ "date_accessed": "2019-11-21T00:00:00Z",
+ "date_published": "2018-10-14T00:00:00Z",
+ "refs": [
+ "https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815"
+ ],
+ "source": "MITRE",
+ "title": "Blue Cloud of Death: Red Teaming Azure"
+ },
+ "related": [],
+ "uuid": "39b0adf6-c71e-4501-b8bb-fab82718486b",
+ "value": "Blue Cloud of Death Video"
+ },
 {
 "description": "SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.",
 "meta": {
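Review bot: The re-added `Blue Cloud of Death Video` entry in the second hunk attributes the talk to `Kunz, Bruce` with a 2018-10-14 publication date, while the `Blue Cloud of Death` entry in the context lines immediately above attributes the same title to `Kunz, Bryce` dated 2018-05-11; one spelling and one date are presumably wrong, and the move carries the discrepancy forward unreconciled. The `refs` URL also keeps the `&feature=youtu.be` share parameter, which is tracking noise, whereas the `t=2815` offset is the useful part: `"https://www.youtube.com/watch?v=wQ1CuAPnrLM&t=2815"`. Both records are `MITRE`-sourced, so the correction may need to land upstream first.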
@@ -8836,21 +8932,6 @@ "uuid": "60fac434-2815-4568-b951-4bde55c2e3af", "value": "PaloAlto Preventing Opportunistic Attacks Apr 2016" }, - { - "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021.", - "meta": { - "date_accessed": "2021-10-04T00:00:00Z", - "date_published": "2018-06-18T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique" - ], - "source": "MITRE", - "title": "Bring Your Own Land (BYOL) – A Novel Red Teaming Technique" - }, - "related": [], - "uuid": "445efe8b-659a-4023-afc7-aa7cd21ee5a1", - "value": "Mandiant BYOL" - }, { "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 8, 2021.", "meta": { @@ -8866,6 +8947,21 @@ "uuid": "104a1c1c-0899-4ff9-a5c4-73de702c467d", "value": "Mandiant BYOL 2018" }, + { + "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021.", + "meta": { + "date_accessed": "2021-10-04T00:00:00Z", + "date_published": "2018-06-18T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique" + ], + "source": "MITRE", + "title": "Bring Your Own Land (BYOL) – A Novel Red Teaming Technique" + }, + "related": [], + "uuid": "445efe8b-659a-4023-afc7-aa7cd21ee5a1", + "value": "Mandiant BYOL" + }, { "description": "Bischoff, P. (2020, October 15). Broadvoice database of more than 350 million customer records exposed online. Retrieved October 20, 2020.", "meta": { 
@@ -9574,21 +9670,6 @@ "uuid": "7180c6a7-e6ea-54bf-bcd7-c5238bbc5f5b", "value": "Cadet Blizzard emerges as novel threat actor" }, - { - "description": "Matt Muir. (2022, April 6). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved May 27, 2022.", - "meta": { - "date_accessed": "2022-05-27T00:00:00Z", - "date_published": "2022-04-06T00:00:00Z", - "refs": [ - "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/" - ], - "source": "MITRE", - "title": "Cado Discovers Denonia: The First Malware Specifically Targeting Lambda" - }, - "related": [], - "uuid": "584e7ace-ef33-423b-9801-4728a447cb34", - "value": "Cado Security Denonia" - }, { "description": "jbowen. (2022, April 3). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved April 11, 2024.", "meta": { @@ -9605,6 +9686,21 @@ "uuid": "b276c28d-1488-4a21-86d1-7acdfd77794b", "value": "Cado Denonia April 3 2022" }, + { + "description": "Matt Muir. (2022, April 6). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved May 27, 2022.", + "meta": { + "date_accessed": "2022-05-27T00:00:00Z", + "date_published": "2022-04-06T00:00:00Z", + "refs": [ + "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/" + ], + "source": "MITRE", + "title": "Cado Discovers Denonia: The First Malware Specifically Targeting Lambda" + }, + "related": [], + "uuid": "584e7ace-ef33-423b-9801-4728a447cb34", + "value": "Cado Security Denonia" + }, { "description": "William Turton. (2023, September 13). Caesars Entertainment Paid Millions to Hackers in Attack. Retrieved September 14, 2023.", "meta": { 
@@ -10371,6 +10467,22 @@ "uuid": "657b43aa-ead2-41d3-911a-d714d9b28e19", "value": "JPCERT ChChes Feb 2017" }, + { + "description": "Check Point Research. (2023, December 4). Check Point Research Report: Iranian Hacktivist Proxies Escalate Activities Beyond Israel. Retrieved August 8, 2024.", + "meta": { + "date_accessed": "2024-08-08T00:00:00Z", + "date_published": "2023-12-04T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://blog.checkpoint.com/research/check-point-research-report-shift-in-cyber-warfare-tactics-iranian-hacktivist-proxies-extend-activities-beyond-israel/" + ], + "source": "Tidal Cyber", + "title": "Check Point Research Report: Iranian Hacktivist Proxies Escalate Activities Beyond Israel" + }, + "related": [], + "uuid": "60432d84-8f46-4934-951f-df8e0f297ff0", + "value": "Check Point Iranian Proxies December 4 2023" + }, { "description": "Howard Oakley. (2020, November 16). Checks on executable code in Catalina and Big Sur: a first draft. Retrieved September 21, 2022.", "meta": { 
@@ -10461,6 +10573,38 @@ "uuid": "6da7eb8a-aab4-41ea-a0b7-5313d88cbe91", "value": "Recorded Future RedEcho Feb 2021" }, + { + "description": "Sygnia Team. (2024, June 17). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved June 20, 2024.", + "meta": { + "date_accessed": "2024-06-20T00:00:00Z", + "date_published": "2024-06-17T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/" + ], + "source": "Tidal Cyber", + "title": "China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence" + }, + "related": [], + "uuid": "5c313af4-61a8-449d-a6c7-f7ead6c72e19", + "value": "Sygnia Velvet Ant June 17 2024" + }, + { + "description": "Sygnia. (2024, July 1). China-Nexus Threat Group ‘Velvet Ant’ Exploits Cisco Zero-Day (CVE-2024-20399) to Compromise Nexus Switch Devices. Retrieved July 3, 2024.", + "meta": { + "date_accessed": "2024-07-03T00:00:00Z", + "date_published": "2024-07-01T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.sygnia.co/threat-reports-and-advisories/china-nexus-threat-group-velvet-ant-exploits-cisco-0-day/" + ], + "source": "Tidal Cyber", + "title": "China-Nexus Threat Group ‘Velvet Ant’ Exploits Cisco Zero-Day (CVE-2024-20399) to Compromise Nexus Switch Devices" + }, + "related": [], + "uuid": "a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b", + "value": "Sygnia Velvet Ant July 1 2024" + }, { "description": "Budington, B. (2015, April 2). China Uses Unencrypted Websites to Hijack Browsers in GitHub Attack. Retrieved September 1, 2023.", "meta": { 
@@ -10521,6 +10665,22 @@ "uuid": "de78446a-cb46-4422-820b-9ddf07557b1a", "value": "Hacker News LuckyMouse June 2018" }, + { + "description": "Newsroom. (2024, July 2). Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware. Retrieved July 3, 2024.", + "meta": { + "date_accessed": "2024-07-03T00:00:00Z", + "date_published": "2024-07-02T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://thehackernews.com/2024/07/chinese-hackers-exploiting-cisco.html" + ], + "source": "Tidal Cyber", + "title": "Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware" + }, + "related": [], + "uuid": "e3949201-c949-4126-9e02-34bfad4713c0", + "value": "The Hacker News Velvet Ant Cisco July 2 2024" + }, { "description": "Catalin Cimpanu. (2021, July 20). Chinese hacking group APT31 uses mesh of home routers to disguise attacks. Retrieved April 25, 2024.", "meta": { @@ -12180,21 +12340,6 @@ "uuid": "4adfc72b-cd32-46a6-bdf4-a4c2c6cffa73", "value": "Microsoft Configure LSA" }, - { - "description": "Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017.", - "meta": { - "date_accessed": "2017-11-27T00:00:00Z", - "date_published": "2014-03-12T00:00:00Z", - "refs": [ - "https://technet.microsoft.com/library/dn408187.aspx" - ], - "source": "MITRE", - "title": "Configuring Additional LSA Protection" - }, - "related": [], - "uuid": "da3f1d7d-188f-4500-9bc6-3299ba043b5c", - "value": "Microsoft LSA Protection Mar 2014" - }, { "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.", "meta": { 
@@ -12210,6 +12355,21 @@ "uuid": "3ad49746-4e42-4663-a49e-ae64152b9463", "value": "Microsoft LSA" }, + { + "description": "Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017.", + "meta": { + "date_accessed": "2017-11-27T00:00:00Z", + "date_published": "2014-03-12T00:00:00Z", + "refs": [ + "https://technet.microsoft.com/library/dn408187.aspx" + ], + "source": "MITRE", + "title": "Configuring Additional LSA Protection" + }, + "related": [], + "uuid": "da3f1d7d-188f-4500-9bc6-3299ba043b5c", + "value": "Microsoft LSA Protection Mar 2014" + }, { "description": "Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020.", "meta": { @@ -13670,21 +13830,6 @@ "uuid": "be233077-7bb4-48be-aecf-03258931527d", "value": "Microsoft Subkey" }, - { - "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.", - "meta": { - "date_accessed": "2020-12-17T00:00:00Z", - "date_published": "2020-12-13T00:00:00Z", - "refs": [ - "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" - ], - "source": "MITRE", - "title": "Customer Guidance on Recent Nation-State Cyber Attacks" - }, - "related": [], - "uuid": "b486ae40-a854-4998-bf1b-aaf6ea2047ed", - "value": "Microsoft SolarWinds Customer Guidance" - }, { "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.", "meta": { 
@@ -13700,6 +13845,21 @@ "uuid": "47031992-841f-4ef4-87c6-bb4c077fb8dc", "value": "Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks" }, + { + "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.", + "meta": { + "date_accessed": "2020-12-17T00:00:00Z", + "date_published": "2020-12-13T00:00:00Z", + "refs": [ + "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" + ], + "source": "MITRE", + "title": "Customer Guidance on Recent Nation-State Cyber Attacks" + }, + "related": [], + "uuid": "b486ae40-a854-4998-bf1b-aaf6ea2047ed", + "value": "Microsoft SolarWinds Customer Guidance" + }, { "description": "Apple. (2016, September 13). Customizing Login and Logout. Retrieved April 1, 2022.", "meta": { @@ -14078,6 +14238,22 @@ "uuid": "ebdf09ed-6eec-450f-aaea-067504ec25ca", "value": "Cybereason OSX Pirrit" }, + { + "description": "Cybereason Nocturnus. (2022, May 9). Cybereason vs. Quantum Locker Ransomware. Retrieved June 28, 2024.", + "meta": { + "date_accessed": "2024-06-28T00:00:00Z", + "date_published": "2022-05-09T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware" + ], + "source": "Tidal Cyber", + "title": "Cybereason vs. Quantum Locker Ransomware" + }, + "related": [], + "uuid": "19027620-216a-4921-8d78-f56377778a12", + "value": "Cybereason Quantum Ransomware May 9 2022" + }, { "description": "Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.", "meta": { 
@@ -14244,6 +14420,22 @@ "uuid": "1f46872c-6255-4ce0-a6c3-2bfa9e767765", "value": "Cyber Threat Profile MALTEIRO – Sciblog" }, + { + "description": "Kevin Beaumont. (2023, December 28). Cyber Toufan goes Oprah mode with free Linux system wipes of over 100 organisations. Retrieved August 8, 2024.", + "meta": { + "date_accessed": "2024-08-08T00:00:00Z", + "date_published": "2023-12-28T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc" + ], + "source": "Tidal Cyber", + "title": "Cyber Toufan goes Oprah mode with free Linux system wipes of over 100 organisations" + }, + "related": [], + "uuid": "2fc1f6de-e01c-4225-bd29-8d547bf91e9e", + "value": "DoublePulsar Cyber Toufan" + }, { "description": "NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.", "meta": { 
@@ -14621,6 +14813,38 @@ "uuid": "449e7b5c-7c62-4a63-a676-80026a597fc9", "value": "Prevailion DarkWatchman 2021" }, + { + "description": "SOCRadar Research. (2022, December 12). Dark Web Profile: APT42 – Iranian Cyber Espionage Group. Retrieved August 30, 2024.", + "meta": { + "date_accessed": "2024-08-30T00:00:00Z", + "date_published": "2022-12-12T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/" + ], + "source": "Tidal Cyber", + "title": "Dark Web Profile: APT42 – Iranian Cyber Espionage Group" + }, + "related": [], + "uuid": "6077faed-b162-4850-969a-2abedc842198", + "value": "SOCRadar APT42 December 12 2022" + }, + { + "description": "SOCRadar. (2023, December 20). Dark Web Profile: Cyber Toufan Al-aqsa. Retrieved August 8, 2024.", + "meta": { + "date_accessed": "2024-08-08T00:00:00Z", + "date_published": "2023-12-20T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://socradar.io/dark-web-profile-cyber-toufan-al-aqsa/" + ], + "source": "Tidal Cyber", + "title": "Dark Web Profile: Cyber Toufan Al-aqsa" + }, + "related": [], + "uuid": "a9aa6361-8c4d-4456-bb3f-c64ca5260695", + "value": "SOCRadar Cyber Toufan Profile" + }, { "description": "Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.", "meta": { 
@@ -15596,6 +15820,22 @@ "uuid": "e0c1fcd3-b7a8-42af-8984-873a6f969975", "value": "Microsoft WhisperGate January 2022" }, + { + "description": "S2W. (2024, January 16). Detailed Analysis of DarkGate. Retrieved July 12, 2024.", + "meta": { + "date_accessed": "2024-07-12T00:00:00Z", + "date_published": "2024-01-16T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://medium.com/s2wblog/detailed-analysis-of-darkgate-investigating-new-top-trend-backdoor-malware-0545ecf5f606" + ], + "source": "Tidal Cyber", + "title": "Detailed Analysis of DarkGate" + }, + "related": [], + "uuid": "62d6a280-06df-4b96-85c8-13174e496256", + "value": "S2W DarkGate January 16 2024" + }, { "description": "Australian Cyber Security Centre. National Security Agency. (2020, April 21). Detect and Prevent Web Shell Malware. Retrieved February 9, 2024.", "meta": { @@ -16997,21 +17237,6 @@ "uuid": "a1b987cc-7789-411c-9673-3cf6357b207c", "value": "ASERT Donot March 2018" }, - { - "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.", - "meta": { - "date_accessed": "2023-08-04T00:00:00Z", - "date_published": "2023-05-22T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse" - ], - "source": "MITRE", - "title": "Don't @ Me: URL Obfuscation Through Schema Abuse" - }, - "related": [], - "uuid": "b63f5934-2ace-5326-89be-7a850469a563", - "value": "Mandiant URL Obfuscation 2023" - }, { "description": "Simonian, Nick. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved January 17, 2024.", "meta": { 
@@ -17042,6 +17267,21 @@ "uuid": "75b860d9-a48d-57de-ba1e-b0db970abb1b", "value": "Schema-abuse" }, + { + "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.", + "meta": { + "date_accessed": "2023-08-04T00:00:00Z", + "date_published": "2023-05-22T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse" + ], + "source": "MITRE", + "title": "Don't @ Me: URL Obfuscation Through Schema Abuse" + }, + "related": [], + "uuid": "b63f5934-2ace-5326-89be-7a850469a563", + "value": "Mandiant URL Obfuscation 2023" + }, { "description": "TheWover. (2019, May 9). donut. Retrieved March 25, 2022.", "meta": { @@ -17716,21 +17956,6 @@ "uuid": "72458590-ee1b-4447-adb8-ca4f486d1db5", "value": "Microsoft Dynamic-Link Library Redirection" }, - { - "description": "Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.", - "meta": { - "date_accessed": "2014-11-30T00:00:00Z", - "date_published": "2018-05-31T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN" - ], - "source": "MITRE", - "title": "Dynamic-Link Library Search Order" - }, - "related": [], - "uuid": "7b1f945b-2547-4bc6-98bf-30248bdf3587", - "value": "Microsoft Dynamic Link Library Search Order" - }, { "description": "Microsoft. (n.d.). Dynamic-Link Library Search Order. Retrieved November 30, 2014.", "meta": { 
@@ -17746,18 +17971,19 @@
 "value": "Microsoft DLL Search"
 },
 {
- "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.",
+ "description": "Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.",
 "meta": {
- "date_accessed": "2016-07-25T00:00:00Z",
+ "date_accessed": "2014-11-30T00:00:00Z",
+ "date_published": "2018-05-31T00:00:00Z",
 "refs": [
- "https://msdn.microsoft.com/en-us/library/ff919712.aspx"
+ "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN"
 ],
 "source": "MITRE",
- "title": "Dynamic-Link Library Security"
+ "title": "Dynamic-Link Library Search Order"
 },
 "related": [],
- "uuid": "5d1d1916-cef4-49d1-b8e2-a6d18fb297f6",
- "value": "MSDN DLL Security"
+ "uuid": "7b1f945b-2547-4bc6-98bf-30248bdf3587",
+ "value": "Microsoft Dynamic Link Library Search Order"
 },
 {
 "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017.",
@@ -17787,6 +18013,20 @@
 "uuid": "e087442a-0a53-4cc8-9fd6-772cbd0295d5",
 "value": "Microsoft Dynamic-Link Library Security"
 },
+ {
+ "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.",
+ "meta": {
+ "date_accessed": "2016-07-25T00:00:00Z",
+ "refs": [
+ "https://msdn.microsoft.com/en-us/library/ff919712.aspx"
+ ],
+ "source": "MITRE",
+ "title": "Dynamic-Link Library Security"
+ },
+ "related": [],
+ "uuid": "5d1d1916-cef4-49d1-b8e2-a6d18fb297f6",
+ "value": "MSDN DLL Security"
+ },
 {
 "description": "Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.",
 "meta": {
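Review bot: The `Microsoft Dynamic Link Library Search Order` entry that now occupies this slot records `date_accessed` 2014-11-30 but `date_published` 2018-05-31, an access four years before publication, which cannot both be right; the 2018 stamp looks like the page's last-modified date rather than its original publication, and the sibling `Microsoft DLL Search` entry for the same page (context line above) is recorded as `(n.d.)` with no `date_published` at all. Either drop the `"date_published": "2018-05-31T00:00:00Z"` line to match the sibling or correct `date_accessed`; anything sorting or filtering references by these fields will otherwise surface an access-before-publish anomaly. The entry is `MITRE`-sourced, so the same fix may be needed upstream.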
@@ -17982,6 +18222,38 @@
 "uuid": "c8a018c5-caa3-4af1-b210-b65bbf94c8b2",
 "value": "Dragos EKANS"
 },
+ {
+ "description": "Nathan Eddy; Contributing Writer. (2024, July 9). Eldorado Ransomware Cruises Onto the Scene to Target VMware ESXi. Retrieved July 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-15T00:00:00Z",
+ "date_published": "2024-07-09T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.darkreading.com/endpoint-security/eldorado-ransomware-target-vmware-esxi"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Eldorado Ransomware Cruises Onto the Scene to Target VMware ESXi"
+ },
+ "related": [],
+ "uuid": "cec05996-84a1-4c07-86eb-d72f8c6d9362",
+ "value": "Dark Reading July 9 2024"
+ },
+ {
+ "description": "Nikolay Kichatov Cyber Intelligence Analyst; Group-IB. (2024, July 3). Eldorado Ransomware The New Golden Empire of Cybercrime . Retrieved July 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-15T00:00:00Z",
+ "date_published": "2024-07-03T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.group-ib.com/blog/eldorado-ransomware/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Eldorado Ransomware The New Golden Empire of Cybercrime"
+ },
+ "related": [],
+ "uuid": "50148a85-314c-4b29-bdfc-913ab647dadf",
+ "value": "Group-IB July 3 2024"
+ },
 {
 "description": "Edwards, M. (2007, March 14). EldoS Provides Raw Disk Access for Vista and XP. Retrieved March 26, 2019.",
 "meta": {
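Review bot: The two added Eldorado entries carry scraped byline text in the author position — `Nathan Eddy; Contributing Writer` and `Nikolay Kichatov Cyber Intelligence Analyst; Group-IB` — and the Group-IB description has a stray space before the period (`Cybercrime . Retrieved`). The citation convention used by the other Tidal Cyber entries in this diff is `Author. (date). Title. Retrieved date.`, so these would read `"description": "Nathan Eddy. (2024, July 9). Eldorado Ransomware Cruises Onto the Scene to Target VMware ESXi. Retrieved July 15, 2024."` and `"description": "Nikolay Kichatov. (2024, July 3). Eldorado Ransomware The New Golden Empire of Cybercrime. Retrieved July 15, 2024."`. The `value` keys `Dark Reading July 9 2024` and `Group-IB July 3 2024` also omit the subject, unlike keys such as `Sygnia Velvet Ant June 17 2024` elsewhere in this change, so a later Dark Reading or Group-IB piece from the same day would collide; `Dark Reading Eldorado July 9 2024` and `Group-IB Eldorado July 3 2024` avoid that.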
@@ -19883,6 +20155,21 @@ "uuid": "186c1213-d0c5-4eb6-aa0f-0fd61b07a1f7", "value": "ThreatPost Social Media Phishing" }, + { + "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.", + "meta": { + "date_accessed": "2022-09-30T00:00:00Z", + "date_published": "2021-01-11T00:00:00Z", + "refs": [ + "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" + ], + "source": "MITRE", + "title": "FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts" + }, + "related": [], + "uuid": "785f7692-2be8-4f5d-921e-51efdfe0c0b9", + "value": "Sentinel Labs" + }, { "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.", "meta": { 
@@ -19899,19 +20186,20 @@ "value": "SentinelLabs reversing run-only applescripts 2021" }, { - "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.", + "description": "Bill Toulas. (2024, June 17). Fake Google Chrome errors trick you into running malicious PowerShell scripts. Retrieved June 20, 2024.", "meta": { - "date_accessed": "2022-09-30T00:00:00Z", - "date_published": "2021-01-11T00:00:00Z", + "date_accessed": "2024-06-20T00:00:00Z", + "date_published": "2024-06-17T00:00:00Z", + "owner": "TidalCyberIan", "refs": [ - "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" + "https://www.bleepingcomputer.com/news/security/fake-google-chrome-errors-trick-you-into-running-malicious-powershell-scripts/" ], - "source": "MITRE", - "title": "FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts" + "source": "Tidal Cyber", + "title": "Fake Google Chrome errors trick you into running malicious PowerShell scripts" }, "related": [], - "uuid": "785f7692-2be8-4f5d-921e-51efdfe0c0b9", - "value": "Sentinel Labs" + "uuid": "6efa70e3-d8eb-4260-b0ab-62335681e6fd", + "value": "BleepingComputer Fake Chrome Errors June 17 2024" }, { "description": "Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.", 
@@ -20486,6 +20774,21 @@ "uuid": "6ee27fdb-1753-4fdf-af72-3295b072ff10", "value": "FireEye FIN7 April 2017" }, + { + "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.", + "meta": { + "date_accessed": "2022-04-05T00:00:00Z", + "date_published": "2022-04-04T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/evolution-of-fin7" + ], + "source": "MITRE", + "title": "FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7" + }, + "related": [], + "uuid": "be9919c0-ca52-593b-aea0-c5e9a262b570", + "value": "Mandiant FIN7 Apr 2022" + }, { "description": "Bryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved May 25, 2023.", "meta": { @@ -20502,21 +20805,6 @@ "uuid": "fbc3ea90-d3d4-440e-964d-6cd2e991df0c", "value": "Mandiant FIN7 April 4 2022" }, - { - "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.", - "meta": { - "date_accessed": "2022-04-05T00:00:00Z", - "date_published": "2022-04-04T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/evolution-of-fin7" - ], - "source": "MITRE", - "title": "FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7" - }, - "related": [], - "uuid": "be9919c0-ca52-593b-aea0-c5e9a262b570", - "value": "Mandiant FIN7 Apr 2022" - }, { "description": "Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022.", "meta": { 
@@ -20804,21 +21092,6 @@ "uuid": "6ef0b8d8-ba98-49ce-807d-5a85d111b027", "value": "FinFisher Citation" }, - { - "description": "Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.", - "meta": { - "date_accessed": "2018-07-09T00:00:00Z", - "date_published": "2018-03-01T00:00:00Z", - "refs": [ - "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" - ], - "source": "MITRE", - "title": "FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines" - }, - "related": [], - "uuid": "88c97a9a-ef14-4695-bde0-9de2b5f5343b", - "value": "Microsoft FinFisher March 2018" - }, { "description": "Microsoft Defender Security Research Team. (2018, March 1). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved January 27, 2022.", "meta": { @@ -20834,6 +21107,21 @@ "uuid": "b2f4541e-f981-4b25-abf4-1bec92b16faa", "value": "FinFisher exposed" }, + { + "description": "Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.", + "meta": { + "date_accessed": "2018-07-09T00:00:00Z", + "date_published": "2018-03-01T00:00:00Z", + "refs": [ + "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" + ], + "source": "MITRE", + "title": "FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines" + }, + "related": [], + "uuid": "88c97a9a-ef14-4695-bde0-9de2b5f5343b", + "value": "Microsoft FinFisher March 2018" + }, { "description": "LOLBAS. (2021, August 30). Finger.exe. Retrieved December 4, 2023.", "meta": { 
@@ -21512,6 +21800,22 @@
"uuid": "605b58ea-9544-49b8-b3c8-0a97b2b155dc",
"value": "blackmatter_blackcat"
},
+ {
+ "description": "Tommy Madjar, Dusty Miller, Selena Larson, The Proofpoint Threat Research Team. (2024, June 17). From Clipboard to Compromise A PowerShell Self-Pwn . Retrieved June 20, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-20T00:00:00Z",
+ "date_published": "2024-06-17T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
+ ],
+ "source": "Tidal Cyber",
+ "title": "From Clipboard to Compromise A PowerShell Self-Pwn"
+ },
+ "related": [],
+ "uuid": "a65d7492-04a4-46d4-85ed-134786c6828b",
+ "value": "Proofpoint June 17 2024"
+ },
{
"description": "Samantha Stallings, Brad Duncan. (2023, December 29). From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence. Retrieved January 11, 2024.",
"meta": {
@@ -22436,6 +22740,21 @@
"uuid": "eea178f4-80bd-49d1-84b1-f80671e9a3e4",
"value": "GitHub evilginx2 - Duplicate"
},
+ {
+ "description": "Flangvik. (n.d.). GitHub Flangvik SharpExfiltrate. Retrieved June 18, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-18T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://github.com/Flangvik/SharpExfiltrate"
+ ],
+ "source": "Tidal Cyber",
+ "title": "GitHub Flangvik SharpExfiltrate"
+ },
+ "related": [],
+ "uuid": "7f0c0c86-c042-4a69-982a-c8c70ec1199c",
+ "value": "GitHub Flangvik SharpExfiltrate"
+ },
{
"description": "Mudge, R. (2014, July 14). Github Malleable-C2-Profiles safebrowsing.profile. Retrieved June 18, 2017.",
"meta": {
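Review bot: The new Proofpoint record's `description` carries a stray space before the sentence-ending period, `...A PowerShell Self-Pwn . Retrieved June 20, 2024.`; this string is the rendered citation, so it should read `...A PowerShell Self-Pwn. Retrieved June 20, 2024.`. The same record's `value`, `Proofpoint June 17 2024`, also omits the topic that the other new keys on this page carry (`BleepingComputer Velvet Ant June 17 2024`, `Google TAG APT42 August 14 2024`), which makes it indistinguishable from any other Proofpoint post of that day; a topic term between vendor and date would keep the key self-describing.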
@@ -22466,6 +22785,21 @@
"uuid": "7ae0b5c6-c9e5-4922-9e98-6483c81a8b42",
"value": "GitHub masscan"
},
+ {
+ "description": "meganz. (n.d.). GitHub meganz MEGAcmd. Retrieved June 18, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-18T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://github.com/meganz/MEGAcmd"
+ ],
+ "source": "Tidal Cyber",
+ "title": "GitHub meganz MEGAcmd"
+ },
+ "related": [],
+ "uuid": "6e4d67f5-cca1-4298-b21c-d7511aa264ae",
+ "value": "GitHub meganz MEGAcmd"
+ },
{
"description": "GitHub. (n.d.). GitHub - meganz/MEGAsync: Easy automated syncing between your computers and your MEGA Cloud Drive. Retrieved June 22, 2023.",
"meta": {
@@ -22629,6 +22963,21 @@
"uuid": "c29a90a7-016f-49b7-a970-334290964f19",
"value": "GitHub secretsdump"
},
+ {
+ "description": "securesocketfunneling. (n.d.). GitHub securesocketfunneling ssf. Retrieved July 10, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-10T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://github.com/securesocketfunneling/ssf"
+ ],
+ "source": "Tidal Cyber",
+ "title": "GitHub securesocketfunneling ssf"
+ },
+ "related": [],
+ "uuid": "077ab224-9406-4be7-8467-2a6da8dc786d",
+ "value": "GitHub securesocketfunneling ssf"
+ },
{
"description": "djhohnstein. (n.d.). GitHub SharpChromium. Retrieved December 14, 2023.",
"meta": {
@@ -23187,6 +23536,22 @@
"uuid": "77624549-e170-5894-9219-a15b4aa31726",
"value": "Secureworks BRONZE SILHOUETTE May 2023"
},
+ {
+ "description": "Kate Morgan. (2023, October 18). Government-backed actors exploiting WinRAR vulnerability. Retrieved July 10, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-10T00:00:00Z",
+ "date_published": "2023-10-18T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Government-backed actors exploiting WinRAR vulnerability"
+ },
+ "related": [],
+ "uuid": "6e8fb629-4bb8-4557-9d42-385060be598f",
+ "value": "Google TAG CVE-2023-38831 October 18 2023"
+ },
{
"description": "Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.",
"meta": {
@@ -23860,6 +24225,22 @@
"uuid": "f652524c-7950-4a8a-9860-0e658a9581d8",
"value": "PCMag FakeLogin"
},
+ {
+ "description": "Bill Toulas. (2024, June 17). Hackers use F5 BIG-IP malware to stealthily steal data for years. Retrieved June 20, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-20T00:00:00Z",
+ "date_published": "2024-06-17T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/hackers-use-f5-big-ip-malware-to-stealthily-steal-data-for-years/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Hackers use F5 BIG-IP malware to stealthily steal data for years"
+ },
+ "related": [],
+ "uuid": "70235e47-f8bb-4d16-9933-9f4923f08f5d",
+ "value": "BleepingComputer Velvet Ant June 17 2024"
+ },
{
"description": "Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service Bazaar. Retrieved May 15, 2017.",
"meta": {
@@ -24160,21 +24541,6 @@
"uuid": "95d6d1ce-ceba-48ee-88c4-0fb30058bd80",
"value": "Specter Ops - Cloud Credential Storage"
},
- {
- "description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.",
- "meta": {
- "date_accessed": "2022-09-30T00:00:00Z",
- "date_published": "2019-09-23T00:00:00Z",
- "refs": [
- "https://securelist.com/my-name-is-dtrack/93338/"
- ],
- "source": "MITRE",
- "title": "Hello! My name is Dtrack"
- },
- "related": [],
- "uuid": "a011b68a-30e0-4204-9bf3-fa73f2a238b4",
- "value": "Securelist Dtrack2"
- },
{
"description": "Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.",
"meta": {
@@ -24190,6 +24556,21 @@
"uuid": "49bd8841-a4b5-4ced-adfa-0ad0c8625ccd",
"value": "Securelist Dtrack"
},
+ {
+ "description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.",
+ "meta": {
+ "date_accessed": "2022-09-30T00:00:00Z",
+ "date_published": "2019-09-23T00:00:00Z",
+ "refs": [
+ "https://securelist.com/my-name-is-dtrack/93338/"
+ ],
+ "source": "MITRE",
+ "title": "Hello! My name is Dtrack"
+ },
+ "related": [],
+ "uuid": "a011b68a-30e0-4204-9bf3-fa73f2a238b4",
+ "value": "Securelist Dtrack2"
+ },
{
"description": "Baggett, M. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved December 4, 2014.",
"meta": {
@@ -24953,21 +25334,6 @@
"uuid": "561ff84d-17ce-511c-af0c-059310f3c129",
"value": "Kaspersky Autofill"
},
- {
- "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
- "meta": {
- "date_accessed": "2023-11-17T00:00:00Z",
- "date_published": "2023-07-12T00:00:00Z",
- "refs": [
- "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
- ],
- "source": "MITRE",
- "title": "How Microsoft names threat actors"
- },
- "related": [],
- "uuid": "78a8137d-694e-533d-aed3-6bd48fc0cd4a",
- "value": "Microsoft Threat Actor Naming July 2023"
- },
{
"description": "diannegali, schmurky, Dansimp, chrisda, Stacyrch140. (2023, April 20). How Microsoft names threat actors. Retrieved June 22, 2023.",
"meta": {
@@ -24984,6 +25350,21 @@
"uuid": "de9cda86-0b23-4bc8-b524-e74fecf99448",
"value": "Microsoft Threat Actor Naming"
},
+ {
+ "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+ "meta": {
+ "date_accessed": "2023-11-17T00:00:00Z",
+ "date_published": "2023-07-12T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "source": "MITRE",
+ "title": "How Microsoft names threat actors"
+ },
+ "related": [],
+ "uuid": "78a8137d-694e-533d-aed3-6bd48fc0cd4a",
+ "value": "Microsoft Threat Actor Naming July 2023"
+ },
{
"description": "How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021.",
"meta": {
@@ -27993,20 +28374,6 @@
"uuid": "956b3d80-4e19-4cab-a65f-ad86f233aa12",
"value": "GitHub Invoke-Obfuscation"
},
- {
- "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.",
- "meta": {
- "date_accessed": "2022-09-30T00:00:00Z",
- "refs": [
- "https://github.com/peewpw/Invoke-PSImage"
- ],
- "source": "MITRE",
- "title": "Invoke-PSImage"
- },
- "related": [],
- "uuid": "449c873c-c5af-45b8-8bd7-505d2181a05c",
- "value": "GitHub PSImage"
- },
{
"description": "Adams, B. (2017, December 17). Invoke-PSImage. Retrieved April 10, 2018.",
"meta": {
@@ -28022,6 +28389,20 @@
"uuid": "dd210b79-bd5f-4282-9542-4d1ae2f16438",
"value": "GitHub Invoke-PSImage"
},
+ {
+ "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.",
+ "meta": {
+ "date_accessed": "2022-09-30T00:00:00Z",
+ "refs": [
+ "https://github.com/peewpw/Invoke-PSImage"
+ ],
+ "source": "MITRE",
+ "title": "Invoke-PSImage"
+ },
+ "related": [],
+ "uuid": "449c873c-c5af-45b8-8bd7-505d2181a05c",
+ "value": "GitHub PSImage"
+ },
{
"description": "PowerShellMafia. (2016, December 14). Invoke-Shellcode. Retrieved May 25, 2023.",
"meta": {
@@ -28110,6 +28491,22 @@
"uuid": "0a6166a3-5649-4117-97f4-7b8b5b559929",
"value": "Symantec Chafer Dec 2015"
},
+ {
+ "description": "Cybersecurity and Infrastructure Security Agency. (2024, August 28). Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations. Retrieved August 29, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-29T00:00:00Z",
+ "date_published": "2024-08-28T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations"
+ },
+ "related": [],
+ "uuid": "783f4aee-84d9-43dc-accc-99fee6b1ff92",
+ "value": "U.S. CISA Pioneer Kitten August 28 2024"
+ },
{
"description": "CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.",
"meta": {
@@ -28171,6 +28568,22 @@
"uuid": "a2d79c6a-16d6-4dbd-b8a5-845dcc36212d",
"value": "Talos MuddyWater Jan 2022"
},
+ {
+ "description": "Google Threat Analysis Group. (2024, August 14). Iranian backed group steps up phishing campaigns against Israel, U.S.. Retrieved August 30, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-30T00:00:00Z",
+ "date_published": "2024-08-14T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phishing-campaigns-against-israel-us/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Iranian backed group steps up phishing campaigns against Israel, U.S."
+ },
+ "related": [],
+ "uuid": "669836b5-4069-49af-a919-2cb32bf94d4b",
+ "value": "Google TAG APT42 August 14 2024"
+ },
{
"description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.",
"meta": {
@@ -29024,21 +29437,6 @@
"uuid": "26a554dc-39c0-4638-902d-7e84fe01b961",
"value": "U.S. Justice Department GRU Botnet February 2024"
},
- {
- "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved May 27, 2022.",
- "meta": {
- "date_accessed": "2022-05-27T00:00:00Z",
- "date_published": "2020-06-13T00:00:00Z",
- "refs": [
- "https://o365blog.com/post/just-looking/"
- ],
- "source": "MITRE",
- "title": "Just looking: Azure Active Directory reconnaissance as an outsider"
- },
- "related": [],
- "uuid": "42dad2a3-5b33-4be4-a19b-58a27fb3ee5d",
- "value": "Azure Active Directory Reconnaisance"
- },
{
"description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved February 1, 2022.",
"meta": {
@@ -29054,6 +29452,21 @@
"uuid": "16565eaf-44fb-44f4-b490-40dc1160ff2b",
"value": "Azure AD Recon"
},
+ {
+ "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved May 27, 2022.",
+ "meta": {
+ "date_accessed": "2022-05-27T00:00:00Z",
+ "date_published": "2020-06-13T00:00:00Z",
+ "refs": [
+ "https://o365blog.com/post/just-looking/"
+ ],
+ "source": "MITRE",
+ "title": "Just looking: Azure Active Directory reconnaissance as an outsider"
+ },
+ "related": [],
+ "uuid": "42dad2a3-5b33-4be4-a19b-58a27fb3ee5d",
+ "value": "Azure Active Directory Reconnaisance"
+ },
{
"description": "Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020.",
"meta": {
@@ -29560,21 +29973,6 @@
"uuid": "502cc03b-350b-4e2d-9436-364c43a0a203",
"value": "Flashpoint Glossary Killnet"
},
- {
- "description": "Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.",
- "meta": {
- "date_accessed": "2021-06-10T00:00:00Z",
- "date_published": "2021-06-01T00:00:00Z",
- "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/"
- ],
- "source": "MITRE, Tidal Cyber",
- "title": "Kimsuky APT continues to target South Korean government using AppleSeed backdoor"
- },
- "related": [],
- "uuid": "9a497c56-f1d3-4889-8c1a-14b013f14668",
- "value": "Malwarebytes Kimsuky June 2021"
- },
{
"description": "Hossein Jazi. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved January 10, 2024.",
"meta": {
@@ -29590,6 +29988,21 @@
"uuid": "8b0dd1d7-dc9c-50d3-a47e-20304591ac40",
"value": "Kimsuky Malwarebytes"
},
+ {
+ "description": "Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.",
+ "meta": {
+ "date_accessed": "2021-06-10T00:00:00Z",
+ "date_published": "2021-06-01T00:00:00Z",
+ "refs": [
+ "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/"
+ ],
+ "source": "MITRE, Tidal Cyber",
+ "title": "Kimsuky APT continues to target South Korean government using AppleSeed backdoor"
+ },
+ "related": [],
+ "uuid": "9a497c56-f1d3-4889-8c1a-14b013f14668",
+ "value": "Malwarebytes Kimsuky June 2021"
+ },
{
"description": "Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.",
"meta": {
@@ -30195,8 +30608,8 @@
"title": "Lazarus KillDisks Central American casino"
},
"related": [],
- "uuid": "6f931476-29e6-4bba-ba1b-37ab742f4b49",
- "value": "Lazarus KillDisk"
+ "uuid": "454704b7-9ede-4d30-acfd-2cf16a89bcb3",
+ "value": "ESET Lazarus KillDisk April 2018"
},
{
"description": "Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.",
@@ -30210,8 +30623,24 @@
"title": "Lazarus KillDisks Central American casino"
},
"related": [],
- "uuid": "454704b7-9ede-4d30-acfd-2cf16a89bcb3",
- "value": "ESET Lazarus KillDisk April 2018"
+ "uuid": "6f931476-29e6-4bba-ba1b-37ab742f4b49",
+ "value": "Lazarus KillDisk"
+ },
+ {
+ "description": "Dinesh Devadoss, Phil Stokes. (2022, September 26). Lazarus \"Operation In(ter)ception\" Targets macOS Users Dreaming of Jobs in Crypto. Retrieved March 8, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-08T00:00:00Z",
+ "date_published": "2022-09-26T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Lazarus \"Operation In(ter)ception\" Targets macOS Users Dreaming of Jobs in Crypto"
+ },
+ "related": [],
+ "uuid": "973a110c-f1cd-46cd-b92b-5c7d8e7492b1",
+ "value": "SentinelOne 9 26 2022"
},
{
"description": "Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.",
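Review bot: The two `Lazarus KillDisks Central American casino` records exchange only their `uuid` and `value` lines (`6f931476…` ↔ `454704b7…`) while the rest of each record stays where it was; if the two records differ in any other field, each uuid now identifies different metadata than before, which silently breaks any consumer that keys on uuid. The first record's `description` lies outside the hunk, so from the visible lines this cannot be distinguished from the title-tie reordering seen elsewhere in the section; it is worth confirming against the full records before merge. Separately, the new SentinelOne record's `value`, `SentinelOne 9 26 2022`, uses numeric month/day where every other new key on this page is written `Vendor Topic Month Day Year` (e.g. `Google TAG APT42 August 14 2024`); a key such as `SentinelOne Lazarus Operation In(ter)ception September 26 2022` would match the convention.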
@@ -30243,21 +30672,6 @@
"uuid": "ba6a5fcc-9391-42c0-8b90-57b729525f41",
"value": "Kaspersky ThreatNeedle Feb 2021"
},
- {
- "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.",
- "meta": {
- "date_accessed": "2019-04-17T00:00:00Z",
- "date_published": "2017-04-03T00:00:00Z",
- "refs": [
- "https://securelist.com/lazarus-under-the-hood/77908/"
- ],
- "source": "MITRE, Tidal Cyber",
- "title": "Lazarus Under the Hood"
- },
- "related": [],
- "uuid": "a1e1ab6a-8db0-4593-95ec-78784607dfa0",
- "value": "Kaspersky Lazarus Under The Hood Blog 2017"
- },
{
"description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.",
"meta": {
@@ -30273,6 +30687,21 @@
"uuid": "312b30b1-3bd6-46ea-8f77-504f442499bc",
"value": "Kaspersky Lazarus Under The Hood APR 2017"
},
+ {
+ "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.",
+ "meta": {
+ "date_accessed": "2019-04-17T00:00:00Z",
+ "date_published": "2017-04-03T00:00:00Z",
+ "refs": [
+ "https://securelist.com/lazarus-under-the-hood/77908/"
+ ],
+ "source": "MITRE, Tidal Cyber",
+ "title": "Lazarus Under the Hood"
+ },
+ "related": [],
+ "uuid": "a1e1ab6a-8db0-4593-95ec-78784607dfa0",
+ "value": "Kaspersky Lazarus Under The Hood Blog 2017"
+ },
{
"description": "Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.",
"meta": {
@@ -31452,6 +31881,22 @@
"uuid": "6043b34d-dec3-415b-8329-05f698f320e3",
"value": "Fidelis DarkComet"
},
+ {
+ "description": "Stefan Hostetler, Steven Campbell, Christopher Prest, Connor Belfiore, Markus Neis, Joe Wedderspoon, Rick McQuown, Arctic Wolf Labs Team. (2024, June 4). Lost in the Fog: A New Ransomware Threat. Retrieved July 29, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-29T00:00:00Z",
+ "date_published": "2024-06-04T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://arcticwolf.com/resources/blog/lost-in-the-fog-a-new-ransomware-threat/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Lost in the Fog: A New Ransomware Threat"
+ },
+ "related": [],
+ "uuid": "86111971-cd37-4a87-bcaa-3e0f6326da5c",
+ "value": "Arctic Wolf Fog Ransomware June 4 2024"
+ },
{
"description": "Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelgänging. Retrieved December 20, 2017.",
"meta": {
@@ -31645,6 +32090,22 @@
"uuid": "3e1c2a64-8446-538d-a148-2de87991955a",
"value": "sygnia Luna Month"
},
+ {
+ "description": "Oren Biderman, Tomer Lahiyani, Noam Lifshitz, Ori Porag. (2022, July 1). Luna Moth Ransomware: The Threat Actors Behind Recent False Subscription Scams. Retrieved June 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-28T00:00:00Z",
+ "date_published": "2022-07-01T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.sygnia.co/blog/luna-moth-false-subscription-scams/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Luna Moth Ransomware: The Threat Actors Behind Recent False Subscription Scams"
+ },
+ "related": [],
+ "uuid": "115590b2-ab57-432c-900e-000627464a11",
+ "value": "Sygnia Luna Moth July 1 2022"
+ },
{
"description": "Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.",
"meta": {
@@ -32200,21 +32661,6 @@
"uuid": "afe89472-ac42-4a0d-b398-5ed6a5dee74f",
"value": "NetSPI Startup Stored Procedures"
},
- {
- "description": "Nathaniel Raymond. (2023, August 16). Major Energy Company Targeted in Large QR Code Phishing Campaign. Retrieved February 13, 2024.",
- "meta": {
- "date_accessed": "2024-02-13T00:00:00Z",
- "date_published": "2023-08-16T00:00:00Z",
- "refs": [
- "https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/"
- ],
- "source": "MITRE",
- "title": "Major Energy Company Targeted in Large QR Code Phishing Campaign"
- },
- "related": [],
- "uuid": "eda8270f-c76f-5d01-b45f-74246945ec50",
- "value": "QR-cofense"
- },
{
"description": "Raymond, Nathaniel. (2023, August 16). Major Energy Company Targeted in Large QR Code Phishing Campaign. Retrieved January 17, 2024.",
"meta": {
@@ -32230,6 +32676,21 @@
"uuid": "450da173-3573-5502-ab53-6d6b9955714d",
"value": "Cofense-redirect"
},
+ {
+ "description": "Nathaniel Raymond. (2023, August 16). Major Energy Company Targeted in Large QR Code Phishing Campaign. Retrieved February 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-13T00:00:00Z",
+ "date_published": "2023-08-16T00:00:00Z",
+ "refs": [
+ "https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/"
+ ],
+ "source": "MITRE",
+ "title": "Major Energy Company Targeted in Large QR Code Phishing Campaign"
+ },
+ "related": [],
+ "uuid": "eda8270f-c76f-5d01-b45f-74246945ec50",
+ "value": "QR-cofense"
+ },
{
"description": "LOLBAS. (2018, May 25). Makecab.exe. Retrieved December 4, 2023.",
"meta": {
@@ -33143,20 +33604,6 @@
"uuid": "8d237948-7b10-5055-b9e6-52e6cab16f32",
"value": "Mandiant WMI"
},
- {
- "description": "Microsoft. (n.d.). Manifests. Retrieved June 3, 2016.",
- "meta": {
- "date_accessed": "2016-06-03T00:00:00Z",
- "refs": [
- "https://msdn.microsoft.com/en-us/library/aa375365"
- ],
- "source": "MITRE",
- "title": "Manifests"
- },
- "related": [],
- "uuid": "a29301fe-0e3c-4c6e-85c5-a30a6bcb9114",
- "value": "MSDN Manifests"
- },
{
"description": "Microsoft. (n.d.). Manifests. Retrieved December 5, 2014.",
"meta": {
@@ -33171,6 +33618,20 @@
"uuid": "e336dc02-c7bb-4046-93d9-17b9512fb731",
"value": "Microsoft Manifests"
},
+ {
+ "description": "Microsoft. (n.d.). Manifests. Retrieved June 3, 2016.",
+ "meta": {
+ "date_accessed": "2016-06-03T00:00:00Z",
+ "refs": [
+ "https://msdn.microsoft.com/en-us/library/aa375365"
+ ],
+ "source": "MITRE",
+ "title": "Manifests"
+ },
+ "related": [],
+ "uuid": "a29301fe-0e3c-4c6e-85c5-a30a6bcb9114",
+ "value": "MSDN Manifests"
+ },
{
"description": "Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved January 10, 2018.",
"meta": {
@@ -33214,21 +33675,6 @@
"uuid": "33b25966-0ab9-4cc6-9702-62263a23af9c",
"value": "Rapid7 MiTM Basics"
},
- {
- "description": "praetorian Editorial Team. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved December 8, 2021.",
- "meta": {
- "date_accessed": "2021-12-08T00:00:00Z",
- "date_published": "2014-08-19T00:00:00Z",
- "refs": [
- "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/"
- ],
- "source": "MITRE",
- "title": "Man-in-the-Middle TLS Protocol Downgrade Attack"
- },
- "related": [],
- "uuid": "af907fe1-1e37-4f44-8ad4-fcc3826ee6fb",
- "value": "mitm_tls_downgrade_att"
- },
{
"description": "Praetorian. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved October 8, 2021.",
"meta": {
@@ -33244,6 +33690,21 @@
"uuid": "4375602d-4b5f-476d-82f8-3cef84d3378e",
"value": "Praetorian TLS Downgrade Attack 2014"
},
+ {
+ "description": "praetorian Editorial Team. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved December 8, 2021.",
+ "meta": {
+ "date_accessed": "2021-12-08T00:00:00Z",
+ "date_published": "2014-08-19T00:00:00Z",
+ "refs": [
+ "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/"
+ ],
+ "source": "MITRE",
+ "title": "Man-in-the-Middle TLS Protocol Downgrade Attack"
+ },
+ "related": [],
+ "uuid": "af907fe1-1e37-4f44-8ad4-fcc3826ee6fb",
+ "value": "mitm_tls_downgrade_att"
+ },
{
"description": "Warren, J. (2017, July 11). Manipulating User Passwords with Mimikatz. Retrieved December 4, 2017.",
"meta": {
@@ -34234,21 +34695,6 @@
"uuid": "f9daf15d-61ea-4cfa-a4e8-9d33d1acd28f",
"value": "Microsoft HTML Help May 2018"
},
- {
- "description": "Microsoft. (2019, August 29). Microsoft identity platform access tokens. Retrieved September 12, 2019.",
- "meta": {
- "date_accessed": "2019-09-12T00:00:00Z",
- "date_published": "2019-08-29T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens"
- ],
- "source": "MITRE",
- "title": "Microsoft identity platform access tokens"
- },
- "related": [],
- "uuid": "44767d53-8cd7-44dd-a69d-8a7bebc1d87d",
- "value": "Microsoft - Azure AD Identity Tokens - Aug 2019"
- },
{
"description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.",
"meta": {
@@ -34264,6 +34710,21 @@
"uuid": "a39d976e-9b52-48f3-b5db-0ffd84ecd338",
"value": "Microsoft Identity Platform Access 2019"
},
+ {
+ "description": "Microsoft. (2019, August 29). Microsoft identity platform access tokens. Retrieved September 12, 2019.",
+ "meta": {
+ "date_accessed": "2019-09-12T00:00:00Z",
+ "date_published": "2019-08-29T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens"
+ ],
+ "source": "MITRE",
+ "title": "Microsoft identity platform access tokens"
+ },
+ "related": [],
+ "uuid": "44767d53-8cd7-44dd-a69d-8a7bebc1d87d",
+ "value": "Microsoft - Azure AD Identity Tokens - Aug 2019"
+ },
{
"description": "Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.",
"meta": {
@@ -34425,21 +34886,6 @@
"uuid": "86955cd2-5980-44ba-aa7b-4b9f8e347730",
"value": "Microsoft WDAC"
},
- {
- "description": "Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021.",
- "meta": {
- "date_accessed": "2021-03-16T00:00:00Z",
- "date_published": "2020-10-15T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
- ],
- "source": "MITRE",
- "title": "Microsoft recommended driver block rules"
- },
- "related": [],
- "uuid": "2ad8414a-4490-4896-8266-556b8bdbb77f",
- "value": "Microsoft Driver Block Rules"
- },
{
"description": "Jordan Geurten et al. . (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.",
"meta": {
@@ -34455,6 +34901,21 @@
"uuid": "9bb5c330-56bd-47e7-8414-729d8e6cb3b3",
"value": "Microsoft driver block rules - Duplicate"
},
+ {
+ "description": "Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021.",
+ "meta": {
+ "date_accessed": "2021-03-16T00:00:00Z",
+ "date_published": "2020-10-15T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
+ ],
+ "source": "MITRE",
+ "title": "Microsoft recommended driver block rules"
+ },
+ "related": [],
+ "uuid": "2ad8414a-4490-4896-8266-556b8bdbb77f",
+ "value": "Microsoft Driver Block Rules"
+ },
{
"description": "Microsoft. (n.d.). Retrieved January 24, 2020.",
"meta": {
@@ -34605,6 +35066,22 @@
"uuid": "619b9cf8-7201-45de-9c36-834ccee356a9",
"value": "Microsoft SIR Vol 21"
},
+ {
+ "description": "Microsoft Threat Intelligence. (2024, July 15). Microsoft Threat Intelligence LinkedIn Q2 2024. Retrieved July 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-26T00:00:00Z",
+ "date_published": "2024-07-15T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.linkedin.com/posts/microsoft-threat-intelligence_in-the-second-quarter-of-2024-financially-activity-7218696257739923456-KKy_/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Microsoft Threat Intelligence LinkedIn Q2 2024"
+ },
+ "related": [],
+ "uuid": "0e7ea8d0-bdb8-48a6-9718-703f64d16460",
+ "value": "Microsoft Threat Intelligence LinkedIn July 15 2024"
+ },
{
"description": "MsftSecIntel. (2023, May 26). Microsoft Threat Intelligence Tweet April 26 2023. Retrieved June 16, 2023.",
"meta": {
@@ -34850,21 +35327,6 @@
"uuid": "07ff57eb-1e23-433b-8da7-80f1caf7543e",
"value": "ADSecurity AD Kerberos Attacks"
},
- {
- "description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.",
- "meta": {
- "date_accessed": "2017-12-04T00:00:00Z",
- "date_published": "2015-09-22T00:00:00Z",
- "refs": [
- "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/"
- ],
- "source": "MITRE",
- "title": "Mimikatz and DCSync and ExtraSids, Oh My"
- },
- "related": [],
- "uuid": "2a01a70c-28a8-444e-95a7-00a568d51ce6",
- "value": "Harmj0y DCSync Sept 2015"
- },
{
"description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved August 7, 2017.",
"meta": {
@@ -34881,19 +35343,19 @@
"value": "Harmj0y Mimikatz and DCSync"
},
{
- "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017.",
+ "description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.",
"meta": {
- "date_accessed": "2017-08-07T00:00:00Z",
- "date_published": "2015-09-25T00:00:00Z",
+ "date_accessed": "2017-12-04T00:00:00Z",
+ "date_published": "2015-09-22T00:00:00Z",
"refs": [
- "https://adsecurity.org/?p=1729"
+ "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/"
],
"source": "MITRE",
- "title": "Mimikatz DCSync Usage, Exploitation, and Detection"
+ "title": "Mimikatz and DCSync and ExtraSids, Oh My"
},
"related": [],
- "uuid": "61b0bb42-2ed6-413d-b331-0a84df12a87d",
- "value": "ADSecurity Mimikatz DCSync"
+ "uuid": "2a01a70c-28a8-444e-95a7-00a568d51ce6",
+ "value": "Harmj0y DCSync Sept 2015"
},
{
"description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.",
@@ -34910,6 +35372,21 @@
"uuid": "856ed70b-29b0-4f56-b5ae-a98981a22eaf",
"value": "AdSecurity DCSync Sept 2015"
},
+ {
+ "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017.",
+ "meta": {
+ "date_accessed": "2017-08-07T00:00:00Z",
+ "date_published": "2015-09-25T00:00:00Z",
+ "refs": [
+ "https://adsecurity.org/?p=1729"
+ ],
+ "source": "MITRE",
+ "title": "Mimikatz DCSync Usage, Exploitation, and Detection"
+ },
+ "related": [],
+ "uuid": "61b0bb42-2ed6-413d-b331-0a84df12a87d",
+ "value": "ADSecurity Mimikatz DCSync"
+ },
{
"description": "Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz. Retrieved June 20, 2019.",
"meta": {
@@ -35030,6 +35507,21 @@
"uuid": "0110500c-bf67-43a5-97cb-16eb6c01040b",
"value": "APT15 Intezer June 2018"
},
+ {
+ "description": "ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-13T00:00:00Z",
+ "date_published": "2019-11-19T00:00:00Z",
+ "refs": [
+ "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/"
+ ],
+ "source": "MITRE",
+ "title": "Mispadu: Advertisement for a discounted Unhappy Meal"
+ },
+ "related": [],
+ "uuid": "e1b945f4-20e0-5b69-8fd7-f05afce8c0ba",
+ "value": "ESET Security Mispadu Facebook Ads 2019"
+ },
{
"description": "ESET Research. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved April 4, 2024.",
"meta": {
@@ -35046,21 +35538,6 @@
"uuid": "a27753c1-2f7a-40c4-9e28-a37265bce28c",
"value": "ESET Mispadu November 2019"
},
- {
- "description": "ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.",
- "meta": {
- "date_accessed": "2024-03-13T00:00:00Z",
- "date_published": "2019-11-19T00:00:00Z",
- "refs": [
- "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/"
- ],
- "source": "MITRE",
- "title": "Mispadu: Advertisement for a discounted Unhappy Meal"
- },
- "related": [],
- "uuid": "e1b945f4-20e0-5b69-8fd7-f05afce8c0ba",
- "value": "ESET Security Mispadu Facebook Ads 2019"
- },
{
"description": "Duarte, H., Morrison, B. (2012). (Mis)trusting and (ab)using ssh. Retrieved January 8, 2018.",
"meta": {
@@ -35507,21 +35984,6 @@
"uuid": "6851b3f9-0239-40fc-ba44-34a775e9bd4e",
"value": "ESET EvilNum July 2020"
},
- {
- "description": "Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.",
- "meta": {
- "date_accessed": "2014-12-05T00:00:00Z",
- "date_published": "2010-08-12T00:00:00Z",
- "refs": [
- "https://msrc-blog.microsoft.com/2010/08/23/more-information-about-the-dll-preloading-remote-attack-vector/"
- ],
- "source": "MITRE",
- "title": "More information about the DLL Preloading remote attack vector"
- },
- "related": [],
- "uuid": "80289c7b-53c1-4aec-9436-04a43a82f769",
- "value": "Microsoft More information about DLL"
- },
{
"description": "Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.",
"meta": {
@@ -35537,6 +35999,21 @@ "uuid": "46aa7075-9f0a-461e-8519-5c4860208678", "value": "Microsoft DLL Preloading" }, + { + "description": "Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.", + "meta": { + "date_accessed": "2014-12-05T00:00:00Z", + "date_published": "2010-08-12T00:00:00Z", + "refs": [ + "https://msrc-blog.microsoft.com/2010/08/23/more-information-about-the-dll-preloading-remote-attack-vector/" + ], + "source": "MITRE", + "title": "More information about the DLL Preloading remote attack vector" + }, + "related": [], + "uuid": "80289c7b-53c1-4aec-9436-04a43a82f769", + "value": "Microsoft More information about DLL" + }, { "description": "valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.", "meta": { @@ -35626,21 +36103,6 @@ "uuid": "e9c47d8e-f732-45c9-bceb-26c5d564e781", "value": "CrowdStrike Deep Panda Web Shells" }, - { - "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.", - "meta": { - "date_accessed": "2023-09-25T00:00:00Z", - "date_published": "2023-08-10T00:00:00Z", - "refs": [ - "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" - ], - "source": "MITRE", - "title": "MoustachedBouncer: Espionage against foreign diplomats in Belarus" - }, - "related": [], - "uuid": "9070f14b-5d5e-5f6d-bcac-628478e01242", - "value": "MoustachedBouncer ESET August 2023" - }, { "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 1, 2023.", "meta": { 
@@ -35656,6 +36118,21 @@ "uuid": "6c85e925-d42b-590c-a424-14ebb49812bb", "value": "ESET MoustachedBouncer" }, + { + "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.", + "meta": { + "date_accessed": "2023-09-25T00:00:00Z", + "date_published": "2023-08-10T00:00:00Z", + "refs": [ + "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" + ], + "source": "MITRE", + "title": "MoustachedBouncer: Espionage against foreign diplomats in Belarus" + }, + "related": [], + "uuid": "9070f14b-5d5e-5f6d-bcac-628478e01242", + "value": "MoustachedBouncer ESET August 2023" + }, { "description": "Progress Software. (2023, June 16). MOVEit Transfer Critical Vulnerability (May 2023) (CVE-2023-34362). Retrieved July 28, 2023.", "meta": { @@ -35717,21 +36194,6 @@ "uuid": "e208c277-e477-4123-8c3c-313d55cdc1ea", "value": "Volatility Detecting Hooks Sept 2012" }, - { - "description": "Kugler, R. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.", - "meta": { - "date_accessed": "2017-03-10T00:00:00Z", - "date_published": "2012-11-20T00:00:00Z", - "refs": [ - "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/" - ], - "source": "MITRE", - "title": "Mozilla Foundation Security Advisory 2012-98" - }, - "related": [], - "uuid": "920d1607-154e-4c74-b1eb-0d8299be536f", - "value": "Mozilla Firefox Installer DLL Hijack" - }, { "description": "Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.", "meta": { 
@@ -35747,6 +36209,21 @@ "uuid": "cd720550-a0b5-4d1d-85dd-98da97f45b62", "value": "mozilla_sec_adv_2012" }, + { + "description": "Kugler, R. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.", + "meta": { + "date_accessed": "2017-03-10T00:00:00Z", + "date_published": "2012-11-20T00:00:00Z", + "refs": [ + "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/" + ], + "source": "MITRE", + "title": "Mozilla Foundation Security Advisory 2012-98" + }, + "related": [], + "uuid": "920d1607-154e-4c74-b1eb-0d8299be536f", + "value": "Mozilla Firefox Installer DLL Hijack" + }, { "description": "LOLBAS. (2020, March 20). MpCmdRun.exe. Retrieved December 4, 2023.", "meta": { @@ -35793,21 +36270,6 @@ "uuid": "a15fff18-5d3f-4898-9e47-ec6ae7dda749", "value": "SRD GPP" }, - { - "description": "Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.", - "meta": { - "date_accessed": "2015-01-28T00:00:00Z", - "date_published": "2014-05-13T00:00:00Z", - "refs": [ - "http://support.microsoft.com/kb/2962486" - ], - "source": "MITRE", - "title": "MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege" - }, - "related": [], - "uuid": "dbe32cbd-8c6e-483f-887c-ea2a5102cf65", - "value": "Microsoft MS14-025" - }, { "description": "Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020.", "meta": { 
@@ -35823,6 +36285,21 @@ "uuid": "7537c0bb-6f14-4a4a-94cc-98c6ed9e878f", "value": "MS14-025" }, + { + "description": "Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.", + "meta": { + "date_accessed": "2015-01-28T00:00:00Z", + "date_published": "2014-05-13T00:00:00Z", + "refs": [ + "http://support.microsoft.com/kb/2962486" + ], + "source": "MITRE", + "title": "MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege" + }, + "related": [], + "uuid": "dbe32cbd-8c6e-483f-887c-ea2a5102cf65", + "value": "Microsoft MS14-025" + }, { "description": "Microsoft. (n.d.). MSBuild1. Retrieved November 30, 2016.", "meta": { @@ -36961,21 +37438,6 @@ "uuid": "b218434e-4233-5963-824e-50ee32d468ed", "value": "Network Provider API" }, - { - "description": "Hossein Jazi. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved September 8, 2023.", - "meta": { - "date_accessed": "2023-09-08T00:00:00Z", - "date_published": "2020-04-16T00:00:00Z", - "refs": [ - "https://www.malwarebytes.com/blog/news/2020/04/new-agenttesla-variant-steals-wifi-credentials" - ], - "source": "MITRE", - "title": "New AgentTesla variant steals WiFi credentials" - }, - "related": [], - "uuid": "b61b7db6-ed0d-546d-b1e0-c2630530975b", - "value": "Malware Bytes New AgentTesla variant steals WiFi credentials" - }, { "description": "Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.", "meta": { 
@@ -36991,6 +37453,21 @@ "uuid": "87f4fe4c-54cd-40a7-938b-6e6f6d2efbea", "value": "Malwarebytes Agent Tesla April 2020" }, + { + "description": "Hossein Jazi. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved September 8, 2023.", + "meta": { + "date_accessed": "2023-09-08T00:00:00Z", + "date_published": "2020-04-16T00:00:00Z", + "refs": [ + "https://www.malwarebytes.com/blog/news/2020/04/new-agenttesla-variant-steals-wifi-credentials" + ], + "source": "MITRE", + "title": "New AgentTesla variant steals WiFi credentials" + }, + "related": [], + "uuid": "b61b7db6-ed0d-546d-b1e0-c2630530975b", + "value": "Malware Bytes New AgentTesla variant steals WiFi credentials" + }, { "description": "Chen, Joseph. (2018, July 16). New Andariel Reconnaissance Tactics Uncovered. Retrieved September 29, 2021.", "meta": { @@ -37305,21 +37782,6 @@ "uuid": "1641553f-96e7-4829-8c77-d96388dac5c7", "value": "Avast CCleaner3 2018" }, - { - "description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.", - "meta": { - "date_accessed": "2018-02-19T00:00:00Z", - "date_published": "2017-04-06T00:00:00Z", - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/" - ], - "source": "MITRE", - "title": "New IoT/Linux Malware Targets DVRs, Forms Botnet" - }, - "related": [], - "uuid": "489a6c57-f64c-423b-a7bd-169fa36c4cdf", - "value": "amnesia malware" - }, { "description": "Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved December 17, 2020.", "meta": { 
@@ -37335,6 +37797,21 @@ "uuid": "95b5b03e-f160-47cf-920c-8f4f3d4114a3", "value": "Tsunami" }, + { + "description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.", + "meta": { + "date_accessed": "2018-02-19T00:00:00Z", + "date_published": "2017-04-06T00:00:00Z", + "refs": [ + "https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/" + ], + "source": "MITRE", + "title": "New IoT/Linux Malware Targets DVRs, Forms Botnet" + }, + "related": [], + "uuid": "489a6c57-f64c-423b-a7bd-169fa36c4cdf", + "value": "amnesia malware" + }, { "description": "ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.", "meta": { @@ -37441,21 +37918,6 @@ "uuid": "b1540c5c-0bbc-4b9d-9185-fae224ba31be", "value": "Gallagher 2015" }, - { - "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.", - "meta": { - "date_accessed": "2019-06-05T00:00:00Z", - "date_published": "2017-11-28T00:00:00Z", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" - ], - "source": "MITRE", - "title": "Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection" - }, - "related": [], - "uuid": "32c0b9d2-9f31-4e49-8b3a-c63ff4fffa47", - "value": "FireEye Ursnif Nov 2017" - }, { "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.", "meta": { 
@@ -37471,6 +37933,21 @@ "uuid": "9737055a-f583-448e-84d0-1d336c4da9a8", "value": "FireEye TLS Nov 2017" }, + { + "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.", + "meta": { + "date_accessed": "2019-06-05T00:00:00Z", + "date_published": "2017-11-28T00:00:00Z", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" + ], + "source": "MITRE", + "title": "Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection" + }, + "related": [], + "uuid": "32c0b9d2-9f31-4e49-8b3a-c63ff4fffa47", + "value": "FireEye Ursnif Nov 2017" + }, { "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.", "meta": { @@ -38369,21 +38846,6 @@ "uuid": "65f1bbaa-8ad1-4ad5-b726-660558d27efc", "value": "Nmap: the Network Mapper" }, - { - "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved January 31, 2022.", - "meta": { - "date_accessed": "2022-01-31T00:00:00Z", - "date_published": "2021-10-25T00:00:00Z", - "refs": [ - "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks" - ], - "source": "MITRE", - "title": "NOBELIUM targeting delegated administrative privileges to facilitate broader attacks" - }, - "related": [], - "uuid": "aa315293-77a5-4ad9-b024-9af844edff9a", - "value": "Microsoft Nobelium Admin Privileges" - }, { "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.", "meta": { 
@@ -38399,6 +38861,21 @@ "uuid": "7b6cc308-9871-47e5-9039-a9a7e66ce373", "value": "MSTIC Nobelium Oct 2021" }, + { + "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved January 31, 2022.", + "meta": { + "date_accessed": "2022-01-31T00:00:00Z", + "date_published": "2021-10-25T00:00:00Z", + "refs": [ + "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks" + ], + "source": "MITRE", + "title": "NOBELIUM targeting delegated administrative privileges to facilitate broader attacks" + }, + "related": [], + "uuid": "aa315293-77a5-4ad9-b024-9af844edff9a", + "value": "Microsoft Nobelium Admin Privileges" + }, { "description": "Symantec Threat Hunter Team. (2022, September 22). Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics. Retrieved September 14, 2023.", "meta": { 
@@ -38594,6 +39071,22 @@ "uuid": "93c89ca5-1863-4ee2-9fff-258f94f655c4", "value": "Cybernews Yanfeng Qilin November 2023" }, + { + "description": "Cybersecurity and Infrastructure Security Agency. (2024, July 25). North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs. Retrieved July 29, 2024.", + "meta": { + "date_accessed": "2024-07-29T00:00:00Z", + "date_published": "2024-07-25T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a" + ], + "source": "Tidal Cyber", + "title": "North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs" + }, + "related": [], + "uuid": "b615953e-3c6c-4201-914c-4b75e45bb9ed", + "value": "U.S. CISA Andariel July 25 2024" + }, { "description": "Lakshmanan, R. (2022, August 17). North Korea Hackers Spotted Targeting Job Seekers with macOS Malware. Retrieved April 10, 2023.", "meta": { @@ -38699,21 +39192,6 @@ "uuid": "72d4b682-ed19-4e0f-aeff-faa52b3a0439", "value": "Github NoRunDll" }, - { - "description": "Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.", - "meta": { - "date_accessed": "2023-06-30T00:00:00Z", - "date_published": "2022-12-02T00:00:00Z", - "refs": [ - "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" - ], - "source": "MITRE", - "title": "Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies" - }, - "related": [], - "uuid": "382785e1-4ef3-506e-b74f-cd07df9ae46e", - "value": "Crowdstrike TELCO BPO Campaign December 2022" - }, { "description": "Tim Parisi. (2022, December 22). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved September 14, 2023.", "meta": { 
@@ -38730,6 +39208,21 @@ "uuid": "e48760ba-2752-4d30-8f99-152c81f63017", "value": "CrowdStrike Scattered Spider SIM Swapping December 22 2022" }, + { + "description": "Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.", + "meta": { + "date_accessed": "2023-06-30T00:00:00Z", + "date_published": "2022-12-02T00:00:00Z", + "refs": [ + "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" + ], + "source": "MITRE", + "title": "Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies" + }, + "related": [], + "uuid": "382785e1-4ef3-506e-b74f-cd07df9ae46e", + "value": "Crowdstrike TELCO BPO Campaign December 2022" + }, { "description": "Ducklin, P. (2015, April 20). Notes from SophosLabs: Dyreza, the malware that discriminates against old computers. Retrieved June 16, 2020.", "meta": { 
@@ -40234,6 +40727,22 @@ "uuid": "fd581c0c-d93e-4396-a372-99cde3cd0c7c", "value": "Operation Hangover May 2013" }, + { + "description": "Dominik Breitenbacher, Kaspars Osis. (2020, June 17). Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies. Retrieved June 20, 2024.", + "meta": { + "date_accessed": "2024-06-20T00:00:00Z", + "date_published": "2020-06-17T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/" + ], + "source": "Tidal Cyber", + "title": "Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies" + }, + "related": [], + "uuid": "481ac64d-912b-4c69-97e5-004bb5768b48", + "value": "ESET Operation Interception June 17 2020" + }, { "description": "Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.", "meta": { @@ -40952,21 +41461,6 @@ "uuid": "55ee5bcc-ba56-58ac-9afb-2349aa75fe39", "value": "Kubernetes Cloud Native Security" }, - { - "description": "Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.", - "meta": { - "date_accessed": "2021-03-24T00:00:00Z", - "date_published": "2012-07-23T00:00:00Z", - "refs": [ - "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html" - ], - "source": "MITRE", - "title": "Overview of Dynamic Libraries" - }, - "related": [], - "uuid": "e3b8cc52-2096-418c-b291-1bc76022961d", - "value": "Apple Doco Archive Dynamic Libraries" - }, { "description": "Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.", "meta": { 
@@ -40982,6 +41476,21 @@ "uuid": "39ffd162-4052-57ec-bd20-2fe6b8e6beab", "value": "Apple Dev Dynamic Libraries" }, + { + "description": "Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.", + "meta": { + "date_accessed": "2021-03-24T00:00:00Z", + "date_published": "2012-07-23T00:00:00Z", + "refs": [ + "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html" + ], + "source": "MITRE", + "title": "Overview of Dynamic Libraries" + }, + "related": [], + "uuid": "e3b8cc52-2096-418c-b291-1bc76022961d", + "value": "Apple Doco Archive Dynamic Libraries" + }, { "description": "Google Cloud. (n.d.). Overview of IAM Conditions. Retrieved January 2, 2024.", "meta": { @@ -41143,6 +41652,22 @@ "uuid": "deba605b-7abc-5794-a820-448a395aab69", "value": "Pacu Detection Disruption Module" }, + { + "description": "Ionut Arghire. (2024, January 3). Palestinian Hackers Hit 100 Israeli Organizations in Destructive Attacks. Retrieved August 8, 2024.", + "meta": { + "date_accessed": "2024-08-08T00:00:00Z", + "date_published": "2024-01-03T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.securityweek.com/palestinian-hackers-hit-100-israeli-organizations-in-destructive-attacks/" + ], + "source": "Tidal Cyber", + "title": "Palestinian Hackers Hit 100 Israeli Organizations in Destructive Attacks" + }, + "related": [], + "uuid": "413b7917-e22a-4706-aff3-80eb31521b6a", + "value": "SecurityWeek Cyber Toufan January 3 2024" + }, { "description": "Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.", "meta": { 
@@ -41187,21 +41712,6 @@ "uuid": "6bc5ad93-3cc2-4429-ac4c-aae72193df27", "value": "Man Pam_Unix" }, - { - "description": "Lancaster, T., Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved April 19, 2019.", - "meta": { - "date_accessed": "2019-04-19T00:00:00Z", - "date_published": "2017-06-27T00:00:00Z", - "refs": [ - "https://unit42.paloaltonetworks.com/unit42-paranoid-plugx/" - ], - "source": "MITRE", - "title": "Paranoid PlugX" - }, - "related": [], - "uuid": "9dc629a0-543c-4221-86cc-0dfb93903988", - "value": "Unit42 PlugX June 2017" - }, { "description": "Lancaster, T. and Idrizovic, E.. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.", "meta": { @@ -41217,6 +41727,21 @@ "uuid": "27f17e79-ef38-4c20-9250-40c81fa8717a", "value": "Palo Alto PlugX June 2017" }, + { + "description": "Lancaster, T., Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved April 19, 2019.", + "meta": { + "date_accessed": "2019-04-19T00:00:00Z", + "date_published": "2017-06-27T00:00:00Z", + "refs": [ + "https://unit42.paloaltonetworks.com/unit42-paranoid-plugx/" + ], + "source": "MITRE", + "title": "Paranoid PlugX" + }, + "related": [], + "uuid": "9dc629a0-543c-4221-86cc-0dfb93903988", + "value": "Unit42 PlugX June 2017" + }, { "description": "Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019.", "meta": { 
@@ -41663,19 +42188,20 @@ "value": "Pcwutl.dll - LOLBAS Project" }, { - "description": "Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved September 18, 2023.", + "description": "Microsoft Threat Intelligence. (2024, August 28). Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations . Retrieved August 29, 2024.", "meta": { - "date_accessed": "2023-09-18T00:00:00Z", - "date_published": "2023-09-14T00:00:00Z", + "date_accessed": "2024-08-29T00:00:00Z", + "date_published": "2024-08-28T00:00:00Z", + "owner": "TidalCyberIan", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/" + "https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/" ], - "source": "MITRE", - "title": "Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets" + "source": "Tidal Cyber", + "title": "Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations" }, "related": [], - "uuid": "84d026ed-b8f2-5bbb-865a-2d93aa4b2ef8", - "value": "Microsoft Peach Sandstorm 2023" + "uuid": "940c0755-18df-4fcb-9691-9f2eb45e6441", + "value": "Microsoft Security Blog August 28 2024" }, { "description": "Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved January 31, 2024.", 
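Review bot: The new `description` has a stray space before the period, `...intelligence gathering operations . Retrieved August 29, 2024.`; the corrected line is `"description": "Microsoft Threat Intelligence. (2024, August 28). Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations. Retrieved August 29, 2024.",`. Note for anyone reading this hunk alone that the MITRE entry it appears to overwrite (uuid 84d026ed-b8f2-5bbb-865a-2d93aa4b2ef8) is not actually dropped — it is re-added in the following hunk — so this is an insertion of the Tickler reference plus a reorder, not a replacement.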
@@ -41693,6 +42219,21 @@ "uuid": "98a631f4-4b95-4159-b311-dee1216ec208", "value": "Microsoft Peach Sandstorm September 14 2023" }, + { + "description": "Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved September 18, 2023.", + "meta": { + "date_accessed": "2023-09-18T00:00:00Z", + "date_published": "2023-09-14T00:00:00Z", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/" + ], + "source": "MITRE", + "title": "Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets" + }, + "related": [], + "uuid": "84d026ed-b8f2-5bbb-865a-2d93aa4b2ef8", + "value": "Microsoft Peach Sandstorm 2023" + }, { "description": "Microsoft. (2021, October 6). PEB structure (winternl.h). Retrieved November 19, 2021.", "meta": { 
@@ -41755,20 +42296,20 @@ "value": "U.S. CISA BlackTech September 27 2023" }, { - "description": "Cybersecurity and Infrastructure Security Agency. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved May 25, 2023.", + "description": "Cybersecurity and Infrastructure Security Agency. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved July 10, 2024.", "meta": { - "date_accessed": "2023-05-25T00:00:00Z", - "date_published": "2023-05-24T00:00:00Z", + "date_accessed": "2024-07-10T00:00:00Z", + "date_published": "2024-07-08T00:00:00Z", "owner": "TidalCyberIan", "refs": [ - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a" + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a" ], "source": "Tidal Cyber", - "title": "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection" + "title": "People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action" }, "related": [], - "uuid": "12320f38-ebbf-486a-a450-8a548c3722d6", - "value": "U.S. CISA Volt Typhoon May 24 2023" + "uuid": "3bf90a48-caf6-4b9d-adc2-3d1176f49ffc", + "value": "U.S. CISA APT40 July 8 2024" }, { "description": "NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.", 
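Review bot: The new APT40 entry uses a typographic apostrophe (U+2019) in both `description` and `title` — `People’s Republic of China (PRC) ...` — while the adjacent existing entries for the same subject use ASCII `People's`, and the new CISA Andariel entry higher up carries the same character in `Regime’s`. Since these files appear to be ordered and de-duplicated on `title`, mixing the two characters will silently affect sorting and any title-based matching; normalising to the ASCII form used by the surrounding entries, e.g. `"title": "People's Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action"`, keeps the data consistent. If the curly apostrophe is intentionally preserved from the source page, that convention should apply to the whole file rather than to individual entries.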
@@ -41785,6 +42326,22 @@ "uuid": "14872f08-e219-5c0d-a2d7-43a3ba348b4b", "value": "Joint Cybersecurity Advisory Volt Typhoon June 2023" }, + { + "description": "Cybersecurity and Infrastructure Security Agency. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved May 25, 2023.", + "meta": { + "date_accessed": "2023-05-25T00:00:00Z", + "date_published": "2023-05-24T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a" + ], + "source": "Tidal Cyber", + "title": "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection" + }, + "related": [], + "uuid": "12320f38-ebbf-486a-a450-8a548c3722d6", + "value": "U.S. CISA Volt Typhoon May 24 2023" + }, { "description": "Microsoft. (2004, February 6). Perimeter Firewall Design. Retrieved April 25, 2016.", "meta": { 
@@ -42281,22 +42838,6 @@ "uuid": "a78613a5-ce17-4d11-8f2f-3e642cd7673c", "value": "Symantec Play Ransomware April 19 2023" }, - { - "description": "Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares. (2022, September 6). Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa. Retrieved September 21, 2023.", - "meta": { - "date_accessed": "2023-09-21T00:00:00Z", - "date_published": "2022-09-06T00:00:00Z", - "owner": "TidalCyberIan", - "refs": [ - "https://www.trendmicro.com/es_es/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html" - ], - "source": "Tidal Cyber", - "title": "Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa" - }, - "related": [], - "uuid": "ed02529c-920d-4a92-8e86-be1ed7083991", - "value": "Trend Micro Play Ransomware September 06 2022" - }, { "description": "Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares. (2022, September 6). Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa. Retrieved August 10, 2023.", "meta": { 
@@ -42313,6 +42854,22 @@ "uuid": "2d2b527d-25b0-4b58-9ae6-c87060b64069", "value": "Trend Micro Play Playbook September 06 2022" }, + { + "description": "Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares. (2022, September 6). Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa. Retrieved September 21, 2023.", + "meta": { + "date_accessed": "2023-09-21T00:00:00Z", + "date_published": "2022-09-06T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.trendmicro.com/es_es/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html" + ], + "source": "Tidal Cyber", + "title": "Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa" + }, + "related": [], + "uuid": "ed02529c-920d-4a92-8e86-be1ed7083991", + "value": "Trend Micro Play Ransomware September 06 2022" + }, { "description": "Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.", "meta": { @@ -43051,20 +43608,6 @@ "uuid": "c84be284-03ad-4674-94db-03f264f2db9f", "value": "PrivateLoader: The first step in many malware schemes | Intel471" }, - { - "description": "Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud Platform – Part 1 (IAM). Retrieved September 21, 2023.", - "meta": { - "date_accessed": "2023-09-21T00:00:00Z", - "refs": [ - "https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/" - ], - "source": "MITRE", - "title": "Privilege Escalation in Google Cloud Platform – Part 1 (IAM)" - }, - "related": [], - "uuid": "55173e12-9edc-5685-ac0b-acd51617cc6e", - "value": "Rhino Google Cloud Privilege Escalation" - }, { "description": "Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud Platform – Part 1 (IAM). Retrieved May 27, 2022.", "meta": { 
@@ -43079,6 +43622,20 @@ "uuid": "55373476-1cbe-49f5-aecb-69d60b336d38", "value": "Rhingo Security Labs GCP Privilege Escalation" }, + { + "description": "Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud Platform – Part 1 (IAM). Retrieved September 21, 2023.", + "meta": { + "date_accessed": "2023-09-21T00:00:00Z", + "refs": [ + "https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/" + ], + "source": "MITRE", + "title": "Privilege Escalation in Google Cloud Platform – Part 1 (IAM)" + }, + "related": [], + "uuid": "55173e12-9edc-5685-ac0b-acd51617cc6e", + "value": "Rhino Google Cloud Privilege Escalation" + }, { "description": "Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.", "meta": { @@ -43363,6 +43920,22 @@ "uuid": "188d990e-f0be-40f2-90f3-913dfe687d27", "value": "Talos Promethium June 2020" }, + { + "description": "Daryna Antoniuk. (2023, December 29). Pro-Palestinian operation claims dozens of data breaches against Israeli firms. Retrieved August 8, 2024.", + "meta": { + "date_accessed": "2024-08-08T00:00:00Z", + "date_published": "2023-12-29T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://therecord.media/cyber-toufan-data-breaches-israel-iran-palestinians" + ], + "source": "Tidal Cyber", + "title": "Pro-Palestinian operation claims dozens of data breaches against Israeli firms" + }, + "related": [], + "uuid": "bc621380-7094-4877-abbe-5c20588e5dbc", + "value": "The Record Cyber Toufan December 29 2023" + }, { "description": "Intel471. (2022, September 14). Pro-Russian Hacktivist Groups Target Ukraine Supporters. Retrieved April 30, 2024.", "meta": { 
@@ -43755,21 +44328,6 @@ "uuid": "069ef9af-3402-4b13-8c60-b397b0b0bfd7", "value": "PaloAlto EncodedCommand March 2017" }, - { - "description": "Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.", - "meta": { - "date_accessed": "2019-03-04T00:00:00Z", - "date_published": "2018-12-06T00:00:00Z", - "refs": [ - "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" - ], - "source": "MITRE", - "title": "Pulling Linux Rabbit/Rabbot Malware Out of a Hat" - }, - "related": [], - "uuid": "e843eb47-21b0-44b9-8065-02aea0a0b05f", - "value": "Anomali Linux Rabbit 2018" - }, { "description": "Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020.", "meta": { @@ -43785,6 +44343,21 @@ "uuid": "ec413dc7-028c-4153-9e98-abe85961747f", "value": "anomali-linux-rabbit" }, + { + "description": "Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.", + "meta": { + "date_accessed": "2019-03-04T00:00:00Z", + "date_published": "2018-12-06T00:00:00Z", + "refs": [ + "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" + ], + "source": "MITRE", + "title": "Pulling Linux Rabbit/Rabbot Malware Out of a Hat" + }, + "related": [], + "uuid": "e843eb47-21b0-44b9-8065-02aea0a0b05f", + "value": "Anomali Linux Rabbit 2018" + }, { "description": "CrowdStrike. (n.d.). Punk Spider. Retrieved February 20, 2024.", "meta": { 
@@ -44116,6 +44689,22 @@ "uuid": "58df8729-ab42-55ee-a27d-655644bdeb0d", "value": "qr-phish-agriculture" }, + { + "description": "The DFIR Report. (2022, April 25). Quantum Ransomware. Retrieved June 28, 2024.", + "meta": { + "date_accessed": "2024-06-28T00:00:00Z", + "date_published": "2022-04-25T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://thedfirreport.com/2022/04/25/quantum-ransomware/" + ], + "source": "Tidal Cyber", + "title": "Quantum Ransomware" + }, + "related": [], + "uuid": "2e28c754-911a-4f08-a7bd-4580f5283571", + "value": "The DFIR Report April 25 2022" + }, { "description": "hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021.", "meta": { 
@@ -44432,19 +45021,20 @@
 "value": "DHS/CISA Ransomware Targeting Healthcare October 2020"
 },
 {
- "description": "Zafra, D. Lunden, K. Brubaker, N. Kennelly, J.. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved February 9, 2021.",
+ "description": "Federal Bureau of Investigation. (2023, November 7). Ransomware Actors Continue to Gain Access through Third Parties and Legitimate System Tools. Retrieved June 28, 2024.",
 "meta": {
- "date_accessed": "2021-02-09T00:00:00Z",
- "date_published": "2020-02-24T00:00:00Z",
+ "date_accessed": "2024-06-28T00:00:00Z",
+ "date_published": "2023-11-07T00:00:00Z",
+ "owner": "TidalCyberIan",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"
+ "https://www.aha.org/system/files/media/file/2023/11/bi-tlp-clear-pin-ransomware-actors-continue-to-gain-access-through-third-parties-and-legitimate-system-tools-11-7-23.pdf"
 ],
- "source": "MITRE",
- "title": "Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT"
+ "source": "Tidal Cyber",
+ "title": "Ransomware Actors Continue to Gain Access through Third Parties and Legitimate System Tools"
 },
 "related": [],
- "uuid": "9ffa0f35-98e4-4265-8b66-9c805a2b6525",
- "value": "FireEye Ransomware Disrupt Industrial Production"
+ "uuid": "e096e1f4-6b62-4756-8811-f263cf1dcecc",
+ "value": "FBI Ransomware Tools November 7 2023"
 },
 {
 "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.",
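Review bot: The new FBI record's `refs` entry points to a copy of the PIN hosted on aha.org while its `description` attributes the document to the Federal Bureau of Investigation; for a citation that other clusters use to source threat-intelligence claims, the issuing agency's own publication should be listed first when one is available, with the third-party host kept as an additional URL in `refs` so the link stays resolvable. This hunk also rewrites the FireEye record in place instead of inserting ahead of it: the displaced record (uuid `9ffa0f35-98e4-4265-8b66-9c805a2b6525`) reappears unchanged in the next hunk, so the net effect is one insertion plus a reorder, which is worth confirming before merge because the diff as presented reads like an identifier change on an existing reference.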
@@ -44461,6 +45051,21 @@
 "uuid": "44856547-2de5-45ff-898f-a523095bd593",
 "value": "FireEye Ransomware Feb 2020"
 },
+ {
+ "description": "Zafra, D. Lunden, K. Brubaker, N. Kennelly, J.. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved February 9, 2021.",
+ "meta": {
+ "date_accessed": "2021-02-09T00:00:00Z",
+ "date_published": "2020-02-24T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"
+ ],
+ "source": "MITRE",
+ "title": "Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT"
+ },
+ "related": [],
+ "uuid": "9ffa0f35-98e4-4265-8b66-9c805a2b6525",
+ "value": "FireEye Ransomware Disrupt Industrial Production"
+ },
 {
 "description": "Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.",
 "meta": {
@@ -44491,6 +45096,22 @@
 "uuid": "833018b5-6ef6-5327-9af5-1a551df25cd2",
 "value": "Microsoft Ransomware as a Service"
 },
+ {
+ "description": "Andreas Klopsch. (2024, August 14). Ransomware attackers introduce new EDR killer to their arsenal. Retrieved August 22, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-22T00:00:00Z",
+ "date_published": "2024-08-14T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Ransomware attackers introduce new EDR killer to their arsenal"
+ },
+ "related": [],
+ "uuid": "d0811fd4-e89d-4337-9bc1-a9a8774d44b1",
+ "value": "Sophos News August 14 2024"
+ },
 {
 "description": "Www.invictus-ir.com. (2024, January 11). Ransomware in the cloud. Retrieved April 17, 2024.",
 "meta": {
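Review bot: The lookup key `"value": "Sophos News August 14 2024"` in the second hunk names only the outlet and date, whereas most Tidal Cyber records added in this change carry the subject as well (`"Kroll Royal Ransomware February 13 2023"`, `"Unit42 Luna Moth November 21 2022"`, `"Symantec Stonefly April 27 2022"`); a key such as `"Sophos EDR Killer August 14 2024"` would be distinguishable once several Sophos articles are referenced. The same applies to `"Google Cloud June 13 2024"` on the UNC3944 record added later in this change. The first hunk only re-adds the FireEye record removed in the preceding hunk and needs no change.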
@@ -45594,21 +46215,6 @@ "uuid": "4054604b-7c0f-5012-b40c-2b117f6b54c2", "value": "Mandiant Remediation and Hardening Strategies for Microsoft 365" }, - { - "description": "Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021.", - "meta": { - "date_accessed": "2021-01-22T00:00:00Z", - "date_published": "2021-01-19T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452" - ], - "source": "MITRE", - "title": "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452" - }, - "related": [], - "uuid": "ed031297-d0f5-44a7-9723-ba692e923a6e", - "value": "Mandiant Defend UNC2452 White Paper" - }, { "description": "Mike Burns, Matthew McWhirt, Douglas Bienstock, Nick Bennett. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved September 25, 2021.", "meta": { @@ -45624,6 +46230,21 @@ "uuid": "7aa5c294-df8e-4994-9b9e-69444d75ef37", "value": "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452" }, + { + "description": "Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021.", + "meta": { + "date_accessed": "2021-01-22T00:00:00Z", + "date_published": "2021-01-19T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452" + ], + "source": "MITRE", + "title": "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452" + }, + "related": [], + "uuid": "ed031297-d0f5-44a7-9723-ba692e923a6e", + "value": "Mandiant Defend UNC2452 White Paper" + }, { "description": "Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016.", "meta": { 
@@ -46595,6 +47216,22 @@ "uuid": "dcdcc965-56d0-58e6-996b-d8bd40916745", "value": "Kroll Royal Deep Dive February 2023" }, + { + "description": "Laurie Iacono, Keith Wojcieszek, George Glass. (2023, February 13). Royal Ransomware Deep Dive. Retrieved June 17, 2024.", + "meta": { + "date_accessed": "2024-06-17T00:00:00Z", + "date_published": "2023-02-13T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive" + ], + "source": "Tidal Cyber", + "title": "Royal Ransomware Deep Dive" + }, + "related": [], + "uuid": "de385ede-f928-4a1e-934c-8ce7a6e7f33b", + "value": "Kroll Royal Ransomware February 13 2023" + }, { "description": "Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023.", "meta": { @@ -46610,21 +47247,6 @@ "uuid": "e5bb846f-d11f-580c-b96a-9de4ba5eaed6", "value": "Trend Micro Royal Linux ESXi February 2023" }, - { - "description": "Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.", - "meta": { - "date_accessed": "2023-03-30T00:00:00Z", - "date_published": "2022-12-14T00:00:00Z", - "refs": [ - "https://www.cybereason.com/blog/royal-ransomware-analysis" - ], - "source": "MITRE", - "title": "Royal Rumble: Analysis of Royal Ransomware" - }, - "related": [], - "uuid": "28aef64e-20d3-5227-a3c9-e657c6e2d07e", - "value": "Cybereason Royal December 2022" - }, { "description": "Cybereason global soc & cybereason security research teams. (n.d.). Royal Rumble: Analysis of Royal Ransomware. Retrieved May 18, 2023.", "meta": { 
@@ -46640,6 +47262,21 @@ "uuid": "5afa7fd0-908e-4714-9ab3-2bbbc1fff976", "value": "Royal Rumble: Analysis of Royal Ransomware" }, + { + "description": "Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.", + "meta": { + "date_accessed": "2023-03-30T00:00:00Z", + "date_published": "2022-12-14T00:00:00Z", + "refs": [ + "https://www.cybereason.com/blog/royal-ransomware-analysis" + ], + "source": "MITRE", + "title": "Royal Rumble: Analysis of Royal Ransomware" + }, + "related": [], + "uuid": "28aef64e-20d3-5227-a3c9-e657c6e2d07e", + "value": "Cybereason Royal December 2022" + }, { "description": "LOLBAS. (2018, May 25). Rpcping.exe. Retrieved December 4, 2023.", "meta": { @@ -47644,21 +48281,6 @@ "uuid": "2dd5b872-a4ab-4b77-8457-a3d947298fc0", "value": "Securelist ScarCruft May 2019" }, - { - "description": "Alessandro Brucato. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved September 25, 2023.", - "meta": { - "date_accessed": "2023-09-25T00:00:00Z", - "date_published": "2023-07-11T00:00:00Z", - "refs": [ - "https://sysdig.com/blog/scarleteel-2-0/" - ], - "source": "MITRE", - "title": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto" - }, - "related": [], - "uuid": "285266e7-7a62-5f98-9b0f-fefde4b21c88", - "value": "Sysdig ScarletEel 2.0 2023" - }, { "description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.", "meta": { 
@@ -47674,6 +48296,21 @@ "uuid": "90e60242-82d8-5648-b7e4-def6fd508e16", "value": "Sysdig ScarletEel 2.0" }, + { + "description": "Alessandro Brucato. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved September 25, 2023.", + "meta": { + "date_accessed": "2023-09-25T00:00:00Z", + "date_published": "2023-07-11T00:00:00Z", + "refs": [ + "https://sysdig.com/blog/scarleteel-2-0/" + ], + "source": "MITRE", + "title": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto" + }, + "related": [], + "uuid": "285266e7-7a62-5f98-9b0f-fefde4b21c88", + "value": "Sysdig ScarletEel 2.0 2023" + }, { "description": "Alberto Pellitteri. (2023, February 28). SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft. Retrieved February 2, 2023.", "meta": { @@ -48491,21 +49128,6 @@ "uuid": "c2f7958b-f521-4133-9aeb-c5c8fae23e78", "value": "ProofPoint Serpent" }, - { - "description": "Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.", - "meta": { - "date_accessed": "2016-06-12T00:00:00Z", - "date_published": "2016-06-12T00:00:00Z", - "refs": [ - "https://en.wikipedia.org/wiki/Server_Message_Block" - ], - "source": "MITRE", - "title": "Server Message Block" - }, - "related": [], - "uuid": "087b4779-22d5-4872-adb7-583904a92285", - "value": "Wikipedia SMB" - }, { "description": "Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017.", "meta": { 
@@ -48521,6 +49143,21 @@ "uuid": "3ea03c65-12e0-4e28-bbdc-17bb8c1e1831", "value": "Wikipedia Server Message Block" }, + { + "description": "Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.", + "meta": { + "date_accessed": "2016-06-12T00:00:00Z", + "date_published": "2016-06-12T00:00:00Z", + "refs": [ + "https://en.wikipedia.org/wiki/Server_Message_Block" + ], + "source": "MITRE", + "title": "Server Message Block" + }, + "related": [], + "uuid": "087b4779-22d5-4872-adb7-583904a92285", + "value": "Wikipedia SMB" + }, { "description": "Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.", "meta": { @@ -48992,6 +49629,20 @@ "uuid": "6f454218-91b7-4606-9467-c6d465c0fd1f", "value": "AWS EBS Snapshot Sharing" }, + { + "description": "The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.", + "meta": { + "date_accessed": "2020-01-31T00:00:00Z", + "refs": [ + "https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html" + ], + "source": "MITRE", + "title": "Shared Libraries" + }, + "related": [], + "uuid": "2862845b-72b3-41d8-aafb-b36e90c6c30a", + "value": "TLDP Shared Libraries" + }, { "description": "Wheeler, D. (2003, April 11). Shared Libraries. Retrieved September 7, 2023.", "meta": { 
@@ -49007,20 +49658,6 @@ "uuid": "054d769a-f88e-55e9-971a-f169ee434cfe", "value": "Linux Shared Libraries" }, - { - "description": "The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.", - "meta": { - "date_accessed": "2020-01-31T00:00:00Z", - "refs": [ - "https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html" - ], - "source": "MITRE", - "title": "Shared Libraries" - }, - "related": [], - "uuid": "2862845b-72b3-41d8-aafb-b36e90c6c30a", - "value": "TLDP Shared Libraries" - }, { "description": "halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017.", "meta": { @@ -50076,21 +50713,6 @@ "uuid": "a81ad3ef-fd96-432c-a7c8-ccc86d127a1b", "value": "FireEye SMOKEDHAM June 2021" }, - { - "description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved May 20, 2021.", - "meta": { - "date_accessed": "2021-05-20T00:00:00Z", - "date_published": "2017-08-08T00:00:00Z", - "refs": [ - "https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/" - ], - "source": "MITRE", - "title": "Smuggling HTA files in Internet Explorer/Edge" - }, - "related": [], - "uuid": "f5615cdc-bc56-415b-8e38-6f3fd1c33c88", - "value": "nccgroup Smuggling HTA 2017" - }, { "description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019.", "meta": { 
@@ -50106,6 +50728,21 @@ "uuid": "b16bae1a-75aa-478b-b8c7-458ee5a3f7e5", "value": "Environmental Keyed HTA" }, + { + "description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved May 20, 2021.", + "meta": { + "date_accessed": "2021-05-20T00:00:00Z", + "date_published": "2017-08-08T00:00:00Z", + "refs": [ + "https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/" + ], + "source": "MITRE", + "title": "Smuggling HTA files in Internet Explorer/Edge" + }, + "related": [], + "uuid": "f5615cdc-bc56-415b-8e38-6f3fd1c33c88", + "value": "nccgroup Smuggling HTA 2017" + }, { "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.", "meta": { @@ -50228,21 +50865,6 @@ "uuid": "01d9c3ba-29e2-5090-b399-0e7adf50a6b9", "value": "SocGholish-update" }, - { - "description": "Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.", - "meta": { - "date_accessed": "2024-03-22T00:00:00Z", - "date_published": "2022-11-07T00:00:00Z", - "refs": [ - "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/" - ], - "source": "MITRE", - "title": "SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders" - }, - "related": [], - "uuid": "8a26eeb6-6f80-58f1-b773-b38835c6781d", - "value": "SentinelOne SocGholish Infrastructure November 2022" - }, { "description": "Aleksandar Milenkoski. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved May 7, 2023.", "meta": { 
@@ -50259,6 +50881,21 @@ "uuid": "c2dd119c-25d8-4e48-8eeb-89552a5a096c", "value": "SentinelLabs SocGholish November 2022" }, + { + "description": "Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.", + "meta": { + "date_accessed": "2024-03-22T00:00:00Z", + "date_published": "2022-11-07T00:00:00Z", + "refs": [ + "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/" + ], + "source": "MITRE", + "title": "SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders" + }, + "related": [], + "uuid": "8a26eeb6-6f80-58f1-b773-b38835c6781d", + "value": "SentinelOne SocGholish Infrastructure November 2022" + }, { "description": "Proofpoint. (2022, November 21). SocGholish Malware: A Real Threat from a Fake Update | Proofpoint US. Retrieved May 7, 2023.", "meta": { @@ -50291,6 +50928,22 @@ "uuid": "ba749fe0-1ac7-4767-85df-97e6351c37f9", "value": "Rapid7 Blog 5 10 2024" }, + { + "description": "Federal Bureau of Investigation. (2024, June 24). Social Engineering Tactics Targeting Healthcare & Public Health Entities and Providers. Retrieved June 28, 2024.", + "meta": { + "date_accessed": "2024-06-28T00:00:00Z", + "date_published": "2024-06-24T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.ic3.gov/Media/News/2024/240624.pdf" + ], + "source": "Tidal Cyber", + "title": "Social Engineering Tactics Targeting Healthcare & Public Health Entities and Providers" + }, + "related": [], + "uuid": "527ac41a-a65e-4cf9-a9c9-194443b37c5b", + "value": "FBI Social Engineering Attacks June 24 2024" + }, { "description": "Felipe Duarte, Ido Naor. (2022, March 9). Sockbot in GoLand. Retrieved September 22, 2023.", "meta": { 
@@ -51219,21 +51872,6 @@ "uuid": "edd0cab4-48f7-48d8-a318-ced118af6a63", "value": "Sekoia.io Stealc February 27 2023" }, - { - "description": "Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023.", - "meta": { - "date_accessed": "2023-02-21T00:00:00Z", - "date_published": "2022-02-15T00:00:00Z", - "refs": [ - "https://aadinternals.com/post/deviceidentity/" - ], - "source": "MITRE", - "title": "Stealing and faking Azure AD device identities" - }, - "related": [], - "uuid": "b5ef16c4-1db0-51e9-93ab-54a8e480debc", - "value": "AADInternals Azure AD Device Identities" - }, { "description": "Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022.", "meta": { @@ -51249,6 +51887,21 @@ "uuid": "ec94c043-92ef-4691-b21a-7ea68f39e338", "value": "O365 Blog Azure AD Device IDs" }, + { + "description": "Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023.", + "meta": { + "date_accessed": "2023-02-21T00:00:00Z", + "date_published": "2022-02-15T00:00:00Z", + "refs": [ + "https://aadinternals.com/post/deviceidentity/" + ], + "source": "MITRE", + "title": "Stealing and faking Azure AD device identities" + }, + "related": [], + "uuid": "b5ef16c4-1db0-51e9-93ab-54a8e480debc", + "value": "AADInternals Azure AD Device Identities" + }, { "description": "Fuller, R. (2013, September 11). Stealing passwords every time they change. Retrieved November 21, 2017.", "meta": { 
@@ -51340,6 +51993,22 @@ "uuid": "bd034cc8-29e2-4d58-a72a-161b831191b7", "value": "FireEye VBA stomp Feb 2020" }, + { + "description": "Threat Hunter Team. (2022, April 27). Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets. Retrieved July 26, 2024.", + "meta": { + "date_accessed": "2024-07-26T00:00:00Z", + "date_published": "2022-04-27T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://symantec-enterprise-blogs.security.com/threat-intelligence/stonefly-north-korea-espionage" + ], + "source": "Tidal Cyber", + "title": "Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets" + }, + "related": [], + "uuid": "64d72689-0c7a-480a-a295-6321fc0d82fc", + "value": "Symantec Stonefly April 27 2022" + }, { "description": "Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020.", "meta": { @@ -51512,6 +52181,22 @@ "uuid": "cbf5ecfb-de79-41cc-8250-01790ff6e89b", "value": "U.S. CISA Daixin Team October 2022" }, + { + "description": "Cybersecurity and Infrastructure Security Agency. (2022, November 25). #StopRansomware: Hive Ransomware. Retrieved June 18, 2024.", + "meta": { + "date_accessed": "2024-06-18T00:00:00Z", + "date_published": "2022-11-25T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-321a" + ], + "source": "Tidal Cyber", + "title": "#StopRansomware: Hive Ransomware" + }, + "related": [], + "uuid": "fce322e6-5e23-404a-acf8-cd003f00c79d", + "value": "U.S. CISA Hive November 25 2022" + }, { "description": "Cybersecurity and Infrastructure Security Agency. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved May 19, 2023.", "meta": { 
@@ -52419,20 +53104,6 @@ "uuid": "6be16aba-a37f-49c4-9a36-51d2676f64e6", "value": "Ubuntu Manpage systemd rc" }, - { - "description": "Freedesktop.org. (n.d.). systemd.service — Service unit configuration. Retrieved March 16, 2020.", - "meta": { - "date_accessed": "2020-03-16T00:00:00Z", - "refs": [ - "https://www.freedesktop.org/software/systemd/man/systemd.service.html" - ], - "source": "MITRE", - "title": "systemd.service — Service unit configuration" - }, - "related": [], - "uuid": "43bae447-d2e3-4b53-b17b-12a0b54ac604", - "value": "Systemd Service Units" - }, { "description": "Free Desktop. (n.d.). systemd.service — Service unit configuration. Retrieved March 20, 2023.", "meta": { @@ -52447,6 +53118,20 @@ "uuid": "cae49a7a-db3b-5202-ba45-fbfa98b073c9", "value": "freedesktop systemd.service" }, + { + "description": "Freedesktop.org. (n.d.). systemd.service — Service unit configuration. Retrieved March 16, 2020.", + "meta": { + "date_accessed": "2020-03-16T00:00:00Z", + "refs": [ + "https://www.freedesktop.org/software/systemd/man/systemd.service.html" + ], + "source": "MITRE", + "title": "systemd.service — Service unit configuration" + }, + "related": [], + "uuid": "43bae447-d2e3-4b53-b17b-12a0b54ac604", + "value": "Systemd Service Units" + }, { "description": "Man7. (n.d.). systemd-sleep.conf(5) — Linux manual page. Retrieved June 7, 2023.", "meta": { @@ -52519,20 +53204,6 @@ "uuid": "2a3c5216-b153-4d89-b0b1-f32af3aa83d0", "value": "Peripheral Discovery macOS" }, - { - "description": "Microsoft. (n.d.). System Time. Retrieved November 25, 2016.", - "meta": { - "date_accessed": "2016-11-25T00:00:00Z", - "refs": [ - "https://msdn.microsoft.com/ms724961.aspx" - ], - "source": "MITRE", - "title": "System Time" - }, - "related": [], - "uuid": "5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec", - "value": "MSDN System Time" - }, { "description": "ArchLinux. (2024, February 1). System Time. Retrieved March 27, 2024.", "meta": { 
@@ -52548,6 +53219,20 @@ "uuid": "2dfd22d7-c78b-5967-b732-736f37ea5489", "value": "linux system time" }, + { + "description": "Microsoft. (n.d.). System Time. Retrieved November 25, 2016.", + "meta": { + "date_accessed": "2016-11-25T00:00:00Z", + "refs": [ + "https://msdn.microsoft.com/ms724961.aspx" + ], + "source": "MITRE", + "title": "System Time" + }, + "related": [], + "uuid": "5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec", + "value": "MSDN System Time" + }, { "description": "Atomic Red Team. (2023, November). T1003.007 - OS Credential Dumping: Proc Filesystem. Retrieved March 28, 2024.", "meta": { @@ -53255,21 +53940,6 @@ "uuid": "b98f1967-c62f-5afe-a2f7-4c426615d576", "value": "AquaSec TeamTNT 2023" }, - { - "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved July 8, 2022.", - "meta": { - "date_accessed": "2022-07-08T00:00:00Z", - "date_published": "2022-04-21T00:00:00Z", - "refs": [ - "https://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html" - ], - "source": "MITRE", - "title": "TeamTNT targeting AWS, Alibaba" - }, - "related": [], - "uuid": "acd1b4c5-da28-584e-b892-599180a8dbb0", - "value": "Talos TeamTNT" - }, { "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.", "meta": { 
@@ -53285,6 +53955,21 @@ "uuid": "f39b5f92-6e14-4c7f-b79d-7bade722e6d9", "value": "Cisco Talos Intelligence Group" }, + { + "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved July 8, 2022.", + "meta": { + "date_accessed": "2022-07-08T00:00:00Z", + "date_published": "2022-04-21T00:00:00Z", + "refs": [ + "https://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html" + ], + "source": "MITRE", + "title": "TeamTNT targeting AWS, Alibaba" + }, + "related": [], + "uuid": "acd1b4c5-da28-584e-b892-599180a8dbb0", + "value": "Talos TeamTNT" + }, { "description": "Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.", "meta": { @@ -53987,21 +54672,6 @@ "uuid": "93a23447-641c-4ee2-9fbd-64b2adea8a5f", "value": "BlackBerry CostaRicto November 2020" }, - { - "description": "Invictus Incident Response. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved March 19, 2024.", - "meta": { - "date_accessed": "2024-03-19T00:00:00Z", - "date_published": "2024-01-31T00:00:00Z", - "refs": [ - "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" - ], - "source": "MITRE", - "title": "The curious case of DangerDev@protonmail.me" - }, - "related": [], - "uuid": "90d608b9-ddbf-5476-bce1-85e8466aca47", - "value": "Invictus IR DangerDev 2024" - }, { "description": "Www.invictus-ir.com. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved April 17, 2024.", "meta": { 
@@ -54018,6 +54688,21 @@
 "uuid": "803a084a-0468-4c43-9843-a0b5652acdba",
 "value": "Www.invictus-ir.com 1 31 2024"
 },
+ {
+ "description": "Invictus Incident Response. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved March 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-19T00:00:00Z",
+ "date_published": "2024-01-31T00:00:00Z",
+ "refs": [
+ "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"
+ ],
+ "source": "MITRE",
+ "title": "The curious case of DangerDev@protonmail.me"
+ },
+ "related": [],
+ "uuid": "90d608b9-ddbf-5476-bce1-85e8466aca47",
+ "value": "Invictus IR DangerDev 2024"
+ },
 {
 "description": "Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.",
 "meta": {
@@ -54661,8 +55346,8 @@
 "title": "The LaZagne Project !!!"
 },
 "related": [],
- "uuid": "9347b507-3a41-405d-87f9-d4fc2bfc48e5",
- "value": "GitHub LaZagne Dec 2018"
+ "uuid": "33cca4fa-72a8-59a3-a62f-12f71a499a15",
+ "value": "GitHub LaZange Dec 2018"
 },
 {
 "description": "Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.",
@@ -54675,8 +55360,8 @@
 "title": "The LaZagne Project !!!"
 },
 "related": [],
- "uuid": "33cca4fa-72a8-59a3-a62f-12f71a499a15",
- "value": "GitHub LaZange Dec 2018"
+ "uuid": "9347b507-3a41-405d-87f9-d4fc2bfc48e5",
+ "value": "GitHub LaZagne Dec 2018"
 },
 {
 "description": "SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.",
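Review bot: The two LaZagne hunks swap `uuid` and `value` between two adjacent records that share the title "The LaZagne Project !!!" but carry different citation metadata (the second is the "Zanni, A. (n.d.) … Retrieved December 14, 2018" entry; the first record's description is outside the hunk). Because `uuid` is the stable identifier that other clusters and downstream consumers store, `9347b507-3a41-405d-87f9-d4fc2bfc48e5` now resolves to a different description and access date than it did before this change. If the intent is to correct which record owns which key, the commit message should say so; if it is only an ordering fix, moving the whole records, as every other reorder in this change does, keeps identifiers attached to their metadata. The misspelling in `"value": "GitHub LaZange Dec 2018"` is preserved as-is, which is right if it mirrors an upstream source name, but is worth confirming rather than propagating.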
@@ -56045,6 +56730,22 @@ "uuid": "dcdd4e48-3c3d-4008-a6f6-390f896f147b", "value": "Palo Alto Unit 42 EKANS" }, + { + "description": "Kristopher Russo. (2022, November 21). Threat Assessment: Luna Moth Callback Phishing Campaign. Retrieved June 28, 2024.", + "meta": { + "date_accessed": "2024-06-28T00:00:00Z", + "date_published": "2022-11-21T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/" + ], + "source": "Tidal Cyber", + "title": "Threat Assessment: Luna Moth Callback Phishing Campaign" + }, + "related": [], + "uuid": "042f51db-c9f3-4827-883d-d7e7422fd642", + "value": "Unit42 Luna Moth November 21 2022" + }, { "description": "UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. Retrieved May 17, 2022.", "meta": { @@ -56165,20 +56866,6 @@ "uuid": "c113cde7-5dd5-45e9-af16-3ab6ed0b1728", "value": "Awake Security Avaddon" }, - { - "description": "Gary Golomb. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved July 8, 2022.", - "meta": { - "date_accessed": "2022-07-08T00:00:00Z", - "refs": [ - "https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/" - ], - "source": "MITRE", - "title": "Threat Hunting Series: Detecting Command & Control in the Cloud" - }, - "related": [], - "uuid": "b12e0288-48cd-46ec-8305-0f4d050782f2", - "value": "Detecting Command & Control in the Cloud" - }, { "description": "Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved May 27, 2022.", "meta": { 
@@ -56193,6 +56880,20 @@ "uuid": "fa3762ce-3e60-4991-b464-12601d2a6912", "value": "Awake Security C2 Cloud" }, + { + "description": "Gary Golomb. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved July 8, 2022.", + "meta": { + "date_accessed": "2022-07-08T00:00:00Z", + "refs": [ + "https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/" + ], + "source": "MITRE", + "title": "Threat Hunting Series: Detecting Command & Control in the Cloud" + }, + "related": [], + "uuid": "b12e0288-48cd-46ec-8305-0f4d050782f2", + "value": "Detecting Command & Control in the Cloud" + }, { "description": "Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved March 30, 2021.", "meta": { @@ -56583,6 +57284,22 @@ "uuid": "140e6b01-6b98-4f82-9455-0c84b3856b86", "value": "TrendMicro Tonto Team October 2020" }, + { + "description": "Sandra Joyce, Shane Huntley. (2024, February 14). Tool of First Resort: Israel-Hamas War in Cyber. Retrieved August 30, 2024.", + "meta": { + "date_accessed": "2024-08-30T00:00:00Z", + "date_published": "2024-02-14T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf" + ], + "source": "Tidal Cyber", + "title": "Tool of First Resort: Israel-Hamas War in Cyber" + }, + "related": [], + "uuid": "55290507-e007-4366-9116-bbad364c14f3", + "value": "Google Israel-Hamas War February 14 2024" + }, { "description": "Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.", "meta": { 
@@ -56806,21 +57523,6 @@ "uuid": "99e48516-f918-477c-b85e-4ad894cc031f", "value": "JScrip May 2018" }, - { - "description": "Malhotra, A., McKay, K. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal . Retrieved July 29, 2022.", - "meta": { - "date_accessed": "2022-07-29T00:00:00Z", - "date_published": "2021-05-13T00:00:00Z", - "refs": [ - "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html" - ], - "source": "MITRE", - "title": "Transparent Tribe APT expands its Windows malware arsenal" - }, - "related": [], - "uuid": "be1e3092-1981-457b-ae76-b55b057e1d73", - "value": "tt_obliqueRAT" - }, { "description": "Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.", "meta": { @@ -56836,6 +57538,21 @@ "uuid": "5d58c285-bc7d-4a8a-a96a-ac7118c1089d", "value": "Talos Transparent Tribe May 2021" }, + { + "description": "Malhotra, A., McKay, K. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal . Retrieved July 29, 2022.", + "meta": { + "date_accessed": "2022-07-29T00:00:00Z", + "date_published": "2021-05-13T00:00:00Z", + "refs": [ + "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html" + ], + "source": "MITRE", + "title": "Transparent Tribe APT expands its Windows malware arsenal" + }, + "related": [], + "uuid": "be1e3092-1981-457b-ae76-b55b057e1d73", + "value": "tt_obliqueRAT" + }, { "description": "N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.", "meta": { 
@@ -57613,21 +58330,6 @@ "uuid": "5d69d122-13bc-45c4-95ab-68283a21b699", "value": "TrendMicro Tropic Trooper Mar 2018" }, - { - "description": "Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.", - "meta": { - "date_accessed": "2018-11-09T00:00:00Z", - "date_published": "2016-11-22T00:00:00Z", - "refs": [ - "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" - ], - "source": "MITRE", - "title": "Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy" - }, - "related": [], - "uuid": "cad84e3d-9506-44f8-bdd9-d090e6ce9b06", - "value": "Unit 42 Tropic Trooper Nov 2016" - }, { "description": "Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020.", "meta": { @@ -57643,6 +58345,21 @@ "uuid": "47524b17-1acd-44b1-8de5-168369fa9455", "value": "paloalto Tropic Trooper 2016" }, + { + "description": "Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.", + "meta": { + "date_accessed": "2018-11-09T00:00:00Z", + "date_published": "2016-11-22T00:00:00Z", + "refs": [ + "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" + ], + "source": "MITRE", + "title": "Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy" + }, + "related": [], + "uuid": "cad84e3d-9506-44f8-bdd9-d090e6ce9b06", + "value": "Unit 42 Tropic Trooper Nov 2016" + }, { "description": "Microsoft. (2023, October 23). Troubleshooting Conditional Access policy changes. Retrieved January 2, 2024.", "meta": { 
@@ -58319,6 +59036,22 @@ "uuid": "452ca091-42b1-5bef-8a01-921c1f46bbee", "value": "Mandiant APT29 Eye Spy Email Nov 22" }, + { + "description": "Mandiant. (2024, June 13). UNC3944 Targets SaaS Applications . Retrieved June 17, 2024.", + "meta": { + "date_accessed": "2024-06-17T00:00:00Z", + "date_published": "2024-06-13T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications" + ], + "source": "Tidal Cyber", + "title": "UNC3944 Targets SaaS Applications" + }, + "related": [], + "uuid": "161423a2-165d-448f-90e9-0c53e319a125", + "value": "Google Cloud June 13 2024" + }, { "description": "Mandiant. (2024, June 10). UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion . Retrieved June 13, 2024.", "meta": { @@ -58351,6 +59084,22 @@ "uuid": "cef19ceb-179f-4d49-acba-5ce40ab9f65e", "value": "Mandiant UNC961 March 23 2023" }, + { + "description": "Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved August 30, 2024.", + "meta": { + "date_accessed": "2024-08-30T00:00:00Z", + "date_published": "2024-05-01T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations" + ], + "source": "Tidal Cyber", + "title": "Uncharmed: Untangling Iran's APT42 Operations" + }, + "related": [], + "uuid": "84c0313a-bea1-44a7-9396-8e12437852d1", + "value": "Mandiant Uncharmed May 1 2024" + }, { "description": "Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.", "meta": { 
@@ -59129,6 +59878,22 @@ "uuid": "600de668-f128-4368-8667-24ed9a9db47a", "value": "USCYBERCOM SLOTHFULMEDIA October 2020" }, + { + "description": "Office of Public Affairs. (2023, January 26). U.S. Department of Justice Disrupts Hive Ransomware Variant. Retrieved June 18, 2024.", + "meta": { + "date_accessed": "2024-06-18T00:00:00Z", + "date_published": "2023-01-26T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant" + ], + "source": "Tidal Cyber", + "title": "U.S. Department of Justice Disrupts Hive Ransomware Variant" + }, + "related": [], + "uuid": "81bd5579-6a8a-40d2-b7b7-5cdb879ebdf0", + "value": "U.S. Justice Department Hive January 2023" + }, { "description": "Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.", "meta": { @@ -60251,21 +61016,6 @@ "uuid": "a26344a2-63ca-422e-8cf9-0cf22a5bee72", "value": "CheckPoint Volatile Cedar March 2015" }, - { - "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.", - "meta": { - "date_accessed": "2023-07-27T00:00:00Z", - "date_published": "2023-05-24T00:00:00Z", - "refs": [ - "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" - ], - "source": "MITRE", - "title": "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques" - }, - "related": [], - "uuid": "8b74f0b7-9719-598c-b3ee-61d734393e6f", - "value": "Microsoft Volt Typhoon May 2023" - }, { "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved May 25, 2023.", "meta": { 
@@ -60282,6 +61032,21 @@ "uuid": "2e94c44a-d2a7-4e56-ac8a-df315fc14ec1", "value": "Microsoft Volt Typhoon May 24 2023" }, + { + "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.", + "meta": { + "date_accessed": "2023-07-27T00:00:00Z", + "date_published": "2023-05-24T00:00:00Z", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" + ], + "source": "MITRE", + "title": "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques" + }, + "related": [], + "uuid": "8b74f0b7-9719-598c-b3ee-61d734393e6f", + "value": "Microsoft Volt Typhoon May 2023" + }, { "description": "LOLBAS. (2023, July 12). VSDiagnostics.exe. Retrieved December 4, 2023.", "meta": { @@ -60902,6 +61667,20 @@ "uuid": "d316c581-646d-48e7-956e-34e2f957c67d", "value": "Cofense Astaroth Sept 2018" }, + { + "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.", + "meta": { + "date_accessed": "2021-09-14T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil" + ], + "source": "MITRE", + "title": "wevtutil" + }, + "related": [], + "uuid": "25511dde-9e13-4e03-8ae4-2495e9f5eb5e", + "value": "Wevtutil Microsoft Documentation" + }, { "description": "Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018.", "meta": { 
@@ -60917,20 +61696,6 @@ "uuid": "8896d802-96c6-4546-8a82-c1f7f2d71ea1", "value": "Microsoft wevtutil Oct 2017" }, - { - "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.", - "meta": { - "date_accessed": "2021-09-14T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil" - ], - "source": "MITRE", - "title": "wevtutil" - }, - "related": [], - "uuid": "25511dde-9e13-4e03-8ae4-2495e9f5eb5e", - "value": "Wevtutil Microsoft Documentation" - }, { "description": "LOLBAS. (2021, September 26). Wfc.exe. Retrieved December 4, 2023.", "meta": { @@ -61904,6 +62669,21 @@ "uuid": "92ac290c-4863-4774-b334-848ed72e3627", "value": "Trend Micro Privileged Container" }, + { + "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved January 2, 2024.", + "meta": { + "date_accessed": "2024-01-02T00:00:00Z", + "date_published": "2023-09-14T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware" + ], + "source": "MITRE", + "title": "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety" + }, + "related": [], + "uuid": "3a310dbd-4b5c-5eaf-a4ce-699e52007c9b", + "value": "Mandiant UNC3944 SMS Phishing 2023" + }, { "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved November 16, 2023.", "meta": { 
@@ -61920,21 +62700,6 @@ "uuid": "7420d79f-c6a3-4932-9c2e-c9cc36e2ca35", "value": "Mandiant UNC3944 September 14 2023" }, - { - "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved January 2, 2024.", - "meta": { - "date_accessed": "2024-01-02T00:00:00Z", - "date_published": "2023-09-14T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware" - ], - "source": "MITRE", - "title": "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety" - }, - "related": [], - "uuid": "3a310dbd-4b5c-5eaf-a4ce-699e52007c9b", - "value": "Mandiant UNC3944 SMS Phishing 2023" - }, { "description": "Stack Overflow. (n.d.). Why do I see an \"Electron Security Warning\" after updating my Electron project to the latest version?. Retrieved March 7, 2024.", "meta": { @@ -63771,5 +64536,5 @@ "value": "Sysdig Kinsing November 2020" } ], - "version": 2 + "version": 1 } diff --git a/clusters/tidal-software.json b/clusters/tidal-software.json index d27482d..096cdd4 100644 --- a/clusters/tidal-software.json +++ b/clusters/tidal-software.json @@ -28,6 +28,10 @@ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" + }, + { + "dest-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", + "type": "similar" } ], "uuid": "71d76208-c465-4447-8d6e-c54f142b65a4", @@ -52,6 +56,10 @@ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" + }, + { + "dest-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", + "type": "similar" } ], "uuid": "a15142a3-4797-4fef-8ec6-065e3322a69b", @@ -67,6 +75,7 @@ "software_attack_id": "S5023", "source": "Tidal Cyber", "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "c45ce044-b5b9-426a-866c-130e9f2a4427", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", 
@@ -85,6 +94,14 @@ ] }, "related": [ + { + "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", + "type": "used-by" + }, + { + "dest-uuid": "ce126445-6984-45bb-9737-35448f06f27b", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -164,6 +181,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "2c5281dd-b5fd-4531-8aea-c1bf8a0f8756", + "type": "similar" } ], "uuid": "3d33fbf5-c21e-4587-ba31-9aeec3cc10c0", @@ -188,6 +209,10 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" + }, + { + "dest-uuid": "a0ebedca-d558-4e48-8ff7-4bf76208d90c", + "type": "similar" } ], "uuid": "394cadd0-bc4d-4181-ac53-858e84b8e3de", @@ -259,6 +284,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "04cecafd-cb5f-4daf-aa1f-73899116c4a2", + "type": "similar" } ], "uuid": "cf465790-3d6d-5767-bb8c-63a429f95d83", @@ -280,6 +309,10 @@ { "dest-uuid": "31bc763e-623f-4870-9780-86e43d732594", "type": "used-by" + }, + { + "dest-uuid": "36801ffb-5c85-4c50-9121-6122e389366d", + "type": "similar" } ], "uuid": "202781a3-d481-4984-9e5a-31caafc20135", @@ -301,6 +334,10 @@ { "dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "type": "used-by" + }, + { + "dest-uuid": "0f1ad2ef-41d4-4b7a-9304-ddae68ea3005", + "type": "similar" } ], "uuid": "f52e759a-a725-4b50-84f2-12bef89d369e", @@ -336,6 +373,9 @@ "software_attack_id": "S0552", "source": "MITRE", "tags": [ + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", 
@@ -357,13 +397,25 @@ }, "related": [ { - "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "type": "used-by" + }, + { + "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", + "type": "used-by" + }, + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, + { + "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -396,6 +448,10 @@ "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + }, { "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", "type": "used-by" @@ -407,6 +463,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87", + "type": "similar" } ], "uuid": "70559096-2a6b-4388-97e6-c2b16f3be78e", @@ -491,6 +551,14 @@ ] }, "related": [ + { + "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", + "type": "used-by" + }, + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" @@ -640,6 +708,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", + "type": "similar" } ], "uuid": "ef7f4f5f-6f30-4059-87d1-cd8375bf1bee", @@ -661,7 +733,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", + "type": "similar" + } + ], "uuid": "f27c9a91-c618-40c6-837d-089ba4d80f45", "value": "Agent.btz" }, 
@@ -710,6 +787,10 @@ { "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba", "type": "used-by" + }, + { + "dest-uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8", + "type": "similar" } ], "uuid": "304650b1-a0b5-460c-9210-23a5b53815a4", @@ -737,16 +818,24 @@ ] }, "related": [ + { + "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", + "type": "used-by" + }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" + }, + { + "dest-uuid": "6f6b2353-4b39-40ce-9d6d-d00b7a61e656", + "type": "similar" } ], "uuid": "96ae0e1e-975a-5e11-adbe-c79ee17cee11", "value": "Akira" }, { - "description": "A ransomware binary designed to encrypt victim files. More details about the TTPs typically observed during Akira ransomware attacks can be found in the associated Group object, \"Akira Ransomware Actors\".", + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Akira\" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n\nA ransomware binary designed to encrypt victim files. More details about the TTPs typically observed during Akira ransomware attacks can be found in the associated Group object, \"Akira Ransomware Actors\".", "meta": { "owner": "TidalCyberIan", "platforms": [ @@ -774,7 +863,7 @@ } ], "uuid": "59d598a9-e115-4d90-8fef-096015afa8d4", - "value": "Akira Ransomware" + "value": "Akira Ransomware (Deprecated)" }, { "description": "[Amadey](https://app.tidalcyber.com/software/f173ec20-ef40-436b-a859-fef017e1e767) is a Trojan bot that has been used since at least October 2018.[[Korean FSI TA505 2020](https://app.tidalcyber.com/references/d4e2c109-341c-45b3-9d41-3eb980724524)][[BlackBerry Amadey 2020](https://app.tidalcyber.com/references/21b7a7c7-55a2-4235-ba11-d34ba68d1bf5)]", 
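Review bot: The deprecated object renamed to `Akira Ransomware (Deprecated)` (uuid `59d598a9-e115-4d90-8fef-096015afa8d4`) names its MITRE successor only in free text, while in the same hunk the successor `Akira` (uuid `96ae0e1e-975a-5e11-adbe-c79ee17cee11`) gains a `similar` relation to a different uuid; a machine-readable link between the two would let tooling resolve the deprecation without parsing the description. Consider adding `{ "dest-uuid": "96ae0e1e-975a-5e11-adbe-c79ee17cee11", "type": "similar" }` to the deprecated object's `related` array, whose contents lie outside the `@@ -774,7 +863,7 @@` hunk. Whether the export supports that direction of link cannot be confirmed from the diff alone.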
@@ -797,6 +886,10 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" + }, + { + "dest-uuid": "05318127-5962-444b-b900-a9dcfe0ff6e9", + "type": "similar" } ], "uuid": "f173ec20-ef40-436b-a859-fef017e1e767", @@ -822,6 +915,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "5f1d4579-4e8f-48e7-860e-2da773ae432e", + "type": "similar" } ], "uuid": "9521c535-1043-4b82-ba5d-e5eaeca500ee", @@ -839,7 +936,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "dcd9548e-df9e-47c2-81f3-bc084289959d", + "type": "similar" + } + ], "uuid": "69aac793-9e6a-5167-bc62-823189ee2f7b", "value": "ANDROMEDA" }, @@ -907,6 +1009,14 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, + { + "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", + "type": "used-by" + }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" @@ -955,6 +1065,10 @@ "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, + { + "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", + "type": "used-by" + }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" @@ -1011,6 +1125,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "e2d34c63-6f5a-41f5-86a2-e2380f27f858", + "type": "similar" } ], "uuid": "cdeb3110-07e5-4c3d-9eef-e6f2b760ef33", @@ -1036,6 +1154,10 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" + }, + { + "dest-uuid": "295721d2-ee20-4fa3-ade3-37f4146b4570", + "type": "similar" } ], "uuid": "9df2e42e-b454-46ea-b50d-2f7d999f3d42", @@ -1101,6 +1223,10 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" + }, + { + "dest-uuid": "3161d76a-e2b2-4b97-9906-24909b735386", + "type": "similar" } ], "uuid": "7ba79887-d496-47aa-8b71-df7f46329322", 
@@ -1143,6 +1269,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", + "type": "similar" } ], "uuid": "45b51950-6190-4572-b1a2-7c69d865251e", @@ -1200,6 +1330,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", + "type": "similar" } ], "uuid": "a0cce010-9158-45e5-978a-f002e5c31a03", @@ -1220,7 +1354,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "edb24a93-1f7a-4bbf-a738-1397a14662c6", + "type": "similar" + } + ], "uuid": "ea719a35-cbe9-4503-873d-164f68ab4544", "value": "Astaroth" }, @@ -1233,6 +1372,12 @@ "software_attack_id": "S1087", "source": "MITRE", "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "2feda37d-5579-4102-a073-aa02e82cb49f", @@ -1244,6 +1389,10 @@ ] }, "related": [ + { + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "type": "used-by" + }, { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" @@ -1251,6 +1400,10 @@ { "dest-uuid": "153c14a6-31b7-44f2-892e-6d9fdc152267", "type": "used-by" + }, + { + "dest-uuid": "6a5947f3-1a36-4653-8734-526df3e1d28d", + "type": "similar" } ], "uuid": "d587efff-4699-51c7-a4cc-bdbd1b302ed4", @@ -1287,6 +1440,10 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" + }, + { + "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", + "type": "similar" } ], "uuid": "af01dc7b-a2bc-4fda-bbfe-d2be889c2860", 
@@ -1345,6 +1502,14 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, + { + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "type": "used-by" + }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" @@ -1353,6 +1518,10 @@ "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, + { + "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", + "type": "used-by" + }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" @@ -1362,11 +1531,11 @@ "type": "used-by" }, { - "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", + "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" }, { - "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", + "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", "type": "used-by" } ], @@ -1406,7 +1575,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", + "type": "similar" + } + ], "uuid": "89c35e9f-b435-4f58-9073-f24c1ee8754f", "value": "Attor" }, @@ -1426,6 +1600,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "24b4ce59-eaac-4c8b-8634-9b093b7ccd92", + "type": "similar" } ], "uuid": "d0c25f14-5eb3-40c1-a890-2ab1349dff53", @@ -1451,6 +1629,10 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", + "type": "similar" } ], "uuid": "3f927596-5219-49eb-bd0d-57068b0e04ed", @@ -1504,6 +1686,10 @@ { "dest-uuid": "31bc763e-623f-4870-9780-86e43d732594", "type": "used-by" + }, + { + "dest-uuid": "3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5", + "type": "similar" } ], "uuid": "649a4cfc-c0d0-412d-a28c-1bd4ed604ea8", 
@@ -1526,7 +1712,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "58c5a3a1-928f-4094-9e98-a5a4e56dd5f3", + "type": "similar" + } + ], "uuid": "bad92974-35f6-4183-8024-b629140c6ee6", "value": "Avaddon" }, @@ -1549,6 +1740,10 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" + }, + { + "dest-uuid": "36ede314-7db4-4d09-b53d-81bbfbe5f6f8", + "type": "similar" } ], "uuid": "e5ca0192-e905-46a1-abef-ce1119c1f967", @@ -1577,7 +1772,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0945a1a5-a79a-47c8-9079-10c16cdfcb5d", + "type": "similar" + } + ], "uuid": "e792dc8d-b0f4-5916-8850-a61ff53125d0", "value": "AvosLocker" }, @@ -1600,6 +1800,10 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" + }, + { + "dest-uuid": "f9b05f33-d45d-4e4d-aafe-c208d38a0080", + "type": "similar" } ], "uuid": "cc68a7f0-c955-465f-bee0-2dacbb179078", @@ -1615,6 +1819,9 @@ "software_attack_id": "S0638", "source": "MITRE", "tags": [ + "64d3f7d8-30b7-4b03-bee2-a6029672216c", + "375983b3-6e87-4281-99e2-1561519dd17b", + "3ed2343c-a29c-42e2-8259-410381164c6a", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "b5962a84-f1c7-4d0d-985c-86301db95129", "12124060-8392-49a3-b7b7-1dde3ebc8e67", @@ -1630,7 +1837,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "61c7a91a-0b83-461d-ad32-75d96eed4a09", + "type": "similar" + } + ], "uuid": "0dc07eb9-66df-4116-b1bc-7020ca6395a1", "value": "Babuk" }, @@ -1653,6 +1865,10 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" + }, + { + "dest-uuid": "d1b7830a-fced-4be3-a99c-f495af9d9e1b", + "type": "similar" } ], "uuid": "ebb824a2-abff-4bfd-87f0-d63cb02b62e6", @@ -1677,6 +1893,10 @@ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" + }, + { + "dest-uuid": "c13d9621-aca7-436b-ab3d-3a95badb3d00", + "type": "similar" } ], "uuid": "2763ad8c-cf4e-42eb-88db-a40ff8f96cf9", 
@@ -1701,6 +1921,10 @@ { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" + }, + { + "dest-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", + "type": "similar" } ], "uuid": "f7cc5974-767c-4cb4-acc7-36295a386ce5", @@ -1725,6 +1949,10 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" + }, + { + "dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", + "type": "similar" } ], "uuid": "d0daaa00-68e1-4568-bb08-3f28bcd82c63", @@ -1789,6 +2017,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "9dbdadb6-fdbf-490f-a35f-38762d06a0d2", + "type": "similar" } ], "uuid": "d7aa53a5-0912-4952-8f7f-55698e933c3b", @@ -1813,6 +2045,10 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" + }, + { + "dest-uuid": "57d83eac-a2ea-42b0-a7b2-c80c55157790", + "type": "similar" } ], "uuid": "8c454294-81cb-45d0-b299-818994ad3e6f", @@ -1834,6 +2070,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "3553b49d-d4ae-4fb6-ab17-0adbc520c888", + "type": "similar" } ], "uuid": "16481e0f-49d5-54c1-a1fe-16d9e7f8d08c", @@ -1855,6 +2095,10 @@ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" + }, + { + "dest-uuid": "e9595678-d269-469e-ae6b-75e49259de63", + "type": "similar" } ], "uuid": "34c24d27-c779-42a4-9f61-3f0d3fea6fd4", @@ -1872,7 +2116,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9af05de0-bc09-4511-a350-5eb8b06185c1", + "type": "similar" + } + ], "uuid": "10e76722-4b52-47f6-9276-70e95fecb26b", "value": "BadPatch" }, @@ -1925,6 +2174,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "type": "similar" } ], "uuid": "a1d86d8f-fa48-43aa-9833-7355750e455c", 
@@ -1951,6 +2204,10 @@ { "dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "type": "used-by" + }, + { + "dest-uuid": "835a79f1-842d-472d-b8f4-d54b545c341b", + "type": "similar" } ], "uuid": "5c0f8c35-88ff-40a1-977a-af5ce534e932", @@ -1975,6 +2232,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "1f6e3702-7ca1-4582-b2e7-4591297d05a8", + "type": "similar" } ], "uuid": "24b8471d-698f-48cc-b47a-8fbbaf28b293", @@ -2064,6 +2325,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "99fdf3b4-96ef-4ab9-b191-fc683441cad0", + "type": "similar" } ], "uuid": "b35d9817-6ead-4dbd-a2fa-4b8e217f8eac", @@ -2088,6 +2353,10 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" + }, + { + "dest-uuid": "f0fc920e-57a3-4af5-89be-9ea594c8b1ea", + "type": "similar" } ], "uuid": "3daa5ae1-464e-4c0a-aa46-15264a2a0126", @@ -2105,7 +2374,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", + "type": "similar" + } + ], "uuid": "be4dab36-d499-4ac3-b204-5e309e3a5331", "value": "BBSRAT" }, @@ -2128,6 +2402,10 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" + }, + { + "dest-uuid": "805480f1-6caa-4a67-8ca9-b2b39650d986", + "type": "similar" } ], "uuid": "a114a498-fcfd-4e0a-9d1e-e26750d71af8", @@ -2225,6 +2503,10 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" + }, + { + "dest-uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", + "type": "similar" } ], "uuid": "3ad98097-2d10-4aa1-9594-7e74828a3643", @@ -2249,6 +2531,10 @@ { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" + }, + { + "dest-uuid": "65ffc206-d7c1-45b3-b543-f6b726e7840d", + "type": "similar" } ], "uuid": "b898816e-610f-4c2f-9045-d9f28a54ee58", 
@@ -2274,6 +2560,10 @@ { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" + }, + { + "dest-uuid": "fa766a65-5136-4ff3-8429-36d08eaa0100", + "type": "similar" } ], "uuid": "e7dec940-8701-4c06-9865-5b11c61c046d", @@ -2335,6 +2625,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", + "type": "similar" } ], "uuid": "52a20d3d-1edd-4f17-87f0-b77c67d260b4", @@ -2370,6 +2664,10 @@ { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" + }, + { + "dest-uuid": "8d242fb4-9033-4f13-8a88-4b9b4bcd9a53", + "type": "similar" } ], "uuid": "0d5b24ba-68dc-50fa-8268-3012180fe374", @@ -2411,6 +2709,10 @@ { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" + }, + { + "dest-uuid": "50c44c34-3abb-48ae-9433-a2337de5b0bc", + "type": "similar" } ], "uuid": "691369e5-ef74-5ff9-bc20-34efeb4b6c5b", @@ -2440,6 +2742,10 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" + }, + { + "dest-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", + "type": "similar" } ], "uuid": "e85e2fca-9347-4448-bfc1-342f29d5d6a1", @@ -2464,6 +2770,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "type": "similar" } ], "uuid": "908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f", @@ -2508,6 +2818,10 @@ { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" + }, + { + "dest-uuid": "63c4511b-2d6e-4bb2-b582-e2e99a8a467d", + "type": "similar" } ], "uuid": "da348a51-d047-4144-9ba4-34d2ce964a11", @@ -2524,6 +2838,9 @@ "software_attack_id": "S5324", "source": "Tidal Cyber", "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "a2e000da-8181-4327-bacd-32013dbd3654", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", 
@@ -2533,7 +2850,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + } + ], "uuid": "6e200813-4379-457b-9cce-2203bed4b072", "value": "BlackSuit Ransomware" }, @@ -2553,6 +2875,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "01dbc71d-0ee8-420d-abb4-3dfb6a4bf725", + "type": "similar" } ], "uuid": "1af8ea81-40df-4fba-8d63-1858b8b31217", @@ -2625,6 +2951,10 @@ { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" + }, + { + "dest-uuid": "066b057c-944e-4cfc-b654-e3dfba04b926", + "type": "similar" } ], "uuid": "72658763-8077-451e-8572-38858f8cacf3", @@ -2649,6 +2979,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0", + "type": "similar" } ], "uuid": "3aaaaf86-638b-4a65-be18-c6e6dcdcdb97", @@ -2666,7 +3000,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "type": "similar" + } + ], "uuid": "3793db4b-f843-4cfd-89d2-ec28b62feda5", "value": "Bonadan" }, @@ -2686,6 +3025,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "d5268dfb-ae2b-4e0e-ac07-02a460613d8a", + "type": "similar" } ], "uuid": "d8690218-5272-47d8-8189-35d3b518e66f", @@ -2710,6 +3053,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "c26f1c05-b861-4970-94dc-2f7f921a3074", + "type": "similar" } ], "uuid": "9d393f6f-855e-4348-8a26-008174e3605a", @@ -2734,6 +3081,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "56d10a7f-bb42-4267-9b4c-63abb9c06010", + "type": "similar" } ], "uuid": "74a73624-d53b-4c84-a14b-8ae964fd577c", 
@@ -2751,7 +3102,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3", + "type": "similar" + } + ], "uuid": "d47a4753-80f5-494e-aad7-d033aaff0d6d", "value": "BOOTRASH" }, @@ -2774,6 +3130,10 @@ { "dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d", "type": "used-by" + }, + { + "dest-uuid": "919a056e-5104-43b9-ad55-2ac929108b71", + "type": "similar" } ], "uuid": "d3e46011-3433-426c-83b3-61c2576d5f71", @@ -2795,6 +3155,10 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" + }, + { + "dest-uuid": "28b97733-ef07-4414-aaa5-df50b2d30cc5", + "type": "similar" } ], "uuid": "51b27e2c-c737-4006-a657-195ea1a1f4f0", @@ -2816,6 +3180,10 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" + }, + { + "dest-uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde", + "type": "similar" } ], "uuid": "7942783c-73a7-413c-94d1-8981029a1c51", @@ -2841,6 +3209,10 @@ { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" + }, + { + "dest-uuid": "75d8b521-6b6a-42ff-8af3-d97e20ce12a5", + "type": "similar" } ], "uuid": "23043b44-69a6-5cdf-8f60-5a68068680c7", @@ -2858,7 +3230,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6", + "type": "similar" + } + ], "uuid": "c9e773de-0213-4b64-83fb-637060c8b5ed", "value": "BS2005" }, @@ -2881,6 +3258,10 @@ { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" + }, + { + "dest-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", + "type": "similar" } ], "uuid": "2be4e3d2-e8c5-4406-8041-2c17bdb3a547", @@ -2905,6 +3286,10 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" + }, + { + "dest-uuid": "d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40", + "type": "similar" } ], "uuid": "c21d3e6c-0f6d-44a8-bdd5-5b3180a641c9", 
@@ -2931,6 +3316,10 @@ { "dest-uuid": "396a4361-3e84-47bc-9544-58e287c05799", "type": "used-by" + }, + { + "dest-uuid": "04378e79-4387-468a-a8f7-f974b8254e44", + "type": "similar" } ], "uuid": "cc155181-fb34-4aaf-b083-b7b57b140b7a", @@ -2951,7 +3340,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "7bef1b56-4870-4e74-b32a-7dd88c390c44", + "type": "similar" + } + ], "uuid": "e9873bf1-9619-4c62-b4cf-1009e83de186", "value": "Bundlore" }, @@ -2967,7 +3361,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "29a0bb87-1162-4c83-9834-2a98a876051b", + "type": "similar" + } + ], "uuid": "44ed9567-2cb6-590e-b332-154557fb93f9", "value": "BUSHWALK" }, @@ -2987,6 +3386,10 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" + }, + { + "dest-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52", + "type": "similar" } ], "uuid": "7c03fb92-3cd8-4ce4-a1e0-75e47465e4bc", @@ -3037,7 +3440,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b30d999d-64e0-4e35-9856-884e4b83d611", + "type": "similar" + } + ], "uuid": "62d0ddcd-790d-4d2d-9d94-276f54b40cf0", "value": "CaddyWiper" }, @@ -3057,6 +3465,10 @@ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" + }, + { + "dest-uuid": "a705b085-1eae-455e-8f4d-842483d814eb", + "type": "similar" } ], "uuid": "c8a51b39-6906-4381-9bb4-4e9e612aa085", @@ -3078,6 +3490,10 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" + }, + { + "dest-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", + "type": "similar" } ], "uuid": "ad859a79-c183-44f6-a89a-f734710672a9", @@ -3095,7 +3511,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b8fdef82-d2cf-4948-8949-6466357b1be1", + "type": "similar" + } + ], "uuid": "6b5b408c-4f9d-4137-bfb1-830d12e9736c", "value": "Calisto" }, 
@@ -3115,6 +3536,10 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" + }, + { + "dest-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", + "type": "similar" } ], "uuid": "352ee271-89e6-4d3f-9c26-98dbab0e2986", @@ -3136,6 +3561,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "d20b397a-ea47-48a9-b503-2e2a3551e11d", + "type": "similar" } ], "uuid": "790e931d-2571-496d-9f48-322774a7d482", @@ -3161,6 +3590,10 @@ { "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "type": "used-by" + }, + { + "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", + "type": "similar" } ], "uuid": "4cb9294b-9e4c-41b9-b640-46213a01952d", @@ -3178,7 +3611,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "bbcd7a02-ef24-4171-ac94-a93540173b94", + "type": "similar" + } + ], "uuid": "df9491fd-5e24-4548-8e21-1268dce59d1f", "value": "Carberp" }, @@ -3198,6 +3636,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f", + "type": "similar" } ], "uuid": "61f5d19c-1da2-43d1-ab20-51eacbca71f2", @@ -3218,7 +3660,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b879758f-bbc4-4cab-b5ba-177ac9b009b4", + "type": "similar" + } + ], "uuid": "fa23acef-3034-43ee-9610-4fc322f0d80b", "value": "Cardinal RAT" }, @@ -3237,7 +3684,12 @@ "tool" ] }, - "related": [], + "related": [ + { + "dest-uuid": "5fc81b43-62b5-41b1-9113-c79ae5f030c4", + "type": "similar" + } + ], "uuid": "84bb4068-b441-435e-8535-02a458ffd50b", "value": "CARROTBALL" }, @@ -3253,7 +3705,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1b9f0800-035e-4ed1-9648-b18294cc5bc8", + "type": "similar" + } + ], "uuid": "aefa893d-fc6e-41a9-8794-2700049db9e5", "value": "CARROTBAT" }, 
@@ -3273,6 +3730,10 @@ { "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", "type": "used-by" + }, + { + "dest-uuid": "8d9e758b-735f-4cbc-ba7c-32cd15138b2a", + "type": "similar" } ], "uuid": "04deccb5-9850-45c3-a900-5d7039a94190", @@ -3297,6 +3758,10 @@ { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" + }, + { + "dest-uuid": "751b77e6-af1f-483b-93fe-eddf17f92a64", + "type": "similar" } ], "uuid": "ee88afaa-88bc-4c20-906f-332866388549", @@ -3343,7 +3808,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b0f13390-cec7-4814-b37c-ccec01887faa", + "type": "similar" + } + ], "uuid": "4eb0720c-7046-4ff1-adfd-ae603506e499", "value": "CCBkdr" }, @@ -3359,7 +3829,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a394448a-4576-41b8-81cc-9b61abad94ab", + "type": "similar" + } + ], "uuid": "e00c2a0c-bbe5-4eff-b0ad-b2543456a317", "value": "ccf32" }, @@ -3456,10 +3931,6 @@ ] }, "related": [ - { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", - "type": "used-by" - }, { "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e", "type": "used-by" @@ -3472,6 +3943,14 @@ "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" + }, + { + "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", + "type": "used-by" + }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" @@ -3492,10 +3971,6 @@ "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", "type": "used-by" }, - { - "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", - "type": "used-by" - }, { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" @@ -3511,6 +3986,10 @@ { "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", "type": "used-by" + }, + { + "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "type": "similar" } ], "uuid": "2fe21578-ee31-4ee8-b6ab-b5f76f97d043", 
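Review bot: The hunks at -3456, -3472 and -3492 remove the `fb93231d-2ae4-45da-9dea-4c372a11f322` and `e47b2958-b7c4-4fe1-a006-03137db91963` `used-by` entries and re-add them byte-identical a few lines further down, so the only change to that `related` array is its element order; the same churn recurs at -3654/-3670, -4019/-4031, -4277/-4312 and -4962 on the following lines. If this file is produced by a generator, writing `related` in a stable order (for example sorted by `type`, then `dest-uuid`) would make these hunks vanish and leave future diffs showing only real relationship changes. The objects these arrays belong to start and end outside the hunks.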
@@ -3531,7 +4010,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "77e0ecf7-ca91-4c06-8012-8e728986a87a", + "type": "similar" + } + ], "uuid": "0c8efcd0-bfdf-4771-8754-18aac836c359", "value": "Chaes" }, @@ -3551,7 +4035,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "5bcd5511-6756-4824-a692-e8bb109364af", + "type": "similar" + } + ], "uuid": "92c88765-6b12-42cd-b1d7-f6a65b2236e2", "value": "Chaos" }, @@ -3574,6 +4063,10 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" + }, + { + "dest-uuid": "7acb15b6-fe2c-4319-b136-6ab36ff0b2d4", + "type": "similar" } ], "uuid": "b1e3b56f-2e83-4cab-a1c1-16999009d056", @@ -3595,6 +4088,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", + "type": "similar" } ], "uuid": "3f2283ef-67c2-49a3-98ac-1aa9f0499361", @@ -3616,6 +4113,10 @@ { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" + }, + { + "dest-uuid": "5d3fa1db-5041-4560-b87b-8f61cc225c52", + "type": "similar" } ], "uuid": "6475bc8c-b95d-5cb3-92f0-aa7e2f18859a", @@ -3633,7 +4134,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", + "type": "similar" + } + ], "uuid": "2fd6f564-918e-4ee7-920a-2b4be858d11a", "value": "Cherry Picker" }, @@ -3654,14 +4160,6 @@ ] }, "related": [ - { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", - "type": "used-by" - }, - { - "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", - "type": "used-by" - }, { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" 
@@ -3670,6 +4168,14 @@ "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, + { + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "type": "used-by" + }, + { + "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", + "type": "used-by" + }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" @@ -3689,6 +4195,10 @@ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" + }, + { + "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", + "type": "similar" } ], "uuid": "723c5ab7-23ca-46f2-83bb-f1d1e550122c", @@ -3706,7 +4216,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0b639373-5f03-430e-b8f9-2fe8c8faad8e", + "type": "similar" + } + ], "uuid": "7c36563a-9143-4766-8aef-4e1787e18d8c", "value": "Chinoxy" }, @@ -3720,6 +4235,7 @@ "software_attack_id": "S5063", "source": "Tidal Cyber", "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "febea5b6-2ea2-402b-8bec-f3f5b3f73c59", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -3731,6 +4247,10 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" @@ -3803,6 +4323,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", + "type": "similar" } ], "uuid": "01c6c49a-f7c8-44cd-a377-4dfd358ffeba", @@ -3823,7 +4347,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "579607c2-d046-40df-99ab-beb479c37a2a", + "type": "similar" + } + ], "uuid": "df77ed2a-f135-4f00-9a5e-79b7a6a2ed14", "value": "Chrommme" }, @@ -3843,6 +4372,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "6e95feb1-78ee-48d3-b421-4d76663b5c49", + "type": "similar" } ], "uuid": "4bac93bd-7e58-4ddb-a205-d99597b9e65e", 
@@ -3950,6 +4483,10 @@ { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" + }, + { + "dest-uuid": "cad3ba95-8c89-4146-ab10-08daa813f9de", + "type": "similar" } ], "uuid": "5321aa75-924c-47ae-b97a-b36f023abf2a", @@ -3995,6 +4532,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", + "type": "similar" } ], "uuid": "b3dd424b-ee96-449c-aa52-abbc7d4dfb86", @@ -4019,6 +4560,10 @@ ] }, "related": [ + { + "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", + "type": "used-by" + }, { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" @@ -4031,10 +4576,6 @@ "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" }, - { - "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", - "type": "used-by" - }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" @@ -4150,6 +4691,10 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" + }, + { + "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", + "type": "similar" } ], "uuid": "98d89476-63ec-4baf-b2b3-86c52170f5d8", @@ -4244,7 +4789,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0c242cc5-58d3-4fe3-a866-b00a4b6fb817", + "type": "similar" + } + ], "uuid": "fbd3f71a-e123-5527-908c-9e7ea0d646e8", "value": "COATHANGER" }, @@ -4277,19 +4827,7 @@ }, "related": [ { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", - "type": "used-by" - }, - { - "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", - "type": "used-by" - }, - { - "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", - "type": "used-by" - }, - { - "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { 
@@ -4312,6 +4850,22 @@ "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" }, + { + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "type": "used-by" + }, + { + "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", + "type": "used-by" + }, + { + "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", + "type": "used-by" + }, + { + "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", + "type": "used-by" + }, { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" @@ -4384,6 +4938,10 @@ "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" @@ -4419,6 +4977,10 @@ { "dest-uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439", "type": "used-by" + }, + { + "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", + "type": "similar" } ], "uuid": "9b6bcbba-3ab4-4a4c-a233-cd12254823f6", @@ -4467,7 +5029,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "aa1462a1-d065-416c-b354-bedd04998c7f", + "type": "similar" + } + ], "uuid": "d4e6f9f7-7f4d-47c2-be24-b267d9317303", "value": "Cobian RAT" }, @@ -4504,7 +5071,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d1531eaa-9e17-473e-a680-3298469662c3", + "type": "similar" + } + ], "uuid": "b0d9b31a-072b-4744-8d2f-3a63256a932f", "value": "CoinTicker" }, @@ -4542,7 +5114,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", + "type": "similar" + } + ], "uuid": "341fc709-4908-4e41-8df3-554dae6d72b0", "value": "Comnie" }, @@ -4565,6 +5142,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", + "type": "similar" } ], "uuid": "300c5997-a486-4a61-8213-93a180c22849", 
@@ -4622,7 +5203,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "58eddbaf-7416-419a-ad7b-e65b9d4c3b55", + "type": "similar" + } + ], "uuid": "ef33f1fa-18a3-4b30-b359-17b7930f43a7", "value": "Conficker" }, @@ -4724,6 +5310,10 @@ { "dest-uuid": "b4d068ac-9b68-4cd8-bf0c-019f910ef8e3", "type": "used-by" + }, + { + "dest-uuid": "842976c7-f9c8-41b2-8371-41dc64fbe261", + "type": "similar" } ], "uuid": "6f9bb24d-cce2-49de-bedd-1849d9bde7a0", @@ -4738,6 +5328,9 @@ "software_attack_id": "S0575", "source": "MITRE", "tags": [ + "64d3f7d8-30b7-4b03-bee2-a6029672216c", + "375983b3-6e87-4281-99e2-1561519dd17b", + "3ed2343c-a29c-42e2-8259-410381164c6a", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "0ed7d10c-c65b-4174-9edb-446bf301d250", @@ -4766,6 +5359,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "4dea7d8e-af94-4bfb-afe4-7ff54f59308b", + "type": "similar" } ], "uuid": "8e995c29-2759-4aeb-9a0f-bb7cd97b06e5", @@ -4805,7 +5402,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "type": "similar" + } + ], "uuid": "6e2c4aef-2f69-4507-9ee3-55432d76341e", "value": "CookieMiner" }, @@ -4828,6 +5430,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e", + "type": "similar" } ], "uuid": "f13c8455-d615-4f8d-9d9c-5b31e593cd8a", @@ -4874,6 +5480,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", + "type": "similar" } ], "uuid": "3b193f62-2b49-4eff-bdf4-501fb8a28274", @@ -4898,6 +5508,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", + "type": "similar" } ], "uuid": "43b317c6-5b4f-47b8-b7b4-15cd6f455091", 
@@ -4915,7 +5529,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "5d342981-5194-41e7-b33f-8e91998d7d88", + "type": "similar" + } + ], "uuid": "ea9e2d19-89fe-4039-a1e0-467b14554c6f", "value": "CostaBricks" }, @@ -4938,6 +5557,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", + "type": "similar" } ], "uuid": "c2353daa-fd4c-44e1-8013-55400439965a", @@ -4962,11 +5585,11 @@ }, "related": [ { - "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" }, { - "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", + "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { @@ -4980,6 +5603,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "c4810609-7da6-48ec-8057-1b70a7814db0", + "type": "similar" } ], "uuid": "47e710b4-1397-47cf-a979-20891192f313", @@ -5042,6 +5669,11 @@ ], "software_attack_id": "S1023", "source": "MITRE", + "tags": [ + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "be319849-fb2c-4b5f-8055-0bde562c280b", + "8bf128ad-288b-41bc-904f-093f4fdde745" + ], "type": [ "malware" ] @@ -5050,6 +5682,10 @@ { "dest-uuid": "7fbd7514-76e9-4696-8c66-9f95546e3315", "type": "used-by" + }, + { + "dest-uuid": "750eb92a-7fdf-451e-9592-1d42357018f1", + "type": "similar" } ], "uuid": "7f7f05c3-fbb1-475e-b672-2113709065c8", @@ -5071,6 +5707,10 @@ { "dest-uuid": "7fbd7514-76e9-4696-8c66-9f95546e3315", "type": "used-by" + }, + { + "dest-uuid": "d23de441-f9cf-4802-b1ff-f588a11a896b", + "type": "similar" } ], "uuid": "11ce380c-481b-4c9b-b44e-06f1a91c01c1", @@ -5095,6 +5735,10 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" + }, + { + "dest-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", + "type": "similar" } ], "uuid": "3b3f296f-20a6-459a-98c5-62ebdee3701f", 
@@ -5118,6 +5762,10 @@ { "dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "type": "used-by" + }, + { + "dest-uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea", + "type": "similar" } ], "uuid": "38811c3b-f548-43fa-ab26-c7243b84a055", @@ -5139,6 +5787,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "925a6c52-5cf0-4fec-99de-b0d6917d8593", + "type": "similar" } ], "uuid": "e1ad229b-d750-4148-a1f3-36e767b03cd1", @@ -5160,6 +5812,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "a04d9a4c-bb52-40bf-98ec-e350c2d6a862", + "type": "similar" } ], "uuid": "12ce6d04-ebe5-440e-b342-0283b7c8a0c8", @@ -5252,6 +5908,10 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" + }, + { + "dest-uuid": "5256c0f8-9108-4c92-8b09-482dfacdcd94", + "type": "similar" } ], "uuid": "eb481db6-d7ba-4873-a171-76a228c9eb97", @@ -5266,6 +5926,9 @@ "software_attack_id": "S0625", "source": "MITRE", "tags": [ + "64d3f7d8-30b7-4b03-bee2-a6029672216c", + "375983b3-6e87-4281-99e2-1561519dd17b", + "3ed2343c-a29c-42e2-8259-410381164c6a", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930", @@ -5292,6 +5955,10 @@ { "dest-uuid": "c2015888-72c0-4367-b2cf-df85688a56b7", "type": "used-by" + }, + { + "dest-uuid": "6cd07296-14aa-403d-9229-6343d03d4752", + "type": "similar" } ], "uuid": "095064c6-144e-4935-b878-f82151bc08e4", @@ -5339,6 +6006,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "b350b47f-88fe-4921-8538-6d9c59bac84e", + "type": "similar" } ], "uuid": "68792756-7dbf-41fd-8d48-ac3cc2b52712", @@ -5362,6 +6033,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "type": "similar" } ], "uuid": "9d521c18-09f0-47be-bfe5-e1bf26f7b928", 
@@ -5386,6 +6061,10 @@
 {
 "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "b8d48deb-450c-44f6-a934-ac8765aa89cb",
+ "type": "similar"
 }
 ],
 "uuid": "131c0eb2-9191-4ccd-a2d6-5f36046a8f2f",
@@ -5418,6 +6097,10 @@
 {
 "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547",
+ "type": "similar"
 }
 ],
 "uuid": "74f88899-56d0-4de8-97de-539b3590ab90",
@@ -5442,13 +6125,17 @@ { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" + }, + { + "dest-uuid": "6f6f67c9-556d-4459-95c2-78d272190e52", + "type": "similar" } ], "uuid": "39d81c48-8f7c-54cb-8fac-485598e31a55", "value": "DarkGate - Duplicate" }, { - "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nDarkGate is a commodity downloader. Researchers have often observed DarkGate samples making use of legitimate copies of AutoIt, a freeware BASIC-like scripting language, using it to run AutoIt scripts as part of its execution chain. Reports of DarkGate infections surged following the announcement of the disruption of the QakBot botnet by international authorities in late August 2023.[[Bleeping Computer DarkGate October 14 2023](/references/313e5558-d8f9-4457-9004-810d9fa5340c)] The delivery of DarkGate payloads via instant messaging platforms including Microsoft Teams and Skype was reported in September and October 2023.[[DarkGate Loader delivered via Teams - Truesec](/references/4222a06f-9528-4076-8037-a27012c2930c)][[Trend Micro DarkGate October 12 2023](/references/81650f5b-628b-4e76-80d6-2c15cf70d37a)]", + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"DarkGate\" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n\n*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. 
Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nDarkGate is a commodity downloader. Researchers have often observed DarkGate samples making use of legitimate copies of AutoIt, a freeware BASIC-like scripting language, using it to run AutoIt scripts as part of its execution chain. Reports of DarkGate infections surged following the announcement of the disruption of the QakBot botnet by international authorities in late August 2023.[[Bleeping Computer DarkGate October 14 2023](/references/313e5558-d8f9-4457-9004-810d9fa5340c)] The delivery of DarkGate payloads via instant messaging platforms including Microsoft Teams and Skype was reported in September and October 2023.[[DarkGate Loader delivered via Teams - Truesec](/references/4222a06f-9528-4076-8037-a27012c2930c)][[Trend Micro DarkGate October 12 2023](/references/81650f5b-628b-4e76-80d6-2c15cf70d37a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ 
@@ -5470,7 +6157,7 @@ } ], "uuid": "7144b703-f471-4bde-bedc-e8b274854de5", - "value": "DarkGate" + "value": "DarkGate (Deprecated)" }, { "description": "[DarkTortilla](https://app.tidalcyber.com/software/35abcb6b-3259-57c1-94fc-50cfd5bde786) is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. [DarkTortilla](https://app.tidalcyber.com/software/35abcb6b-3259-57c1-94fc-50cfd5bde786) has been used to deliver popular information stealers, RATs, and payloads such as [Agent Tesla](https://app.tidalcyber.com/software/304650b1-a0b5-460c-9210-23a5b53815a4), AsyncRat, [NanoCore](https://app.tidalcyber.com/software/db05dbaa-eb3a-4303-b37e-18d67e7e85a1), RedLine, [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), and Metasploit.[[Secureworks DarkTortilla Aug 2022](https://app.tidalcyber.com/references/4b48cc22-55ac-5b61-b183-9008f7db37fd)]", @@ -5484,7 +6171,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "5faaf81a-aa5b-4a4b-bae5-522439e068f8", + "type": "similar" + } + ], "uuid": "35abcb6b-3259-57c1-94fc-50cfd5bde786", "value": "DarkTortilla" }, @@ -5503,7 +6195,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "63686509-069b-4143-99ea-4e59cad6cb2a", + "type": "similar" + } + ], "uuid": "740a0327-4caf-4d90-8b51-f3f9a4d59b37", "value": "DarkWatchman" }, @@ -5523,6 +6220,10 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" + }, + { + "dest-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", + "type": "similar" } ], "uuid": "fad65026-57c4-4d4f-8803-87178dd4b887", @@ -5592,6 +6293,10 @@ { "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c", "type": "used-by" + }, + { + "dest-uuid": "5633ffd3-81ef-4f98-8f93-4896b03998f0", + "type": "similar" } ], "uuid": "26ae3cd1-6710-4807-b674-957bd67d3e76", 
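Review bot: The retired Tidal DarkGate object (uuid `7144b703-f471-4bde-bedc-e8b274854de5`) is marked as superseded only in free text and by renaming `value` to `"DarkGate (Deprecated)"`; across the -5442 and -5470 hunks its `related` array gains no `similar` entry pointing at the MITRE "DarkGate" object the new description names, even though the neighbouring `DarkGate - Duplicate` object does receive one (`"dest-uuid": "6f6f67c9-556d-4459-95c2-78d272190e52", "type": "similar"`). Consumers that matched this cluster on the `value` string `DarkGate` will now miss it, and nothing machine-readable says the object is retired. Consider adding the same `similar` relationship here and, if the generator supports MISP's cluster-level `revoked` flag, setting that rather than encoding the state in the display name.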
@@ -5610,6 +6315,10 @@ { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" + }, + { + "dest-uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb", + "type": "similar" } ], "uuid": "0657b804-a889-400a-97d7-a4989809a623", @@ -5630,7 +6339,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c46eb8e6-bf29-4696-8008-3ddb0b4ca470", + "type": "similar" + } + ], "uuid": "e9533664-90c5-5b40-a40e-a69a2eda8bc9", "value": "DEADEYE" }, @@ -5653,6 +6367,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "8f460983-1bbb-4e7e-8094-f0b5e720f658", + "type": "similar" } ], "uuid": "64dc5d44-2304-4875-b517-316ab98512c2", @@ -5674,7 +6392,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6de9cad1-eed2-4e27-b0b5-39fa29349ea0", + "type": "similar" + } + ], "uuid": "832f5ab1-1267-40c9-84ef-f32d6373be4e", "value": "DEATHRANSOM" }, @@ -5754,6 +6477,10 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" + }, + { + "dest-uuid": "f25aab1a-0cef-4910-a85d-bb38b32ea41a", + "type": "similar" } ], "uuid": "df4002d2-f557-4f95-af7a-9a4582fb7068", @@ -5814,6 +6541,10 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" + }, + { + "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", + "type": "similar" } ], "uuid": "9222aa77-922e-43c7-89ad-71067c428fb2", @@ -6056,6 +6787,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "4e9bdf9a-4957-47f6-87b3-c76898d3f623", + "type": "similar" } ], "uuid": "d057b6e7-1de4-4f2f-b374-7e879caecd67", @@ -6077,6 +6812,10 @@ { "dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "type": "used-by" + }, + { + "dest-uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517", + "type": "similar" } ], "uuid": "226ee563-4d49-48c2-aa91-82999f43ce30", 
@@ -6098,6 +6837,10 @@ { "dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc", "type": "used-by" + }, + { + "dest-uuid": "e1445afd-c359-45ed-8f27-626dc4d5e157", + "type": "similar" } ], "uuid": "194314e3-4edc-5346-96b6-d2d7bf5d830a", @@ -6176,6 +6919,10 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" + }, + { + "dest-uuid": "8a2867f9-e8fc-4bf1-a860-ef6e46311900", + "type": "similar" } ], "uuid": "e69a913d-4ddc-4d69-9961-25a31cae5899", @@ -6221,6 +6968,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", + "type": "similar" } ], "uuid": "81ce23c0-f505-4d75-9928-4fbd627d3bc2", @@ -6238,7 +6989,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f36b2598-515f-4345-84e5-5ccde253edbe", + "type": "similar" + } + ], "uuid": "dfa14314-3c64-4a10-9889-0423b884f7aa", "value": "Dok" }, @@ -6258,7 +7014,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4f1c389e-a80e-4a3e-9b0e-9be8c91df64f", + "type": "similar" + } + ], "uuid": "e6160c55-1868-47bd-bec6-7becbf236bbb", "value": "Doki" }, @@ -6282,6 +7043,10 @@ { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" + }, + { + "dest-uuid": "a7b5df47-73bb-4d47-b701-869f185633a6", + "type": "similar" } ], "uuid": "40d25a38-91f4-4e07-bb97-8866bed8e44f", @@ -6328,6 +7093,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", + "type": "similar" } ], "uuid": "f7b64b81-f9e7-46bf-8f63-6d7520da832c", @@ -6352,6 +7121,10 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" + }, + { + "dest-uuid": "8be7c69e-d8e3-4970-9668-61de08e508cc", + "type": "similar" } ], "uuid": "20b796cf-6c90-4928-999e-88107078e15e", 
@@ -6373,6 +7146,10 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" + }, + { + "dest-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", + "type": "similar" } ], "uuid": "fc433c9d-a7fe-4915-8aa0-06b58f288249", @@ -6390,7 +7167,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "56aa3c82-ed40-4b5a-84bf-7231356d9e96", + "type": "similar" + } + ], "uuid": "c6c79fc5-e4b1-4f6c-a71d-d22d699d5caf", "value": "DRATzarus" }, @@ -6417,6 +7199,10 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" + }, + { + "dest-uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", + "type": "similar" } ], "uuid": "e3cd4405-b698-41d9-88e4-fff29e7a19e2", @@ -6438,6 +7224,10 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" + }, + { + "dest-uuid": "3ae6097d-d700-46c6-8b21-42fc0bcb48fa", + "type": "similar" } ], "uuid": "9c44d3f9-7a7b-4716-9cfa-640b36548ab0", @@ -6464,6 +7254,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "99164b38-1775-40bc-b77b-a2373b14540a", + "type": "similar" } ], "uuid": "bb7f7c19-ffb5-4bfe-99b1-ead3525c5e7b", @@ -6516,6 +7310,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", + "type": "similar" } ], "uuid": "06402bdc-a4a1-4e4a-bfc4-09f2c159af75", @@ -6540,6 +7338,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "f8774023-8021-4ece-9aca-383ac89d2759", + "type": "similar" } ], "uuid": "aa21462d-9653-48eb-a82e-5c93c9db5f7a", @@ -6604,7 +7406,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", + "type": "similar" + } + ], "uuid": "d4a664e5-9819-4f33-8b2b-e6f8e6a64999", "value": "Duqu" }, 
@@ -6627,6 +7434,10 @@
 {
 "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
+ "type": "similar"
 }
 ],
 "uuid": "77506f02-104f-4aac-a4e0-9649bd7efe2e",
@@ -6670,6 +7481,10 @@
 {
 "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe",
+ "type": "similar"
 }
 ],
 "uuid": "38e012f7-fb3a-4250-a129-92da3a488724",
@@ -6726,6 +7541,10 @@
 {
 "dest-uuid": "eeb69751-8c22-4a5f-8da2-239cc7d7746c",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "d6b3fcd0-1c86-4350-96f0-965ed02fcc51",
+ "type": "similar"
 }
 ],
 "uuid": "2375465a-e6a9-40ab-b631-a5b04cf5c689",
@@ -6751,6 +7570,10 @@
 {
 "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "e928333f-f3df-4039-9b8b-556c2add0e42",
+ "type": "similar"
 }
 ],
 "uuid": "70f703b3-0e24-4ffe-9772-f0e386ec607f",
@@ -6772,11 +7595,42 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "292eb0c5-b8e8-4af6-9e8f-0fda6b4528d3", + "type": "similar" } ], "uuid": "6508d3dc-eb22-468c-9122-dcf541caa69c", "value": "Ecipekac" }, + { + "description": "EDRKillShifter is a suspected threat actor-developed tool that is designed to disable victim endpoint detection & response (EDR) software. In August 2024, security researchers reported that the RansomHub ransomware group had deployed EDRKillShifter during attacks in May. The researchers also noted that EDRKillShifter primarily functions as a loader for payloads that could vary. This object mainly reflects ATT&CK Techniques associated with observed EDRKillShifter loader and payload deployments reported in August 2024.[[Sophos News August 14 2024](/references/d0811fd4-e89d-4337-9bc1-a9a8774d44b1)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S5332", + "source": "Tidal Cyber", + "tags": [ + "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + } + ], + "uuid": "1233436f-2a00-4557-89a4-8cbc45e6f9f7", + "value": "EDRKillShifter" + }, { "description": "[Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66) is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. 
Researchers have noted code similarities between [Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66) and Sekhmet ransomware, as well as [Maze](https://app.tidalcyber.com/software/3c206491-45c0-4ff7-9f40-45f9aae4de64) ransomware.[[NHS Digital Egregor Nov 2020](https://app.tidalcyber.com/references/92f74037-2a20-4667-820d-2ccc0e4dbd3d)][[Cyble Egregor Oct 2020](https://app.tidalcyber.com/references/545a131d-88fc-4b34-923c-0b759b45fc7f)][[Security Boulevard Egregor Oct 2020](https://app.tidalcyber.com/references/cd37a000-9e15-45a3-a7c9-bb508c10e55d)]", "meta": { @@ -6796,7 +7650,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "cc4c1287-9c86-4447-810c-744f3880ec37", + "type": "similar" + } + ], "uuid": "0e36b62f-a6e2-4406-b3d9-e05204e14a66", "value": "Egregor" }, 
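Review bot: The new EDRKillShifter object's description cites its source with a root-relative link, `[[Sophos News August 14 2024](/references/d0811fd4-e89d-4337-9bc1-a9a8774d44b1)]`, while the MITRE-derived descriptions around it (Egregor, Elise) use absolute `https://app.tidalcyber.com/references/...` URLs; the Eldorado Ransomware object added on the next lines uses the relative form as well. Rendered anywhere other than the Tidal site, the relative links resolve against the wrong host, so the generator should emit one URL form for Tidal- and MITRE-authored descriptions alike. The EDRKillShifter text also calls it a "tool" while `type` is `["malware"]`, which may be intentional but is worth confirming against how CARROTBALL (`"tool"`) is typed earlier in this file.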
@@ -6817,10 +7676,46 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "00e7d565-9883-4ee5-b642-8fd17fd6a3f5",
+ "type": "similar"
+ }
+ ],
 "uuid": "cd7821cb-32f3-4d81-a5d1-0cdee94a15c4",
 "value": "EKANS"
 },
+ {
+ "description": "This object reflects the ATT&CK Techniques associated with binaries of Eldorado, a ransomware-as-a-service (\"RaaS\") first observed in March 2024.[[Group-IB July 3 2024](/references/50148a85-314c-4b29-bdfc-913ab647dadf)] A small number of Techniques associated with threat actors who deploy Eldorado can be found in the \"Eldorado Ransomware Operators\" Group object.\n\nEldorado is written in the cross-platform Golang language. A custom \"builder\" allows threat actors to create both Windows- and Linux-focused versions of the ransomware. Researchers indicate that the Linux version has a relatively simple set of capabilities, lacking any native discovery, defense evasion, or other common post-exploit abilities common in many modern (Windows) ransomware. 
The operator must have access to the target system(s) and must provide a target directory path, after which the ransomware will recursively loop through the files within that path and encrypt them (T1486).[[Group-IB July 3 2024](/references/50148a85-314c-4b29-bdfc-913ab647dadf)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Linux",
+ "Windows"
+ ],
+ "software_attack_id": "S5330",
+ "source": "Tidal Cyber",
+ "tags": [
+ "a2e000da-8181-4327-bacd-32013dbd3654",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "26e1c52e-0c48-4cd0-bdc5-9cf981a6e714",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "a2ad5253-e31b-432c-804d-971be8652344",
+ "value": "Eldorado Ransomware"
+ },
 {
 "description": "[Elise](https://app.tidalcyber.com/software/fd5efee9-8710-4536-861f-c88d882f4d24) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://app.tidalcyber.com/groups/2849455a-cf39-4a9f-bd89-c2b3c1e5dd52). It is part of a larger group of\ntools referred to as LStudio, ST Group, and APT0LSTU. [[Lotus Blossom Jun 2015](https://app.tidalcyber.com/references/46fdb8ca-b14d-43bd-a20f-cae7b26e56c6)][[Accenture Dragonfish Jan 2018](https://app.tidalcyber.com/references/f692c6fa-7b3a-4d1d-9002-b1a59f7116f4)]",
 "meta": {
@@ -6840,6 +7735,10 @@
 {
 "dest-uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
+ "type": "similar"
 }
 ],
 "uuid": "fd5efee9-8710-4536-861f-c88d882f4d24",
@@ -6861,6 +7760,10 @@
 {
 "dest-uuid": "06a05175-0812-44f5-a529-30eba07d1762",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c",
+ "type": "similar"
 }
 ],
 "uuid": "6a3ca97e-6dd6-44e5-a5f0-7225099ab474",
@@ -6882,6 +7785,10 @@ { "dest-uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52", "type": "used-by" + }, + { + "dest-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", + "type": "similar" } ], "uuid": "fd95d38d-83f9-4b31-8292-ba2b04275b36", @@ -6916,6 +7823,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "32066e94-3112-48ca-b9eb-ba2b59d2f023", + "type": "similar" } ], "uuid": "c987d255-a351-4736-913f-91e2f28d0654", @@ -6945,7 +7856,7 @@ }, "related": [ { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", "type": "used-by" }, { @@ -6953,7 +7864,7 @@ "type": "used-by" }, { - "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { @@ -7015,6 +7926,10 @@ { "dest-uuid": "345e553a-164d-4c9d-8bf9-19fcf8a51533", "type": "used-by" + }, + { + "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "type": "similar" } ], "uuid": "fea655ac-558f-4dd0-867f-9a5553626207", @@ -7039,6 +7954,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "2f8229dc-da94-41c6-89ba-b5b6c32f6b7d", + "type": "similar" } ], "uuid": "8da6fbf0-a18d-49a0-9235-101300d49d5e", @@ -7063,6 +7982,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", + "type": "similar" } ], "uuid": "a7e71387-b276-413c-a0de-4cf07e39b158", @@ -7093,6 +8016,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "c256da91-6dd5-40b2-beeb-ee3b22ab3d27", + "type": "similar" } ], "uuid": "a7589733-6b04-4215-a4e7-4b62cd4610fa", @@ -7132,7 +8059,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a8a778f5-0035-4870-bb25-53dc05029586", + "type": "similar" + } + ], "uuid": "300e8176-e7ee-44ef-8d10-dff96502f6c6", "value": "EvilBunny" }, 
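Review bot: The hunks at `@@ -6945,7 +7856,7 @@` and `@@ -6953,7 +7864,7 @@` only swap the positions of the existing `502223ee-…` and `b534349f-…` `used-by` entries; the set of relations on that object is unchanged. The same position-only churn recurs at `@@ -7876,13 +8889,17 @@`, `@@ -8251,6 +9327,10 @@` with `@@ -8259,10 +9339,6 @@`, `@@ -8462,10 +9572,6 @@` with `@@ -8478,6 +9584,10 @@`, and `@@ -10006,6 +11353,14 @@` with `@@ -10018,10 +11373,6 @@`. If the generator does not emit `related` in a stable order, every regeneration reshuffles these arrays and buries the real additions in review noise; sorting each `related` array on `(type, dest-uuid)` before serializing would make the diffs show only genuine edges. The visible order of the moved entries does not match a plain UUID sort, so I cannot tell from the hunk what key, if any, is currently used.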
@@ -7146,6 +8078,7 @@ "software_attack_id": "S5078", "source": "Tidal Cyber", "tags": [ + "fe28cf32-a15c-44cf-892c-faa0360d6109", "e1af18e3-3224-4e4c-9d0f-533768474508", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" @@ -7186,6 +8119,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", + "type": "similar" } ], "uuid": "e862419c-d6b6-4433-a02a-c1cc98ea6f9e", @@ -7210,6 +8147,10 @@ { "dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd", "type": "used-by" + }, + { + "dest-uuid": "7cdfccda-2950-4167-981a-60872ff5d0db", + "type": "similar" } ], "uuid": "e0eaae6d-5137-4053-bf37-ff90bf5767a9", @@ -7231,6 +8172,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "11194d8b-fdce-45d2-8047-df15bb8f16bd", + "type": "similar" } ], "uuid": "c773f709-b5fe-4514-9d88-24ceb0dd8063", @@ -7252,6 +8197,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "051eaca1-958f-4091-9e5f-a9acd8f820b5", + "type": "similar" } ], "uuid": "21569dfb-c9f1-468e-903e-348f19dbae1f", @@ -7320,7 +8269,12 @@ "tool" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ca656c25-44f1-471b-9d9f-e2a3bbb84973", + "type": "similar" + } + ], "uuid": "5d7a39e3-c667-45b3-987e-3b0ca49cff61", "value": "Expand" }, @@ -7370,6 +8324,10 @@ { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" + }, + { + "dest-uuid": "6a21e3a4-5ffe-4581-af9a-6a54c7536f44", + "type": "similar" } ], "uuid": "572eec55-2855-49ac-a82e-2c21e9aca27e", @@ -7470,6 +8428,10 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" + }, + { + "dest-uuid": "bb3c1098-d654-4620-bf40-694386d28921", + "type": "similar" } ], "uuid": "8c64a330-1457-4c32-ab2f-12b6eb37d607", 
@@ -7519,6 +8481,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", + "type": "similar" } ], "uuid": "ea47f1fd-0171-4254-8c92-92b7a5eec5e1", @@ -7543,6 +8509,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "54a01db0-9fab-4d5f-8209-53cef8425f4a", + "type": "similar" } ], "uuid": "997ff740-1b00-40b6-887a-ef4101e93295", @@ -7564,6 +8534,10 @@ { "dest-uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577", "type": "used-by" + }, + { + "dest-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", + "type": "similar" } ], "uuid": "c66ed8ab-4692-4948-820e-5ce87cc78db5", @@ -7581,7 +8555,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "cf8df906-179c-4a78-bd6e-6605e30f6624", + "type": "similar" + } + ], "uuid": "4b1a07cd-4c1f-4d93-a454-07fd59b3039a", "value": "FELIXROOT" }, @@ -7601,6 +8580,10 @@ { "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa", "type": "used-by" + }, + { + "dest-uuid": "73d08401-005f-4e1f-90b9-8f45d120879f", + "type": "similar" } ], "uuid": "3e54ba7a-fd4c-477f-9c2d-34b4f69fc091", @@ -7618,7 +8601,12 @@ "tool" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe", + "type": "similar" + } + ], "uuid": "1bbf04bb-d869-48c5-a538-70a25503de1d", "value": "Fgdump" }, @@ -7688,6 +8676,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71", + "type": "similar" } ], "uuid": "eb4dc358-e353-47fc-8207-b7cb10d580f7", @@ -7741,6 +8733,10 @@ { "dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "type": "used-by" + }, + { + "dest-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", + "type": "similar" } ], "uuid": "41f54ce1-842c-428a-977f-518a5b63b4d7", 
@@ -7791,6 +8787,10 @@ { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" + }, + { + "dest-uuid": "f464354c-7103-47c6-969b-8766f0157ed2", + "type": "similar" } ], "uuid": "84187393-2fe9-4136-8720-a6893734ee8c", @@ -7815,6 +8815,10 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" + }, + { + "dest-uuid": "592260fb-dd5c-4a30-8d99-106a0485be0d", + "type": "similar" } ], "uuid": "977aaf8a-2216-40f0-8682-61dd91638147", @@ -7835,7 +8839,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", + "type": "similar" + } + ], "uuid": "87604333-638f-4f4a-94e0-16aa825dd5b8", "value": "Flame" }, @@ -7855,6 +8864,10 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" + }, + { + "dest-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", + "type": "similar" } ], "uuid": "44a5e62a-6de4-49d2-8f1b-e68ecdf9f332", @@ -7876,13 +8889,17 @@ ] }, "related": [ + { + "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", + "type": "used-by" + }, { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { - "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", - "type": "used-by" + "dest-uuid": "432555de-63bf-4f2a-a3fa-f720a4561078", + "type": "similar" } ], "uuid": "308dbe77-3d58-40bb-b0a5-cd00f152dc60", @@ -7918,6 +8935,10 @@ { "dest-uuid": "eb10ed9e-ea8d-4b61-bfc3-5994d30970df", "type": "used-by" + }, + { + "dest-uuid": "43155329-3edf-47a6-9a14-7dac899b01e4", + "type": "similar" } ], "uuid": "c558e948-c817-4494-a95d-ad3207f10e26", @@ -7970,6 +8991,10 @@ { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" + }, + { + "dest-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", + "type": "similar" } ], "uuid": "18002747-ddcc-42c1-b0ca-1e598a9f1919", 
@@ -8016,11 +9041,44 @@
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "72911fe3-f085-40f7-b4f2-f25a4221fe44",
+ "type": "similar"
 }
 ],
 "uuid": "bc11844e-0348-4eed-a48a-0554d68db38c",
 "value": "FoggyWeb"
 },
+ {
+ "description": "Fog is a ransomware family first observed in May 2024. Its distribution has been linked to Storm-0844, a threat actor that also leverages suspected valid credentials and freely available tools for initial access and post-exploit activity prior to ransomware deployment.[[Arctic Wolf Fog Ransomware June 4 2024](/references/86111971-cd37-4a87-bcaa-3e0f6326da5c)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S5331",
+ "source": "Tidal Cyber",
+ "tags": [
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "3480069a-13eb-4f1e-9967-57ecac415c52",
+ "value": "Fog Ransomware"
+ },
 {
 "description": "[Forfiles](https://app.tidalcyber.com/software/c6dc67a6-587d-4700-a7de-bee043a0031a) is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. [[Microsoft Forfiles Aug 2016](https://app.tidalcyber.com/references/fd7eaa47-3512-4dbd-b881-bc679d06cd1b)]",
 "meta": {
@@ -8043,6 +9101,10 @@
 {
 "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2",
+ "type": "similar"
 }
 ],
 "uuid": "c6dc67a6-587d-4700-a7de-bee043a0031a",
@@ -8082,7 +9144,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "bcaae558-9697-47a2-9ec7-c75000ddf58c", + "type": "similar" + } + ], "uuid": "83721b89-df58-50bf-be2a-0b696fb0da78", "value": "FRAMESTING" }, @@ -8099,6 +9166,10 @@ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" + }, + { + "dest-uuid": "1cdbbcab-903a-414d-8eb0-439a97343737", + "type": "similar" } ], "uuid": "aef7cbbc-5163-419c-8e4b-3f73bed50474", @@ -8151,7 +9222,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4a98e44a-bd52-461e-af1e-a4457de87a36", + "type": "similar" + } + ], "uuid": "3a05085e-5a1f-4a74-b489-d679b80e2c18", "value": "FruitFly" }, @@ -8251,6 +9327,10 @@ ] }, "related": [ + { + "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", + "type": "used-by" + }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" @@ -8259,10 +9339,6 @@ "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, - { - "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", - "type": "used-by" - }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" @@ -8270,6 +9346,10 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", + "type": "similar" } ], "uuid": "062deac9-8f05-44e2-b347-96b59ba166ca", @@ -8290,7 +9370,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "be25c1c0-1590-4219-a3d5-6f31799d1d1b", + "type": "similar" + } + ], "uuid": "d0490e1d-8287-44d3-8342-944d1203b237", "value": "FunnyDream" }, @@ -8310,6 +9395,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "434ba392-ebdc-488b-b1ef-518deea65774", + "type": "similar" } ], "uuid": "be9a2ae5-373a-4dee-9c1e-b54235dafed0", 
@@ -8334,6 +9423,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "50d6688b-0985-4f3d-8cbe-0c796b30703b", + "type": "similar" } ], "uuid": "317a7647-aee7-4ce1-a8f8-33a61190f55d", @@ -8358,6 +9451,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", + "type": "similar" } ], "uuid": "7a60b984-b0c8-4acc-be24-841f4b652872", @@ -8375,7 +9472,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "efa7c4d6-8e30-41d9-a8fd-26dc337f4a1b", + "type": "similar" + } + ], "uuid": "9a117508-1d22-4fea-aa65-db670c13a5c9", "value": "Gelsemium" }, @@ -8395,6 +9497,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", + "type": "similar" } ], "uuid": "97f32f68-dcd2-4f80-9967-cc87305dc342", @@ -8419,6 +9525,10 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" + }, + { + "dest-uuid": "099ecff2-41b8-436d-843c-038a9aa9aa69", + "type": "similar" } ], "uuid": "a997aaaf-edfc-4489-80a9-3f8d64545de1", @@ -8462,10 +9572,6 @@ ] }, "related": [ - { - "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", - "type": "used-by" - }, { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" @@ -8478,6 +9584,10 @@ "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3", "type": "used-by" }, + { + "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", + "type": "used-by" + }, { "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "type": "used-by" @@ -8501,6 +9611,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "type": "similar" } ], "uuid": "269ef8f5-35c8-44ba-afe4-63f4c6431427", 
@@ -8518,7 +9632,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "554e010d-726b-439d-9a1a-f60fff0cc109", + "type": "similar" + } + ], "uuid": "5c1a1ce5-927c-5c79-8a14-2789756d41ee", "value": "GLASSTOKEN" }, @@ -8538,6 +9657,10 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" + }, + { + "dest-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", + "type": "similar" } ], "uuid": "09fdec78-5253-433d-8680-294ba6847be9", @@ -8602,6 +9725,10 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" + }, + { + "dest-uuid": "b9799466-9dd7-4098-b2d6-f999ce50b9a8", + "type": "similar" } ], "uuid": "348fdeb5-6a74-4803-ac6e-e0133ecd7263", @@ -8622,7 +9749,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b9704a7d-feef-4af9-8898-5280f1686326", + "type": "similar" + } + ], "uuid": "1b135393-c799-4698-a880-c6a86782adee", "value": "GoldenSpy" }, @@ -8642,6 +9774,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "b7010785-699f-412f-ba49-524da6033c76", + "type": "similar" } ], "uuid": "4e8c58c5-443e-4f73-91e9-89146f04e307", @@ -8667,6 +9803,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "5c747acd-47f0-4c5a-b9e5-213541fc01e0", + "type": "similar" } ], "uuid": "b05a9763-4288-4656-bf4e-ba02bb8b35d6", @@ -8691,6 +9831,10 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" + }, + { + "dest-uuid": "eac3d77f-2b7b-4599-ba74-948dc16633ad", + "type": "similar" } ], "uuid": "a75855fd-2b6b-43d8-99a5-2be03b544f34", @@ -8734,6 +9878,8 @@ "software_attack_id": "S5289", "source": "Tidal Cyber", "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "2feda37d-5579-4102-a073-aa02e82cb49f" 
@@ -8742,7 +9888,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + } + ], "uuid": "3eec857e-dce3-4865-a65f-3ad5a559a3e6", "value": "Gootloader" }, @@ -8783,7 +9934,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "958b5d06-8bb0-4c5b-a2e7-0130fe654ac7", + "type": "similar" + } + ], "uuid": "61d277f2-abdc-4f2b-b50a-10d0fe91e588", "value": "Grandoreiro" }, @@ -8821,7 +9977,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1d1fce2f-0db5-402b-9843-4278a0694637", + "type": "similar" + } + ], "uuid": "08cb425d-7b7a-41dc-a897-9057ce57fea9", "value": "GravityRAT" }, @@ -8840,7 +10001,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "59c8a28c-200c-4565-9af1-cbdb24870ba0", + "type": "similar" + } + ], "uuid": "f5691425-6690-4e5e-8304-3ede9d2f5a90", "value": "Green Lambert" }, @@ -8860,6 +10026,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "308b3d68-a084-4dfb-885a-3125e1a9c1e8", + "type": "similar" } ], "uuid": "f646e7f9-4d09-46f6-9831-54668fa20483", @@ -8884,6 +10054,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "04fc1842-f9e4-47cf-8cb8-5c61becad142", + "type": "similar" } ], "uuid": "ad358082-d83a-4c22-81a1-6c34dd67af26", @@ -8912,6 +10086,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "c9b99d03-ff11-4a48-95f0-82660d582c25", + "type": "similar" } ], "uuid": "c40a71d4-8592-4f82-8af5-18f763e52caf", @@ -8977,6 +10155,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", + "type": "similar" } ], "uuid": "5ffe662f-9da1-4b6f-ad3a-f296383e828c", 
@@ -8999,7 +10181,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "45c759ac-b490-48bb-80d4-c8eee3431027", + "type": "similar" + } + ], "uuid": "03e985d6-870b-4533-af13-08b1e0511444", "value": "GuLoader" }, @@ -9015,7 +10202,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", + "type": "similar" + } + ], "uuid": "5f1602fe-a4ce-4932-9cf9-ec842f2c58f1", "value": "H1N1" }, @@ -9028,7 +10220,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", + "type": "similar" + } + ], "uuid": "75db2ac3-901e-4b1f-9a0d-bac6562d57a3", "value": "Hacking Team UEFI Rootkit" }, @@ -9045,6 +10242,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", + "type": "similar" } ], "uuid": "5edf0ef7-a960-4500-8a89-8c8b4fdf8824", @@ -9069,6 +10270,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", + "type": "similar" } ], "uuid": "cc07f03f-9919-4856-9b30-f4d88940b0ec", @@ -9089,7 +10294,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ef2247bf-8062-404b-894f-d65d00564817", + "type": "similar" + } + ], "uuid": "4eee3272-07fa-48ee-a7b9-9dfee3e4550a", "value": "Hancitor" }, @@ -9106,6 +10316,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68", + "type": "similar" } ], "uuid": "c2c31b2e-5da6-4feb-80e3-14ea6d0ea7e8", @@ -9127,6 +10341,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988", + "type": "similar" } ], "uuid": "ad0ae3b7-88aa-48b3-86ca-6a5d8b5309a7", 
@@ -9145,6 +10363,10 @@ { "dest-uuid": "e38bcb42-12c1-4202-a794-ec26cd830caa", "type": "used-by" + }, + { + "dest-uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5", + "type": "similar" } ], "uuid": "8bd36306-bd4b-4a76-8842-44acb0cedbcc", @@ -9162,7 +10384,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "12a7450d-b03e-4990-a5b8-b405ab9c803b", + "type": "similar" + } + ], "uuid": "392c5a32-53b5-4ce8-a946-226cb533cc4e", "value": "HAWKBALL" }, @@ -9182,6 +10409,10 @@ { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" + }, + { + "dest-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", + "type": "similar" } ], "uuid": "a7ffe1bd-45ca-4ca4-94da-3b6c583a868d", @@ -9203,6 +10434,10 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" + }, + { + "dest-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", + "type": "similar" } ], "uuid": "f155b6f9-258d-4446-8867-fe5ee26d8c72", @@ -9232,6 +10467,10 @@ { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" + }, + { + "dest-uuid": "5d11d418-95dd-4377-b782-23160dfa17b4", + "type": "similar" } ], "uuid": "813a4ca1-84fe-42dc-89de-5873d028f98d", @@ -9256,6 +10495,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", + "type": "similar" } ], "uuid": "d6560c81-1e7e-4d01-9814-4be4fb43e655", @@ -9276,7 +10519,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a0ab8a96-40c9-4483-8a54-3fafa6d6007a", + "type": "similar" + } + ], "uuid": "f0456f14-4913-4861-b4ad-5e7f3960040e", "value": "HermeticWiper" }, @@ -9295,7 +10543,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa", + "type": "similar" + } + ], "uuid": "36ddc8cd-8f80-489e-a702-c682936b5393", "value": "HermeticWizard" }, 
@@ -9318,6 +10571,10 @@ { "dest-uuid": "454402a3-0503-45bf-b2e0-177fa2e2d412", "type": "used-by" + }, + { + "dest-uuid": "dff90475-9f72-41a6-84ed-1fbefd3874c0", + "type": "similar" } ], "uuid": "1841a6e8-6c23-46a1-9c81-783746083764", @@ -9357,7 +10614,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "fc774af4-533b-4724-96d2-ac1026316794", + "type": "similar" + } + ], "uuid": "ec02fb9c-bf9f-404d-bc54-819f2b3fb040", "value": "HiddenWasp" }, @@ -9380,6 +10642,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", + "type": "similar" } ], "uuid": "ce1af464-0b14-4fe9-8591-a6fe58aa96c7", @@ -9401,6 +10667,10 @@ { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" + }, + { + "dest-uuid": "95047f03-4811-4300-922e-1ba937d53a61", + "type": "similar" } ], "uuid": "8046c80c-4339-4cfb-8bfd-464801db2bfe", @@ -9428,6 +10698,10 @@ { "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7", "type": "used-by" + }, + { + "dest-uuid": "40a1b8ec-7295-416c-a6b1-68181d86f120", + "type": "similar" } ], "uuid": "7ef8cd3a-33cf-43bb-a3b8-a78fc844ce0c", @@ -9448,7 +10722,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", + "type": "similar" + } + ], "uuid": "286184d9-f28a-4d5a-a9dd-2216b3c47809", "value": "Hi-Zor" }, @@ -9468,6 +10747,10 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" + }, + { + "dest-uuid": "7451bcf9-e6e6-4a70-bc3d-1599173d0035", + "type": "similar" } ], "uuid": "16db13f2-f350-4323-96cb-c5f4ac36c3e0", @@ -9493,6 +10776,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369", + "type": "similar" } ], "uuid": "4d94594c-2224-46ca-8bc3-28b12ed139f9", 
@@ -9514,6 +10801,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "aad11e34-02ca-4220-91cd-2ed420af4db3", + "type": "similar" } ], "uuid": "a00e7fcc-b4e8-4f64-83d2-f9db64f0f3fe", @@ -9543,6 +10834,10 @@ { "dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762", "type": "used-by" + }, + { + "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", + "type": "similar" } ], "uuid": "b98d9fe7-9aa3-409a-bf5c-eadb01bac948", @@ -9568,6 +10863,10 @@ { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" + }, + { + "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", + "type": "similar" } ], "uuid": "c4fe23f7-f18c-40f6-b431-0b104b497eaa", @@ -9589,6 +10888,10 @@ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" + }, + { + "dest-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", + "type": "similar" } ], "uuid": "bf19eba4-7ea1-4c24-95c6-6bcfb44f4c49", @@ -9614,6 +10917,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "54089fba-8662-4f37-9a44-6ad25a5f630a", + "type": "similar" } ], "uuid": "2df88e4e-5a89-5535-ae1a-4c68b19d9078", @@ -9643,6 +10950,10 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" + }, + { + "dest-uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", + "type": "similar" } ], "uuid": "4ffbca79-358a-4ba5-bfbb-dc1694c45646", @@ -9667,6 +10978,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "5e814485-012d-423d-b769-026bfed0f451", + "type": "similar" } ], "uuid": "57cec527-26fb-44a1-b1a9-506a3af2c9f2", @@ -9688,6 +11003,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "2cf7dec3-66fc-423f-b2c7-58f1de243b4e", + "type": "similar" } ], "uuid": "ba3236e9-c86b-4b5d-89ed-7f71940a0588", 
@@ -9705,7 +11024,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "dd889a55-fb2c-4ec7-8e9f-c399939a49e1", + "type": "similar" + } + ], "uuid": "5a73defd-6a1a-4132-8427-cec649e8267a", "value": "IceApple" }, @@ -9732,6 +11056,14 @@ { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" + }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + }, + { + "dest-uuid": "5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "type": "similar" } ], "uuid": "7f59bb7c-5fa9-497d-9d8e-ba9349fd9433", @@ -9854,7 +11186,12 @@ "tool" ] }, - "related": [], + "related": [ + { + "dest-uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5", + "type": "similar" + } + ], "uuid": "93ab16d1-625e-4b1c-bb28-28974c269c47", "value": "ifconfig" }, @@ -9870,7 +11207,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "2cfe8a26-5be7-4a09-8915-ea3d9e787513", + "type": "similar" + } + ], "uuid": "71098f6e-a2c0-434f-b991-6c079fd3e82d", "value": "iKitten" }, @@ -9968,6 +11310,10 @@ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" + }, + { + "dest-uuid": "8f8cd191-902c-4e83-bf20-b57c8c4640e9", + "type": "similar" } ], "uuid": "925fc0db-9315-4703-9353-1d0e9ecb1439", @@ -9984,6 +11330,7 @@ "software_attack_id": "S0357", "source": "MITRE", "tags": [ + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "6070668f-1cbd-4878-8066-c636d1d8659c", @@ -10006,6 +11353,14 @@ ] }, "related": [ + { + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "type": "used-by" + }, + { + "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "type": "used-by" + }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" 
@@ -10018,10 +11373,6 @@ "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, - { - "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", - "type": "used-by" - }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" @@ -10085,6 +11436,10 @@ { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" + }, + { + "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", + "type": "similar" } ], "uuid": "cf2c5666-e8ad-49c1-ac8f-30ed65f9e52c", @@ -10110,6 +11465,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "e401d4fe-f0c9-44f0-98e6-f93487678808", + "type": "similar" } ], "uuid": "09398a7c-aee5-44af-b99d-f73d3b39c299", @@ -10132,6 +11491,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "type": "similar" } ], "uuid": "53c5fb76-a690-55c3-9e02-39577990da2a", @@ -10170,7 +11533,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c8b6cc43-ce61-42ae-87f3-a5f10526f952", + "type": "similar" + } + ], "uuid": "e42bf572-1e70-4467-a4b7-5e22c776c758", "value": "InnaputRAT" }, @@ -10251,7 +11619,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "47afe41c-4c08-485e-b062-c3bd209a1cce", + "type": "similar" + } + ], "uuid": "3ee4c49d-2f2c-4677-b193-69f16f2851a4", "value": "InvisiMole" }, @@ -10268,6 +11641,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f", + "type": "similar" } ], "uuid": "2200a647-3312-44c0-9691-4a26153febbb", @@ -10384,6 +11761,10 @@ "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + }, { "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", "type": "used-by" 
@@ -10395,6 +11776,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "type": "similar" } ], "uuid": "4f519002-0576-4f8e-8add-73ebac9a86e6", @@ -10419,6 +11804,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "b1595ddd-a783-482a-90e1-8afc8d48467e", + "type": "similar" } ], "uuid": "9ca96281-8ff9-4619-a79d-16c5a9594eae", @@ -10443,6 +11832,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", + "type": "similar" } ], "uuid": "752ab0fc-7fa1-4e54-bd9a-7a280a38ed77", @@ -10464,6 +11857,10 @@ { "dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762", "type": "used-by" + }, + { + "dest-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", + "type": "similar" } ], "uuid": "6dbf31cf-0ba0-48b4-be82-38889450845c", @@ -10510,7 +11907,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", + "type": "similar" + } + ], "uuid": "a4debf1f-8a37-4c89-8ebc-31de71d33f79", "value": "Janicab" }, @@ -10526,7 +11928,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "64122557-5940-4271-9123-25bfc0c693db", + "type": "similar" + } + ], "uuid": "853d3d18-d746-4650-a9bd-c36a0e86dd02", "value": "Javali" }, @@ -10543,7 +11950,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "aaf3fa65-8b27-4e68-91de-2b7738fe4c82", + "type": "similar" + } + ], "uuid": "41ec0bbc-65ca-4913-a763-1638215d7b2f", "value": "JCry" }, @@ -10566,6 +11978,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", + "type": "similar" } ], "uuid": "d50ef3fc-7d1c-4a82-b1cf-2319d83da3ae", 
@@ -10587,6 +12003,10 @@ { "dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "type": "used-by" + }, + { + "dest-uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", + "type": "similar" } ], "uuid": "c96fce69-6b9c-4bbc-bb42-f6a8fb6eb88f", @@ -10614,6 +12034,10 @@ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" + }, + { + "dest-uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c", + "type": "similar" } ], "uuid": "42fe9795-5cf6-4ad7-b56e-2aa655377992", @@ -10661,6 +12085,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "f559f945-eb8b-48b1-904c-68568deebed3", + "type": "similar" } ], "uuid": "c67f3029-a26c-4752-b7f1-8e3369c2f79d", @@ -10709,6 +12137,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322", + "type": "similar" } ], "uuid": "ca883d21-97ca-420d-a66b-ef19a8355467", @@ -10729,7 +12161,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", + "type": "similar" + } + ], "uuid": "1896b9c9-a93e-4220-b4c2-6c4c9c5ca297", "value": "Kasidet" }, @@ -10753,6 +12190,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "536be338-e2ef-4a6b-afb6-8d5568b91eb2", + "type": "similar" } ], "uuid": "e93990a0-4841-4867-8b74-ac2806d787bf", @@ -10777,6 +12218,10 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" + }, + { + "dest-uuid": "8c1d01ff-fdc0-4586-99bd-c248e0761af5", + "type": "similar" } ], "uuid": "17c28e46-1005-4737-8567-d4ad9f1aefd1", @@ -10794,7 +12239,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c984b414-b766-44c5-814a-2fe96c913c12", + "type": "similar" + } + ], "uuid": "32f1e0d3-753f-4b51-aec5-cfaa393cedc3", "value": "Kessel" }, 
@@ -10814,6 +12264,10 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" + }, + { + "dest-uuid": "e7863f5d-cb6a-4f81-8804-0a635eec160a", + "type": "similar" } ], "uuid": "b9730d7c-aa57-4d6f-9125-57dcb65b02e0", @@ -10835,6 +12289,10 @@ { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" + }, + { + "dest-uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e", + "type": "similar" } ], "uuid": "6ec39371-d50b-43b6-937c-52de00491eab", @@ -10852,7 +12310,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4b072c90-bc7a-432b-940e-016fc1c01761", + "type": "similar" + } + ], "uuid": "aefbe6ff-7ce4-479e-916d-e8f0259d81f6", "value": "Keydnap" }, @@ -10872,6 +12335,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", + "type": "similar" } ], "uuid": "a644f61e-6a9b-41ab-beca-72518351c27f", @@ -10894,6 +12361,10 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" + }, + { + "dest-uuid": "6c575670-d14c-4c7f-9b9d-fd1b363e255d", + "type": "similar" } ], "uuid": "ba9e56b9-7904-5ec8-bb39-7f82f7b2e89a", @@ -10915,6 +12386,10 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" + }, + { + "dest-uuid": "8bdfe255-e658-4ddd-a11c-b854762e451d", + "type": "similar" } ], "uuid": "c1e1ab6a-d5ce-4520-98c5-c6df41005fd9", @@ -10946,6 +12421,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "type": "similar" } ], "uuid": "b5532e91-d267-4819-a05d-8c5358995add", @@ -10968,7 +12447,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d6e55656-e43f-411f-a7af-45df650471c5", + "type": "similar" + } + ], "uuid": "7b4f157c-4b34-4f55-9c20-ff787495e9ba", "value": "Kinsing" }, 
@@ -10988,6 +12472,10 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" + }, + { + "dest-uuid": "b2d134a1-7bd5-4293-94d4-8fc978cb1cd7", + "type": "similar" } ], "uuid": "673ed346-9562-4997-80b2-e701b1a99a58", @@ -11021,6 +12509,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4", + "type": "similar" } ], "uuid": "5e981594-d00a-4c7f-8ed0-3d4a60cc3fcd", @@ -11038,7 +12530,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9abdda30-08e0-4ab1-9cf0-d447654c6de9", + "type": "similar" + } + ], "uuid": "bf918663-90bd-489e-91e7-6951a18a25fd", "value": "Kobalos" }, @@ -11058,6 +12555,10 @@ { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" + }, + { + "dest-uuid": "df9b350b-d4f9-4e79-a826-75cc75fbc1eb", + "type": "similar" } ], "uuid": "3e13d07d-d9e1-4456-bec3-b2375e404753", @@ -11079,6 +12580,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518", + "type": "similar" } ], "uuid": "2cf1be0d-2fba-4fd0-ab2f-3695716d1735", @@ -11100,6 +12605,10 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" + }, + { + "dest-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", + "type": "similar" } ], "uuid": "3067f148-2e2b-4aac-9652-59823b3ad4f1", @@ -11120,7 +12629,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "86b92f6c-9c05-4c51-b361-4c7bb13e21a1", + "type": "similar" + } + ], "uuid": "d381de2a-30cb-4d50-bbce-fd1e489c4889", "value": "KONNI" }, @@ -11140,6 +12654,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "09fcc02f-f9d4-43fa-8609-5e5e186b7103", + "type": "similar" } ], "uuid": "d09c4459-1aa3-547d-99f4-7ac73b8043f0", 
@@ -11161,6 +12679,10 @@
 {
 "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab",
+ "type": "similar"
 }
 ],
 "uuid": "35ac4018-8506-4025-a9e3-bd017700b3b3",
@@ -11221,11 +12743,11 @@
 },
 "related": [
 {
- "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7",
+ "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9",
 "type": "used-by"
 },
 {
- "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9",
+ "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7",
 "type": "used-by"
 },
 {
@@ -11287,6 +12809,10 @@
 {
 "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b",
+ "type": "similar"
 }
 ],
 "uuid": "f5558af4-e3e2-47c2-b8fe-72850bd30f37",
@@ -11404,6 +12930,10 @@
 {
 "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb",
+ "type": "similar"
 }
 ],
 "uuid": "c9d2f023-d54b-4d08-9598-a42fb92b3161",
@@ -11421,7 +12951,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "5dc9e8ec-9917-4de7-b8ab-16007899dd80",
+ "type": "similar"
+ }
+ ],
 "uuid": "1b3af76f-f9a1-58ce-8c7d-aec535f8d0c0",
 "value": "LIGHTWIRE"
 },
@@ -11435,6 +12970,7 @@
 "software_attack_id": "S5034",
 "source": "Tidal Cyber",
 "tags": [
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "febea5b6-2ea2-402b-8bec-f3f5b3f73c59",
 "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
@@ -11452,6 +12988,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
 "type": "used-by"
@@ -11531,6 +13071,10 @@
 {
 "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613",
+ "type": "similar"
 }
 ],
 "uuid": "925975f8-e8ff-411f-a40e-f799968046f7",
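Review bot: The hunk at -11221 only swaps the order of two otherwise unchanged `used-by` entries, and the same pattern recurs at -12996 and -14890 and, at larger scale, in the remove-then-re-add pairs at -12780/-12831, -14115/-14152, -14251 and -14403/-14423, so much of this diff is ordering churn rather than a data change. The `related` array appears to be written in whatever order the upstream API returns it; sorting it deterministically in the exporter, for example by `type` then `dest-uuid`, would keep future diffs down to real additions such as the new `similar` links and make a genuine removal like the one at -10018 stand out. The in-place replacement at -13012, where a `used-by` line is turned into the Mimikatz `similar` entry while its old target is re-added at -12831, is only correct because both hunks land together; a stable sort would remove that coupling as well.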
@@ -11552,7 +13096,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0efefea5-78da-4022-92bc-d726139e8883", + "type": "similar" + } + ], "uuid": "d017e133-fce9-4982-a2df-6867a80089e7", "value": "Linux Rabbit" }, @@ -11575,6 +13124,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "95e2cbae-d82c-4f7b-b63c-16462015d35d", + "type": "similar" } ], "uuid": "71e4028c-9ca1-45ce-bc44-98209ae9f6bd", @@ -11596,6 +13149,10 @@ { "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa", "type": "used-by" + }, + { + "dest-uuid": "9020f5c7-efde-4125-a4f1-1b70f1274ddd", + "type": "similar" } ], "uuid": "cc568409-71ff-468b-9c38-d0dd9020e409", @@ -11613,7 +13170,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "19256855-65e9-48f2-8b74-9f3d0a994428", + "type": "similar" + } + ], "uuid": "c9c5e7ad-6e95-5d53-b4db-f6b51c7167ca", "value": "LITTLELAMB.WOOLTEA" }, @@ -11643,6 +13205,10 @@ { "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", "type": "used-by" + }, + { + "dest-uuid": "f74a5069-015d-4404-83ad-5ca01056c0dc", + "type": "similar" } ], "uuid": "65d46aab-b3ce-4f5b-b1fc-871db2573fa1", @@ -11705,6 +13271,10 @@ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" + }, + { + "dest-uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48", + "type": "similar" } ], "uuid": "65bc8e81-0a08-49f6-9d04-a2d63d512342", @@ -11726,6 +13296,10 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" + }, + { + "dest-uuid": "452da2d9-706c-4185-ad6f-f5edaf4b9f48", + "type": "similar" } ], "uuid": "d28c3706-df25-59e2-939f-131abaf8a1eb", @@ -11752,6 +13326,10 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", "type": "used-by" 
@@ -11783,6 +13361,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "b865dded-0553-4962-a44b-6fe7863effed", + "type": "similar" } ], "uuid": "039f34e9-f379-4a24-a53f-b28ba579854c", @@ -11807,6 +13389,10 @@ { "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba", "type": "used-by" + }, + { + "dest-uuid": "cb741463-f0fe-42e0-8d45-bc7e8335f5ae", + "type": "similar" } ], "uuid": "4fead65c-499d-4f44-8879-2c35b24dac68", @@ -11824,7 +13410,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c9ccc4df-1f56-49e7-ad57-b383e1451688", + "type": "similar" + } + ], "uuid": "bfd2a077-5000-4500-82c4-5c85fb98dd5a", "value": "LookBack" }, @@ -11879,7 +13470,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f99f3dcc-683f-4936-8791-075ac5e58f10", + "type": "similar" + } + ], "uuid": "f503535b-406c-4e24-8123-0e22fec995bb", "value": "LoudMiner" }, @@ -11899,6 +13495,10 @@ { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" + }, + { + "dest-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", + "type": "similar" } ], "uuid": "fce1117a-e699-4aef-b1fc-04c3967acc33", @@ -11923,6 +13523,10 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" + }, + { + "dest-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", + "type": "similar" } ], "uuid": "37a5ae23-3da5-4cbc-a21a-a7ef98a3b7cc", @@ -11940,7 +13544,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "54a73038-1937-4d71-a253-316e76d5413c", + "type": "similar" + } + ], "uuid": "723d9a27-74fd-4333-a8db-63df2a8b4dd4", "value": "Lucifer" }, @@ -11960,6 +13569,10 @@ { "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "type": "used-by" + }, + { + "dest-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", + "type": "similar" } ], "uuid": "0cc9e24b-d458-4782-a332-4e4fd68c057b", 
@@ -11981,6 +13594,10 @@ { "dest-uuid": "a3be79a2-3d4f-4697-a8a1-83f0884220af", "type": "used-by" + }, + { + "dest-uuid": "35cd1d01-1ede-44d2-b073-a264d727bc04", + "type": "similar" } ], "uuid": "be8a1630-9562-41ad-a621-65989f961a10", @@ -11998,7 +13615,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "bdee9574-7479-4073-a7dc-e86d8acd073a", + "type": "similar" + } + ], "uuid": "7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb", "value": "MacMa" }, @@ -12014,7 +13636,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "2a59a237-1530-4d55-91f9-2aebf961cc37", + "type": "similar" + } + ], "uuid": "74feb557-21bc-40fb-8ab5-45d3af84c380", "value": "macOS.OSAMiner" }, @@ -12030,7 +13657,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f72251cb-2be5-421f-a081-99c29a1209e7", + "type": "similar" + } + ], "uuid": "e5e67c67-e658-45b5-850b-044312be4258", "value": "MacSpy" }, @@ -12050,6 +13682,10 @@ { "dest-uuid": "a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b", "type": "used-by" + }, + { + "dest-uuid": "3be1fb7a-0f7e-415e-8e3a-74a80d596e68", + "type": "similar" } ], "uuid": "7506616c-b808-54fb-9982-072a0dcf8a04", @@ -12077,6 +13713,10 @@ { "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b", "type": "used-by" + }, + { + "dest-uuid": "999c4e6e-b8dc-4b4f-8d6e-1b829f29997e", + "type": "similar" } ], "uuid": "d762974a-ca7e-45ee-bc1d-f5218bf46c84", @@ -12159,6 +13799,10 @@ { "dest-uuid": "275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb", "type": "used-by" + }, + { + "dest-uuid": "532c6004-b1e8-415b-9516-f7c14ba783b1", + "type": "similar" } ], "uuid": "40806539-1496-4a64-b740-66f6a1467f40", @@ -12214,6 +13858,10 @@ { "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", "type": "used-by" + }, + { + "dest-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", + "type": "similar" } ], "uuid": "eeb700ea-2819-46f4-936d-f7592f20dedc", 
@@ -12272,6 +13920,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "d9f7383c-95ec-4080-bbce-121c9384457b", + "type": "similar" } ], "uuid": "3c206491-45c0-4ff7-9f40-45f9aae4de64", @@ -12320,6 +13972,10 @@ { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" + }, + { + "dest-uuid": "975737f1-b10d-476f-8bda-3ec26ea57172", + "type": "similar" } ], "uuid": "939cbe39-5b63-4651-b0c0-85ac39cb9f0e", @@ -12341,6 +13997,10 @@ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" + }, + { + "dest-uuid": "dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2", + "type": "similar" } ], "uuid": "31cbe3c8-be88-4a4f-891d-04c3bb7ed482", 
@@ -12394,11 +14054,47 @@
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830",
+ "type": "similar"
 }
 ],
 "uuid": "6c3bbcae-3217-43c7-b709-5c54bc7636b1",
 "value": "meek"
 },
+ {
+ "description": "MEGAcmd is an open-source tool that enables non-UI access (e.g., via command line interaction or scripts) to the MEGA cloud storage/file sharing service.[[GitHub meganz MEGAcmd](/references/6e4d67f5-cca1-4298-b21c-d7511aa264ae)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "macOS",
+ "Linux",
+ "Windows"
+ ],
+ "software_attack_id": "S5328",
+ "source": "Tidal Cyber",
+ "tags": [
+ "8bf128ad-288b-41bc-904f-093f4fdde745",
+ "509a90c7-9ca9-4b23-bca2-cd38ef6a6207",
+ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
+ "e1af18e3-3224-4e4c-9d0f-533768474508",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "tool"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "f2384d09-61fa-4679-b975-6901dcd5c506",
+ "value": "MEGAcmd"
+ },
 {
 "description": "[MegaCortex](https://app.tidalcyber.com/software/d8a4a817-2914-47b0-867c-ad8eeb7efd10) is ransomware that first appeared in May 2019. [[IBM MegaCortex](https://app.tidalcyber.com/references/3d70d9b7-88e4-411e-a59a-bc862da965a7)] [MegaCortex](https://app.tidalcyber.com/software/d8a4a817-2914-47b0-867c-ad8eeb7efd10) has mainly targeted industrial organizations. [[FireEye Ransomware Disrupt Industrial Production](https://app.tidalcyber.com/references/9ffa0f35-98e4-4265-8b66-9c805a2b6525)][[FireEye Financial Actors Moving into OT](https://app.tidalcyber.com/references/4bd514b8-1f79-4946-b001-110ce5cf29a9)]",
 "meta": {
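Review bot: The new MEGAcmd description cites its source with a site-relative path (`/references/6e4d67f5-cca1-4298-b21c-d7511aa264ae`) while the adjacent MegaCortex entry, like the MITRE-sourced entries in this file, uses an absolute `https://app.tidalcyber.com/references/...` link; the NICECURL entry added at -14700 has the same relative form. In a galaxy consumed outside the Tidal application a relative path does not resolve, so the exporter presumably needs to emit the absolute form for Tidal-authored entries too, e.g. `[[GitHub meganz MEGAcmd](https://app.tidalcyber.com/references/6e4d67f5-cca1-4298-b21c-d7511aa264ae)]`. For a dual-use administration tool like this one a resolvable source link is what lets an analyst judge whether a sighting is benign, so the inconsistency is worth fixing at the generator rather than per entry.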
@@ -12415,7 +14111,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "909617c3-6d87-4330-8f32-bd3af38c3b92", + "type": "similar" + } + ], "uuid": "d8a4a817-2914-47b0-867c-ad8eeb7efd10", "value": "MegaCortex" }, @@ -12464,6 +14165,10 @@ "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, + { + "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05", + "type": "used-by" + }, { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" @@ -12496,7 +14201,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d3105fb5-c494-4fd1-a7be-414eab9e0c96", + "type": "similar" + } + ], "uuid": "aa844e6b-feda-4928-8c6d-c59f7be88da0", "value": "Melcoz" }, @@ -12516,6 +14226,10 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" + }, + { + "dest-uuid": "9b19d6b4-cfcb-492f-8ca8-8449e7331573", + "type": "similar" } ], "uuid": "15d7e478-349d-42e6-802d-f16302b98319", @@ -12537,6 +14251,10 @@ { "dest-uuid": "a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b", "type": "used-by" + }, + { + "dest-uuid": "df350889-4de9-44e5-8cb3-888b8343e97c", + "type": "similar" } ], "uuid": "0a9874bf-4f02-5fab-8ab6-d0f42c6bc71d", @@ -12557,7 +14275,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "type": "similar" + } + ], "uuid": "ca607087-25ad-4a91-af83-608646cccbcb", "value": "Metamorfo" }, @@ -12629,7 +14352,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d79e7a60-5de9-448e-a074-f95d2d80f8d0", + "type": "similar" + } + ], "uuid": "ee07030e-ff50-404b-ad27-ab999fc1a23a", "value": "Meteor" }, @@ -12673,6 +14401,10 @@ { "dest-uuid": "e3c5164e-49cf-5bb1-955d-6775585abb14", "type": "used-by" + }, + { + "dest-uuid": "8c050cea-86e1-4b63-bf21-7af4fa483349", + "type": "similar" } ], "uuid": "5879efc1-f122-43ec-a80d-e25aa449594d", 
@@ -12741,6 +14473,10 @@
 {
 "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "aea6d6b8-d832-4c90-a1bb-f52c6684db6c",
+ "type": "similar"
 }
 ],
 "uuid": "57545dbc-c72a-409d-a373-bc35e25160cd",
@@ -12755,6 +14491,9 @@
 "software_attack_id": "S0002",
 "source": "MITRE",
 "tags": [
+ "27a117ce-bb19-4f79-9bc2-a851b69c5c50",
+ "6070668f-1cbd-4878-8066-c636d1d8659c",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
 "d903e38b-600d-4736-9e3b-cf1a6e436481",
 "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
 "cc4ea215-87ce-4351-9579-cf527caf5992",
@@ -12780,27 +14519,11 @@
 },
 "related": [
 {
- "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1",
+ "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46",
 "type": "used-by"
 },
 {
- "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
- "type": "used-by"
- },
- {
- "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
- "type": "used-by"
- },
- {
- "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
- "type": "used-by"
- },
- {
- "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
- "type": "used-by"
- },
- {
- "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b",
+ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
 "type": "used-by"
 },
 {
@@ -12831,16 +14554,44 @@
 "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
 "type": "used-by"
 },
 {
- "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866",
+ "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1",
 "type": "used-by"
 },
 {
- "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
+ "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866",
 "type": "used-by"
 },
 {
@@ -12996,11 +14747,11 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
+ "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
 "type": "used-by"
 },
 {
- "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
+ "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
 "type": "used-by"
 },
 {
@@ -13012,8 +14763,8 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446",
- "type": "used-by"
+ "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
+ "type": "similar"
 }
 ],
 "uuid": "b8e7c0b4-49e4-4e8d-9467-b17f305ddf16",
@@ -13038,6 +14789,10 @@
 {
 "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27",
+ "type": "similar"
 }
 ],
 "uuid": "42350632-b59a-4cc5-995e-d95d8c608553",
@@ -13052,7 +14807,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234", + "type": "similar" + } + ], "uuid": "c0dea9db-1551-4f6c-8a19-182efc34093a", "value": "Miner-C" }, @@ -13075,6 +14835,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", + "type": "similar" } ], "uuid": "2bb16809-6bc3-46c3-b28a-39cb49410340", @@ -13099,6 +14863,10 @@ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" + }, + { + "dest-uuid": "e3cedcfe-6515-4348-af65-7f2c4157bf0d", + "type": "similar" } ], "uuid": "535f1b97-7a70-4d18-be4e-3a9f74ccf78a", @@ -13116,7 +14884,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", + "type": "similar" + } + ], "uuid": "4048afa2-79c8-4d38-8219-2207adddd884", "value": "Misdat" }, @@ -13139,6 +14912,10 @@ { "dest-uuid": "803f8018-6e45-5b0f-978f-1fe96b217120", "type": "used-by" + }, + { + "dest-uuid": "4e6464d2-69df-4e56-8d4c-1973f84d7b80", + "type": "similar" } ], "uuid": "758e5226-6015-5cc7-af4b-20fa35c9bac1", @@ -13156,7 +14933,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", + "type": "similar" + } + ], "uuid": "fe554d2e-f974-41d6-8e7a-701bd758355d", "value": "Mis-Type" }, @@ -13176,6 +14958,10 @@ { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" + }, + { + "dest-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", + "type": "similar" } ], "uuid": "f603ea32-91c3-4b62-a60f-57670433b080", @@ -13216,6 +15002,10 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" + }, + { + "dest-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", + "type": "similar" } ], "uuid": "116f913c-0d5e-43d1-ba0d-3a12127af8f6", 
@@ -13240,6 +15030,10 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" + }, + { + "dest-uuid": "8a59f456-79a0-4151-9f56-9b1a67332af2", + "type": "similar" } ], "uuid": "7ca5debb-f813-4e06-98f8-d1186552e5d2", @@ -13264,6 +15058,10 @@ { "dest-uuid": "454402a3-0503-45bf-b2e0-177fa2e2d412", "type": "used-by" + }, + { + "dest-uuid": "6fb36c6f-bb3d-4ed6-9471-cb9933e5c154", + "type": "similar" } ], "uuid": "7f5355b3-e819-4c82-a0fa-b80fda8fd6e6", @@ -13281,7 +15079,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", + "type": "similar" + } + ], "uuid": "a699f32f-6596-4060-8fcd-42587a844b80", "value": "MoonWind" }, @@ -13312,6 +15115,10 @@ { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" + }, + { + "dest-uuid": "bfd2738c-8b43-43c3-bc9f-d523c8e88bf4", + "type": "similar" } ], "uuid": "69f202e7-4bc9-4f4f-943f-330c053ae977", @@ -13333,6 +15140,10 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" + }, + { + "dest-uuid": "7e100ca4-e639-48d9-9a9d-8ad84aa7b448", + "type": "similar" } ], "uuid": "385e1eaf-9ba8-4381-981a-3c7af718a77d", @@ -13357,6 +15168,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "92b55426-109f-4d93-899f-1833ce91ff90", + "type": "similar" } ], "uuid": "c3939dad-d728-4ddb-804e-cf1e3743a55d", @@ -13774,6 +15589,10 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" + }, + { + "dest-uuid": "049ff071-0b3c-4712-95d2-d21c6aa54501", + "type": "similar" } ], "uuid": "768111f9-0948-474b-82a6-cd5455079513", @@ -13797,7 +15616,12 @@ "tool" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d505fc8b-2e64-46eb-96d6-9ef7ffca5b66", + "type": "similar" + } + ], "uuid": "f1398367-a0af-4a89-b240-50cae4985ed9", "value": "Mythic" }, 
@@ -13820,6 +15644,10 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" + }, + { + "dest-uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", + "type": "similar" } ], "uuid": "5cfd6135-c53b-4234-a17e-759494b2101f", @@ -13841,6 +15669,10 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" + }, + { + "dest-uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2", + "type": "similar" } ], "uuid": "0e28dfc9-8948-4c08-b7d8-9e80e19cc464", @@ -13878,6 +15710,10 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", + "type": "similar" } ], "uuid": "db05dbaa-eb3a-4303-b37e-18d67e7e85a1", @@ -13902,6 +15738,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84", + "type": "similar" } ], "uuid": "a814fd1d-8c2c-41b3-bb3a-30c4318c74c0", @@ -13926,6 +15766,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "53a42597-1974-4b8e-84fd-3675e8992053", + "type": "similar" } ], "uuid": "b410d30c-4db6-4239-950e-9b0e0521f0d2", @@ -13977,6 +15821,10 @@ { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" + }, + { + "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8", + "type": "similar" } ], "uuid": "950f13e6-3ae3-411e-a2b2-4ba1afe6cb76", @@ -13995,6 +15843,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", + "type": "similar" } ], "uuid": "81c2fc9b-8c2c-40f6-a327-dcdd64b70a7e", @@ -14016,6 +15868,10 @@ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" + }, + { + "dest-uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e", + "type": "similar" } ], "uuid": "6d42e6c5-3056-4ff1-8d5d-a736807ec84c", 
@@ -14037,6 +15893,10 @@
 {
 "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "22b17791-45bf-45c0-9322-ff1a0af5cf2b",
+ "type": "similar"
 }
 ],
 "uuid": "38510bab-aece-4d7b-b621-7594c2c4fe14",
@@ -14061,6 +15921,10 @@
 {
 "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "4d7bf2ac-f953-4907-b114-be44dc174d67",
+ "type": "similar"
 }
 ],
 "uuid": "8662e29e-5766-4311-894e-5ca52515ccbe",
@@ -14082,6 +15946,10 @@
 {
 "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a",
+ "type": "similar"
 }
 ],
 "uuid": "de8b18c9-ebab-4126-96a9-282fa8829877",
@@ -14115,18 +15983,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
- "type": "used-by"
- },
- {
- "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
- "type": "used-by"
- },
- {
- "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
- "type": "used-by"
- },
 {
 "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
 "type": "used-by"
@@ -14152,13 +16008,29 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
+ "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d",
 "type": "used-by"
 },
 {
 "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
 "type": "used-by"
@@ -14223,6 +16095,10 @@
 "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963",
 "type": "used-by"
@@ -14251,10 +16127,6 @@
 "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
 "type": "used-by"
 },
- {
- "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d",
- "type": "used-by"
- },
 {
 "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
 "type": "used-by"
@@ -14262,6 +16134,10 @@
 {
 "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
+ "type": "similar"
 }
 ],
 "uuid": "c9b8522f-126d-40ff-b44e-1f46098bd8cc",
@@ -14283,6 +16159,10 @@
 {
 "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704",
+ "type": "similar"
 }
 ],
 "uuid": "947c6212-4da8-48dd-9da9-ce4b077dd759",
@@ -14307,6 +16187,10 @@
 {
 "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
+ "type": "similar"
 }
 ],
 "uuid": "852c300d-9313-442d-9b49-9883522c3f4b",
@@ -14380,6 +16264,10 @@
 {
 "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
+ "type": "similar"
 }
 ],
 "uuid": "803192b8-747b-4108-ae15-2d7481d39162",
@@ -14403,10 +16291,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e",
- "type": "used-by"
- },
 {
 "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
 "type": "used-by"
@@ -14423,6 +16307,10 @@
 "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
 "type": "used-by"
@@ -14450,6 +16338,10 @@
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111",
+ "type": "similar"
 }
 ],
 "uuid": "132fb908-9f13-4bcf-aa64-74cbc72f5491",
@@ -14509,6 +16401,10 @@ { "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3", "type": "used-by" + }, + { + "dest-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", + "type": "similar" } ], "uuid": "1b8f9cf9-db8f-437d-800e-5ddd090fe30d", @@ -14538,7 +16434,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "754effde-613c-4244-a83e-fb659b2a4d06", + "type": "similar" + } + ], "uuid": "5b4b395f-f61a-4bd6-94c1-fb45ed3cd13d", "value": "Netwalker" }, @@ -14575,6 +16476,10 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", + "type": "similar" } ], "uuid": "c7d0e881-80a1-49ea-9c1f-b6e53cf399a8", @@ -14621,7 +16526,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "72b5f07f-5448-4e00-9ff2-08bc193a7b77", + "type": "similar" + } + ], "uuid": "48b161fe-3ae1-5551-9f26-d6f2d6b5afb9", "value": "NGLite" }, 
@@ -14700,11 +16610,42 @@
 {
 "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906",
+ "type": "similar"
 }
 ],
 "uuid": "316ecd9d-ac0b-58c7-8083-5d9214c770f6",
 "value": "ngrok"
 },
+ {
+ "description": "NICECURL is a custom backdoor developed and used by Iranian espionage group APT42. It is usually delivered via phishing attacks and serves as a post-compromise command execution and malware ingress capability.[[Mandiant Uncharmed May 1 2024](/references/84c0313a-bea1-44a7-9396-8e12437852d1)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S5333",
+ "source": "Tidal Cyber",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ce126445-6984-45bb-9737-35448f06f27b",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "9d3fd630-1ba8-4d14-907f-f3bdc5a13fa3",
+ "value": "NICECURL"
+ },
 {
 "description": "[Nidiran](https://app.tidalcyber.com/software/3ae9acd7-39f8-45c6-b557-c7d9a40eed2c) is a custom backdoor developed and used by [Suckfly](https://app.tidalcyber.com/groups/06549082-ff70-43bf-985e-88c695c7113c). It has been delivered via strategic web compromise. [[Symantec Suckfly March 2016](https://app.tidalcyber.com/references/8711c175-e405-4cb0-8c86-8aaa471e5573)]",
 "meta": {
@@ -14721,6 +16662,10 @@
 {
 "dest-uuid": "06549082-ff70-43bf-985e-88c695c7113c",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe",
+ "type": "similar"
 }
 ],
 "uuid": "3ae9acd7-39f8-45c6-b557-c7d9a40eed2c",
@@ -14742,6 +16687,10 @@
 {
 "dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "91c57ed3-7c32-4c68-b388-7db00cb8dac6",
+ "type": "similar"
 }
 ],
 "uuid": "b1963876-dbdc-5beb-ace3-acb6d7705543",
@@ -14763,6 +16712,10 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" + }, + { + "dest-uuid": "023254de-caaf-4a05-b2c7-e4e2f283f7a5", + "type": "similar" } ], "uuid": "2dd26ff0-22d6-591b-9054-78e84fa3e05c", @@ -14791,6 +16744,10 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" @@ -14843,6 +16800,10 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" + }, + { + "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", + "type": "similar" } ], "uuid": "82996f6f-0575-45cd-8f7c-ba1b063d5b9f", @@ -14862,7 +16823,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "bd2ebee8-7c38-408a-871d-221012104222", + "type": "similar" + } + ], "uuid": "e26988e0-e755-54a4-8234-e8f961266d82", "value": "NKAbuse" }, @@ -14890,11 +16856,11 @@ }, "related": [ { - "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" }, { - "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { @@ -14924,6 +16890,14 @@ { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" + }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + }, + { + "dest-uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf", + "type": "similar" } ], "uuid": "fbb1546a-f288-4e43-9e5c-14c94423c4f6", 
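Review bot: The hunk at `@@ -14890,11 +16856,11 @@` only swaps the order of two existing `used-by` entries (`4ea1245f-…` and `646e35d2-…`) with no change in content, and the same churn appears at `@@ -16238`, `@@ -19609`, and as remove/re-add pairs at `@@ -16578`/`-16594`, `@@ -17061`/`-17077`, `@@ -17652`/`-17683` and `@@ -18321`/`-18329`. Because `related` is a JSON array, consumers that compare arrays positionally will see these as changes, and reviewers cannot tell real edits from reordering. If this file is produced by an export script, emitting each `related` array in a deterministic order, for example sorted by (`type`, `dest-uuid`) — illustratively `related.sort(key=lambda r: (r["type"], r["dest-uuid"]))` before serialising — would confine future diffs to genuine additions and removals.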
@@ -14939,6 +16913,15 @@ "software_attack_id": "S5051", "source": "Tidal Cyber", "tags": [ + "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", + "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "758c3085-2f79-40a8-ab95-f8a684737927", + "1dc8fd1e-0737-405a-98a1-111dd557f1b5", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "35e694ec-5133-46e3-b7e1-5831867c3b55", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "6ff40d11-214a-434b-b137-993e4ff5e34e", "15787198-6c8b-4f79-bf50-258d55072fee", @@ -14988,6 +16971,10 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" + }, + { + "dest-uuid": "071d5d65-83ec-4a55-acfa-be7d5f28ba9a", + "type": "similar" } ], "uuid": "31aa0433-fb6b-4290-8af5-a0d0c6c18548", @@ -15017,6 +17004,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "5719af9d-6b16-46f9-9b28-fb019541ddbb", + "type": "similar" } ], "uuid": "2538e0fe-1290-4ae1-aef9-e55d83c9eb23", @@ -15123,6 +17114,10 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" + }, + { + "dest-uuid": "5864e59f-eb4c-43ad-83b2-b5e4fae056c9", + "type": "similar" } ], "uuid": "97e8148c-e146-444c-9de5-6e2fdbda2f9f", @@ -15140,7 +17135,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "288fa242-e894-4c7e-ac86-856deedf5cea", + "type": "similar" + } + ], "uuid": "f1723994-058b-4525-8e11-2f0c80d8f3a4", "value": "OceanSalt" }, @@ -15160,6 +17160,10 @@ { "dest-uuid": "5f8c6ee0-f302-403b-b712-f1e3df064c0c", "type": "used-by" + }, + { + "dest-uuid": "e2031fd5-02c2-43d4-85e2-b64f474530c2", + "type": "similar" } ], "uuid": "8f04e609-8773-4529-b247-d32f530cc453", @@ -15232,6 +17236,10 @@ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" + }, + { + "dest-uuid": "4b6ec280-7bbb-48ff-ae59-b189520ebe83", + "type": "similar" } ], "uuid": "f9bcf0a1-f287-44ec-8f53-6859d41e041c", 
@@ -15256,6 +17264,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", + "type": "similar" } ], "uuid": "479814e2-2656-4ea2-9e79-fcdb818f703e", @@ -15280,6 +17292,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "3249e92a-870b-426d-8790-ba311c1abfb4", + "type": "similar" } ], "uuid": "073b5288-11d6-4db0-9f2c-a1816847d15c", @@ -15326,6 +17342,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", + "type": "similar" } ], "uuid": "6056bf36-fb45-498d-a285-5f98ae08b090", @@ -15350,6 +17370,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c", + "type": "similar" } ], "uuid": "4f1894d4-d085-4348-af50-dfda257a9e18", @@ -15399,6 +17423,10 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" @@ -15442,6 +17470,10 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" + }, + { + "dest-uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b", + "type": "similar" } ], "uuid": "45a52a29-00c0-458a-b705-1040e06a43f2", @@ -15463,6 +17495,10 @@ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" + }, + { + "dest-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", + "type": "similar" } ], "uuid": "fa1e13b8-2fb7-42e8-b630-25f0edfbca65", @@ -15487,6 +17523,10 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" + }, + { + "dest-uuid": "b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", + "type": "similar" } ], "uuid": "a45904b5-0ada-4567-be4c-947146c7f574", 
@@ -15504,7 +17544,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f1314e75-ada8-49f4-b281-b1fb8b48f2a7", + "type": "similar" + } + ], "uuid": "4d91d625-21d8-484a-b63f-0a3daa4ed434", "value": "OSX/Shlayer" }, @@ -15524,6 +17569,10 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" + }, + { + "dest-uuid": "80c815bb-b24a-4b9c-9d73-ff4c075a278d", + "type": "similar" } ], "uuid": "273b1e8d-a23d-4c22-8493-80f3d6639352", @@ -15549,6 +17598,10 @@ { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" + }, + { + "dest-uuid": "c113230f-f044-423b-af63-9b63c802f5ae", + "type": "similar" } ], "uuid": "042fe42b-f60e-45e1-b47d-a913e0677976", @@ -15566,7 +17619,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", + "type": "similar" + } + ], "uuid": "6d8a8510-e6f1-49a7-b3a5-bd4664937147", "value": "OwaAuth" }, @@ -15582,7 +17640,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85", + "type": "similar" + } + ], "uuid": "916f8a7c-e487-4446-b6ee-c8da712a9569", "value": "P2P ZeuS" }, @@ -15602,6 +17665,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "7c58fff0-d206-4db1-96b1-e3a9e0e320b9", + "type": "similar" } ], "uuid": "1933ad3d-3085-4b1b-82b9-ac51b440e2bf", @@ -15624,6 +17691,10 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" + }, + { + "dest-uuid": "647215dd-29a6-4528-b354-ca8b5e08fca1", + "type": "similar" } ], "uuid": "13856c51-d81c-5d75-bb6a-0bbdcc857cdd", @@ -15656,6 +17727,10 @@ { "dest-uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886", "type": "used-by" + }, + { + "dest-uuid": "1b3b8f96-43b1-4460-8e02-1f53d7802fb9", + "type": "similar" } ], "uuid": "e90eb529-1665-5fd7-a44e-695715e4081b", 
@@ -15684,6 +17759,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "a545456a-f9a7-47ad-9ea6-8b017def38d1", + "type": "similar" } ], "uuid": "320b0784-4f0f-46ea-99e9-c34bfcca1c2e", @@ -15705,6 +17784,10 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" + }, + { + "dest-uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae", + "type": "similar" } ], "uuid": "3f018e73-d09b-4c8d-815b-8b2c8faf7055", @@ -15723,6 +17806,10 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" + }, + { + "dest-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", + "type": "similar" } ], "uuid": "8d007d52-8898-494c-8d72-354abd93da1e", @@ -15783,6 +17870,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "4800d0f9-00aa-47cd-a4d2-92198585b8fd", + "type": "similar" } ], "uuid": "4d79530c-2fd9-4438-a8da-74f42119695a", @@ -15809,6 +17900,10 @@ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" + }, + { + "dest-uuid": "77ca1aa3-280c-4b67-abaa-e8fb891a8f83", + "type": "similar" } ], "uuid": "9aa21e50-726e-4002-8b7b-75697a03eb2b", @@ -15852,6 +17947,10 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" + }, + { + "dest-uuid": "e4feffc2-53d1-45c9-904e-adb9faca0d15", + "type": "similar" } ], "uuid": "873ede85-548b-5fc0-a29e-80bd5afc5bf4", @@ -15922,6 +18021,10 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" + }, + { + "dest-uuid": "3a53b207-aba2-4a2b-9cdb-273d633669e7", + "type": "similar" } ], "uuid": "71eb2211-39aa-4b89-bd51-9dcabd363149", @@ -15996,6 +18099,10 @@ { "dest-uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886", "type": "used-by" + }, + { + "dest-uuid": "79dd477a-8226-4b3d-ad15-28623675f221", + "type": "similar" } ], "uuid": "52a19c73-2454-4893-8f84-8d05c37a9472", 
@@ -16017,6 +18124,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "d18cb958-f4ad-4fb3-bb4f-e8994d206550", + "type": "similar" } ], "uuid": "951fad62-f636-4c01-b924-bb0ce87f5b20", @@ -16038,6 +18149,10 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" + }, + { + "dest-uuid": "6c2550d5-a01a-4bbb-a004-6ead348ba623", + "type": "similar" } ], "uuid": "1f080577-c002-4b49-a342-fa70983c1d58", @@ -16141,6 +18256,10 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" + }, + { + "dest-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", + "type": "similar" } ], "uuid": "fd63cec1-9f72-4ed0-9926-2dbbb3d9cead", @@ -16191,6 +18310,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "type": "similar" } ], "uuid": "db5d718b-1344-4aa2-8e6a-54e68d8adfb1", @@ -16215,6 +18338,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", + "type": "similar" } ], "uuid": "ba2208c8-5e1e-46cd-bef1-ffa7a2be3be4", @@ -16238,11 +18365,11 @@ }, "related": [ { - "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", + "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { - "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", + "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { @@ -16296,6 +18423,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", + "type": "similar" } ], "uuid": "4ea12106-c0a1-4546-bb64-a1675d9f5dc7", @@ -16358,6 +18489,10 @@ { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" + }, + { + "dest-uuid": "3a0f6128-0a01-421d-8eca-e57d8671b1f1", + "type": "similar" } ], "uuid": "4360cc62-7263-48b2-bd2a-a7737563545c", 
@@ -16379,6 +18514,10 @@ { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" + }, + { + "dest-uuid": "8393dac0-0583-456a-9372-fd81691bca20", + "type": "similar" } ], "uuid": "92744f7b-9f1a-472c-bae0-2d4a7ce68bb4", @@ -16400,6 +18539,10 @@ { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" + }, + { + "dest-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", + "type": "similar" } ], "uuid": "14e65c5d-5164-41a3-92de-67fdd1d529d2", @@ -16417,7 +18560,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d79b1800-3b5d-4a4f-8863-8251eca793e2", + "type": "similar" + } + ], "uuid": "c0e56f14-9768-5547-abcb-aa3f220d0e40", "value": "PITSTOP" }, @@ -16458,6 +18606,10 @@ { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" + }, + { + "dest-uuid": "21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", + "type": "similar" } ], "uuid": "9445f18a-a796-447a-a35f-94a9fb72411c", @@ -16512,6 +18664,10 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" + }, + { + "dest-uuid": "b57f419e-8b12-49d3-886b-145383725dcd", + "type": "similar" } ], "uuid": "9a890a85-afbe-4c35-a3e7-1adad481bdf7", @@ -16527,6 +18683,10 @@ "software_attack_id": "S5041", "source": "Tidal Cyber", "tags": [ + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "febea5b6-2ea2-402b-8bec-f3f5b3f73c59", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -16546,6 +18706,10 @@ ] }, "related": [ + { + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -16578,10 +18742,6 @@ ] }, "related": [ - { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", - "type": "used-by" - }, { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" 
@@ -16594,6 +18754,10 @@ "dest-uuid": "b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a", "type": "used-by" }, + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" + }, { "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", "type": "used-by" @@ -16633,6 +18797,10 @@ { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" + }, + { + "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "type": "similar" } ], "uuid": "070b56f4-7810-4dad-b85f-bdfce9c08c10", @@ -16654,6 +18822,10 @@ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" + }, + { + "dest-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", + "type": "similar" } ], "uuid": "95c273d2-3081-4cb5-8d41-37eb4e90264d", @@ -16693,7 +18865,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", + "type": "similar" + } + ], "uuid": "79b4f277-3b18-4aa7-9f96-44b35b23166b", "value": "PoetRAT" }, @@ -16772,6 +18949,10 @@ { "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "type": "used-by" + }, + { + "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "type": "similar" } ], "uuid": "1d87a695-7989-49ae-ac1a-b6601db565c3", @@ -16796,6 +18977,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "3d57dcc4-be99-4613-9482-d5218f5ec13e", + "type": "similar" } ], "uuid": "3b7179fa-7b8b-4068-b224-d8d9c642964d", @@ -16816,7 +19001,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "222ba512-32d9-49ac-aefd-50ce981ce2ce", + "type": "similar" + } + ], "uuid": "555b612e-3f0d-421d-b2a7-63eb2d1ece5f", "value": "Pony" }, 
@@ -16836,11 +19026,58 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79", + "type": "similar" } ], "uuid": "1353d695-5bae-4593-988f-9bd07a6fd1bb", "value": "POORAIM" }, + { + "description": "POORTRY is a malicious kernel driver known to be used by multiple ransomware groups for defense evasion purposes, typically in conjunction with a related loader capability, STONESTOP. POORTRY abuses or falsifies certificates to evade code signing processes. Since being discovered and disclosed in 2022, POORTRY has evolved its focus from disabling security software to actually removing critical software components from victim disks.[[Sophos News August 27 2024](/references/af1dfc7b-fdc2-448f-a4bf-34f8ee7d55bc)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S5336", + "source": "Tidal Cyber", + "tags": [ + "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "5216ac81-da4c-4b87-86ce-b90a651f1048", + "type": "used-by" + }, + { + "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "type": "used-by" + }, + { + "dest-uuid": "316a49d5-5fe0-4e0b-a276-f955f4277162", + "type": "used-by" + }, + { + "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", + "type": "used-by" + }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + } + ], + "uuid": "439059e2-f756-4c38-8d87-1d3c534f2e16", + "value": "POORTRY" + }, { "description": "[PoshC2](https://app.tidalcyber.com/software/a3a03835-79bf-4558-8e80-7983aeb842fb) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. 
The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde). Although [PoshC2](https://app.tidalcyber.com/software/a3a03835-79bf-4558-8e80-7983aeb842fb) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[[GitHub PoshC2](https://app.tidalcyber.com/references/45e79c0e-a2f6-4b56-b621-4142756bd1b1)]", "meta": { @@ -16866,6 +19103,10 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" + }, + { + "dest-uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc", + "type": "similar" } ], "uuid": "a3a03835-79bf-4558-8e80-7983aeb842fb", @@ -16890,6 +19131,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", + "type": "similar" } ], "uuid": "b92f28c4-cbc8-4721-ac79-2d8bdf5247e5", @@ -16914,6 +19159,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", + "type": "similar" } ], "uuid": "d9e4f4a1-dd41-424e-986a-b9a39ebea805", @@ -16935,6 +19184,10 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" + }, + { + "dest-uuid": "35ee9bf3-264b-4411-8a8f-b58cec8f35e4", + "type": "similar" } ], "uuid": "8b9159c1-db48-472b-9897-34325da5dca7", @@ -16949,7 +19202,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3", + "type": "similar" + } + ], "uuid": "018ee1d9-35af-49dc-a667-11b77cd76f46", "value": "Power Loader" }, @@ -16993,6 +19251,10 @@ { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" + }, + { + "dest-uuid": "d52291b4-bb23-45a8-aef0-3dc7e986ba15", + "type": "similar" } ], "uuid": "e7cdaf70-5e28-442a-b34d-894484788dc5", 
@@ -17014,6 +19276,10 @@ { "dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6", "type": "used-by" + }, + { + "dest-uuid": "53486bc7-7748-4716-8190-e4f1fde04c53", + "type": "similar" } ], "uuid": "2ca245de-77a9-4857-ba93-fd0d6988df9d", @@ -17038,6 +19304,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", + "type": "similar" } ], "uuid": "a4700431-6578-489f-9782-52e394277296", @@ -17061,6 +19331,14 @@ ] }, "related": [ + { + "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", + "type": "used-by" + }, + { + "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", + "type": "used-by" + }, { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" @@ -17077,14 +19355,6 @@ "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, - { - "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", - "type": "used-by" - }, - { - "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", - "type": "used-by" - }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" @@ -17104,6 +19374,10 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", + "type": "similar" } ], "uuid": "82fad10d-c921-4a87-a533-49def83d002b", @@ -17128,6 +19402,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd", + "type": "similar" } ], "uuid": "837bcf97-37a7-4001-a466-306574fd7890", @@ -17152,6 +19430,10 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" + }, + { + "dest-uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37", + "type": "similar" } ], "uuid": "39fc59c6-f1aa-4c93-8e43-1f41563e9d9e", 
@@ -17173,6 +19455,10 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "e85cae1a-bce3-4ac4-b36b-b00acac0567b", + "type": "similar" } ], "uuid": "b3c28750-3825-4e4d-ab92-f39a6b0827dd", @@ -17279,6 +19565,10 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" + }, + { + "dest-uuid": "c19d19ae-dd58-4584-8469-966bbeaa80e3", + "type": "similar" } ], "uuid": "7ed984bb-d098-4d0a-90fd-b03e68842479", @@ -17303,6 +19593,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", + "type": "similar" } ], "uuid": "67cdb7a6-5142-43fa-8b8d-d9bdd2a4dae4", @@ -17350,6 +19644,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "1da748a5-875d-4212-9222-b4c23ab861be", + "type": "similar" } ], "uuid": "4fb5b109-5a5c-5441-a0f9-f639ead5405e", @@ -17370,7 +19668,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", + "type": "similar" + } + ], "uuid": "1da989a8-41cc-4e89-a435-a88acb72ae0d", "value": "Prikormka" }, @@ -17428,6 +19731,10 @@ "software_attack_id": "S5036", "source": "Tidal Cyber", "tags": [ + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "c3eaf8a7-06e5-4e3a-9615-36316d9e10a8", "af5e9be5-b86e-47af-91dd-966a5e34a186", @@ -17445,6 +19752,10 @@ ] }, "related": [ + { + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -17518,7 +19829,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "471d0e9f-2c8a-4e4b-8f3b-f85d2407806e", + "type": "similar" + } + ], "uuid": "c8af096e-c71e-4751-b203-70c285b7a7bd", "value": "ProLock" }, 
@@ -17556,7 +19872,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", + "type": "similar" + } + ], "uuid": "d3bcdbc4-5998-4e50-bd45-cba6a3278427", "value": "Proton" }, @@ -17598,6 +19919,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "069af411-9b24-4e85-b26c-623d035bbe84", + "type": "similar" } ], "uuid": "94f43629-243e-49dc-8c2b-cdf4fc15cf83", @@ -17615,7 +19940,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "13183cdf-280b-46be-913a-5c6df47831e7", + "type": "similar" + } + ], "uuid": "8cd401ac-a233-4395-a8ae-d75db9d5b845", "value": "PS1" }, @@ -17652,19 +19982,7 @@ }, "related": [ { - "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", - "type": "used-by" - }, - { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", - "type": "used-by" - }, - { - "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", - "type": "used-by" - }, - { - "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { @@ -17683,6 +20001,22 @@ "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d", "type": "used-by" }, + { + "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", + "type": "used-by" + }, + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" + }, + { + "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", + "type": "used-by" + }, + { + "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", + "type": "used-by" + }, { "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", "type": "used-by" @@ -17771,6 +20105,10 @@ "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" 
@@ -17822,6 +20160,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "type": "similar" } ], "uuid": "73eb32af-4bd3-4e21-8048-355edc55a9c6", @@ -17865,6 +20207,10 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" + }, + { + "dest-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", + "type": "similar" } ], "uuid": "8c35d349-2f70-4edb-8668-e1cc2b67e4a0", @@ -17889,6 +20235,10 @@ { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" + }, + { + "dest-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", + "type": "similar" } ], "uuid": "7fed4276-807e-4656-95f5-90878b6e2dbb", @@ -17938,6 +20288,10 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" + }, + { + "dest-uuid": "9a097d18-d15f-4635-a4f1-189df7efdc40", + "type": "similar" } ], "uuid": "d777204c-f93c-54d9-b80e-41641a3d55ce", @@ -17990,6 +20344,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", + "type": "similar" } ], "uuid": "d8999d60-3818-4d75-8756-8a55531254d8", @@ -18014,6 +20372,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79", + "type": "similar" } ], "uuid": "1638d99b-fbcf-40ec-ac48-802ce5be520a", @@ -18042,6 +20404,10 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", + "type": "similar" } ], "uuid": "0a8bedc2-b404-4a9a-b4f5-ff90ff8294be", 
@@ -18079,6 +20445,11 @@ "software_attack_id": "S5065", "source": "Tidal Cyber", "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "15787198-6c8b-4f79-bf50-258d55072fee" @@ -18088,6 +20459,10 @@ ] }, "related": [ + { + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "type": "used-by" + }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" @@ -18139,6 +20514,10 @@ { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" + }, + { + "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", + "type": "similar" } ], "uuid": "77f629db-d971-49d8-8b73-c7c779b7de3e", @@ -18163,6 +20542,10 @@ { "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c", "type": "used-by" + }, + { + "dest-uuid": "2ac41e8b-4865-4ced-839d-78e7852c47f3", + "type": "similar" } ], "uuid": "51b2c56e-7d64-4e15-b1bd-45a980c9c44d", @@ -18185,7 +20568,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a19c1197-9414-46e3-986f-0f609ff4a46b", + "type": "similar" + } + ], "uuid": "e0d5ecce-eca0-4f01-afcc-0c8e92323016", "value": "Pysa" }, @@ -18225,6 +20613,10 @@ { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" + }, + { + "dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9", + "type": "similar" } ], "uuid": "9050b418-5ffd-481a-a30d-f9059b0871ea", @@ -18252,7 +20644,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", + "type": "used-by" + } + ], "uuid": "3b78dda9-d273-4ffc-9a9f-75e80178c7b2", "value": "Qilin Ransomware" }, 
@@ -18300,6 +20697,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", + "type": "similar" } ], "uuid": "2bf68242-1dbd-405b-ac35-330eda887081", @@ -18321,6 +20722,10 @@ ] }, "related": [ + { + "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", + "type": "used-by" + }, { "dest-uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2", "type": "used-by" @@ -18329,10 +20734,6 @@ "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, - { - "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", - "type": "used-by" - }, { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" @@ -18340,6 +20741,10 @@ { "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0", "type": "used-by" + }, + { + "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", + "type": "similar" } ], "uuid": "4bab7c2b-5ec4-467e-8df4-f2e6996e136b", @@ -18390,7 +20795,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "93289ecf-4d15-4d6b-a9c3-4ab27e145ef4", + "type": "similar" + } + ], "uuid": "52d3515c-5184-5257-bf24-56adccb4cccd", "value": "QUIETCANARY" }, @@ -18413,6 +20823,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "4816d361-f82b-4a18-aa05-b215e7cf9200", + "type": "similar" } ], "uuid": "947ab087-7550-577f-9ae9-5e82e9910610", @@ -18437,6 +20851,10 @@ { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" + }, + { + "dest-uuid": "03eb4a05-6a02-43f6-afb7-3c7835501828", + "type": "similar" } ], "uuid": "dcdb74c5-4445-49bd-9f9c-236a7ecc7904", @@ -18573,6 +20991,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "54895630-efd2-4608-9c24-319de972a9eb", + "type": "similar" } ], "uuid": "d25f7acd-a995-4b8b-8ffe-ccc9703cdf5f", 
@@ -18597,6 +21019,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "4efc3e00-72f2-466a-ab7c-8a7dc6603b19", + "type": "similar" } ], "uuid": "80295aeb-59e3-4c5d-ac39-9879158f8d23", @@ -18618,6 +21044,10 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" + }, + { + "dest-uuid": "29231689-5837-4a7a-aafc-1b65b3f50cc7", + "type": "similar" } ], "uuid": "42b775bd-0c1d-4ad3-8f7f-cbb0ba84e19e", @@ -18635,7 +21065,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ba09b86c-1c40-4ff1-bda0-0d8c4ca35997", + "type": "similar" + } + ], "uuid": "dc307b3c-9bc5-4624-b0bc-4807fa1fc57b", "value": "Ramsay" }, @@ -18660,7 +21095,20 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", + "type": "used-by" + }, + { + "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", + "type": "used-by" + }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + } + ], "uuid": "a3044fb5-3aae-4590-b589-cc88bf0d1f34", "value": "RansomHub (Payload)" }, @@ -18681,6 +21129,10 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" + }, + { + "dest-uuid": "880f7b3e-ad27-4158-8b03-d44c9357950b", + "type": "similar" } ], "uuid": "129abb68-7992-554e-92fa-fa376279c0b6", @@ -18705,6 +21157,10 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" + }, + { + "dest-uuid": "8c553311-0baa-4146-997a-f79acef3d831", + "type": "similar" } ], "uuid": "a9c9fda8-c156-44f2-bc7e-1b696f3fbaa2", @@ -18774,6 +21230,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "9b325b06-35a1-457d-be46-a4ecc0b7ff0c", + "type": "similar" } ], "uuid": "40466d7d-a107-46aa-a6fc-180e0eef2c6b", 
@@ -18795,6 +21255,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "3ffbdc1f-d2bf-41ab-91a2-c7b857e98079", + "type": "similar" } ], "uuid": "d86a562d-d235-4481-9a3f-273fa3ebe89a", @@ -18816,6 +21280,10 @@ { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" + }, + { + "dest-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", + "type": "similar" } ], "uuid": "6ea1bf95-fed8-4b94-8071-aa19a3af5e34", @@ -18855,6 +21323,10 @@ ] }, "related": [ + { + "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", + "type": "used-by" + }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" @@ -18867,6 +21339,10 @@ "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, + { + "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05", + "type": "used-by" + }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" @@ -18887,6 +21363,10 @@ "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, + { + "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", + "type": "used-by" + }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" @@ -18894,6 +21374,10 @@ { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" + }, + { + "dest-uuid": "59096109-a1dd-463b-87e7-a8d110fe3a79", + "type": "similar" } ], "uuid": "1f3f15fa-1b4b-494d-abc8-c7f8a227b7b4", @@ -18922,6 +21406,10 @@ { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" + }, + { + "dest-uuid": "03acae53-9b98-46f6-b204-16b930839055", + "type": "similar" } ], "uuid": "38c4d208-fe38-4965-871c-709fa1479ba3", @@ -18967,6 +21455,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "type": "similar" } ], "uuid": "567da30e-fd4d-4ec5-a308-bf08788f3bfb", 
@@ -18991,6 +21483,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "065196de-d7e8-4888-acfb-b2134022ba1b", + "type": "similar" } ], "uuid": "ca4e973c-da15-46a9-8f3a-0b1560c9a783", @@ -19060,7 +21556,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", + "type": "similar" + } + ], "uuid": "ca544771-d43e-4747-80e5-cf0f4a4836f3", "value": "Reaver" }, @@ -19080,6 +21581,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", + "type": "similar" } ], "uuid": "5264c3ab-14e1-4ae1-854e-889ebde029b4", @@ -19149,6 +21654,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", + "type": "similar" } ], "uuid": "d796615c-fa3d-4afd-817a-1a3db8c73532", @@ -19195,6 +21704,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "47124daf-44be-4530-9c63-038bc64318dd", + "type": "similar" } ], "uuid": "52dc08d8-82cc-46dc-91ae-383193d72963", @@ -19234,7 +21747,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", + "type": "similar" + } + ], "uuid": "e88bf527-bb9c-45c3-b86b-04a07dcd91fd", "value": "Regin" }, @@ -19391,6 +21909,10 @@ { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" + }, + { + "dest-uuid": "7cd0bc75-055b-4098-a00e-83dc8beaff14", + "type": "similar" } ], "uuid": "2eb92fa8-514e-4018-adc4-c9fe4f082567", @@ -19412,6 +21934,10 @@ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" + }, + { + "dest-uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5", + "type": "similar" } ], "uuid": "82d0bb4d-4711-49e3-9fe5-c522bbe5e8bb", 
@@ -19455,6 +21981,10 @@ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" + }, + { + "dest-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", + "type": "similar" } ], "uuid": "57fa64ea-975a-470a-a194-3428148ae9ee", @@ -19476,6 +22006,10 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" + }, + { + "dest-uuid": "03c6e0ea-96d3-4b23-9afb-05055663cf4b", + "type": "similar" } ], "uuid": "8a7fa0df-c688-46be-94bf-462fae33b788", @@ -19497,6 +22031,10 @@ { "dest-uuid": "deb573c6-071a-4b50-9e92-4aa648d8bdc1", "type": "used-by" + }, + { + "dest-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", + "type": "similar" } ], "uuid": "e3729cff-f25e-4c01-a7a1-e8b83e903b30", @@ -19549,6 +22087,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", + "type": "similar" } ], "uuid": "2a5ea3a7-9873-4a2e-b4b5-4e27a80db305", @@ -19574,6 +22116,10 @@ { "dest-uuid": "830079fe-9824-405b-93e0-c28592155c49", "type": "used-by" + }, + { + "dest-uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326", + "type": "similar" } ], "uuid": "f99712b4-37a2-437c-92d7-fb4f94a1f892", @@ -19609,16 +22155,20 @@ }, "related": [ { - "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", + "dest-uuid": "b4d068ac-9b68-4cd8-bf0c-019f910ef8e3", "type": "used-by" }, { - "dest-uuid": "b4d068ac-9b68-4cd8-bf0c-019f910ef8e3", + "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" + }, + { + "dest-uuid": "ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "type": "similar" } ], "uuid": "9314531e-bf46-4cba-9c19-198279ccf9cd", @@ -19643,6 +22193,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", + "type": "similar" } ], "uuid": "d5649d69-52d4-4198-9683-b250348dea32", 
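Review bot: The hunk at `@@ -19609,16 +22155,20 @@` swaps the order of the existing `4348c510-…` and `b4d068ac-…` `used-by` entries without changing their content, and the pair of hunks at `@@ -22899,10 +25956,6 @@` / `@@ -22915,6 +25968,10 @@` similarly just moves the `8567136b-…` entry within its `related` array. This is pure ordering noise that inflates an already very large diff and hides the substantive additions. If the generator does not already emit `related` in a stable order, sorting each array by `("type", "dest-uuid")` before serialising would make regenerations reproducible and reviews tractable.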
@@ -19693,6 +22247,10 @@ { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" + }, + { + "dest-uuid": "44c75271-0e4d-496f-ae0a-a6d883a42a65", + "type": "similar" } ], "uuid": "ca5ae7c8-467a-4434-82fc-db50ce3fc671", @@ -19714,6 +22272,10 @@ { "dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762", "type": "used-by" + }, + { + "dest-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", + "type": "similar" } ], "uuid": "00fa4cc2-6f99-4b18-b927-689964ef57e1", @@ -19731,7 +22293,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "56e6b6c2-e573-4969-8bab-783205cebbbf", + "type": "similar" + } + ], "uuid": "19b1f1c8-5ef3-4328-b605-38e0bafc084d", "value": "Rising Sun" }, @@ -19751,6 +22318,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "6dbdc657-d8e0-4f2f-909b-7251b3e72c6d", + "type": "similar" } ], "uuid": "15bc8e94-64d1-4f1f-bc99-08cfbac417dc", @@ -19773,7 +22344,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0a607c53-df52-45da-a75d-0e53df4dad5f", + "type": "similar" + } + ], "uuid": "b65956ef-439a-463d-b85e-6606467f508a", "value": "RobbinHood" }, @@ -19793,6 +22369,10 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" + }, + { + "dest-uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", + "type": "similar" } ], "uuid": "cb7aa34e-312f-4210-be7b-47a1e3f5b7b5", @@ -19814,6 +22394,10 @@ { "dest-uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75", "type": "used-by" + }, + { + "dest-uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122", + "type": "similar" } ], "uuid": "852cf78d-9cdc-4971-a972-405921027436", @@ -19838,6 +22422,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", + "type": "similar" } ], "uuid": "a3479628-af0b-4088-8d2a-fafa384731dd", 
@@ -19886,6 +22474,10 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" + }, + { + "dest-uuid": "08e844a8-371f-4fe3-9d1f-e056e64a7fde", + "type": "similar" } ], "uuid": "169bfcf6-544c-5824-a7cd-2d5070304b57", @@ -19908,6 +22500,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", + "type": "similar" } ], "uuid": "3b755518-9085-474e-8bc4-4f9344d9c8af", @@ -19925,7 +22521,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", + "type": "similar" + } + ], "uuid": "ef38ff3e-fa36-46f2-a720-3abaca167b04", "value": "Rover" }, @@ -19938,6 +22539,8 @@ "software_attack_id": "S1073", "source": "MITRE", "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "a2e000da-8181-4327-bacd-32013dbd3654", "5e7433ad-a894-4489-93bc-41e90da90019", "15787198-6c8b-4f79-bf50-258d55072fee", "7e7b0c67-bb85-4996-a289-da0e792d7172" @@ -19954,6 +22557,10 @@ { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" + }, + { + "dest-uuid": "802a874d-7463-4f2a-99e3-6a1f5a919a21", + "type": "similar" } ], "uuid": "221e24cb-910f-5988-9473-578ef350870c", @@ -20021,6 +22628,10 @@ { "dest-uuid": "666ab5f0-3ef1-4e74-8a10-65c60a7d1acd", "type": "used-by" + }, + { + "dest-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", + "type": "similar" } ], "uuid": "1836485e-a3a6-4fae-a15d-d0990788811a", @@ -20044,6 +22655,10 @@ ] }, "related": [ + { + "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", + "type": "used-by" + }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" @@ -20055,6 +22670,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "e33267fe-099f-4af2-8730-63d49f8813b2", + "type": "similar" } ], "uuid": "2e54f40c-ab62-535e-bbab-3f3a835ff55a", 
@@ -20077,6 +22696,10 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "90ac9266-68ce-46f2-b24f-5eb3b2a8ea38", + "type": "similar" } ], "uuid": "69563cbd-7dc1-4396-b576-d5886df11046", @@ -20216,7 +22839,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "60d50676-459a-47dd-92e9-a827a9fe9c58", + "type": "similar" + } + ], "uuid": "e8afda1f-fa83-4fc3-b6fb-7d5daca7173f", "value": "RunningRAT" }, @@ -20298,6 +22926,10 @@ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" + }, + { + "dest-uuid": "a020a61c-423f-4195-8c46-ba1d21abba37", + "type": "similar" } ], "uuid": "8ae86854-4cdc-49eb-895a-d1fa742f7974", @@ -20322,6 +22954,10 @@ { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" + }, + { + "dest-uuid": "7724581b-06ff-4d2b-b77c-80dc8d53070b", + "type": "similar" } ], "uuid": "d66e5d18-e9f5-4091-bdf4-acdac129e2e0", @@ -20346,6 +22982,10 @@ { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" + }, + { + "dest-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", + "type": "similar" } ], "uuid": "a316c704-144a-4d14-8e4e-685bb6ae391c", @@ -20367,7 +23007,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62", + "type": "similar" + } + ], "uuid": "88831e9f-453e-466f-9510-9acaa1f20368", "value": "SamSam" }, @@ -20387,6 +23032,10 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" + }, + { + "dest-uuid": "ae91fb8f-5031-4f57-9839-e3be3ed503f0", + "type": "similar" } ], "uuid": "bd75c822-7be6-5e6f-bd2e-0512be6d38d9", @@ -20408,6 +23057,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "0c52f5bc-557d-4083-bd27-66d7cdb794bb", + "type": "similar" } ], "uuid": "9ab0d523-3496-5e64-9ca1-bb756f5e64e0", 
@@ -20498,6 +23151,10 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" + }, + { + "dest-uuid": "c9703cd3-141c-43a0-a926-380082be5d04", + "type": "similar" } ], "uuid": "2aacbf3a-a359-41d2-9a71-76447f0545b5", @@ -20564,6 +23221,10 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" + }, + { + "dest-uuid": "92b03a94-7147-4952-9d5a-b4d24da7487c", + "type": "similar" } ], "uuid": "046bbd0c-bff5-46fc-9028-cbe46a9f8ec5", @@ -20600,6 +23261,10 @@ { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" + }, + { + "dest-uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", + "type": "similar" } ], "uuid": "3d4be65d-231b-44bb-8d12-5038a3d48bae", @@ -20624,6 +23289,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", + "type": "similar" } ], "uuid": "ae30d58e-21c5-41a4-9ebb-081dc1f26863", @@ -20645,6 +23314,10 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" + }, + { + "dest-uuid": "b45747dc-87ca-4597-a245-7e16a61bc491", + "type": "similar" } ], "uuid": "3527b09b-f3f6-4716-9f90-64ea7d3b9d8a", @@ -20669,6 +23342,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "0998045d-f96e-4284-95ce-3c8219707486", + "type": "similar" } ], "uuid": "42c8504c-8a18-46d2-a145-35b0cd8ba669", 
@@ -20748,6 +23425,40 @@ "uuid": "a1fef846-cb22-4885-aa14-cb67ab38fce4", "value": "secretsdump" }, + { + "description": "According to its GitHub project page, Secure Socket Funneling (SSF) is a \"network tool and toolkit\" that \"provides simple and efficient ways to forward data from multiple sockets (TCP or UDP) through a single secure TLS tunnel to a remote computer\".[[GitHub securesocketfunneling ssf](/references/077ab224-9406-4be7-8467-2a6da8dc786d)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "macOS", + "Network", + "Linux", + "Windows" + ], + "software_attack_id": "S5329", + "source": "Tidal Cyber", + "tags": [ + "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "758c3085-2f79-40a8-ab95-f8a684737927", + "1dc8fd1e-0737-405a-98a1-111dd557f1b5", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "febea5b6-2ea2-402b-8bec-f3f5b3f73c59", + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", + "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" + ], + "type": [ + "tool" + ] + }, + "related": [], + "uuid": "80b9180e-bae5-44a7-8016-8c1463bbd054", + "value": "Secure Socket Funneling" + }, { "description": "[ServHelper](https://app.tidalcyber.com/software/704ed49d-103c-4b33-b85c-73670cc1d719) is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.[[Proofpoint TA505 Jan 2019](https://app.tidalcyber.com/references/b744f739-8810-4fb9-96e3-6488f9ed6305)]", "meta": { @@ -20767,6 +23478,10 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" + }, + { + "dest-uuid": "aae22730-e571-4d17-b037-65f2a3e26213", + "type": "similar" } ], "uuid": "704ed49d-103c-4b33-b85c-73670cc1d719", 
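Review bot: The new `Secure Socket Funneling` entry cites its reference as a relative link (`/references/077ab224-…`), while the adjacent MITRE-sourced `ServHelper` entry in the same hunk uses the absolute form `https://app.tidalcyber.com/references/…`. Consumers that render `description` outside the Tidal web app (MISP, exported reports) will get a broken link for the relative form, so the two conventions should be reconciled; the same relative form appears in the other new `"source": "Tidal Cyber"` entries in this diff. Separately, this entry carries twelve tags but `"related": []`, which is consistent with the other new tool entries but worth confirming is intentional rather than a lookup that returned nothing.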
@@ -20788,7 +23503,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f931a0b9-0361-4b1b-bacf-955062c35746", + "type": "similar" + } + ], "uuid": "fb47c051-d22b-4a05-94a7-cf979419b60a", "value": "Seth-Locker" }, @@ -20893,6 +23613,10 @@ { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" + }, + { + "dest-uuid": "ec9e00dd-0313-4d5b-8105-c20aa47abffc", + "type": "similar" } ], "uuid": "5190f50d-7e54-410a-9961-79ab751ddbab", @@ -20913,7 +23637,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", + "type": "similar" + } + ], "uuid": "840db1db-e262-4d6f-b6e3-2a64696a41c5", "value": "Shamoon" }, @@ -20936,6 +23665,10 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" + }, + { + "dest-uuid": "99854cc8-f202-4e03-aa0a-4f8a4af93229", + "type": "similar" } ], "uuid": "278da5e8-4d4c-4c45-ad72-8f078872fb4a", 
@@ -20982,11 +23715,44 @@ { "dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc", "type": "used-by" + }, + { + "dest-uuid": "1fefb062-feda-484a-8f10-0cebf65e20e3", + "type": "similar" } ], "uuid": "4ed1e83b-a208-5518-bed2-d07c1b289da2", "value": "SharpDisco" }, + { + "description": "According to its GitHub project page, SharpExfiltrate is a \"modular C# framework to exfiltrate loot over secure and trusted channels\".[[GitHub Flangvik SharpExfiltrate](/references/7f0c0c86-c042-4a69-982a-c8c70ec1199c)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S5327", + "source": "Tidal Cyber", + "tags": [ + "8bf128ad-288b-41bc-904f-093f4fdde745", + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", + "e1af18e3-3224-4e4c-9d0f-533768474508", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "tool" + ] + }, + "related": [ + { + "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", + "type": "used-by" + } + ], + "uuid": "20e472dd-dc65-40e4-b655-c8b4fae7714a", + "value": "SharpExfiltrate" + }, { "description": "SharpHound is an open-source software utility incorporated into the BloodHound Active Directory (AD) reconnaissance tool.[[GitHub SharpHound](/references/e1c405b4-b591-4469-848c-7a7dd69151c0)] Adversaries have used SharpHound for AD enumeration.[[U.S. CISA Phobos February 29 2024](/references/bd6f9bd3-22ec-42fc-9d85-fdc14dcfa55a)]", "meta": { @@ -21079,6 +23845,10 @@ { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" + }, + { + "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", + "type": "used-by" } ], "uuid": "a202b37f-5c61-410b-bb14-a3e6b2b82833", @@ -21100,6 +23870,10 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" + }, + { + "dest-uuid": "0ba9281c-93fa-4b29-8e9e-7ef918c7b13a", + "type": "similar" } ], "uuid": "564643fd-7113-490e-9f6a-f0cc3f0e1a4c", 
@@ -21124,6 +23898,10 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" + }, + { + "dest-uuid": "73c4711b-407a-449d-b269-e3b1531fe7a9", + "type": "similar" } ], "uuid": "f655306f-f7b4-4eec-9bd6-ac75142fcb43", @@ -21210,6 +23988,10 @@ { "dest-uuid": "8bc69792-c26d-4493-87e3-d8e47605fed8", "type": "used-by" + }, + { + "dest-uuid": "5763217a-05b6-4edd-9bca-057e47b5e403", + "type": "similar" } ], "uuid": "a3287231-351f-472f-96cc-24db2e3829c7", @@ -21231,6 +24013,10 @@ { "dest-uuid": "8bc69792-c26d-4493-87e3-d8e47605fed8", "type": "used-by" + }, + { + "dest-uuid": "115f88dd-0618-4389-83cb-98d33ae81848", + "type": "similar" } ], "uuid": "77d9c948-93e3-4e12-9764-4da7570d9275", @@ -21249,6 +24035,10 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" + }, + { + "dest-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", + "type": "similar" } ], "uuid": "3db0b464-ec5d-4cdd-86c2-62eac9c8acd6", @@ -21270,6 +24060,10 @@ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" + }, + { + "dest-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", + "type": "similar" } ], "uuid": "49351818-579e-4298-9137-03b3dc699e22", @@ -21288,6 +24082,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8", + "type": "similar" } ], "uuid": "5b2d82a6-ed96-485d-bca9-2320590de890", @@ -21312,6 +24110,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "979adb5a-dc30-48f0-9e3d-9a26d866928c", + "type": "similar" } ], "uuid": "ea0a1282-f2bf-4ae0-a19c-d7e379c2309b", @@ -21336,6 +24138,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "df4cd566-ff2f-4d08-976d-8c86e95782de", + "type": "similar" } ], "uuid": "61227a76-d315-4339-803a-e024f96e089e", 
@@ -21353,7 +24159,12 @@ "tool" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1244e058-fa10-48cb-b484-0bcf671107ae", + "type": "similar" + } + ], "uuid": "4765999f-c35e-4a9f-8284-9f10a17e6c34", "value": "SILENTTRINITY" }, @@ -21373,7 +24184,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4fbd565b-bf55-4ac7-80b4-b183a7b64b9c", + "type": "similar" + } + ], "uuid": "8ea75674-cc08-40cf-824c-40eb5cd6097e", "value": "Siloscape" }, @@ -21393,6 +24209,10 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" + }, + { + "dest-uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49", + "type": "similar" } ], "uuid": "206453a4-a298-4cab-9fdf-f136a4e0c761", @@ -21410,7 +24230,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4b68b5ea-2e1b-4225-845b-8632f702b9a0", + "type": "similar" + } + ], "uuid": "cc91d3d4-bbf5-4a9c-b43a-2ba034db4858", "value": "Skidmap" }, @@ -21431,6 +24256,10 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" + }, + { + "dest-uuid": "d1008b78-960c-4b36-bdc4-39a734e1e4e3", + "type": "similar" } ], "uuid": "c8fed4fc-5721-5db2-b107-b2a9b677244e", @@ -21461,6 +24290,10 @@ { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" + }, + { + "dest-uuid": "11f8d7eb-1927-4806-9267-3a11d4d4d6be", + "type": "similar" } ], "uuid": "bbd16b7b-7e35-4a11-86ff-9b19e17bdab3", @@ -21478,7 +24311,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "feb2d7bb-aacb-48df-ad04-ccf41a30cd90", + "type": "similar" + } + ], "uuid": "563c6534-497e-4d65-828c-420d5bb2041a", "value": "SLOTHFULMEDIA" }, @@ -21498,6 +24336,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16", + "type": "similar" } ], "uuid": "7c047a54-93cf-4dfc-ab20-d905791aebb2", 
@@ -21519,6 +24361,10 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" + }, + { + "dest-uuid": "f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4", + "type": "similar" } ], "uuid": "37e264a6-5ad3-5a79-bf2c-db725622206e", @@ -21543,6 +24389,10 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" + }, + { + "dest-uuid": "ff41b9b6-4c1d-407b-a7e2-835109c8dbc5", + "type": "similar" } ], "uuid": "c58028b9-2e79-4bc9-9b04-d24ea4dd4948", @@ -21563,7 +24413,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "7e0f8b0f-716e-494d-827e-310bd6ed709e", + "type": "similar" + } + ], "uuid": "9ae4154d-ee48-4aeb-b76f-6e40dbe18ff3", "value": "SMOKEDHAM" }, @@ -21593,6 +24448,10 @@ { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" + }, + { + "dest-uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0", + "type": "similar" } ], "uuid": "2244253f-a4ad-4ea9-a4bf-fa2f4d895853", @@ -21614,6 +24473,10 @@ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" + }, + { + "dest-uuid": "4327aff5-f194-440c-b499-4d9730cc1eab", + "type": "similar" } ], "uuid": "f587dc27-92be-5894-a4a8-d6c8bbcf8ede", @@ -21635,6 +24498,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", + "type": "similar" } ], "uuid": "d6c24f7c-fe79-4094-8f3c-68c4446ae4c7", @@ -21659,6 +24526,10 @@ { "dest-uuid": "0898e7cb-118e-5eeb-b856-04e56ed18182", "type": "used-by" + }, + { + "dest-uuid": "5911d2ca-64f6-49b3-b94f-29b5d185085c", + "type": "similar" } ], "uuid": "ab84f259-9b9a-51d8-a68a-2bcd7512d760", @@ -21676,7 +24547,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "e494ad79-37ee-4cd0-866b-299c521d8b94", + "type": "similar" + } + ], "uuid": "c1906bb6-0b5b-4916-8b29-37f7e272f6b3", "value": "Socksbot" }, 
@@ -21699,6 +24575,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "94d6d788-07bb-4dcc-b62f-e02626b00108", + "type": "similar" } ], "uuid": "6ecd970c-427b-4421-a831-69f46047d22a", @@ -21790,6 +24670,10 @@ "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, + { + "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", + "type": "used-by" + }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" @@ -21813,7 +24697,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "425771c5-48b4-4ecd-9f95-74ed3fc9da59", + "type": "similar" + } + ], "uuid": "0ec24158-d5d7-4d2e-b5a5-bc862328a317", "value": "SombRAT" }, @@ -21836,6 +24725,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "e33e4603-afab-402d-b2a1-248d435b5fe0", + "type": "similar" } ], "uuid": "3e959586-14ff-407b-a0d0-4e9580546f3f", @@ -21857,6 +24750,10 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" + }, + { + "dest-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", + "type": "similar" } ], "uuid": "069538a5-3cb8-4eb4-9fbb-83867bb4d826", @@ -21878,6 +24775,10 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" + }, + { + "dest-uuid": "8b880b41-5139-4807-baa9-309690218719", + "type": "similar" } ], "uuid": "0f8d0a73-9cd3-475a-b31b-d457278c921a", @@ -21902,6 +24803,10 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" + }, + { + "dest-uuid": "03ea629c-517a-41e3-94f8-c7e5368cf8f4", + "type": "similar" } ], "uuid": "93f8c180-6794-4e9c-b716-6b31f42eb72d", @@ -21920,7 +24825,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a5575606-9b85-4e3d-9cd2-40ef30e3672d", + "type": "similar" + } + ], "uuid": "b9b67878-4eb1-4a0b-9b36-a798881ed566", "value": "SpeakUp" }, 
@@ -21997,6 +24907,10 @@ { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" + }, + { + "dest-uuid": "599cd7b5-37b5-4cdd-8174-2811531ce9d0", + "type": "similar" } ], "uuid": "2be9e22d-0af8-46f5-b30e-b3712ccf716d", @@ -22053,6 +24967,10 @@ "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, + { + "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", + "type": "used-by" + }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" @@ -22108,6 +25026,10 @@ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" + }, + { + "dest-uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4", + "type": "similar" } ], "uuid": "0fdabff3-d996-493c-af67-f3ac02e4b00b", @@ -22152,6 +25074,10 @@ { "dest-uuid": "e38bcb42-12c1-4202-a794-ec26cd830caa", "type": "used-by" + }, + { + "dest-uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555", + "type": "similar" } ], "uuid": "96c224a6-6ca4-4ac1-9990-d863ec5a317a", @@ -22195,6 +25121,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", + "type": "similar" } ], "uuid": "612f780a-239a-4bd0-a29f-63beadf3ed22", @@ -22258,7 +25188,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "3c18ad16-9eaf-4649-984e-68551bff0d47", + "type": "similar" + } + ], "uuid": "46943a69-0b19-4d3a-b2a3-1302e85239a3", "value": "Squirrelwaffle" }, @@ -22302,6 +25237,10 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" + }, + { + "dest-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", + "type": "similar" } ], "uuid": "3334a124-3e74-4a90-8ed1-55eea3274b19", @@ -22323,6 +25262,10 @@ { "dest-uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577", "type": "used-by" + }, + { + "dest-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", + "type": "similar" } ], "uuid": "fc18e220-2200-4d70-a426-0700ba14c4c0", 
@@ -22347,6 +25290,10 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" + }, + { + "dest-uuid": "e355fc84-6f3c-4888-8e0a-d7fa9c378532", + "type": "similar" } ], "uuid": "764c6121-2d15-4a10-ac53-b1c431dc8b47", @@ -22364,7 +25311,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ca0fead6-5277-427a-825b-42ff1fbe476e", + "type": "similar" + } + ], "uuid": "ea561f0b-b891-5735-aa99-97cc8818fbef", "value": "STEADYPULSE" }, 
@@ -22436,11 +25388,37 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887", + "type": "similar" } ], "uuid": "9eee52a2-5ac1-4561-826c-23ec7fbc7876", "value": "StoneDrill" }, + { + "description": "STONESTOP refers to the loader capability associated with the malicious kernel driver POORTRY, which has been used by multiple ransomware groups since 2022.[[Sophos News August 27 2024](/references/af1dfc7b-fdc2-448f-a4bf-34f8ee7d55bc)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S5337", + "source": "Tidal Cyber", + "tags": [ + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "9bfeb8a3-5a5e-4e66-acfd-0b84d74e0e0d", + "value": "STONESTOP" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Storage diagnostic tool\n\n**Author:** Eral4m\n\n**Paths:**\n* c:\\windows\\system32\\stordiag.exe\n* c:\\windows\\syswow64\\stordiag.exe\n\n**Resources:**\n* [https://twitter.com/eral4m/status/1451112385041911809](https://twitter.com/eral4m/status/1451112385041911809)\n\n**Detection:**\n* Sigma: [proc_creation_win_stordiag_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml)\n* IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\\windows\\system32\\ or c:\\windows\\syswow64\\[[Stordiag.exe - LOLBAS Project](/references/5e52a211-7ef6-42bd-93a1-5902f5e1c2ea)]", 
"meta": { @@ -22479,6 +25457,10 @@ { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" + }, + { + "dest-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", + "type": "similar" } ], "uuid": "502b490c-2067-40a4-8f73-7245d7910851", @@ -22503,6 +25485,10 @@ { "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c", "type": "used-by" + }, + { + "dest-uuid": "fb78294a-7d7a-4d38-8ad0-92e67fddc9f0", + "type": "similar" } ], "uuid": "dd8bb0a3-6cb1-412d-adeb-cbaae98462a9", @@ -22524,6 +25510,10 @@ { "dest-uuid": "cc798766-8662-4b55-8536-6d057fbc58f0", "type": "used-by" + }, + { + "dest-uuid": "20945359-3b39-4542-85ef-08ecb4e1c174", + "type": "similar" } ], "uuid": "ed563524-235e-4e06-8c69-3f9d8ddbfd8a", @@ -22545,7 +25535,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "088f1d6e-0783-47c6-9923-9c79b2af43d4", + "type": "similar" + } + ], "uuid": "3fdf3833-fca9-4414-8d2e-779dabc4ee31", "value": "Stuxnet" }, @@ -22561,7 +25556,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", + "type": "similar" + } + ], "uuid": "b19b6c38-d38b-46f2-a535-d0bfc5790368", "value": "S-Type" }, @@ -22577,7 +25577,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9c10cede-c0bb-4c5c-91c0-8baec30abaf6", + "type": "similar" + } + ], "uuid": "6ff7bf2e-286c-4b1b-92a0-1e5322870c59", "value": "SUGARDUMP" }, @@ -22593,7 +25598,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "44e2a842-415b-47f4-8549-83fbdb8a5674", + "type": "similar" + } + ], "uuid": "004c781a-3d7d-446b-9677-a042c8f6566e", "value": "SUGARUSH" }, @@ -22616,6 +25626,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "a8839c95-029f-44cf-8f3d-a3cf2039e927", + "type": "similar" } ], "uuid": "6b04e98e-c541-4958-a8a5-d433e575ce78", 
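Review bot: The new `STONESTOP` entry (hunk `@@ -22436,11 +25388,37 @@`, which starts on the previous physical line) describes it as "the loader capability associated with the malicious kernel driver POORTRY" and notes use "by multiple ransomware groups since 2022", yet its `related` array is empty. If POORTRY and those groups have objects in this cluster set, the description implies a `similar` (or `used-by`) relation that this entry does not record, so the narrative and the graph disagree; if they do not, a short note in the description saying the link is not yet modelled would avoid readers searching for it. The remaining hunks on this line only add `similar` links and need no separate note.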
@@ -22641,6 +25655,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "bf48e7f8-752c-4ce8-bf8f-748edacd8fa6", + "type": "similar" } ], "uuid": "66966a12-3db3-4e43-a7e8-6c6836ccd8fe", @@ -22658,7 +25676,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b2b0b946-be0a-4a7f-9c32-a2e5211d1cd9", + "type": "similar" + } + ], "uuid": "f02abaee-237b-4891-bb5d-30ca86dfc2c8", "value": "SUPERNOVA" }, @@ -22677,7 +25700,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "7230ded7-3b1a-4d6e-9735-d0ffd47af9f6", + "type": "similar" + } + ], "uuid": "a8110f81-5ee9-5819-91ce-3a57aa330dcb", "value": "SVCReady" }, @@ -22693,7 +25721,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", + "type": "similar" + } + ], "uuid": "ae749f9c-cf46-42ce-b0b8-f0be8660e3f3", "value": "Sykipot" }, @@ -22713,7 +25746,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "04227b24-7817-4de1-9050-b7b1b57f5866", + "type": "similar" + } + ], "uuid": "19ae8345-745e-4872-8a29-d56c8800d626", "value": "SynAck" }, @@ -22776,7 +25814,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "84c1ecc6-e5a2-4e8a-bf4b-651a618e0053", + "type": "similar" + } + ], "uuid": "69ab291d-5066-4e47-9862-1f5c7bac7200", "value": "SYNful Knock" }, @@ -22796,6 +25839,10 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" + }, + { + "dest-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", + "type": "similar" } ], "uuid": "2df35a92-2295-417a-af5a-ba5c943ef40d", @@ -22816,7 +25863,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "edf5aee2-9b1c-4252-8e64-25b12f14c8b3", + "type": "similar" + } + ], "uuid": "ea556a8d-4959-423f-a2dd-622d0497d484", "value": "SYSCON" }, 
@@ -22852,6 +25904,7 @@ "software_attack_id": "S5058", "source": "Tidal Cyber", "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], @@ -22860,6 +25913,10 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" @@ -22899,10 +25956,6 @@ ] }, "related": [ - { - "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", - "type": "used-by" - }, { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" @@ -22915,6 +25968,10 @@ "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, + { + "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", + "type": "used-by" + }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" @@ -22942,6 +25999,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", + "type": "similar" } ], "uuid": "cecea681-a753-47b5-9d77-c10a5b4403ab", @@ -22964,6 +26025,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "c009560a-f097-45a3-8f9f-78ec1440a783", + "type": "similar" } ], "uuid": "148d587c-3b1e-4e71-bdfb-8c37005e7e77", @@ -22981,7 +26046,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", + "type": "similar" + } + ], "uuid": "c5647cc4-0d46-4a41-8591-9179737747a2", "value": "T9000" }, @@ -23026,7 +26096,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b143dfa4-e944-43ff-8429-bfffc308c517", + "type": "similar" + } + ], "uuid": "9334df79-9023-44bb-bc28-16c1f07b836b", "value": "Taidoor" }, 
@@ -23075,6 +26150,10 @@
 {
 "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "7f4bbe05-1674-4087-8a16-8f1ad61b6152",
+ "type": "similar"
 }
 ],
 "uuid": "1548c94a-fb4d-43d8-9956-ea26f5cc552f",
@@ -23092,10 +26171,42 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "type": "similar"
+ }
+ ],
 "uuid": "b1b7a8d9-6df3-4e89-8622-a6eea3da729b",
 "value": "TajMahal"
 },
+ {
+ "description": "TAMECAT is a custom backdoor developed and used by Iranian espionage group APT42. It is usually delivered via phishing attacks and serves as a post-compromise command execution and malware ingress capability.[[Mandiant Uncharmed May 1 2024](/references/84c0313a-bea1-44a7-9396-8e12437852d1)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S5334",
+ "source": "Tidal Cyber",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ce126445-6984-45bb-9737-35448f06f27b",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "8d00b893-7492-4a67-a9b0-d817c5a21603",
+ "value": "TAMECAT"
+ },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to extract and create archives.\n\n**Author:** Brian Lucero\n\n**Paths:**\n* C:\\Windows\\System32\\tar.exe\n\n**Resources:**\n* [https://twitter.com/Cyber_Sorcery/status/1619819249886969856](https://twitter.com/Cyber_Sorcery/status/1619819249886969856)\n\n**Detection:**\n* IOC: tar.exe extracting files from a remote host within the environment[[Tar.exe - LOLBAS Project](/references/e5f54ded-3ec1-49c1-9302-6b9f372d5015)]",
 "meta": {
@@ -23133,6 +26244,10 @@
 {
 "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "988976ff-beeb-4fb5-b07d-ca7437ea66e8",
+ "type": "similar"
 }
 ],
 "uuid": "7bb9d181-4405-4938-bafb-b13cc98b6cd8",
@@ -23157,10 +26272,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
- "type": "used-by"
- },
 {
 "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
 "type": "used-by"
@@ -23169,6 +26280,10 @@
 "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
 "type": "used-by"
@@ -23204,6 +26319,10 @@
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
+ "type": "similar"
 }
 ],
 "uuid": "abae8f19-9497-4a71-82b6-ae6edd26ad98",
@@ -23221,6 +26340,13 @@
 "software_attack_id": "S5267",
 "source": "Tidal Cyber",
 "tags": [
+ "96d58ca1-ab18-4e53-8891-d8ba62a47e5d",
+ "758c3085-2f79-40a8-ab95-f8a684737927",
+ "1dc8fd1e-0737-405a-98a1-111dd557f1b5",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "35e694ec-5133-46e3-b7e1-5831867c3b55",
 "02495172-1563-48e7-8ac2-98463bd85e9d",
 "6070668f-1cbd-4878-8066-c636d1d8659c",
 "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
@@ -23287,6 +26413,10 @@
 {
 "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a",
+ "type": "similar"
 }
 ],
 "uuid": "e7116740-fe7c-45e2-b98d-0c594a7dff2f",
@@ -23424,6 +26554,10 @@
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "32f49626-87f4-4d6c-8f59-a0dca953fe26",
+ "type": "similar"
 }
 ],
 "uuid": "bae20f59-469c-451c-b4ca-70a9a04a1574",
@@ -23522,6 +26656,10 @@
 {
 "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
+ "type": "similar"
 }
 ],
 "uuid": "49d0ae81-d51b-4534-b1e0-08371a47ef79",
@@ -23544,7 +26682,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "727afb95-3d0f-4451-b297-362a43909923",
+ "type": "similar"
+ }
+ ],
 "uuid": "2ed5f691-68eb-49dd-b730-793dc8a7d134",
 "value": "ThiefQuest"
 },
@@ -23564,6 +26707,10 @@
 {
 "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "16040b1c-ed28-4850-9d8f-bb8b81c42092",
+ "type": "similar"
 }
 ],
 "uuid": "b31c7b8e-dbdd-4ad5-802e-dcdc72b7462e",
@@ -23604,6 +26751,33 @@
 "uuid": "8fe38eda-30be-4c88-ae76-ac6ebc89d66b",
 "value": "ThunderShell"
 },
+ {
+ "description": "Tickler is a custom multi-stage backdoor deployed by Iranian state-sponsored espionage group Peach Sandstorm (APT33) in compromises in Q2 and Q3 2024.[[Microsoft Security Blog August 28 2024](/references/940c0755-18df-4fcb-9691-9f2eb45e6441)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S5335",
+ "source": "Tidal Cyber",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "b39d2bea-83f4-4450-b331-3c39dff89ee8",
+ "value": "Tickler"
+ },
 {
 "description": "According to its project page, TightVNC is a free and open-source remote desktop software tool that is Virtual Network Computing (VNC)-compatible. It is designed to enable remote access to other systems.[[TightVNC Software Project Page](/references/e1725230-4f6c-47c5-8e30-90dfb01a75d7)]",
 "meta": {
@@ -23616,6 +26790,8 @@
 "software_attack_id": "S5015",
 "source": "Tidal Cyber",
 "tags": [
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
 "509a90c7-9ca9-4b23-bca2-cd38ef6a6207",
@@ -23665,6 +26841,10 @@
 {
 "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "2a7c1bb7-cd12-456e-810d-ab3bf8457bab",
+ "type": "similar"
 }
 ],
 "uuid": "39f0371c-b755-4655-a97e-82a572f2fae4",
@@ -23686,6 +26866,10 @@
 {
 "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca",
+ "type": "similar"
 }
 ],
 "uuid": "0e009cb8-848e-427a-9581-d3a4fd9f6a87",
@@ -23707,6 +26891,10 @@
 {
 "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
+ "type": "similar"
 }
 ],
 "uuid": "277290fe-51f3-4822-bb46-8b69fd1c8ae5",
@@ -23724,7 +26912,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "327b3a25-9e60-4431-b3b6-93b9c64eacbc",
+ "type": "similar"
+ }
+ ],
 "uuid": "eff417ad-c775-4a95-9f36-a1b5a675ba82",
 "value": "Tomiris"
 },
@@ -23750,6 +26943,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "42a7c134-c574-430b-8105-bf7a00e742ae",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf",
 "type": "used-by"
@@ -23773,6 +26970,10 @@
 {
 "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
+ "type": "similar"
 }
 ],
 "uuid": "8c70d85b-b06d-423c-8bab-ecff18f332d6",
@@ -23790,7 +26991,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "0715560d-4299-4e84-9e20-6e80ab57e4f2",
+ "type": "similar"
+ }
+ ],
 "uuid": "4bce135b-91ba-45ae-88f9-09e01f983a74",
 "value": "Torisma"
 },
@@ -23835,6 +27041,10 @@
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "bdad6f3b-de88-42fa-9295-d29b5271808e",
+ "type": "similar"
 }
 ],
 "uuid": "7a6ae9f8-5f8b-4e94-8716-d8ee82027197",
@@ -23867,6 +27077,10 @@
 {
 "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "00806466-754d-44ea-ad6f-0caf59cb8556",
+ "type": "similar"
 }
 ],
 "uuid": "c2bd4213-fc7b-474f-b5a0-28145b07c51d",
@@ -23888,6 +27102,10 @@
 {
 "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d",
+ "type": "similar"
 }
 ],
 "uuid": "b88c4891-40da-4832-ba42-6c6acd455bd1",
@@ -23905,7 +27123,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec",
+ "type": "similar"
+ }
+ ],
 "uuid": "f8a4213d-633b-4e3d-8e59-a769e852b93b",
 "value": "Trojan.Mebromi"
 },
@@ -23962,6 +27185,10 @@
 {
 "dest-uuid": "cc798766-8662-4b55-8536-6d057fbc58f0",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad",
+ "type": "similar"
 }
 ],
 "uuid": "50844dba-8999-42ba-ba29-511e3faf4bc3",
@@ -23983,6 +27210,10 @@
 {
 "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "type": "similar"
 }
 ],
 "uuid": "9872ab5a-c76e-4404-91f9-5b745722443b",
@@ -24074,6 +27305,10 @@
 {
 "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "350f12cf-fd3b-4dad-b323-14b943090df4",
+ "type": "similar"
 }
 ],
 "uuid": "571a45a7-68c9-452c-99bf-1d5b5fdd08b3",
@@ -24095,6 +27330,10 @@
 {
 "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c",
+ "type": "similar"
 }
 ],
 "uuid": "c7f10715-cf13-4360-8511-aa3f93dd7688",
@@ -24119,6 +27358,10 @@
 {
 "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5",
+ "type": "similar"
 }
 ],
 "uuid": "6c93d3c4-cae5-48a9-948d-bc5264230316",
@@ -24137,7 +27380,12 @@
 "tool"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
+ "type": "similar"
+ }
+ ],
 "uuid": "5788edee-d1b7-4406-9122-bee596362236",
 "value": "UACMe"
 },
@@ -24153,7 +27401,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f",
+ "type": "similar"
+ }
+ ],
 "uuid": "5214ae01-ccd5-4e97-8f9c-14eb16e75544",
 "value": "UBoatRAT"
 },
@@ -24169,7 +27422,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "3d8e547d-9456-4f32-a895-dc86134e282f",
+ "type": "similar"
+ }
+ ],
 "uuid": "227c12df-8126-4e79-b9bd-0e4633fa12fa",
 "value": "Umbreon"
 },
@@ -24219,6 +27477,10 @@
 {
 "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56",
+ "type": "similar"
 }
 ],
 "uuid": "846b3762-3949-4501-b781-6dca22db088f",
@@ -24283,6 +27545,10 @@
 {
 "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa",
+ "type": "similar"
 }
 ],
 "uuid": "a3c211f8-52aa-4bfd-8382-940f2194af28",
@@ -24331,6 +27597,10 @@
 {
 "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4",
+ "type": "similar"
 }
 ],
 "uuid": "89ffc27c-b81f-473a-87d6-907cacdce61c",
@@ -24354,6 +27624,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5",
 "type": "used-by"
@@ -24365,6 +27639,10 @@
 {
 "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "1492d0f8-7e14-4af3-9239-bc3fe10d3407",
+ "type": "similar"
 }
 ],
 "uuid": "3e501609-87e4-4c47-bd88-5054be0f1037",
@@ -24386,6 +27664,10 @@
 {
 "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "75bba379-4ba1-467e-8c60-ec2b269ee984",
+ "type": "similar"
 }
 ],
 "uuid": "26d93db8-dbc3-44b5-a393-2b219cef4f5b",
@@ -24410,6 +27692,10 @@
 {
 "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
+ "type": "similar"
 }
 ],
 "uuid": "50eab018-8d52-46f5-8252-95942c2c0a89",
@@ -24455,6 +27741,10 @@
 {
 "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "ade37ada-14af-4b44-b36c-210eec255d53",
+ "type": "similar"
 }
 ],
 "uuid": "b149f12f-3cf4-4547-841d-c63b7677547d",
@@ -24479,6 +27769,10 @@
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "96eca9b9-b37f-42f1-96dc-a2c441403194",
+ "type": "similar"
 }
 ],
 "uuid": "63940761-8dea-4362-8795-7bc0653ce1d4",
@@ -24500,6 +27794,10 @@
 {
 "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5",
+ "type": "similar"
 }
 ],
 "uuid": "fe116518-cd0c-4b10-8190-4f57208df4e4",
@@ -24543,6 +27841,10 @@
 {
 "dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "8caa18af-4758-4fd3-9600-e8af579e89ed",
+ "type": "similar"
 }
 ],
 "uuid": "150b6079-bb10-48a8-b570-fbe8b0e3287c",
@@ -24606,7 +27908,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "5189f018-fea2-45d7-b0ed-23f9ee0a46f3",
+ "type": "similar"
+ }
+ ],
 "uuid": "afa4023f-aa2e-45d6-bb3c-38e61f876eac",
 "value": "VERMIN"
 },
@@ -24676,6 +27983,10 @@
 {
 "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
+ "type": "similar"
 }
 ],
 "uuid": "7fcfba45-5752-4f0c-8023-db67729ae34e",
@@ -24885,6 +28196,10 @@
 {
 "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661",
+ "type": "similar"
 }
 ],
 "uuid": "6e7d1bcf-a308-4861-8aa5-0f4c6f126b0a",
@@ -24902,7 +28217,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "a5818d36-e9b0-46da-842d-b727a5e36ea6",
+ "type": "similar"
+ }
+ ],
 "uuid": "9a592b49-1701-5e4c-95cf-9b8c98b80527",
 "value": "WARPWIRE"
 },
@@ -24937,6 +28257,10 @@
 {
 "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "fde19a18-e502-467f-be14-58c71b4e7f4b",
+ "type": "similar"
 }
 ],
 "uuid": "cfebe868-15cb-4be5-b7ed-38b52f2a0722",
@@ -24962,6 +28286,10 @@
 {
 "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "46cbafbc-8907-42d3-9002-5327c26f8927",
+ "type": "similar"
 }
 ],
 "uuid": "0ba6ee8d-2b29-4980-8e55-348ea05f00ad",
@@ -24983,6 +28311,10 @@
 {
 "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "f3f1fbed-7e29-49cb-8579-4a378f858deb",
+ "type": "similar"
 }
 ],
 "uuid": "56872a5b-dc01-455c-85d5-06c577abb030",
@@ -25007,6 +28339,10 @@
 {
 "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "1d808f62-cf63-4063-9727-ff6132514c22",
+ "type": "similar"
 }
 ],
 "uuid": "f228af8f-8938-4836-9461-c6ca220ed7c5",
@@ -25031,6 +28367,10 @@
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "959f3b19-2dc8-48d5-8942-c66813a5101a",
+ "type": "similar"
 }
 ],
 "uuid": "b936a1b3-5493-4d6c-9b69-29addeace418",
@@ -25056,6 +28396,10 @@
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "3a4197ae-ec63-4162-907b-9a073d1157e4",
+ "type": "similar"
 }
 ],
 "uuid": "20725ec7-ee35-44cf-bed6-91158aa03ce4",
@@ -25097,6 +28441,10 @@
 "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
 "type": "used-by"
@@ -25104,6 +28452,10 @@
 {
 "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "f91162cc-1686-4ff8-8115-bf3f61a4cc7a",
+ "type": "similar"
 }
 ],
 "uuid": "2bcbcea6-192a-4501-aab1-1edde53875fa",
@@ -25150,6 +28502,10 @@
 {
 "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "49fee0b0-390e-4bde-97f8-97ed46bd19b7",
+ "type": "similar"
 }
 ],
 "uuid": "791f0afd-c2c4-4e23-8aee-1d14462667f5",
@@ -25171,6 +28527,10 @@
 {
 "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "039814a0-88de-46c5-a4fb-b293db21880a",
+ "type": "similar"
 }
 ],
 "uuid": "7b393608-c141-48af-ae3d-3eff13c3e01c",
@@ -25219,6 +28579,10 @@
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
+ "type": "similar"
 }
 ],
 "uuid": "7c2c44d7-b307-4e13-b181-52352975a6f5",
@@ -25237,6 +28601,10 @@
 {
 "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c",
+ "type": "similar"
 }
 ],
 "uuid": "ed50dcf7-e283-451e-95b1-a8485f8dd214",
@@ -25258,6 +28626,10 @@
 {
 "dest-uuid": "4e880d01-313a-4926-8470-78c48824aa82",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "type": "similar"
 }
 ],
 "uuid": "3afe711d-ed58-4c94-a9b6-9c847e1e8a2f",
@@ -25276,6 +28648,10 @@
 {
 "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "49abab73-3c5c-476e-afd5-69b5c732d845",
+ "type": "similar"
 }
 ],
 "uuid": "5f994df7-55b0-4383-8ebc-506d4987292a",
@@ -25295,13 +28671,17 @@
 "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "d428f9be-6faf-4d57-b677-4a927fea5f7e",
 "type": "used-by"
 },
 {
- "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50",
- "type": "used-by"
+ "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d",
+ "type": "similar"
 }
 ],
 "uuid": "65d5b524-0e84-417d-9884-e2c501abfacd",
@@ -25323,6 +28703,10 @@
 {
 "dest-uuid": "3a660ef3-9954-4252-8946-f903f3f42d0c",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654",
+ "type": "similar"
 }
 ],
 "uuid": "3e70078f-407e-4b03-b604-bdc05b372f37",
@@ -25366,6 +28750,10 @@
 {
 "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "22addc7b-b39f-483d-979a-1b35147da5de",
+ "type": "similar"
 }
 ],
 "uuid": "e10423c2-71a7-4878-96ba-343191136c19",
@@ -25391,6 +28779,10 @@
 {
 "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "8787e86d-8475-4f13-acea-d33eb83b6105",
+ "type": "similar"
 }
 ],
 "uuid": "e384e711-0796-4cbc-8854-8c3f939faf57",
@@ -25412,6 +28804,10 @@
 {
 "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21",
+ "type": "similar"
 }
 ],
 "uuid": "245c216e-41c3-4dec-8b23-bfc7c6a46d6e",
@@ -25427,6 +28823,10 @@
 "software_attack_id": "S5081",
 "source": "Tidal Cyber",
 "tags": [
+ "af5e9be5-b86e-47af-91dd-966a5e34a186",
+ "27a117ce-bb19-4f79-9bc2-a851b69c5c50",
+ "6070668f-1cbd-4878-8066-c636d1d8659c",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
 "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
 "cc4ea215-87ce-4351-9579-cf527caf5992",
 "e551ae97-d1b4-484e-9267-89f33829ec2c",
@@ -25442,6 +28842,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
 "type": "used-by"
@@ -25490,6 +28894,9 @@
 "software_attack_id": "S5046",
 "source": "Tidal Cyber",
 "tags": [
+ "27a117ce-bb19-4f79-9bc2-a851b69c5c50",
+ "6070668f-1cbd-4878-8066-c636d1d8659c",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
 "d903e38b-600d-4736-9e3b-cf1a6e436481",
 "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
 "cc4ea215-87ce-4351-9579-cf527caf5992",
@@ -25512,6 +28919,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
 "type": "used-by"
@@ -25540,6 +28951,10 @@
 "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342",
 "type": "used-by"
@@ -25588,7 +29003,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085",
+ "type": "similar"
+ }
+ ],
 "uuid": "627e05c2-c02e-433e-9288-c2d78bce156f",
 "value": "Wiper"
 },
@@ -25604,7 +29024,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "c93e3079-43fb-4d8d-9e99-db63d07eadc9",
+ "type": "similar"
+ }
+ ],
 "uuid": "93b02819-8acc-5d7d-ad11-abb33f9309cc",
 "value": "WIREFIRE"
 },
@@ -25683,6 +29108,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
 "type": "used-by"
@@ -25706,6 +29135,10 @@
 {
 "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3",
+ "type": "used-by"
 }
 ],
 "uuid": "24f3b066-a533-4b6c-a590-313a67154ba0",
@@ -25723,7 +29156,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "3bc7e862-5610-4c02-9c48-15b2e2dc1ddb",
+ "type": "similar"
+ }
+ ],
 "uuid": "1f374a54-c839-5139-b755-555c66a21c12",
 "value": "Woody RAT"
 },
@@ -25769,11 +29207,11 @@
 },
 "related": [
 {
- "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d",
+ "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
 },
 {
- "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
+ "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d",
 "type": "used-by"
 }
 ],
@@ -25888,6 +29326,10 @@
 {
 "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
+ "type": "similar"
 }
 ],
 "uuid": "6f411b69-6643-4cc7-9cbd-e15d9219e99c",
@@ -25906,7 +29348,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "6a92d80f-cc65-45f6-aa66-3cdea6786b3c",
+ "type": "similar"
+ }
+ ],
 "uuid": "ab442140-0761-4227-bd9e-151da5d0a04f",
 "value": "Xbash"
 },
@@ -25926,6 +29373,10 @@
 {
 "dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "21583311-6321-4891-8a37-3eb4e57b0fb1",
+ "type": "similar"
 }
 ],
 "uuid": "11a0dff4-1dc8-4553-8a38-90a07b01bfcd",
@@ -25944,6 +29395,10 @@
 {
 "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b",
+ "type": "similar"
 }
 ],
 "uuid": "d943d3d9-3a99-464f-94f0-95aa7963d858",
@@ -26000,7 +29455,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "e14085cb-0e8d-4be6-92ba-e3b93ee5978f",
+ "type": "similar"
+ }
+ ],
 "uuid": "3672ecfa-20bf-4d69-948d-876be343563f",
 "value": "XCSSET"
 },
@@ -26096,6 +29556,10 @@
 {
 "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
+ "type": "similar"
 }
 ],
 "uuid": "133136f0-7254-4cec-8710-0ab99d5da4e5",
@@ -26166,6 +29630,10 @@
 {
 "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3",
+ "type": "similar"
 }
 ],
 "uuid": "0844bc42-5c29-47c3-b1b3-6bfffbf1732a",
@@ -26213,7 +29681,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "0817aaf2-afea-4c32-9285-4dcd1df5bf14",
+ "type": "similar"
+ }
+ ],
 "uuid": "e0962ff7-5524-4683-9b95-0e4ba07dccb2",
 "value": "yty"
 },
@@ -26236,6 +29709,10 @@
 {
 "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "a4f57468-fbd5-49e4-8476-52088220b92d",
+ "type": "similar"
 }
 ],
 "uuid": "e317b8a6-1722-4017-be33-717a5a93ef1c",
@@ -26250,7 +29727,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "552462b9-ae79-49dd-855c-5973014e157f",
+ "type": "similar"
+ }
+ ],
 "uuid": "2f52b513-5293-4833-9c4d-b120e7a84341",
 "value": "Zeroaccess"
 },
@@ -26273,6 +29755,10 @@
 {
 "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f",
+ "type": "similar"
 }
 ],
 "uuid": "f51df90e-ea1b-4eeb-9aff-ec5abf4a5dfd",
@@ -26293,7 +29779,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "198db886-47af-4f4c-bff5-11b891f85946",
+ "type": "similar"
+ }
+ ],
 "uuid": "be8add13-40d7-495e-91eb-258d3a4711bc",
 "value": "Zeus Panda"
 },
@@ -26331,7 +29822,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "d9765cbd-4c88-4805-ba98-4c6ccb56b864",
+ "type": "similar"
+ }
+ ],
 "uuid": "976a7797-3008-5316-9e28-19c9a05959d0",
 "value": "ZIPLINE"
 },
@@ -26347,7 +29843,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
+ "type": "similar"
+ }
+ ],
 "uuid": "1ac8d363-2903-43da-9c1d-2b28179638c8",
 "value": "ZLib"
 },
@@ -26395,6 +29896,10 @@
 {
 "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "fb28627c-d6ea-4c35-b138-ab5e96ae5445",
+ "type": "similar"
 }
 ],
 "uuid": "75dd9acb-fcff-4b0b-b45b-f943fb589d78",
@@ -26415,7 +29920,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "54e8672d-5338-4ad1-954a-a7c986bee530",
+ "type": "similar"
+ }
+ ],
 "uuid": "49314d4e-dc04-456f-918e-a3bedfc3192a",
 "value": "zwShell"
 },
@@ -26439,6 +29949,10 @@
 "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec",
 "type": "used-by"
@@ -26448,8 +29962,8 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
- "type": "used-by"
+ "dest-uuid": "cfc75b0d-e579-40ae-ad07-a1ce00d49a6c",
+ "type": "similar"
 }
 ],
 "uuid": "eea89ff2-036d-4fa6-bbed-f89502c62318",
@@ -26471,11 +29985,15 @@
 {
 "dest-uuid": "3a02aa1b-851a-43e1-b83b-58037f3c7025",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "97cfbdc6-504d-41e9-a46c-78a9f806ff0d",
+ "type": "similar"
 }
 ],
 "uuid": "91e1ee26-d6ae-4203-a466-93c9e5019b47",
 "value": "ZxxZ"
 }
 ],
- "version": 2
+ "version": 1
 }
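Review bot: The last hunk lowers the cluster's top-level `version` from 2 to 1 while every other hunk in this commit adds objects and relationships, so the file's version now moves backwards relative to what it describes. Downstream tooling that consumes MISP galaxy clusters generally treats this integer as a monotonically increasing change marker, so a lower value can make this release look older than an already-loaded copy and be silently skipped, leaving consumers without the new `similar` links and the added TAMECAT and Tickler entries. The field should be bumped above the previously published value instead, e.g. `"version": 3` if 2 was the last release; if the reset is intentional (for example to match a separate generator), the commit message should say so.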