{ "type": "bundle", "id": "bundle--99ed7a31-d3fb-4b29-b58b-edb08b5eb4f5", "objects": [ { "type": "indicator", "spec_version": "2.1", "id": "indicator--ca566601-32bf-4a17-a73b-f4033939411d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2019-0708", "pattern": "[vulnerability:name = 'CVE-2019-0708']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K ", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-sms-blaster-busts.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--96bab1bc-d044-44b7-b041-fb90de9aa10c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2019-15126", "pattern": "[vulnerability:name = 'CVE-2019-15126']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Supply chain dependencies: Have you checked your blind spot?", "url": "https://www.welivesecurity.com/en/business-security/supply-chain-dependencies-have-you-checked-your-blind-spot/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0c410aa8-e81f-4b4f-b8bd-ddcfcd9cd7e8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2022-0847", "pattern": "[vulnerability:name = 'CVE-2022-0847']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "New Linux 'Copy Fail' Vulnerability Enables Root Access on M", "url": "https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": 
"2.1", "id": "indicator--0d36787f-f83b-44e1-8509-6f14c9231956", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2023-20198", "pattern": "[vulnerability:name = 'CVE-2023-20198']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "IR Trends Q1 2026: Phishing reemerges as top initial access ", "url": "https://blog.talosintelligence.com/ir-trends-q1-2026/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a767fc65-9ef4-4025-b0d9-8e2bffb671f7", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2023-32434", "pattern": "[vulnerability:name = 'CVE-2023-32434']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Coruna: the framework used in Operation Triangulation", "url": "https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a433aea0-57ef-4681-ab52-b6f77c53055e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2023-33538", "pattern": "[vulnerability:name = 'CVE-2023-33538']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" }, { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--ef295059-ff11-445f-94d2-f2a77b897f19", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2023-38606", "pattern": "[vulnerability:name = 'CVE-2023-38606']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Coruna: the framework used in Operation Triangulation", "url": "https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b7dc6c4f-7fdf-402f-ace6-a24b9ecef19e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2024-1708", "pattern": "[vulnerability:name = 'CVE-2024-1708']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA Adds Actively Exploited ConnectWise and Windows Flaws t", "url": "https://thehackernews.com/2026/04/cisa-adds-actively-exploited.html" }, { "source_name": "CISA KEV: CVE-2024-1708 \u2014 ConnectWise ScreenConnect Path Tra", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "crit", "x_sources": [ "The Hacker News", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--36faa193-2d1f-496f-a1fb-7f9fed87e835", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2024-1709", "pattern": "[vulnerability:name = 'CVE-2024-1709']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA Adds Actively Exploited ConnectWise and Windows Flaws t", "url": "https://thehackernews.com/2026/04/cisa-adds-actively-exploited.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", 
"id": "indicator--ce9331c7-85fa-4ebe-83cc-f88726adf300", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2024-32114", "pattern": "[vulnerability:name = 'CVE-2024-32114']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, Prox", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-290m-defi-hack.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f8cbbefd-8988-42e7-8c72-578b422ec1e9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2024-57046", "pattern": "[vulnerability:name = 'CVE-2024-57046']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, Prox", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-290m-defi-hack.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ce2905dc-3393-40a2-9a8b-fd4a1f1a6db2", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2024-57726", "pattern": "[vulnerability:name = 'CVE-2024-57726']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal De", "url": "https://thehackernews.com/2026/04/cisa-adds-4-exploited-flaws-to-kev-sets.html" }, { "source_name": "CISA KEV: CVE-2024-57726 \u2014 SimpleHelp Missing Authorization ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "crit", "x_sources": [ "The Hacker News", "CISA KEV" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--9147529a-d7e8-4357-875c-d99b6ad5958f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2024-57728", "pattern": "[vulnerability:name = 'CVE-2024-57728']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal De", "url": "https://thehackernews.com/2026/04/cisa-adds-4-exploited-flaws-to-kev-sets.html" }, { "source_name": "CISA KEV: CVE-2024-1708 \u2014 ConnectWise ScreenConnect Path Tra", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "crit", "x_sources": [ "The Hacker News", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5282c373-2cb0-4e4d-a497-ad80a6be8dda", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2024-7399", "pattern": "[vulnerability:name = 'CVE-2024-7399']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal De", "url": "https://thehackernews.com/2026/04/cisa-adds-4-exploited-flaws-to-kev-sets.html" }, { "source_name": "CISA KEV: CVE-2024-7399 \u2014 Samsung MagicINFO 9 Server Path Tr", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "crit", "x_sources": [ "The Hacker News", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c5f629d0-155c-49ef-b60a-bc5a0b57bd7f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-0921", "pattern": "[vulnerability:name = 'CVE-2025-0921']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of 
CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--27c63794-fb34-4914-aabc-bf981835b239", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-14847", "pattern": "[vulnerability:name = 'CVE-2025-14847']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" }, { "source_name": "CISA KEV: CVE-2025-14847 \u2014 MongoDB and MongoDB Server Improp", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5f70c85e-0ca8-45f5-b1f8-82e5e4695b71", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-20333", "pattern": "[vulnerability:name = 'CVE-2025-20333']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" }, { "source_name": "FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Sur", "url": "https://thehackernews.com/2026/04/firestarter-backdoor-hit-federal-cisco.html" }, { "source_name": "It pays to be a forever student", "url": "https://blog.talosintelligence.com/it-pays-to-be-a-forever-student/" } ], "x_severity": "crit", "x_sources": [ "The Hacker News", "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ed3574ef-04fa-43d7-b27e-24290222e1a5", "created": 
"2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-20362", "pattern": "[vulnerability:name = 'CVE-2025-20362']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" }, { "source_name": "FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Sur", "url": "https://thehackernews.com/2026/04/firestarter-backdoor-hit-federal-cisco.html" }, { "source_name": "It pays to be a forever student", "url": "https://blog.talosintelligence.com/it-pays-to-be-a-forever-student/" } ], "x_severity": "crit", "x_sources": [ "The Hacker News", "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a3354714-d75d-4505-9c91-fbe78b788855", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-20393", "pattern": "[vulnerability:name = 'CVE-2025-20393']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "IR Trends Q1 2026: Phishing reemerges as top initial access ", "url": "https://blog.talosintelligence.com/ir-trends-q1-2026/" }, { "source_name": "CISA KEV: CVE-2025-20393 \u2014 Cisco Multiple Products Improper ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c0241f80-0f62-49c1-a0c9-09d1c3d914e4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-21042", "pattern": "[vulnerability:name = 'CVE-2025-21042']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into 
Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" }, { "source_name": "CISA KEV: CVE-2025-21042 \u2014 Samsung Mobile Devices Out-of-Bou", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4cca8ee3-f831-4bcb-b55d-47085d0d193e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-22952", "pattern": "[vulnerability:name = 'CVE-2025-22952']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, Prox", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-290m-defi-hack.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c0bbc5fe-6c3b-40f8-a1e7-143bc08b210f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-23304", "pattern": "[vulnerability:name = 'CVE-2025-23304']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dd52945f-6b42-4f62-bdba-ded6e516eb03", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-24371", "pattern": "[vulnerability:name = 'CVE-2025-24371']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: 
Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--14f9b47b-75c3-40e5-96e5-52a18f67343a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-29635", "pattern": "[vulnerability:name = 'CVE-2025-29635']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal De", "url": "https://thehackernews.com/2026/04/cisa-adds-4-exploited-flaws-to-kev-sets.html" }, { "source_name": "CISA KEV: CVE-2025-29635 \u2014 D-Link DIR-823X Command Injection", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "crit", "x_sources": [ "The Hacker News", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4d179ad1-37d2-4062-8e99-276ade1161a5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-55182", "pattern": "[vulnerability:name = 'CVE-2025-55182']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The npm Threat Landscape: Attack Surface and Mitigations", "url": "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/" }, { "source_name": "When Wi-Fi Encryption Fails: Protecting Your Enterprise from", "url": "https://unit42.paloaltonetworks.com/air-snitch-enterprise-wireless-attacks/" }, { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--005b9d5c-0505-4633-82e9-233fc95fbbe9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-59287", "pattern": "[vulnerability:name = 'CVE-2025-59287']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--97e4c76f-7be0-4c03-8e64-4236eabbde21", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-66478", "pattern": "[vulnerability:name = 'CVE-2025-66478']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" }, { "source_name": "CISA KEV: CVE-2025-55182 \u2014 Meta React Server Components Remo", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b7a26471-dab0-4321-8082-a4784eea4b46", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-0740", "pattern": "[vulnerability:name = 'CVE-2026-0740']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Di", "url": "https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--80818220-7f8c-4050-930c-c1ef2a7cedf6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-1281", "pattern": "[vulnerability:name = 'CVE-2026-1281']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2148abea-21e3-49d4-b11b-943466f177e8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-1340", "pattern": "[vulnerability:name = 'CVE-2026-1340']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" }, { "source_name": "CISA KEV: CVE-2026-1340 \u2014 Ivanti Endpoint Manager Mobile (EP", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a4d129b6-c6f3-435b-8a90-4b2c79579165", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-1731", "pattern": "[vulnerability:name = 'CVE-2026-1731']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" }, { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": 
"https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" }, { "source_name": "CISA KEV: CVE-2026-1731 \u2014 BeyondTrust Remote Support (RS) an", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "crit", "x_sources": [ "The Hacker News", "Unit 42 (Palo Alto)", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--36d44ee8-dcb6-464e-8499-4e061fccb526", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-21509", "pattern": "[vulnerability:name = 'CVE-2026-21509']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Sednit reloaded: Back in the trenches", "url": "https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/" }, { "source_name": "CISA KEV: CVE-2026-21509 \u2014 Microsoft Office Security Feature", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9c822bb9-8db1-428b-a1bf-6f51f96cb728", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-21510", "pattern": "[vulnerability:name = 'CVE-2026-21510']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA Adds Actively Exploited ConnectWise and Windows Flaws t", "url": "https://thehackernews.com/2026/04/cisa-adds-actively-exploited.html" }, { "source_name": "Microsoft Confirms Active Exploitation of Windows Shell CVE-", "url": "https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--28792e56-76e5-438a-951b-737c3ffb2b0d", "created": 
"2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-21513", "pattern": "[vulnerability:name = 'CVE-2026-21513']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA Adds Actively Exploited ConnectWise and Windows Flaws t", "url": "https://thehackernews.com/2026/04/cisa-adds-actively-exploited.html" }, { "source_name": "Microsoft Confirms Active Exploitation of Windows Shell CVE-", "url": "https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html" }, { "source_name": "CISA KEV: CVE-2026-32202 \u2014 Microsoft Windows Protection Mech", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "crit", "x_sources": [ "The Hacker News", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--29a43bfa-e99f-4ae6-9e89-3724d67b728e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-21571", "pattern": "[vulnerability:name = 'CVE-2026-21571']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c585514-6d91-46c8-b92c-c8e80ef60cbb", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-21876", "pattern": "[vulnerability:name = 'CVE-2026-21876']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } 
], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f89a5bc4-0e60-4079-9e7e-dd15a6d751ad", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-22584", "pattern": "[vulnerability:name = 'CVE-2026-22584']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--083611fe-cfd3-4d5e-9e15-0c6fdd4e9eb8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-23627", "pattern": "[vulnerability:name = 'CVE-2026-23627']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K ", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-sms-blaster-busts.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ebc0d481-9f71-48b3-a8af-f8c47a0d10ca", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-24908", "pattern": "[vulnerability:name = 'CVE-2026-24908']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K ", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-sms-blaster-busts.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e81963c9-41be-41b0-879c-367093b3c4ca", 
"created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-25262", "pattern": "[vulnerability:name = 'CVE-2026-25262']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--29b0f57e-daa6-4f18-8697-1a9b2d4d0f2d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-25874", "pattern": "[vulnerability:name = 'CVE-2026-25874']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to ", "url": "https://thehackernews.com/2026/04/critical-cve-2026-25874-leaves-hugging.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2de0c028-a161-49e1-9717-b572cabef980", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-26268", "pattern": "[vulnerability:name = 'CVE-2026-26268']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enab", "url": "https://thehackernews.com/2026/04/google-fixes-cvss-10-gemini-cli-ci-rce.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d4dbfc5b-6370-4f03-ba74-72b9fde5d901", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-27174", "pattern": "[vulnerability:name = 
'CVE-2026-27174']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, Prox", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-290m-defi-hack.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--310e89b7-81d0-43a3-96d1-c0fb1467a1f2", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-27175", "pattern": "[vulnerability:name = 'CVE-2026-27175']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, Prox", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-290m-defi-hack.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f4eca51b-c5ae-480f-9a34-13ba78dfba83", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-27654", "pattern": "[vulnerability:name = 'CVE-2026-27654']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e2df318d-3eff-48a6-ab5b-015b53bdf7fd", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-28950", "pattern": "[vulnerability:name = 'CVE-2026-28950']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": 
"Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Mes", "url": "https://thehackernews.com/2026/04/apple-patches-ios-flaw-that-stored.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ac0bdfd7-8e49-406c-a65b-ebf4f72d7f6c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-31431", "pattern": "[vulnerability:name = 'CVE-2026-31431']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "New Linux \u2018Copy Fail\u2019 flaw gives hackers root on major distr", "url": "https://www.bleepingcomputer.com/news/security/new-linux-copy-fail-flaw-gives-hackers-root-on-major-distros/" }, { "source_name": "New Linux 'Copy Fail' Vulnerability Enables Root Access on M", "url": "https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html" } ], "x_severity": "crit", "x_sources": [ "BleepingComputer", "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b74ea46f-511e-4683-8413-d7ec40525f19", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-32173", "pattern": "[vulnerability:name = 'CVE-2026-32173']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--44bd92e8-1f0a-4726-bcb9-3ea11729e226", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-32202", "pattern": "[vulnerability:name = 'CVE-2026-32202']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": 
[ "malicious-activity" ], "external_references": [ { "source_name": "PyTorch Lightning and Intercom-client Hit in Supply Chain At", "url": "https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html" }, { "source_name": "ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K ", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-sms-blaster-busts.html" }, { "source_name": "New Python Backdoor Uses Tunneling Service to Steal Browser ", "url": "https://thehackernews.com/2026/04/new-python-backdoor-uses-tunneling.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News", "Cisco Talos", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--357a5330-b65b-4708-839c-6baa6760f01b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-32604", "pattern": "[vulnerability:name = 'CVE-2026-32604']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c481125b-782e-4555-bf46-af2dde07f00f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-32613", "pattern": "[vulnerability:name = 'CVE-2026-32613']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--05956513-1599-4a8e-9df2-3db30b762840", "created": 
"2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-33032", "pattern": "[vulnerability:name = 'CVE-2026-33032']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Harvester Deploys Linux GoGra Backdoor in South Asia Using M", "url": "https://thehackernews.com/2026/04/harvester-deploys-linux-gogra-backdoor.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--30106dd2-47ec-42aa-9aba-35e222576a32", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-33626", "pattern": "[vulnerability:name = 'CVE-2026-33626']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "PyTorch Lightning and Intercom-client Hit in Supply Chain At", "url": "https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html" }, { "source_name": "ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K ", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-sms-blaster-busts.html" }, { "source_name": "New Python Backdoor Uses Tunneling Service to Steal Browser ", "url": "https://thehackernews.com/2026/04/new-python-backdoor-uses-tunneling.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9b6659fa-8db4-4ca2-a03a-31603b646209", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-33694", "pattern": "[vulnerability:name = 'CVE-2026-33694']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": 
"https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--621d2021-02ff-4b04-b69d-8bf3348af378", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-33824", "pattern": "[vulnerability:name = 'CVE-2026-33824']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" }, { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "crit", "x_sources": [ "The Hacker News", "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5611ed56-e1cf-4a39-b6ee-25c207d08dbb", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-33871", "pattern": "[vulnerability:name = 'CVE-2026-33871']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a4c16a61-6a03-42e1-8ae5-dd5912d6bfe9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-34197", "pattern": "[vulnerability:name = 'CVE-2026-34197']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL 
Abuse, Prox", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-290m-defi-hack.html" }, { "source_name": "Harvester Deploys Linux GoGra Backdoor in South Asia Using M", "url": "https://thehackernews.com/2026/04/harvester-deploys-linux-gogra-backdoor.html" }, { "source_name": "CISA KEV: CVE-2026-34197 \u2014 Apache ActiveMQ Improper Input Va", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "crit", "x_sources": [ "The Hacker News", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--111a70cb-f377-4d9f-8ef3-13fa21936d84", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-3517", "pattern": "[vulnerability:name = 'CVE-2026-3517']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1c07112f-0488-47e0-bd1d-d22d5daf788f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-3518", "pattern": "[vulnerability:name = 'CVE-2026-3518']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--10cff40d-3046-4c5d-a696-f53b1b8f842b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-3519", "pattern": "[vulnerability:name = 'CVE-2026-3519']", 
"pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d14b670e-8d59-4997-8875-09371ee0bb08", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-3844", "pattern": "[vulnerability:name = 'CVE-2026-3844']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Di", "url": "https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b9c4105b-0243-48af-84db-b36da87ace91", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-3854", "pattern": "[vulnerability:name = 'CVE-2026-3854']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "PyTorch Lightning and Intercom-client Hit in Supply Chain At", "url": "https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html" }, { "source_name": "ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K ", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-sms-blaster-busts.html" }, { "source_name": "New Python Backdoor Uses Tunneling Service to Steal Browser ", "url": "https://thehackernews.com/2026/04/new-python-backdoor-uses-tunneling.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--e71cb7b7-c8e0-4c27-b1e3-3fb7ba5d79d3", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-3965", "pattern": "[vulnerability:name = 'CVE-2026-3965']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K ", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-sms-blaster-busts.html" }, { "source_name": "Hackers exploit RCE flaws in Qinglong task scheduler for cry", "url": "https://www.bleepingcomputer.com/news/security/hackers-exploit-rce-flaws-in-qinglong-task-scheduler-for-cryptomining/" } ], "x_severity": "crit", "x_sources": [ "The Hacker News", "BleepingComputer" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--047458bc-f1c3-4c0d-bc53-2fc3eb26a238", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-40050", "pattern": "[vulnerability:name = 'CVE-2026-40050']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7b03495a-7c9e-47de-8707-3932db4d63b1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-40372", "pattern": "[vulnerability:name = 'CVE-2026-40372']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" }, { "source_name": "Microsoft Patches 
Critical ASP.NET Core CVE-2026-40372 Privi", "url": "https://thehackernews.com/2026/04/microsoft-patches-critical-aspnet-core.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bcde3bf-2693-4047-80b9-21f529364cf1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-4047", "pattern": "[vulnerability:name = 'CVE-2026-4047']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K ", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-sms-blaster-busts.html" }, { "source_name": "Hackers exploit RCE flaws in Qinglong task scheduler for cry", "url": "https://www.bleepingcomputer.com/news/security/hackers-exploit-rce-flaws-in-qinglong-task-scheduler-for-cryptomining/" } ], "x_severity": "crit", "x_sources": [ "The Hacker News", "BleepingComputer" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b686cdc3-b8eb-4996-88d9-a834a2067224", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-4048", "pattern": "[vulnerability:name = 'CVE-2026-4048']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c0015517-ef3f-42b5-a9f3-40144e697839", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-40872", "pattern": "[vulnerability:name = 'CVE-2026-40872']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ 
"malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7adf80dd-1aa7-4fbd-a9ad-5f784a52381a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-41651", "pattern": "[vulnerability:name = 'CVE-2026-41651']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--004dc521-fe84-4d84-8c3f-c3087583e40f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-41940", "pattern": "[vulnerability:name = 'CVE-2026-41940']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Critical cPanel and WHM bug exploited as a zero-day, PoC now", "url": "https://www.bleepingcomputer.com/news/security/critical-cpanel-and-whm-bug-exploited-as-a-zero-day-poc-now-available/" }, { "source_name": "CISA KEV: CVE-2026-41940 \u2014 WebPros cPanel & WHM and WP2 (Wor", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "source_name": "Critical cPanel Authentication Vulnerability Identified \u2014 Up", "url": "https://thehackernews.com/2026/04/critical-cpanel-authentication.html" } ], "x_severity": "crit", "x_sources": [ "BleepingComputer", "CISA KEV", "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--0b7e47d2-9b11-4cec-b60d-f9b8799845b9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-42208", "pattern": "[vulnerability:name = 'CVE-2026-42208']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Great responsibility, without great power", "url": "https://blog.talosintelligence.com/great-responsibility-without-great-power/" }, { "source_name": "LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hou", "url": "https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos", "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5f9e8c30-0d55-4c86-b7a5-b52f3f99a016", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-5752", "pattern": "[vulnerability:name = 'CVE-2026-5752']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--17c0b711-1ad7-4911-bd01-f21ffb402988", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-5754", "pattern": "[vulnerability:name = 'CVE-2026-5754']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", 
"id": "indicator--5a0b2b34-a814-447d-a2bd-1d4a3f94daff", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-5756", "pattern": "[vulnerability:name = 'CVE-2026-5756']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1555228b-101c-4eae-9531-515f00e07a48", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-5757", "pattern": "[vulnerability:name = 'CVE-2026-5757']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--20a87d9d-51f9-4c5e-ab5f-a063c1a34340", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-5760", "pattern": "[vulnerability:name = 'CVE-2026-5760']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "\u26a1 Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdo", "url": "https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3d77f864-51fd-48db-9e4d-ddf6ccbe1454", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: 
2b1.916.mytemp.website", "pattern": "[domain-name:value = '2b1.916.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--43652549-b9e7-4859-aab8-49195ba42897", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: 2pd.f22.mytemp.website", "pattern": "[domain-name:value = '2pd.f22.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1b0546b2-b5fb-42fc-b7b2-82caa3bff384", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: 6688cf.jhxrpbgq.com", "pattern": "[domain-name:value = '6688cf.jhxrpbgq.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--90851fcd-3be0-4e3a-a2a5-68cb27d4292d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: 92j.130.mytemp.website", "pattern": "[domain-name:value = '92j.130.mytemp.website']", "pattern_type": "stix", "valid_from": 
"2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--95d810ed-85f1-4ee5-8182-2c830a70dd36", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: abc.3mkorealtd.com", "pattern": "[domain-name:value = 'abc.3mkorealtd.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a9790ed9-e6cb-42da-a442-76d8bad2790e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: abc.doublemobile.com", "pattern": "[domain-name:value = 'abc.doublemobile.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--37139aae-e968-4199-a627-e8d5039abcb5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: abc.fetish-friends.com", "pattern": "[domain-name:value = 'abc.fetish-friends.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new 
ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d2c40b0e-f122-467b-bdbf-2b00a2acd0ab", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: abc.haijing88.com", "pattern": "[domain-name:value = 'abc.haijing88.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--73d92796-8b53-493d-9bf5-ac567fb30778", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: abc.ilptour.com", "pattern": "[domain-name:value = 'abc.ilptour.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--29ea16a1-003d-4253-bada-62ebda633486", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: abc.petitechanson.com", "pattern": "[domain-name:value = 'abc.petitechanson.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": 
"crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c25871f3-64b7-463e-8992-2e140e2e46a4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: abc.sudsmama.com", "pattern": "[domain-name:value = 'abc.sudsmama.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa130b7-2ff9-48bd-a44e-3046337b1336", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: abc.woopami.com", "pattern": "[domain-name:value = 'abc.woopami.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--83e6caf8-7e1e-42e2-88c1-61509f0e14be", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: adobe.com", "pattern": "[domain-name:value = 'adobe.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "IR Trends Q1 2026: Phishing reemerges as top initial access ", "url": "https://blog.talosintelligence.com/ir-trends-q1-2026/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--66379b4d-ef85-4f3b-a4ab-85cc8bc9adb8", "created": 
"2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: ae-payapp.com", "pattern": "[domain-name:value = 'ae-payapp.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e4b08f75-ed2c-4b30-a377-56b1bc0f8a1a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: airansupasdports.cyou", "pattern": "[domain-name:value = 'airansupasdports.cyou']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c8d6740c-ff1b-4020-b642-3e23ed15d5bc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: alpha.filehost36.sbs", "pattern": "[domain-name:value = 'alpha.filehost36.sbs']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--51978c0d-5dd5-4f83-a7f1-737571331b7f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: alphafly-drones.com", "pattern": "[domain-name:value = 'alphafly-drones.com']", 
"pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "PhantomCore Exploits TrueConf Vulnerabilities to Breach Russ", "url": "https://thehackernews.com/2026/04/phantomcore-exploits-trueconf.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d39f0b2e-4592-4d97-a050-4c364a685953", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: anadnet.com", "pattern": "[domain-name:value = 'anadnet.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K ", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-sms-blaster-busts.html" }, { "source_name": "Popular WordPress redirect plugin hid dormant backdoor for y", "url": "https://www.bleepingcomputer.com/news/security/popular-wordpress-redirect-plugin-hid-dormant-backdoor-for-years/" } ], "x_severity": "crit", "x_sources": [ "The Hacker News", "BleepingComputer" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4fa7f5e4-85d0-420c-9c1d-65956f02c9bf", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: ao.online", "pattern": "[domain-name:value = 'ao.online']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "New NGate variant hides in a trojanized NFC payment app", "url": "https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--169e9e40-48dc-4f67-908d-b2d5e56ec084", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": 
"DOMAIN: api.dc1637.xyz", "pattern": "[domain-name:value = 'api.dc1637.xyz']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--df4779d7-3b0a-4009-87ad-445b4fce63b7", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: api.npoint.io", "pattern": "[domain-name:value = 'api.npoint.io']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--42e8687b-5c78-4553-b383-ce8b4cf15e9b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: api.ra-backup.com", "pattern": "[domain-name:value = 'api.ra-backup.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3223a25a-6503-4065-bd91-9a6d244fed77", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: app1password.com", "pattern": "[domain-name:value = 'app1password.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ 
"malicious-activity" ], "external_references": [ { "source_name": "How password managers can be hacked \u2013 and how to stay safe", "url": "https://www.welivesecurity.com/en/cybersecurity/password-managers-under-attack-what-you-should-know/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f5458b90-38ed-46c0-97d3-000979cfd8ea", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: appbitwarden.com", "pattern": "[domain-name:value = 'appbitwarden.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "How password managers can be hacked \u2013 and how to stay safe", "url": "https://www.welivesecurity.com/en/cybersecurity/password-managers-under-attack-what-you-should-know/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7ee06c15-7e57-4ccf-b6f3-e35fc8810f5b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: appleid.apple.com-update.required.kontol.emiratesbankgroup.info", "pattern": "[domain-name:value = 'appleid.apple.com-update.required.kontol.emiratesbankgroup.info']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9d30a9ab-0daf-41a5-bcb3-8a9f57d580f0", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: appstoreios.com", "pattern": "[domain-name:value = 'appstoreios.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", 
"labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--05da2725-ac17-4910-9742-90bbc0b535b4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: aramcoamericainvest.com", "pattern": "[domain-name:value = 'aramcoamericainvest.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--659c1df0-adf1-475c-9eb9-3a83dc3045aa", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: arch2.maxdatahost1.cyou", "pattern": "[domain-name:value = 'arch2.maxdatahost1.cyou']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fadce7e6-faa4-4246-a80a-90c6b450f6bb", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: arch2.megadatahost3.homes", "pattern": "[domain-name:value = 'arch2.megadatahost3.homes']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber 
Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6a9c031a-a455-4f38-b5c2-1fd119a0a46b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: audit.checkmarx.cx", "pattern": "[domain-name:value = 'audit.checkmarx.cx']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The npm Threat Landscape: Attack Surface and Mitigations", "url": "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/" }, { "source_name": "Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain ", "url": "https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html" }, { "source_name": "Malicious KICS Docker Images and VS Code Extensions Hit Chec", "url": "https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)", "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c7574640-bc50-4c42-90b6-6e81b8b68c00", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: b0p.c0d.mytemp.website", "pattern": "[domain-name:value = 'b0p.c0d.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--26166f3a-a4d8-429a-92d7-991df64cabb8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: b1z.0f6.mytemp.website", "pattern": 
"[domain-name:value = 'b1z.0f6.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2e118f7b-deb6-43ad-81f1-b3f216345554", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: bankiran.bet", "pattern": "[domain-name:value = 'bankiran.bet']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--79630be0-ae10-4275-b4a4-ca7e1ce95a49", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: bankofamerica.com.oidscreen.gorequestlocale.emiratesbankgroup.info", "pattern": "[domain-name:value = 'bankofamerica.com.oidscreen.gorequestlocale.emiratesbankgroup.info']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--03980cc5-1f0c-4457-b3fd-37a171f412f7", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: biransupasdports.cyou", "pattern": "[domain-name:value = 'biransupasdports.cyou']", "pattern_type": 
"stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6c938395-5892-4d1f-914a-ab8d093a804a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: bit.ly", "pattern": "[domain-name:value = 'bit.ly']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bd9b1760-a02c-4389-9a5f-b5fa2518d039", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: bore.pub", "pattern": "[domain-name:value = 'bore.pub']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "New Python Backdoor Uses Tunneling Service to Steal Browser ", "url": "https://thehackernews.com/2026/04/new-python-backdoor-uses-tunneling.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f96d638d-3841-4d8a-990e-7e20ae463fc9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: bot.ddosvps.cc", "pattern": "[domain-name:value = 'bot.ddosvps.cc']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": 
"https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--90e9d481-b609-4878-9474-16f6d1e18548", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: bouleversement.niovapahrm.com", "pattern": "[domain-name:value = 'bouleversement.niovapahrm.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Email threat landscape: Q1 2026 trends and insights", "url": "https://www.microsoft.com/en-us/security/blog/2026/04/30/email-threat-landscape-q1-2026-trends-and-insights/" } ], "x_severity": "crit", "x_sources": [ "Microsoft Security Blog" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cd94ad23-d3d0-4bae-9ef1-5b69e9c55d67", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: buydubaipropertywithcrypto.com", "pattern": "[domain-name:value = 'buydubaipropertywithcrypto.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4343a02a-d4ad-481d-801d-5d41d7e3562f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: c1y.bf3.mytemp.website", "pattern": "[domain-name:value = 'c1y.bf3.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": 
"https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c5dabcc9-f188-4618-a4a8-140be33658ad", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: c45.94b.mytemp.website", "pattern": "[domain-name:value = 'c45.94b.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--34ceb60a-6e5d-4662-ad0c-d7dc21c19fc9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: cache3.filehost36.sbs", "pattern": "[domain-name:value = 'cache3.filehost36.sbs']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--27d32ad4-d4cd-47e3-bee9-6b5f72edc637", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: callnrwise.com", "pattern": "[domain-name:value = 'callnrwise.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--50b2d629-1802-4922-b180-7e69658bc27a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: centrastage.net", "pattern": "[domain-name:value = 'centrastage.net']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The n8n n8mare: How threat actors are misusing AI workflow a", "url": "https://blog.talosintelligence.com/the-n8n-n8mare/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e18e1db8-0db5-4d11-ae00-35d717d26369", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: championships-peoples-point-cassette.trycloudflare.com", "pattern": "[domain-name:value = 'championships-peoples-point-cassette.trycloudflare.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--71df8ec3-9c88-45cb-af53-f9bba1df0666", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: checkmarx.cx", "pattern": "[domain-name:value = 'checkmarx.cx']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The npm Threat Landscape: Attack Surface and Mitigations", "url": "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/" }, { "source_name": "Malicious KICS Docker Images and VS Code Extensions Hit Chec", "url": "https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html" } ], "x_severity": 
"crit", "x_sources": [ "Unit 42 (Palo Alto)", "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--249e7f37-5cbe-48f8-ad27-21633f971bcb", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: checkmarx.zone", "pattern": "[domain-name:value = 'checkmarx.zone']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" }, { "source_name": "An AI gateway designed to steal your data", "url": "https://securelist.com/litellm-supply-chain-attack/119257/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)", "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c6d7915-68ce-42b6-9340-d2bb3907ba22", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: ciderurginsx.com", "pattern": "[domain-name:value = 'ciderurginsx.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "JanelaRAT: a financial threat targeting users in Latin Ameri", "url": "https://securelist.com/janelarat-financial-threat-in-latin-america/119332/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8671cb05-c1e6-4824-bb06-2aab44830518", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io", "pattern": "[domain-name:value = 'cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Self-Propagating Supply Chain Worm Hijacks npm Packages to S", "url": 
"https://thehackernews.com/2026/04/self-propagating-supply-chain-worm.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--030cb928-93e3-444e-85fc-bbff91ef3cfe", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: cnc.vietdediserver.shop", "pattern": "[domain-name:value = 'cnc.vietdediserver.shop']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c65bc57e-04ff-4906-bdae-b45b18ed4f70", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: cnmaestro.sapb-aramco.com", "pattern": "[domain-name:value = 'cnmaestro.sapb-aramco.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--39d551d9-5c40-44bc-b710-c4ff9180d2dd", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: com-govauv.top", "pattern": "[domain-name:value = 'com-govauv.top']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--63d15b21-8cb7-4cde-9e54-fce83877bef7", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: cover.www.microsoft.com.irancell.courses", "pattern": "[domain-name:value = 'cover.www.microsoft.com.irancell.courses']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--64b8e421-3b67-488b-a4fc-b520c98d43e8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: create-sensitivity-grad-sequence.trycloudflare.com", "pattern": "[domain-name:value = 'create-sensitivity-grad-sequence.trycloudflare.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--71a51db4-7419-4abb-9a11-edd8f80e64c3", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: crypto-stroe.cc", "pattern": "[domain-name:value = 'crypto-stroe.cc']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--2bc39637-fbcd-4bf8-a53c-b011a4f2778e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: cryptocurrencies-offers.com", "pattern": "[domain-name:value = 'cryptocurrencies-offers.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0302b3cf-c932-4560-ad23-38447010eb83", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: csec-c2-server.onrender.com", "pattern": "[domain-name:value = 'csec-c2-server.onrender.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake ", "url": "https://thehackernews.com/2026/04/new-wave-of-dprk-attacks-uses-ai.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--85234910-7e0f-454d-9c1f-1d4ab44d7bbc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: d1g.ccd.mytemp.website", "pattern": "[domain-name:value = 'd1g.ccd.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--685acc78-a5d0-4e26-b4b5-f5310b7528db", "created": 
"2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: dnshook.site", "pattern": "[domain-name:value = 'dnshook.site']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox", "url": "https://unit42.paloaltonetworks.com/bypass-of-aws-sandbox-network-isolation-mode/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--12bb62bb-7b66-4d71-b1b4-bff9935fc836", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: ds20221202.dsc.wcsset.com", "pattern": "[domain-name:value = 'ds20221202.dsc.wcsset.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "PlushDaemon compromises network devices for adversary-in-the", "url": "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--979f7b43-9b36-419d-be40-a5b0d7c5571a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: dubai-custbims.top", "pattern": "[domain-name:value = 'dubai-custbims.top']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--926bb0d8-633d-43cd-972f-7d1a33f8b10d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: 
dubai-custboms.top", "pattern": "[domain-name:value = 'dubai-custboms.top']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1adae90a-37fb-4ee2-87b9-a86b31726c05", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: dubai-customs.top", "pattern": "[domain-name:value = 'dubai-customs.top']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0f480a54-28e7-4db2-909d-d4ea48224944", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: dubai-polices.ae-finesquery.com", "pattern": "[domain-name:value = 'dubai-polices.ae-finesquery.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e08f4363-9b24-45c7-922c-a8bb00c4990e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: dubaicuctoms.com", "pattern": "[domain-name:value = 'dubaicuctoms.com']", "pattern_type": "stix", "valid_from": 
"2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9f4c6a45-b10d-427d-a39d-53b66efca695", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: dubaicustoms.top", "pattern": "[domain-name:value = 'dubaicustoms.top']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b8146931-5263-44fa-917a-7e08c84e313d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: dubaicustonms.top", "pattern": "[domain-name:value = 'dubaicustonms.top']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a01cf868-b1b2-430f-9022-47a9faafad56", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: dubaiicuctoms.com", "pattern": "[domain-name:value = 'dubaiicuctoms.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", 
"url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fe06066f-161d-44ac-9e93-1d8c0b47f63b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: dubaipolice.gov-tollbillba.life", "pattern": "[domain-name:value = 'dubaipolice.gov-tollbillba.life']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3f4d586e-3a27-403e-8cea-d12db6c0cb65", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: eg3.db1.mytemp.website", "pattern": "[domain-name:value = 'eg3.db1.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--48faac23-1fac-4265-b182-6cadb71e5a53", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: emirates-ae.pack-541202699.azmtrust.com", "pattern": "[domain-name:value = 'emirates-ae.pack-541202699.azmtrust.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], 
"x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--39750a5f-3e55-45d8-99c2-f242cf4e8128", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: emirates-post.racunari-bl.com", "pattern": "[domain-name:value = 'emirates-post.racunari-bl.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b5e60e55-e264-4e60-9664-ca1e362109ad", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: emiratescryptobank.com", "pattern": "[domain-name:value = 'emiratescryptobank.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5931fd39-d7a6-4569-9455-7f545df18c14", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: emiratesinvestunion.com", "pattern": "[domain-name:value = 'emiratesinvestunion.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--675b4a0a-541f-4870-b829-c553aff72d8e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: emiratespost-pay.com", "pattern": "[domain-name:value = 'emiratespost-pay.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--29ab2f7e-5a85-4dc3-a915-88916f28556b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: emiratespost.traz.top", "pattern": "[domain-name:value = 'emiratespost.traz.top']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--03ee351d-bb9f-4525-8596-ad00d95104aa", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: etisalataccount-quickpayae.click", "pattern": "[domain-name:value = 'etisalataccount-quickpayae.click']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f6a642b9-8d60-4d78-a41e-e8dbec2b052d", "created": "2026-04-30T20:25:54Z", "modified": 
"2026-04-30T20:25:54Z", "name": "DOMAIN: etisalataccountquickpayae.top", "pattern": "[domain-name:value = 'etisalataccountquickpayae.top']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d7f2c453-6cbb-4428-a63a-b50243bbdb16", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: etisalatquickpay.com", "pattern": "[domain-name:value = 'etisalatquickpay.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ecfa2a57-f0f3-49a8-9ee9-54f2106059fd", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: f43.c76.mytemp.website", "pattern": "[domain-name:value = 'f43.c76.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--119249f1-cd8f-4b9f-9f61-a66528b68f58", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: file.io", "pattern": "[domain-name:value = 'file.io']", "pattern_type": "stix", 
"valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "China-Linked GopherWhisper Infects 12 Mongolian Government S", "url": "https://thehackernews.com/2026/04/china-linked-gopherwhisper-infects-12.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3662898a-aa99-42bf-8140-c4c6d5c09402", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: firansupport.cyou", "pattern": "[domain-name:value = 'firansupport.cyou']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--af3a0cb5-796f-4bcd-97a9-57c06d858ac1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: fkiransusdpportsdf.cyou", "pattern": "[domain-name:value = 'fkiransusdpportsdf.cyou']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--841899b9-d32a-4feb-8edc-a4e57cda8d7c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: fudcrypt.net", "pattern": "[domain-name:value = 'fudcrypt.net']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "ThreatsDay Bulletin: $290M DeFi 
Hack, macOS LotL Abuse, Prox", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-290m-defi-hack.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c1ca0e70-79ec-4b55-8b4f-db94f985bf7b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: gcp-sa-aiplatform-re.iam.gserviceaccount.com", "pattern": "[domain-name:value = 'gcp-sa-aiplatform-re.iam.gserviceaccount.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Double Agents: Exposing Security Blind Spots in GCP Vertex A", "url": "https://unit42.paloaltonetworks.com/double-agents-vertex-ai/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d900ee5e-8db4-4843-a1da-44fc3a55524e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: gov-tollbillba.life", "pattern": "[domain-name:value = 'gov-tollbillba.life']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3956c6b7-12e4-4b25-9c61-dc5a8a484dae", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: govauv.top", "pattern": "[domain-name:value = 'govauv.top']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], 
"x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--de28aae0-73c5-48ae-a437-3dddff4475fd", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: haematogenesis.hvishay.com", "pattern": "[domain-name:value = 'haematogenesis.hvishay.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Email threat landscape: Q1 2026 trends and insights", "url": "https://www.microsoft.com/en-us/security/blog/2026/04/30/email-threat-landscape-q1-2026-trends-and-insights/" } ], "x_severity": "crit", "x_sources": [ "Microsoft Security Blog" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--17ac8bc6-10be-47fd-ae35-dc71d4152f50", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: helllo2025.com", "pattern": "[domain-name:value = 'helllo2025.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a5527ded-af98-4140-b803-eef273c8a535", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: hyperfilevault1.xyz", "pattern": "[domain-name:value = 'hyperfilevault1.xyz']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--78d750bf-30b0-452e-bcff-2f63eda3ab12", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: hyperfilevault2.mom", "pattern": "[domain-name:value = 'hyperfilevault2.mom']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54662c46-257e-49de-9975-5a3a0c8e931b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: hyperfilevault3.mom", "pattern": "[domain-name:value = 'hyperfilevault3.mom']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6ad6ff9c-e499-4b4c-920c-8d3a2d2739f8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: hyperfilevault3.pics", "pattern": "[domain-name:value = 'hyperfilevault3.pics']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--856209bb-1895-4926-89e6-c8f9baebb2a2", "created": "2026-04-30T20:25:54Z", "modified": 
"2026-04-30T20:25:54Z", "name": "DOMAIN: investigation-launches-hearings-copying.trycloudflare.com", "pattern": "[domain-name:value = 'investigation-launches-hearings-copying.trycloudflare.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4e8aa898-1b00-48f0-92e2-4fac09b9d2ff", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: iosfc.com", "pattern": "[domain-name:value = 'iosfc.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0fde05d4-5b10-40a6-a795-dfe19fc023eb", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: iran.drproxy.pro", "pattern": "[domain-name:value = 'iran.drproxy.pro']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--10e11165-d0e0-45a6-bd75-aef0fc112489", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: iran11.drproxy.pro", "pattern": 
"[domain-name:value = 'iran11.drproxy.pro']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--00512454-b9af-44e5-a509-b0a3bb5a760d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: iran14.drproxy.pro", "pattern": "[domain-name:value = 'iran14.drproxy.pro']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d3cbaf99-95d2-4722-a0e4-97248aaa5261", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: iran15.drproxy.pro", "pattern": "[domain-name:value = 'iran15.drproxy.pro']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--995eff05-bbe5-424b-9731-2fffd7312988", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: iran16.drproxy.pro", "pattern": "[domain-name:value = 'iran16.drproxy.pro']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], 
"external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f59a29f2-efa8-459f-aa4b-95e2f2487355", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: iran18.drproxy.pro", "pattern": "[domain-name:value = 'iran18.drproxy.pro']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--07570b1e-fc2d-4dee-9cdf-9bc0194c0825", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: iran19.drproxy.pro", "pattern": "[domain-name:value = 'iran19.drproxy.pro']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b1f9713d-6d51-4b61-aea5-47bac5e7871f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: iran2.drproxy.pro", "pattern": "[domain-name:value = 'iran2.drproxy.pro']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": 
"https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--90b285b4-e598-4ef7-847b-69c43da2beb5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: irancross.shop", "pattern": "[domain-name:value = 'irancross.shop']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--18b9485a-b618-4837-a95d-0993423b8472", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: irandargah.com", "pattern": "[domain-name:value = 'irandargah.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--69bc3f29-bb39-4494-a54c-cd038b25aca3", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: irandonation.org", "pattern": "[domain-name:value = 'irandonation.org']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": 
"2.1", "id": "indicator--ff0fa00d-f996-4895-be53-33a363543d4d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: iranforward.org", "pattern": "[domain-name:value = 'iranforward.org']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1e00d988-aa51-400e-97e3-add94abd53bd", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: iranpaye.com", "pattern": "[domain-name:value = 'iranpaye.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--365610a1-1efd-4362-bcfc-d570fc76ff5b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: iransupasdports.cyou", "pattern": "[domain-name:value = 'iransupasdports.cyou']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--506e0493-854c-4545-8b3d-a31d29d18dfc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: iransupports.cyou", 
"pattern": "[domain-name:value = 'iransupports.cyou']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e2e2723-cc7e-4ebf-9a19-c21e4c51b522", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: iransupporttyst.cyou", "pattern": "[domain-name:value = 'iransupporttyst.cyou']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fc5091d3-b263-46c4-a6df-c3aa3d587585", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: iransusdpportsdf.cyou", "pattern": "[domain-name:value = 'iransusdpportsdf.cyou']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4a7f3f21-41cd-4965-b307-144405bc3372", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: kamikaze.sh", "pattern": "[domain-name:value = 'kamikaze.sh']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], 
"external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54fb289e-072b-46d8-b938-c99bb3263f3d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: kiransupport.cyou", "pattern": "[domain-name:value = 'kiransupport.cyou']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--010a1d40-f9e0-4b25-a627-bd3e530d8c6d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: kiransupportsdf.cyou", "pattern": "[domain-name:value = 'kiransupportsdf.cyou']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a9ab223a-eba4-48f1-a2ac-f43a4ab37362", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: kkkhhhnnn.com", "pattern": "[domain-name:value = 'kkkhhhnnn.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": 
"https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--27511dbf-d891-401f-971a-19e98069b638", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: kmd.8cd.mytemp.website", "pattern": "[domain-name:value = 'kmd.8cd.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--68073958-49b2-474d-a2f8-242287ab1683", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: kube.py", "pattern": "[domain-name:value = 'kube.py']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--255921f5-38e4-4767-8f8b-0a7ae2201ea9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: kzw.ce3.mytemp.website", "pattern": "[domain-name:value = 'kzw.ce3.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--d8a08035-30a2-45ba-9d96-f86ed235ef00", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: m1w.4a0.mytemp.website", "pattern": "[domain-name:value = 'm1w.4a0.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e49db4b9-ae79-4a85-bbc7-01cb5970cb82", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: majormetalcsorp.com", "pattern": "[domain-name:value = 'majormetalcsorp.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The n8n n8mare: How threat actors are misusing AI workflow a", "url": "https://blog.talosintelligence.com/the-n8n-n8mare/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57db38ec-857c-4eb3-8c62-80a3ab5d9da9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: mcagov.cc", "pattern": "[domain-name:value = 'mcagov.cc']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4d9bda53-04bf-47b0-883f-f8b5cef9eb94", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": 
"DOMAIN: media.hyperfilevault2.mom", "pattern": "[domain-name:value = 'media.hyperfilevault2.mom']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--43885db5-0a2b-4143-b093-1b8c48a38986", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: media.megafilehost2.sbs", "pattern": "[domain-name:value = 'media.megafilehost2.sbs']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--aab5bf8c-ef9d-4d37-a066-7464f773d6b4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: metadata.google.internal", "pattern": "[domain-name:value = 'metadata.google.internal']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Double Agents: Exposing Security Blind Spots in GCP Vertex A", "url": "https://unit42.paloaltonetworks.com/double-agents-vertex-ai/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--90e0f273-9db6-4520-8b52-8d623a2c34db", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: mgi1y.siyangoil.com", "pattern": "[domain-name:value = 'mgi1y.siyangoil.com']", "pattern_type": "stix", 
"valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b1bb9c99-a15f-4c04-9747-50c272e76192", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: models.litellm.cloud", "pattern": "[domain-name:value = 'models.litellm.cloud']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" }, { "source_name": "An AI gateway designed to steal your data", "url": "https://securelist.com/litellm-supply-chain-attack/119257/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)", "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6dfcd55f-c18f-4490-a160-540e90d71546", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: monicasue.app.n8n.cloud", "pattern": "[domain-name:value = 'monicasue.app.n8n.cloud']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The n8n n8mare: How threat actors are misusing AI workflow a", "url": "https://blog.talosintelligence.com/the-n8n-n8mare/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3b352b5b-9e1d-4545-ae9a-02ea6bb83588", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: mti4ywy4.lahuafa.com", "pattern": "[domain-name:value = 'mti4ywy4.lahuafa.com']", 
"pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--14ab3359-f78a-49a8-a85d-e80037158ec1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: mtjln.siyangoil.com", "pattern": "[domain-name:value = 'mtjln.siyangoil.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--143145d1-4b21-4e7a-b734-87da9fbab26a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: my-secret.dnshook.site", "pattern": "[domain-name:value = 'my-secret.dnshook.site']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox", "url": "https://unit42.paloaltonetworks.com/bypass-of-aws-sandbox-network-isolation-mode/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b82ef33-26a7-43c6-bea9-ada2dea30aa6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: myemiratespost.click", "pattern": "[domain-name:value = 'myemiratespost.click']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], 
"external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--25fa1756-02f8-46d1-aeef-9e4bcf0fab99", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: mziyytm5ytk.ahroar.com", "pattern": "[domain-name:value = 'mziyytm5ytk.ahroar.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cb547a40-1157-4a2d-9d31-13799bb27f10", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: newso.com", "pattern": "[domain-name:value = 'newso.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LongNosedGoblin tries to sniff out governmental affairs in S", "url": "https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9fd284ff-b16e-4b8a-b221-cdfa51250770", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: ngy2yjq0otlj.ahroar.com", "pattern": "[domain-name:value = 'ngy2yjq0otlj.ahroar.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through 
iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7d87129a-f824-41d7-88d6-8a08ae7a563d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: njb.551.mytemp.website", "pattern": "[domain-name:value = 'njb.551.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c0ddfb8b-671c-49f9-857c-4fa60fb56f1b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: nmu8n.com", "pattern": "[domain-name:value = 'nmu8n.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e2887cfb-b1d9-43b9-99c8-780db1e8ba02", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: ntm0mdkzymy3n.oukwww.com", "pattern": "[domain-name:value = 'ntm0mdkzymy3n.oukwww.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", 
"x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c47be6bd-3cff-4a86-a47b-a37d8d3f1bd5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: nxj.e57.mytemp.website", "pattern": "[domain-name:value = 'nxj.e57.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--208767c5-750b-4d89-8179-e026058b8dd4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: nziwytu5n.lahuafa.com", "pattern": "[domain-name:value = 'nziwytu5n.lahuafa.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--27cd1333-7d0e-4982-b8c7-b3263f725a4e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: odm0.siyangoil.com", "pattern": "[domain-name:value = 'odm0.siyangoil.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--b0c7a7d6-5b4e-41e7-9703-27a2642a1f6d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: onedrivedownload.zoholandingpage.com", "pattern": "[domain-name:value = 'onedrivedownload.zoholandingpage.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The n8n n8mare: How threat actors are misusing AI workflow a", "url": "https://blog.talosintelligence.com/the-n8n-n8mare/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54655256-8879-419a-9813-109c3e1dfc92", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: outlook.outlook.saudidigtalbank.com", "pattern": "[domain-name:value = 'outlook.outlook.saudidigtalbank.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--adcce2fc-400b-4bb0-9095-c3c0b0c77a07", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: packages.npm.org", "pattern": "[domain-name:value = 'packages.npm.org']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1b26ceca-a9a7-437b-b2bb-32c14f4b75e0", "created": "2026-04-30T20:25:54Z", "modified": 
"2026-04-30T20:25:54Z", "name": "DOMAIN: pagepoinnc.app.n8n.cloud", "pattern": "[domain-name:value = 'pagepoinnc.app.n8n.cloud']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The n8n n8mare: How threat actors are misusing AI workflow a", "url": "https://blog.talosintelligence.com/the-n8n-n8mare/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--31f68707-7673-4c64-98bc-01f060f81484", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: plug-tab-protective-relay.trycloudflare.com", "pattern": "[domain-name:value = 'plug-tab-protective-relay.trycloudflare.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ae3d5f52-9882-4362-8137-d2eddb4db04f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: pnd.86c.mytemp.website", "pattern": "[domain-name:value = 'pnd.86c.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e7511c8d-2776-43dd-96bc-4fe3058b297d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: policy-my.com", "pattern": "[domain-name:value = 
'policy-my.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LongNosedGoblin tries to sniff out governmental affairs in S", "url": "https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a4c7d23f-2eb4-4fef-9918-3166bca2bc09", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: portal.0111etisalat.com", "pattern": "[domain-name:value = 'portal.0111etisalat.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f876cc1f-8f34-47aa-8949-4b549bccedf9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: portal.sapb-aramco.com", "pattern": "[domain-name:value = 'portal.sapb-aramco.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--457d7a93-a497-4a63-8e42-5dc1ec9a86e7", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: pro.iranpanel.life", "pattern": "[domain-name:value = 'pro.iranpanel.life']", "pattern_type": "stix", "valid_from": 
"2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3dc298e1-01e1-4bf7-80b7-0db4ace4b0e0", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: progamevl.ru", "pattern": "[domain-name:value = 'progamevl.ru']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "DynoWiper update: Technical analysis and attribution", "url": "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--545d6b62-e15a-4bb4-95b0-d4b5d2a3d0fa", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: prop.py", "description": "Reviewer caveat: prop.py looks like a Python file name captured as a domain by automated extraction rather than a hostname. Confirm against the referenced report before using it as a network indicator.", "pattern": "[domain-name:value = 'prop.py']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ae721c48-499a-4ce2-92c1-87f1eab78464", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: proton.me", "description": "Reviewer caveat: proton.me is the domain of a widely used legitimate mail and privacy service. The domain alone does not indicate compromise; confirm what the referenced report actually lists before alerting or blocking on it.", "pattern": "[domain-name:value = 'proton.me']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The npm Threat Landscape: Attack Surface and Mitigations", "url": 
"https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--60f87367-8bb8-43a0-a1ae-e47f834ca69e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: recovery.cover.www.microsoft.com.irancell.courses", "pattern": "[domain-name:value = 'recovery.cover.www.microsoft.com.irancell.courses']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--42a8b525-299d-4acf-bb7c-7073deb832a1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: redalert.apk", "pattern": "[domain-name:value = 'redalert.apk']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b31154d5-bbdd-4b01-8b53-58dc3ef1e9b8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: requestrepo.com", "pattern": "[domain-name:value = 'requestrepo.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Di", "url": "https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html" } ], "x_severity": 
"crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5908f8c3-3e1b-4b82-9b5e-a97e60851b80", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: robinhood.com", "description": "Reviewer caveat: robinhood.com is the primary domain of a legitimate brokerage service, presumably named in the referenced bulletin as an impersonated or abused brand. Confirm against the source before alerting or blocking on it.", "pattern": "[domain-name:value = 'robinhood.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K ", "url": "https://thehackernews.com/2026/04/threatsday-bulletin-sms-blaster-busts.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--50ffc911-bfa7-4f84-9762-778fef0cafc1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: roldco.com", "pattern": "[domain-name:value = 'roldco.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--47b23b43-ccb4-4104-a633-3bb0907a2329", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: s0u.210.mytemp.website", "pattern": "[domain-name:value = 's0u.210.mytemp.website']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--65230cfe-341c-427c-98e8-ef6f099c64ff", 
"created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: saudi-bill-pay.com", "pattern": "[domain-name:value = 'saudi-bill-pay.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3432a3af-feb8-470d-8ee0-c9bf03d5f53d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: saudidigtalbank.com", "pattern": "[domain-name:value = 'saudidigtalbank.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b7a29b0c-795d-47d2-8c0f-c97736f4769f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: scan.aquasecurtiy.org", "pattern": "[domain-name:value = 'scan.aquasecurtiy.org']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--898fc3df-4230-44ad-ac89-a17fc1b24156", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: secretemirates.com", "pattern": "[domain-name:value = 
'secretemirates.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9cce6af7-24aa-4e66-b611-19aee67dec66", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: server.com", "pattern": "[domain-name:value = 'server.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LongNosedGoblin tries to sniff out governmental affairs in S", "url": "https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2b5dec25-cce1-496b-8e00-219c55889929", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: sffifdsfsransupasdports.cyou", "pattern": "[domain-name:value = 'sffifdsfsransupasdports.cyou']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--89989da0-5f61-42d3-8079-77fe58bf86b6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: sfrclak.com", "pattern": "[domain-name:value = 'sfrclak.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ 
"malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--14e780ab-97fd-4cea-815c-a424935ea37f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: souls-entire-defined-routes.trycloudflare.com", "pattern": "[domain-name:value = 'souls-entire-defined-routes.trycloudflare.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4dfd816c-b468-41cf-9d83-23b22565d233", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: srv2.filehost37.sbs", "pattern": "[domain-name:value = 'srv2.filehost37.sbs']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--be1e9c71-0849-4531-b4d0-242fe3ac993a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: stardebug.app", "pattern": "[domain-name:value = 'stardebug.app']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "PhantomCore Exploits TrueConf 
Vulnerabilities to Breach Russ", "url": "https://thehackernews.com/2026/04/phantomcore-exploits-trueconf.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1d76d5a5-8246-4a41-bb1f-dd33551e2125", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: store.appleid-apple.com-confirmation.verif.emiratesbankgroup.info", "pattern": "[domain-name:value = 'store.appleid-apple.com-confirmation.verif.emiratesbankgroup.info']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--02f8f8a0-1ede-4a36-b27f-a420a12928f3", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: stub.com", "pattern": "[domain-name:value = 'stub.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LongNosedGoblin tries to sniff out governmental affairs in S", "url": "https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--36b82124-589e-41e9-bc8d-0cf5eb97528a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: sudsmama.com", "pattern": "[domain-name:value = 'sudsmama.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", 
"url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8f6d48c2-25e4-4f68-b18c-b4659e1cd3e5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: superset.0111etisalat.com", "pattern": "[domain-name:value = 'superset.0111etisalat.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--824df751-580a-4f83-9f05-d4b73b850e07", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: sxsfcc.com", "pattern": "[domain-name:value = 'sxsfcc.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9056fbab-9ff5-4322-a6d9-689b9329f013", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io", "pattern": "[domain-name:value = 'tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": 
"crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5f91b7b6-1074-4cfd-9793-d0d84c987f0e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: tehran.t2.drproxy.pro", "pattern": "[domain-name:value = 'tehran.t2.drproxy.pro']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1e5698b3-38a3-45de-ac7b-3d78c5326d98", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: telemetry.api-monitor.com", "pattern": "[domain-name:value = 'telemetry.api-monitor.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Self-Propagating Supply Chain Worm Hijacks npm Packages to S", "url": "https://thehackernews.com/2026/04/self-propagating-supply-chain-worm.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3d23ef16-02c2-4fed-9a7a-45edd272e6eb", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: test.dsc.wcsset.com", "pattern": "[domain-name:value = 'test.dsc.wcsset.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "PlushDaemon compromises network devices for adversary-in-the", "url": "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--19995f32-d73d-43e2-afb1-ba37e555195e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: the-dubai-lifestyleapp.cryptocurrencies-offers.com", "pattern": "[domain-name:value = 'the-dubai-lifestyleapp.cryptocurrencies-offers.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--02510e15-801f-42d7-bb65-a3be791b7ca4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: the1password.com", "pattern": "[domain-name:value = 'the1password.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "How password managers can be hacked \u2013 and how to stay safe", "url": "https://www.welivesecurity.com/en/cybersecurity/password-managers-under-attack-what-you-should-know/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9f06b91e-0877-4184-bd17-56386a8b050a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: tinyurl.com", "description": "Reviewer caveat: tinyurl.com is a general-purpose URL-shortening service. The domain alone does not indicate compromise; match on the specific shortened URL given in the referenced report rather than on the whole domain.", "pattern": "[domain-name:value = 'tinyurl.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--39835648-9006-407c-b9f3-59ef4bb63f15", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: top1hbt.arm", "pattern": "[domain-name:value = 'top1hbt.arm']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b7123971-514e-4f2b-8f74-6306db176313", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: top1hbt.mips", "pattern": "[domain-name:value = 'top1hbt.mips']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5f5610ab-3f42-4b77-b928-c7052f361b82", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: top1hbt.mpsl", "pattern": "[domain-name:value = 'top1hbt.mpsl']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9bcb22e7-5152-4453-9144-70db802368e1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: tpcp.tar.gz", "pattern": "[domain-name:value = 
'tpcp.tar.gz']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a2c10d2d-c329-4cc7-97cb-d9a256ddd3b0", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: traz.top", "pattern": "[domain-name:value = 'traz.top']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6730d9f9-fc75-4519-bd13-ff295b9a3e94", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: trdfiransupport.cyou", "pattern": "[domain-name:value = 'trdfiransupport.cyou']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--17798f8a-7232-4558-8015-8eb7ceb6830b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: trumpvsirancoin.xyz", "pattern": "[domain-name:value = 'trumpvsirancoin.xyz']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": 
"Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dbfab292-e844-4e80-9215-ad4a660c663c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: tti.app.n8n.cloud", "pattern": "[domain-name:value = 'tti.app.n8n.cloud']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The n8n n8mare: How threat actors are misusing AI workflow a", "url": "https://blog.talosintelligence.com/the-n8n-n8mare/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2a81371a-c73e-46ca-a607-ecfba8e315bc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: ubiquitarianism.drilto.com", "pattern": "[domain-name:value = 'ubiquitarianism.drilto.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Email threat landscape: Q1 2026 trends and insights", "url": "https://www.microsoft.com/en-us/security/blog/2026/04/30/email-threat-landscape-q1-2026-trends-and-insights/" } ], "x_severity": "crit", "x_sources": [ "Microsoft Security Blog" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4ddc983b-6cf2-4d3b-a1b8-b7d2b3ab0b90", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: us-docker.pkg.dev", "pattern": "[domain-name:value = 'us-docker.pkg.dev']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Double Agents: Exposing Security Blind Spots in GCP Vertex A", "url": 
"https://unit42.paloaltonetworks.com/double-agents-vertex-ai/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--289e706e-ae15-4809-84ac-8add5427493f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: vnc.kcii2.com", "pattern": "[domain-name:value = 'vnc.kcii2.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b4b44894-4758-44e4-8c7a-1f525db9914f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: wcsset.com", "pattern": "[domain-name:value = 'wcsset.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "PlushDaemon compromises network devices for adversary-in-the", "url": "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fb9b50bc-d2ae-45ae-9588-5be0bb1e9218", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: www.emirates-post.ae-payapp.com", "pattern": "[domain-name:value = 'www.emirates-post.ae-payapp.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": 
"crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--43162c2a-5288-4d4e-acdb-049695885ee1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: www.forever-iran.net", "pattern": "[domain-name:value = 'www.forever-iran.net']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--49983a0f-c273-4368-a337-842e1213ba6a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: www.gxzhrc.cn", "pattern": "[domain-name:value = 'www.gxzhrc.cn']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1030adfa-55a6-415f-9437-bf4dd61dcd5f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: www.hyperfilevault2.mom", "pattern": "[domain-name:value = 'www.hyperfilevault2.mom']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--8dbbdaab-1db6-4e00-bbc5-595cc21024bf", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: www.iran2026.org", "pattern": "[domain-name:value = 'www.iran2026.org']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--de06b898-a761-493a-8689-0597a35c916d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: www.portal.0111etisalat.com", "pattern": "[domain-name:value = 'www.portal.0111etisalat.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8e7f5f98-b78b-402a-9ad7-99a20146e6f5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: www.shirideitch.com", "pattern": "[domain-name:value = 'www.shirideitch.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--61441330-5f6d-4d05-ab78-4d33570eb152", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: 
www.superset.0111etisalat.com", "pattern": "[domain-name:value = 'www.superset.0111etisalat.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3b17552d-149d-468a-82b3-0db558534642", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: xz.apps-store.im", "pattern": "[domain-name:value = 'xz.apps-store.im']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2104244e-f1c3-4f30-8485-4beb03034791", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: yjzhengruol.com", "pattern": "[domain-name:value = 'yjzhengruol.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--78917bb2-e18f-4911-83ac-5f1cc25f04f7", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: yoshi.0111etisalat.com", "pattern": "[domain-name:value = 'yoshi.0111etisalat.com']", "pattern_type": "stix", "valid_from": 
"2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Escalation of Cyber Risk Related to Iran (Upda", "url": "https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1056e274-628c-48b1-ae3b-67a6898758f1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: zdrhnmjjndu.ulbcl.com", "pattern": "[domain-name:value = 'zdrhnmjjndu.ulbcl.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0a9d9ec2-536c-46eb-a095-30bb3bbafd2b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: zmx6f.com", "pattern": "[domain-name:value = 'zmx6f.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dbfbaf78-8ff1-4add-b3e9-ac09d50406c1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 101.99.88.113", "pattern": "[ipv4-addr:value = '101.99.88.113']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LongNosedGoblin tries to sniff out governmental affairs in 
S", "url": "https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0529ef9b-71b0-44b0-bd2f-6081366ed7f0", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 101.99.88.188", "pattern": "[ipv4-addr:value = '101.99.88.188']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LongNosedGoblin tries to sniff out governmental affairs in S", "url": "https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e921a2e8-10be-49c8-9dbb-83d293660899", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 103.116.72.119", "pattern": "[ipv4-addr:value = '103.116.72.119']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Di", "url": "https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--91df3b6d-7545-442f-bfd9-cef692f3c11b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 103.159.132.30", "pattern": "[ipv4-addr:value = '103.159.132.30']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LongNosedGoblin tries to sniff out governmental affairs in S", "url": 
"https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a746eb4a-d392-483e-ae76-2902f4f61c48", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 104.21.91.170", "pattern": "[ipv4-addr:value = '104.21.91.170']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "New NGate variant hides in a trojanized NFC payment app", "url": "https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--84358920-e8cd-470b-b1c6-d87d4379c9fd", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 104.238.149.198", "pattern": "[ipv4-addr:value = '104.238.149.198']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Understanding Current Threats to Kubernetes Environments", "url": "https://unit42.paloaltonetworks.com/modern-kubernetes-threats/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ed9137a1-dc7e-4198-9e55-d2fff51e7a60", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 108.165.230.223", "pattern": "[ipv4-addr:value = '108.165.230.223']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "New NGate variant hides in a trojanized NFC payment app", "url": 
"https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--68a83a14-24b1-4d4f-adf2-f948e82a3d7f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 108.187.37.85", "pattern": "[ipv4-addr:value = '108.187.37.85']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--506493c1-71f5-40cc-a271-047a9feff832", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 108.187.41.221", "pattern": "[ipv4-addr:value = '108.187.41.221']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--82330c4e-29bc-453c-9691-f9a375c5f949", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 108.187.42.63", "pattern": "[ipv4-addr:value = '108.187.42.63']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--afdb3c84-c80b-4208-be19-06dc60a61f73", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 118.107.234.26", "pattern": "[ipv4-addr:value = '118.107.234.26']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LongNosedGoblin tries to sniff out governmental affairs in S", "url": "https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6355bd7d-2896-4c60-aa43-813653030798", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 118.107.234.29", "pattern": "[ipv4-addr:value = '118.107.234.29']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LongNosedGoblin tries to sniff out governmental affairs in S", "url": "https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fe2241c2-6b39-497b-8672-5d4a83682ede", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 135.125.255.55", "pattern": "[ipv4-addr:value = '135.125.255.55']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "EtherRAT Distribution Spoofing Administrative Tools via GitH", "url": "https://thehackernews.com/2026/04/etherrat-distribution-spoofing.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--e2d22586-4e59-4db5-965e-349c410d351c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 139.180.128.251", "pattern": "[ipv4-addr:value = '139.180.128.251']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fa42bdb3-50d6-470b-8341-c27c37093103", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 139.180.139.209", "pattern": "[ipv4-addr:value = '139.180.139.209']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--62c03df1-38b5-4db4-8174-4626d556e846", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 142.11.206.73", "pattern": "[ipv4-addr:value = '142.11.206.73']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--976e56e9-ea2e-467c-bc4e-afe4cc0fe7c1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 154.82.81.192", "pattern": 
"[ipv4-addr:value = '154.82.81.192']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a760459a-92f7-424d-9e75-43e821e763c6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 154.82.81.205", "pattern": "[ipv4-addr:value = '154.82.81.205']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c7644199-5e3d-4726-bf99-a5593ef088a2", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 158.247.193.100", "pattern": "[ipv4-addr:value = '158.247.193.100']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Depl", "url": "https://thehackernews.com/2026/04/tropic-trooper-uses-trojanized.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2636ab03-087b-41a7-97cd-b066fa51e317", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 192.163.167.14", "pattern": "[ipv4-addr:value = '192.163.167.14']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { 
"source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3535b1c1-b6a7-4718-b280-a9b5f417c33f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 192.229.115.229", "pattern": "[ipv4-addr:value = '192.229.115.229']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c5a45003-85df-4ac1-85a2-73bff5cfd942", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 192.238.205.47", "pattern": "[ipv4-addr:value = '192.238.205.47']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a3835b89-4f18-478c-9bc5-6293f3e492dc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 195.5.171.242", "pattern": "[ipv4-addr:value = '195.5.171.242']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], 
"x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2961c076-5485-488b-b78c-59c5411c9af5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 207.56.119.216", "pattern": "[ipv4-addr:value = '207.56.119.216']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--087c37d6-1b20-4b70-8fa6-bdc56c94497c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 207.56.138.28", "pattern": "[ipv4-addr:value = '207.56.138.28']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--36946463-22b9-4930-93ef-a5c7549d6561", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 209.34.235.18", "pattern": "[ipv4-addr:value = '209.34.235.18']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--333411ba-d56d-43b0-9f71-c5ad79b649c3", 
"created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 212.71.124.188", "pattern": "[ipv4-addr:value = '212.71.124.188']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4904a49a-0dd3-4284-95c2-bf8ae4cc201e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 216.126.237.71", "pattern": "[ipv4-addr:value = '216.126.237.71']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake ", "url": "https://thehackernews.com/2026/04/new-wave-of-dprk-attacks-uses-ai.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--922cbeab-9242-4a47-8bfb-6d684aa64064", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 23.142.184.129", "pattern": "[ipv4-addr:value = '23.142.184.129']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--76cfe42a-69c8-4ed2-8c53-7cdf214a474c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 23.235.188.3", "pattern": "[ipv4-addr:value = '23.235.188.3']", "pattern_type": 
"stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Understanding Current Threats to Kubernetes Environments", "url": "https://unit42.paloaltonetworks.com/modern-kubernetes-threats/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--34ed400b-b026-49c5-95db-2f1395356f98", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 24.152.36.241", "pattern": "[ipv4-addr:value = '24.152.36.241']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Brazilian LofyGang Resurfaces After Three Years With Minecra", "url": "https://thehackernews.com/2026/04/brazilian-lofygang-resurfaces-after.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d82f5043-d37f-499c-9306-48303e7002d9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 31.172.71.5", "pattern": "[ipv4-addr:value = '31.172.71.5']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "DynoWiper update: Technical analysis and attribution", "url": "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d0361133-648f-42b6-9307-d07f9c87685e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 38.54.17.131", "pattern": "[ipv4-addr:value = '38.54.17.131']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LongNosedGoblin tries to sniff out governmental 
affairs in S", "url": "https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a77f7848-cbc5-409e-8cca-7bcbd18e5b92", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 45.118.133.203", "pattern": "[ipv4-addr:value = '45.118.133.203']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d4b7f2ba-3c1d-4154-8788-cc7a13156183", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 45.148.10.212", "pattern": "[ipv4-addr:value = '45.148.10.212']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8fcd6fb1-da8b-4190-871a-4f128cd417f4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 45.192.219.60", "pattern": "[ipv4-addr:value = '45.192.219.60']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", 
"x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--eaf6d92b-059c-4fc4-afb0-9d231ba6383f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 45.32.108.178", "pattern": "[ipv4-addr:value = '45.32.108.178']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a4db29b2-768c-4a57-a61c-1dd348e101fc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 45.76.155.14", "pattern": "[ipv4-addr:value = '45.76.155.14']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Understanding Current Threats to Kubernetes Environments", "url": "https://unit42.paloaltonetworks.com/modern-kubernetes-threats/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--19284c7f-1fda-4d7f-8800-19e5db80dd60", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 47.242.198.250", "pattern": "[ipv4-addr:value = '47.242.198.250']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "PlushDaemon compromises network devices for adversary-in-the", "url": "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--23ff6081-8d03-4c46-8ef0-16fc52c0f1aa", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 51.38.137.113", "pattern": "[ipv4-addr:value = '51.38.137.113']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f5fd061a-23a9-407c-b422-b69101e16715", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 57.133.212.106", "pattern": "[ipv4-addr:value = '57.133.212.106']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5371438b-3d38-4a48-b30e-b58e61e99084", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 63.251.162.11", "pattern": "[ipv4-addr:value = '63.251.162.11']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--960ae6fb-0219-47e6-a8fe-6985e108f166", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 65.111.25.67", "pattern": 
"[ipv4-addr:value = '65.111.25.67']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hou", "url": "https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b66b8357-b53a-44d6-809e-2f96ed002c79", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 65.111.27.132", "pattern": "[ipv4-addr:value = '65.111.27.132']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hou", "url": "https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html" } ], "x_severity": "crit", "x_sources": [ "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7dfc8be5-19a1-441d-ae86-6b59fa263f68", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 8.212.132.120", "pattern": "[ipv4-addr:value = '8.212.132.120']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "PlushDaemon compromises network devices for adversary-in-the", "url": "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--00103a27-66e3-4a8d-bae5-cbc4bb1eaaf8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 83.142.209.11", "pattern": "[ipv4-addr:value = '83.142.209.11']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ 
"malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b6bc7bc5-3d78-4164-8337-39a3ca55fea8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 83.142.209.203", "pattern": "[ipv4-addr:value = '83.142.209.203']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bc214126-2868-41ea-9d58-848c7a91067e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 91.195.240.123", "pattern": "[ipv4-addr:value = '91.195.240.123']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The npm Threat Landscape: Attack Surface and Mitigations", "url": "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/" }, { "source_name": "Malicious KICS Docker Images and VS Code Extensions Hit Chec", "url": "https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)", "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d773f30-6446-485f-a7bc-f1875bf63d4a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 94.154.172.43", "pattern": "[ipv4-addr:value = '94.154.172.43']", "pattern_type": "stix", "valid_from": 
"2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The npm Threat Landscape: Attack Surface and Mitigations", "url": "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/" }, { "source_name": "Malicious KICS Docker Images and VS Code Extensions Hit Chec", "url": "https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)", "The Hacker News" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6c667c8e-b122-40d1-bffc-4bf0a7439166", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 039E93B98EF5E329F8666A424237AE73", "pattern": "[file:hashes.MD5 = '039E93B98EF5E329F8666A424237AE73']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--98b261e5-da00-4bb7-8ebc-078ef9e06fb5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 04194f8ddd0518fd8005f0e87ae96335", "pattern": "[file:hashes.MD5 = '04194f8ddd0518fd8005f0e87ae96335']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6854536d-d87a-4130-8b06-32eac72091ef", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 
043e457726f1bbb6046cb0c9869dbd7d", "pattern": "[file:hashes.MD5 = '043e457726f1bbb6046cb0c9869dbd7d']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0c1fbbf8-c438-47b4-ac05-d5da8bf19820", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 0565364633b5acdd24a498a6a9ab4eca", "pattern": "[file:hashes.MD5 = '0565364633b5acdd24a498a6a9ab4eca']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--23192573-e3f0-49bf-90b0-37f1803329b6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 06130DC648621E93ACB9EFB9FABB9651", "pattern": "[file:hashes.MD5 = '06130DC648621E93ACB9EFB9FABB9651']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cade2aac-2684-4c34-8586-fe0ef26284a5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 075b4aa105e728f2b659723e3f36c72c", "pattern": 
"[file:hashes.MD5 = '075b4aa105e728f2b659723e3f36c72c']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cf0b80e5-e3e0-4b41-a421-e68f36e4e8bc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 0B9B420E3EDD2ADE5EDC44F60CA745A2", "pattern": "[file:hashes.MD5 = '0B9B420E3EDD2ADE5EDC44F60CA745A2']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1cb24bfd-12f3-498e-8c23-39969cb80fde", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 0C3B60FFC4EA9CCCE744BFA03B1A3556", "pattern": "[file:hashes.MD5 = '0C3B60FFC4EA9CCCE744BFA03B1A3556']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0d105ff3-e316-4680-85ac-f7a2ef177189", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 0ff6abe0252d4f37a196a1231fae5f26", "pattern": 
"[file:hashes.MD5 = '0ff6abe0252d4f37a196a1231fae5f26']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3edb332a-b7bd-4fa5-8dc3-fc29949ba09e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 1020497BEF56F4181AEFB7A0A9873FB4", "pattern": "[file:hashes.MD5 = '1020497BEF56F4181AEFB7A0A9873FB4']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4b9b3dae-fffe-4602-bb3a-8a92920375ae", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 114721fbc23ff9d188535bd736a0d30e", "pattern": "[file:hashes.MD5 = '114721fbc23ff9d188535bd736a0d30e']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5837cc1f-f532-424e-96ac-14c176be6cd5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 11705121f64fa36f1e9d7e59867b0724", "pattern": 
"[file:hashes.MD5 = '11705121f64fa36f1e9d7e59867b0724']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a1a8423a-2e37-4c2f-92dc-5bf114e3f4e7", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 13669b8f2bd0af53a3fe9ac0490499e5", "pattern": "[file:hashes.MD5 = '13669b8f2bd0af53a3fe9ac0490499e5']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c5663755-a57d-42e0-891a-77dc02b58d4b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 19733e0dfa804e3676f97eff90f2e467", "pattern": "[file:hashes.MD5 = '19733e0dfa804e3676f97eff90f2e467']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--35d4ef9a-c7d0-4d54-8eab-136edde3265b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 1AA72CD19E37570E14D898DFF3F2E380", "pattern": "[file:hashes.MD5 = '1AA72CD19E37570E14D898DFF3F2E380']", 
"pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1ee848fe-c5de-426d-8a0e-7f47d102ffcf", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 1D1F71936DB05F67765F442FEB95F3FD", "pattern": "[file:hashes.MD5 = '1D1F71936DB05F67765F442FEB95F3FD']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b3bb8542-33b5-4b7e-b804-bf08a0375a8d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 1d2f32c57ae2f2013f513d342925e972", "pattern": "[file:hashes.MD5 = '1d2f32c57ae2f2013f513d342925e972']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c8bff35e-e37e-4ed5-9fe8-53da7fac1326", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 202A5BCB87C34993318CFA3FA0C7ECB0", "pattern": "[file:hashes.MD5 = '202A5BCB87C34993318CFA3FA0C7ECB0']", 
"pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--82a9c655-6217-4643-9a1c-9841225abb16", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 2375193669e243e830ef5794226352e7", "pattern": "[file:hashes.MD5 = '2375193669e243e830ef5794226352e7']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1a92a20d-d957-4706-ad8d-061a640aa967", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 2717b58246237b35d44ef2e49712d3a2", "pattern": "[file:hashes.MD5 = '2717b58246237b35d44ef2e49712d3a2']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ebd8bc43-cefb-4353-ac44-32b8fb8c53b2", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 2740a703859cbd8b43425d4a2cacb5ec", "pattern": "[file:hashes.MD5 = '2740a703859cbd8b43425d4a2cacb5ec']", 
"pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588753bd-130c-4e00-89c1-886968eb4cf9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 27A3C439308F5C4956D77E23E1AAD1A9", "pattern": "[file:hashes.MD5 = '27A3C439308F5C4956D77E23E1AAD1A9']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bccb3bbf-7cb0-4324-b0f1-6d15e24354cf", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 2915b3f8b703eb744fc54c81f4a9c67f", "pattern": "[file:hashes.MD5 = '2915b3f8b703eb744fc54c81f4a9c67f']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Great responsibility, without great power", "url": "https://blog.talosintelligence.com/great-responsibility-without-great-power/" }, { "source_name": "It pays to be a forever student", "url": "https://blog.talosintelligence.com/it-pays-to-be-a-forever-student/" }, { "source_name": "The Q1 vulnerability pulse", "url": "https://blog.talosintelligence.com/the-q1-vulnerability-pulse/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--6097fa2e-ce8b-490b-ba05-2f58d4855c05", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 2b92e125184469a0c3740abcaa10350c", "pattern": "[file:hashes.MD5 = '2b92e125184469a0c3740abcaa10350c']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0bc47cfc-50c2-4fc2-a5b6-29e669800d7a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 2c5a1dd4cb53287fe0ed14e0b7b7b1b7", "pattern": "[file:hashes.MD5 = '2c5a1dd4cb53287fe0ed14e0b7b7b1b7']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3d8694b4-2861-4e5b-ad2b-ba94975dc572", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 31d25ddf2697b9e13ee883fff328b22f", "pattern": "[file:hashes.MD5 = '31d25ddf2697b9e13ee883fff328b22f']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4ac7c40b-86a6-4152-9f57-294e78e57201", "created": 
"2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 32407207e9e9a0948d167dca96c41d1a", "pattern": "[file:hashes.MD5 = '32407207e9e9a0948d167dca96c41d1a']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--94f9be2b-73f7-4f47-94e0-552fea366eda", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 3279307508F3E5FB3A2420DEC645F583", "pattern": "[file:hashes.MD5 = '3279307508F3E5FB3A2420DEC645F583']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--162c1747-3183-4da3-8e94-295e62ba7914", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 3417B9CF7ACB22FAE9E24603D4DE1194", "pattern": "[file:hashes.MD5 = '3417B9CF7ACB22FAE9E24603D4DE1194']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--17cf01cb-6aa9-4f87-bd99-b98991a772c4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", 
"name": "MD5: 3C6AEC25EBB2D51E1F16C2EEF181C82A", "pattern": "[file:hashes.MD5 = '3C6AEC25EBB2D51E1F16C2EEF181C82A']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8086fc26-902b-4dfe-bd55-a953b0dc364f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 410eddfc19de44249897986ecc8ac449", "pattern": "[file:hashes.MD5 = '410eddfc19de44249897986ecc8ac449']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e1387122-2075-4b1d-a267-c539f2ee4ad4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 4126348d783393dd85ede3468e48405d", "pattern": "[file:hashes.MD5 = '4126348d783393dd85ede3468e48405d']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6af82bf4-5c6c-46d7-b348-cde99bf55d9e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", 
"name": "MD5: 41444d7018601b599beac0c60ed1bf83", "pattern": "[file:hashes.MD5 = '41444d7018601b599beac0c60ed1bf83']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Great responsibility, without great power", "url": "https://blog.talosintelligence.com/great-responsibility-without-great-power/" }, { "source_name": "The Q1 vulnerability pulse", "url": "https://blog.talosintelligence.com/the-q1-vulnerability-pulse/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--10f33223-a3b8-4c3f-a3a9-2307f4654490", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 417ae7f384c49de8c672aec86d5a2860", "pattern": "[file:hashes.MD5 = '417ae7f384c49de8c672aec86d5a2860']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4663cfd0-6fba-4ff9-a30f-9be1f82ee476", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 44299A368000AE1EE9E9E584377B8757", "pattern": "[file:hashes.MD5 = '44299A368000AE1EE9E9E584377B8757']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4218004f-b106-4b36-9591-b00a07ea5727", "created": 
"2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 49a8934ccd34e2aaae6ea1e6a6313ffe", "pattern": "[file:hashes.MD5 = '49a8934ccd34e2aaae6ea1e6a6313ffe']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--525df98c-646e-471b-a240-d7d8cf70a8d8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 4a5195a38a458cdd2c1b5ab13af3b393", "pattern": "[file:hashes.MD5 = '4a5195a38a458cdd2c1b5ab13af3b393']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4247583e-223a-4cc1-badb-c438b1f8a6f2", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 4d343515f4c87b9a2ffd2f46665d2d57", "pattern": "[file:hashes.MD5 = '4d343515f4c87b9a2ffd2f46665d2d57']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--97a3953a-ea69-4210-9d51-1c2af5845f68", "created": 
"2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 4FC5EC1DE89CE3FCDD3E70DB4A9C39D1", "pattern": "[file:hashes.MD5 = '4FC5EC1DE89CE3FCDD3E70DB4A9C39D1']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--35698ed1-1872-410a-9f7c-5c3575e699b6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 4FC8C78516A8C2130286429686E200ED", "pattern": "[file:hashes.MD5 = '4FC8C78516A8C2130286429686E200ED']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9fc1b78a-8701-486d-ad47-51222dbcd2c4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 5390E8BF7131CAAAA98A5DD63E27B2BC", "pattern": "[file:hashes.MD5 = '5390E8BF7131CAAAA98A5DD63E27B2BC']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--52187bd9-f396-447e-9524-028c7a9962ed", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", 
"name": "MD5: 53B68CA8D7A54C15700CF9500AE4A4E2", "pattern": "[file:hashes.MD5 = '53B68CA8D7A54C15700CF9500AE4A4E2']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4afef471-e30e-4f4a-84bc-521b0936e1ac", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 5b998a5bc5ad1c550564294034d4a62c", "pattern": "[file:hashes.MD5 = '5b998a5bc5ad1c550564294034d4a62c']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--063718be-5338-42b9-941e-4ef932066ffa", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 5bdae6cb778d002c806bb7ed130985f3", "pattern": "[file:hashes.MD5 = '5bdae6cb778d002c806bb7ed130985f3']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0695de88-2886-422f-acfa-497532e1eab5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 5ED84B2099E220D645934E1FD552AE3A", "pattern": 
"[file:hashes.MD5 = '5ED84B2099E220D645934E1FD552AE3A']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7e7f682e-c6d6-4e94-89de-abb10352d521", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 6495c409b59deb72cfcb2b2da983b3bb", "pattern": "[file:hashes.MD5 = '6495c409b59deb72cfcb2b2da983b3bb']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--67df6bf8-294a-4bd8-8e79-71ca53c8b6f3", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 6611E902945E97A1B27F322A50566D48", "pattern": "[file:hashes.MD5 = '6611E902945E97A1B27F322A50566D48']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c4d5d06c-fcdf-4e1f-aa31-afca21e8363f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 686989d97cf0d70346cbde2031207cbf", "pattern": "[file:hashes.MD5 = '686989d97cf0d70346cbde2031207cbf']", 
"pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--92da0d42-4004-400d-86b9-8b167dd4f5cd", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 6cf382d3a0eae57b8baaa263e4ed8d00", "pattern": "[file:hashes.MD5 = '6cf382d3a0eae57b8baaa263e4ed8d00']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6b83080f-a09d-4e73-a198-f8d6df7c8ec4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 70016DDBCB8543BDB06E0F8C509EE980", "pattern": "[file:hashes.MD5 = '70016DDBCB8543BDB06E0F8C509EE980']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7357f295-7a6c-4a94-b209-16e253813bc5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 70AE9CA2A285DA9005A8ACB32DD31ACE", "pattern": "[file:hashes.MD5 = '70AE9CA2A285DA9005A8ACB32DD31ACE']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", 
"labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7c1045ca-5b7e-48ed-a04e-0b528112de5f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 79CD56FC9ABF294B9BA8751E618EC642", "pattern": "[file:hashes.MD5 = '79CD56FC9ABF294B9BA8751E618EC642']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--799cbc50-6f7e-4c5e-bfac-96c237e18e63", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 79fe383f0963ae741193989c12aefacc", "pattern": "[file:hashes.MD5 = '79fe383f0963ae741193989c12aefacc']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fa509b18-4846-400b-9357-6c8cc6dccd7b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 7b4c61ff418f6fe80cf8adb474278311", "pattern": "[file:hashes.MD5 = '7b4c61ff418f6fe80cf8adb474278311']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { 
"source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--759d443b-affb-4e6e-bb15-65fd0ff70ef5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 7bdbd180c081fa63ca94f9c22c457376", "pattern": "[file:hashes.MD5 = '7bdbd180c081fa63ca94f9c22c457376']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Great responsibility, without great power", "url": "https://blog.talosintelligence.com/great-responsibility-without-great-power/" }, { "source_name": "The Q1 vulnerability pulse", "url": "https://blog.talosintelligence.com/the-q1-vulnerability-pulse/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--93a790b0-9a6a-4cec-9199-e07317ef7940", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 7e678ca2f01dc853e85d13924e6c8a45", "pattern": "[file:hashes.MD5 = '7e678ca2f01dc853e85d13924e6c8a45']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--198f7502-bc7d-4216-b770-1ad8029dee96", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 7F27818E4244310A645984CCC41EA818", "pattern": "[file:hashes.MD5 = '7F27818E4244310A645984CCC41EA818']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ 
"malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--60fecdfb-db7c-48b3-ab2e-16ffa81898fa", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 808c87015194c51d74356854dfb10d9e", "pattern": "[file:hashes.MD5 = '808c87015194c51d74356854dfb10d9e']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "JanelaRAT: a financial threat targeting users in Latin Ameri", "url": "https://securelist.com/janelarat-financial-threat-in-latin-america/119332/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8c96d8d8-fe9e-45d2-806d-5ad5095688ac", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 814032eec3bc31643f8faa4234d0e049", "pattern": "[file:hashes.MD5 = '814032eec3bc31643f8faa4234d0e049']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--19b44158-9695-47b4-ab17-ae7f2e571e8c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 84c81a5e49291fe60eb9f5c1e2ac184b", "pattern": "[file:hashes.MD5 = '84c81a5e49291fe60eb9f5c1e2ac184b']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { 
"source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cbca6ed0-fc42-4502-835b-7e1c9fd24f3b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 84E54C3602D8240ED905B07217C451CD", "pattern": "[file:hashes.MD5 = '84E54C3602D8240ED905B07217C451CD']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b478c27e-f3c0-45ba-8f48-fcaece5c8a63", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 891DE2FF486A1824F2DB01C1BDF1D2E9", "pattern": "[file:hashes.MD5 = '891DE2FF486A1824F2DB01C1BDF1D2E9']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1d63267e-eb55-410f-a062-e4811d8a91fd", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 8AC5BEE89436B29F9817E434507FEF55", "pattern": "[file:hashes.MD5 = '8AC5BEE89436B29F9817E434507FEF55']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to 
target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2398ee71-ae2f-4a92-8734-9228030f250d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 8cbd34393d1d54a90be3c2b53d8fc17a", "pattern": "[file:hashes.MD5 = '8cbd34393d1d54a90be3c2b53d8fc17a']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9a957d81-8687-4234-b793-ed78cd9b820e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 8d45a67b648d2cb46292ff5041a5dd44", "pattern": "[file:hashes.MD5 = '8d45a67b648d2cb46292ff5041a5dd44']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--01e29159-1129-43b1-a86c-47748404bfbd", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 8f51f82393c6467f9392fb9eb46f9301", "pattern": "[file:hashes.MD5 = '8f51f82393c6467f9392fb9eb46f9301']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": 
"https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6cb6acb0-afb2-4e6c-9053-997456b5600f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 8FC911CA37F9F451A213B967F016F1F8", "pattern": "[file:hashes.MD5 = '8FC911CA37F9F451A213B967F016F1F8']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f15cdeb1-bc9c-4afa-a913-de6e36468c0a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 90257aa1e7c9118055c09d4a978d4bee", "pattern": "[file:hashes.MD5 = '90257aa1e7c9118055c09d4a978d4bee']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d30ebf16-6265-4c1c-a995-26c81d35ef84", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 933F1CB8ED2CED5D0DD2877C5EA374E8", "pattern": "[file:hashes.MD5 = '933F1CB8ED2CED5D0DD2877C5EA374E8']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": 
"https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1f8a40dc-56af-4192-98e3-96c7321580cd", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 9bf9f635019494c4b70fb0a7c0fb53e4", "pattern": "[file:hashes.MD5 = '9bf9f635019494c4b70fb0a7c0fb53e4']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--63c2c943-70c5-47f1-8a98-c134b0279a08", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: A083C546DC66B0F2A5E0E2E68032F62C", "pattern": "[file:hashes.MD5 = 'A083C546DC66B0F2A5E0E2E68032F62C']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a5e2af5d-18c2-4b33-91bf-a33733a5468e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: A0D1223CA4327AA5F7674BDA8779323F", "pattern": "[file:hashes.MD5 = 'A0D1223CA4327AA5F7674BDA8779323F']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": 
"https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4351c030-45ba-4a1f-bc88-92668f337a0e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: A234850DFDFD7EE128F648F9750DD2C4", "pattern": "[file:hashes.MD5 = 'A234850DFDFD7EE128F648F9750DD2C4']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--be8ed5a5-95f9-437f-adbe-1f1bc80be274", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: a2cf85d22a54e26794cbc7be16840bb1", "pattern": "[file:hashes.MD5 = 'a2cf85d22a54e26794cbc7be16840bb1']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "It pays to be a forever student", "url": "https://blog.talosintelligence.com/it-pays-to-be-a-forever-student/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1e3ff807-4b5c-4830-a576-8aaa1d2a0ac1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: a543b96b0938de798dd4f683dd92a94a", "pattern": "[file:hashes.MD5 = 'a543b96b0938de798dd4f683dd92a94a']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", 
"x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fff8791e-4799-4341-a436-22002d15d530", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: A75713F0310E74FFD24D91E5731C4D31", "pattern": "[file:hashes.MD5 = 'A75713F0310E74FFD24D91E5731C4D31']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4268cc79-c9bd-4dd2-b1dc-4cd70c0f7004", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: aac3165ece2959f39ff98334618d10d9", "pattern": "[file:hashes.MD5 = 'aac3165ece2959f39ff98334618d10d9']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Great responsibility, without great power", "url": "https://blog.talosintelligence.com/great-responsibility-without-great-power/" }, { "source_name": "It pays to be a forever student", "url": "https://blog.talosintelligence.com/it-pays-to-be-a-forever-student/" }, { "source_name": "The Q1 vulnerability pulse", "url": "https://blog.talosintelligence.com/the-q1-vulnerability-pulse/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c9339d6d-735c-4546-9755-6c31de8bb79d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: AD39A5790B79178D02AC739099B8E1F4", "pattern": "[file:hashes.MD5 = 'AD39A5790B79178D02AC739099B8E1F4']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": 
"Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--90ca0841-5698-4d43-b64d-5942f491a688", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: af4461a149bfd2ba566f2abefe7dcde4", "pattern": "[file:hashes.MD5 = 'af4461a149bfd2ba566f2abefe7dcde4']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da8b4c1-2674-4a65-9902-91d5f3bf5418", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: B0E06925DB5416DFC90BABF46402CD6F", "pattern": "[file:hashes.MD5 = 'B0E06925DB5416DFC90BABF46402CD6F']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2bb07430-d29a-4b26-be51-58f5d7ba8645", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: B23D302B7F23453C98C11CA7B2E4616E", "pattern": "[file:hashes.MD5 = 'B23D302B7F23453C98C11CA7B2E4616E']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": 
"Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4631a190-8ab2-4963-907c-f9d1156c860a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: b500e0a8c87dffe6f20c6e067b51afbf", "pattern": "[file:hashes.MD5 = 'b500e0a8c87dffe6f20c6e067b51afbf']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--13e89ac0-0904-42f6-b37f-2ae7186b93fc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: B53E3CC11947E5645DFBB19934B69833", "pattern": "[file:hashes.MD5 = 'B53E3CC11947E5645DFBB19934B69833']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7cfadb6e-fab7-4b5d-8a8b-c02c05c12105", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: B5CA812843570DCF8E7F35CACAB36D4A", "pattern": "[file:hashes.MD5 = 'B5CA812843570DCF8E7F35CACAB36D4A']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", 
"url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9fb95ee5-87c3-4b5c-a74e-612309646697", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: b639f7f81a8faca9c62fd227fef5e28c", "pattern": "[file:hashes.MD5 = 'b639f7f81a8faca9c62fd227fef5e28c']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a443e565-5a49-4bf4-a54e-24d101ebf322", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: B6DF7C59756AB655CA752B8A1B20CFFA", "pattern": "[file:hashes.MD5 = 'B6DF7C59756AB655CA752B8A1B20CFFA']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--db698314-9ce0-45f9-965c-db24e9db2cc6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: bafba3d044a4f674fc9edc67ef6b8a6b", "pattern": "[file:hashes.MD5 = 'bafba3d044a4f674fc9edc67ef6b8a6b']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": 
"https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bbd8220b-3efc-4219-8c63-22391c5a7e21", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: be9e0d516f59ae57f5553bcc3cf296d1", "pattern": "[file:hashes.MD5 = 'be9e0d516f59ae57f5553bcc3cf296d1']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--32935758-2b7d-42e3-b1a9-03f5ba304fa3", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a", "pattern": "[file:hashes.MD5 = 'c2efb2dcacba6d3ccc175b6ce1b7ed0a']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Great responsibility, without great power", "url": "https://blog.talosintelligence.com/great-responsibility-without-great-power/" }, { "source_name": "It pays to be a forever student", "url": "https://blog.talosintelligence.com/it-pays-to-be-a-forever-student/" }, { "source_name": "The Q1 vulnerability pulse", "url": "https://blog.talosintelligence.com/the-q1-vulnerability-pulse/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--485eb0ee-bb93-4623-af35-b791c7929f14", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: c50c980d3f4b7ed970f083b0d37a6a6a", "pattern": "[file:hashes.MD5 = 'c50c980d3f4b7ed970f083b0d37a6a6a']", "pattern_type": "stix", "valid_from": 
"2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e7952e34-1bf8-4b11-b877-1bd4f55024f4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: CB3D86E3EC2736EE1C883706FCA172F8", "pattern": "[file:hashes.MD5 = 'CB3D86E3EC2736EE1C883706FCA172F8']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bfa354b9-66cc-46c6-9788-cbc84eb75658", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: cb66a4d52a30bfcd980fe50e7e3f73f0", "pattern": "[file:hashes.MD5 = 'cb66a4d52a30bfcd980fe50e7e3f73f0']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f2f89d-9a18-49b6-93dc-273611792fdd", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: cf859f164870d113608a843e4a9600ab", "pattern": "[file:hashes.MD5 = 'cf859f164870d113608a843e4a9600ab']", "pattern_type": "stix", "valid_from": 
"2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f819684f-1eeb-46c8-a094-b8bd1bbe377f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: d138a63436b4dd8c5a55d184e025ef99", "pattern": "[file:hashes.MD5 = 'd138a63436b4dd8c5a55d184e025ef99']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9e4a1119-9b4a-4ea8-9e8a-a21bfa941f43", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: d17caf6f5d6ba3393a3a865d1c43c3d2", "pattern": "[file:hashes.MD5 = 'd17caf6f5d6ba3393a3a865d1c43c3d2']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--453b61da-0562-4bdc-8a08-f0e28264a9cb", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: D1D78CD1436991ADB9C005CC7C6B5B98", "pattern": "[file:hashes.MD5 = 'D1D78CD1436991ADB9C005CC7C6B5B98']", "pattern_type": "stix", "valid_from": 
"2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e0179467-c9c9-489c-95c4-da10d2a148cb", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: d48b580718b0e1617afc1dec028e9059", "pattern": "[file:hashes.MD5 = 'd48b580718b0e1617afc1dec028e9059']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ecdf67f3-5163-4c0e-8aab-4b987a58c0dc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: d749e0f8f2cd4e14178a787571534121", "pattern": "[file:hashes.MD5 = 'd749e0f8f2cd4e14178a787571534121']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "It pays to be a forever student", "url": "https://blog.talosintelligence.com/it-pays-to-be-a-forever-student/" }, { "source_name": "The Q1 vulnerability pulse", "url": "https://blog.talosintelligence.com/the-q1-vulnerability-pulse/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ccf8d731-de14-4b55-b001-b27ed023265a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: d7a68749635604d6d7297e4fa2530eb6", "pattern": "[file:hashes.MD5 = 'd7a68749635604d6d7297e4fa2530eb6']", "pattern_type": 
"stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "JanelaRAT: a financial threat targeting users in Latin Ameri", "url": "https://securelist.com/janelarat-financial-threat-in-latin-america/119332/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d9b8737-9ada-4c46-bc7d-59cd57fe2e51", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: daea40562458fc7ae1adb812137d3d05", "pattern": "[file:hashes.MD5 = 'daea40562458fc7ae1adb812137d3d05']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e736ae12-9295-4a44-a10a-5954d98c5931", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: dbd8dbecaa80795c135137d69921fdba", "pattern": "[file:hashes.MD5 = 'dbd8dbecaa80795c135137d69921fdba']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Great responsibility, without great power", "url": "https://blog.talosintelligence.com/great-responsibility-without-great-power/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6948c462-cc47-4d9a-b1b4-6e82350a921b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: dbe51eabebf9d4ef9581ef99844a2944", "pattern": "[file:hashes.MD5 = 'dbe51eabebf9d4ef9581ef99844a2944']", "pattern_type": "stix", 
"valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c143bff6-cd14-498b-bfdf-ce49fb7f51cc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: DD0114FFACC6610B5A4A1CB0E79624CC", "pattern": "[file:hashes.MD5 = 'DD0114FFACC6610B5A4A1CB0E79624CC']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0e54342f-c2d5-46ab-b138-3ec3efd73a2a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: de8f0008b15f2404f721f76fac34456a", "pattern": "[file:hashes.MD5 = 'de8f0008b15f2404f721f76fac34456a']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d35c4088-657f-4005-8e2f-cf8435cf1840", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: dfc64dd9d8f776ca5440c35fef5d406e", "pattern": "[file:hashes.MD5 = 'dfc64dd9d8f776ca5440c35fef5d406e']", "pattern_type": "stix", 
"valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5993c1b6-3525-4bbf-a12c-81ccbd5572a4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: e0c10106626711f287ff91c0d6314407", "pattern": "[file:hashes.MD5 = 'e0c10106626711f287ff91c0d6314407']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cf50f49a-6a11-4ce6-baae-68f59be791ef", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: E5E8EF65B4D265BD5FB77FE165131C2F", "pattern": "[file:hashes.MD5 = 'E5E8EF65B4D265BD5FB77FE165131C2F']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--08bac9c4-dd57-473c-b5d4-aa7f1cb14820", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: e6362a81991323e198a463a8ce255533", "pattern": "[file:hashes.MD5 = 'e6362a81991323e198a463a8ce255533']", "pattern_type": "stix", 
"valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--df991377-d83b-4c7e-a338-4f85f1b8f900", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: e66bae6e8621db2a835fa6721c3e5bbe", "pattern": "[file:hashes.MD5 = 'e66bae6e8621db2a835fa6721c3e5bbe']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7d1567b9-c269-46de-901b-a67cd9c00eff", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: ebff5b7d4c5becb8715009df596c5a91", "pattern": "[file:hashes.MD5 = 'ebff5b7d4c5becb8715009df596c5a91']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f6dde82a-b092-48c0-9b05-961c10a3ab53", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: eefc28e9f2c0c0592af186be8e3570d2", "pattern": "[file:hashes.MD5 = 'eefc28e9f2c0c0592af186be8e3570d2']", "pattern_type": "stix", 
"valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--931187a8-d8b0-4556-8fcd-687805ead1c5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: f15a67899cfe4decff76d4cd1677c254", "pattern": "[file:hashes.MD5 = 'f15a67899cfe4decff76d4cd1677c254']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4e354a69-9c09-4b08-95a2-8f9f5a0d2ed6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: f4dbbb78979c1ee8a1523c77065e18a5", "pattern": "[file:hashes.MD5 = 'f4dbbb78979c1ee8a1523c77065e18a5']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7744f8a4-9e06-4ab2-b47a-16cf4adb20dc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: F7037CC9A5659D5A1F68E88582242375", "pattern": "[file:hashes.MD5 = 'F7037CC9A5659D5A1F68E88582242375']", "pattern_type": "stix", 
"valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c9f862aa-a497-4e74-915a-4eb4ab66819a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: f8371097121549feb21e3bcc2eeea522", "pattern": "[file:hashes.MD5 = 'f8371097121549feb21e3bcc2eeea522']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f3a94d1e-2096-495d-8ba5-ba8cf2796b57", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: fa08b243f12e31940b8b4b82d3498804", "pattern": "[file:hashes.MD5 = 'fa08b243f12e31940b8b4b82d3498804']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--072f8074-ad49-4afb-962f-77b03e5af734", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: fc546acf1735127db05fb5bc354093e0", "pattern": "[file:hashes.MD5 = 'fc546acf1735127db05fb5bc354093e0']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ 
"malicious-activity" ], "external_references": [ { "source_name": "Silver Fox uses the new ABCDoor backdoor to target organizat", "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7a65deee-fbdb-4557-be69-fc340fb4431c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: fd0dc5d4bba740c7b4cc78c4b19a5840", "pattern": "[file:hashes.MD5 = 'fd0dc5d4bba740c7b4cc78c4b19a5840']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "FakeWallet crypto stealer spreading through iOS apps in the ", "url": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/" } ], "x_severity": "crit", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bf811e59-3633-4e19-9637-34153792343b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 145ef372c3e9c352eaaa53bb0893749163e49892", "pattern": "[file:hashes.'SHA-1' = '145ef372c3e9c352eaaa53bb0893749163e49892']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3090d3a6-68d8-4a6f-a7e1-e71a9c67a6c2", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 1ce1111702b765f5c4d09315ff1f0d914f7e5c70", "pattern": "[file:hashes.'SHA-1' = '1ce1111702b765f5c4d09315ff1f0d914f7e5c70']", "pattern_type": "stix", 
"valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a0dea5-216f-4475-875e-bf8f244eb9a6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 2fa28ef1c6744bdc2021abd4048eefc777dccf22", "pattern": "[file:hashes.'SHA-1' = '2fa28ef1c6744bdc2021abd4048eefc777dccf22']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ae768cd3-eaf4-44df-922b-ce574d496da7", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 3ce5b358c2ddd116ac9582efbb38354809999cb5", "pattern": "[file:hashes.'SHA-1' = '3ce5b358c2ddd116ac9582efbb38354809999cb5']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0841f660-8aa9-417c-8f7a-897c5aaac438", "created": "2026-04-30T20:25:54Z", "modified": 
"2026-04-30T20:25:54Z", "name": "SHA1: 586edef41c3b3fba87bf0f0346c7e402f86fc11e", "pattern": "[file:hashes.'SHA-1' = '586edef41c3b3fba87bf0f0346c7e402f86fc11e']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--71912cef-da46-4ddf-8e5f-0109c8ac08a5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 650fc6b3e4f62ecdc1ec5728f36bb46ba0f74d05", "pattern": "[file:hashes.'SHA-1' = '650fc6b3e4f62ecdc1ec5728f36bb46ba0f74d05']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--31730ba8-6af3-47fe-a554-5e0db24305d1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 675cb83cec5f25ebbe8d9f90dea3d836fcb1c234", "pattern": "[file:hashes.'SHA-1' = '675cb83cec5f25ebbe8d9f90dea3d836fcb1c234']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", 
"x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c2371904-faa9-42b2-b1ef-db65604bc20b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 829f8be65dfe159d2b0dc7ee7a61a017acb54b7b", "pattern": "[file:hashes.'SHA-1' = '829f8be65dfe159d2b0dc7ee7a61a017acb54b7b']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--306989db-a10a-4be7-a98f-de388528182b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 92e9dcaf7249110047ef121b7586c81d4b8cb4e5", "pattern": "[file:hashes.'SHA-1' = '92e9dcaf7249110047ef121b7586c81d4b8cb4e5']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dcfb62f3-052f-4779-8a5c-d2820966d0e5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 952ed694b60c34ba12df9d392269eae3a4f11be4", "pattern": "[file:hashes.'SHA-1' = '952ed694b60c34ba12df9d392269eae3a4f11be4']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals 
High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d58e53db-bc45-4328-9d77-c9809d2bcb9b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 99B454262DC26B081600E844371982A49D334E5E", "pattern": "[file:hashes.'SHA-1' = '99B454262DC26B081600E844371982A49D334E5E']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Sednit reloaded: Back in the trenches", "url": "https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ffad2970-bf23-4c02-8865-12fff1b5e84b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 9e089a733fb2740c0e408b2a25d8f5a451584cf6", "pattern": "[file:hashes.'SHA-1' = '9e089a733fb2740c0e408b2a25d8f5a451584cf6']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--df9c4261-f6de-46b4-b5af-5bc8e8fa2247", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: bc544f455d7c06c8a1f3446160a6d9a4a8236b11", "pattern": "[file:hashes.'SHA-1' = 'bc544f455d7c06c8a1f3446160a6d9a4a8236b11']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ 
"malicious-activity" ], "external_references": [ { "source_name": "The npm Threat Landscape: Attack Surface and Mitigations", "url": "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--83e3c6a4-4431-4660-8872-2e58425fca92", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: ca665b59bc590292f94c23e04fa458f90d7b20c9", "pattern": "[file:hashes.'SHA-1' = 'ca665b59bc590292f94c23e04fa458f90d7b20c9']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--192de5af-d358-468d-8968-5844eff48d05", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: D0DB619A7A160949528D46D20FC0151BF9775C32", "pattern": "[file:hashes.'SHA-1' = 'D0DB619A7A160949528D46D20FC0151BF9775C32']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Sednit reloaded: Back in the trenches", "url": "https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1d4ba2c9-824c-4788-a218-989a1d0fdc86", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: d475ace24b9aedebf431efc68f9db32d5ae761bd", "pattern": "[file:hashes.'SHA-1' = 'd475ace24b9aedebf431efc68f9db32d5ae761bd']", "pattern_type": "stix", 
"valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--69f064ef-c1ec-4557-843b-bcc819700f79", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: de584703c78a60a56028f9834086facd1401b355", "pattern": "[file:hashes.'SHA-1' = 'de584703c78a60a56028f9834086facd1401b355']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a380530a-fa14-47b2-99b3-0c116dc5bb6c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: e6018cd482c012de8b69c64dc3165337bc121b86", "pattern": "[file:hashes.'SHA-1' = 'e6018cd482c012de8b69c64dc3165337bc121b86']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f16d8980-9ac0-49d4-bf65-9b05dce60291", "created": "2026-04-30T20:25:54Z", "modified": 
"2026-04-30T20:25:54Z", "name": "SHA256: 00078aeeaca54b5d3c1237e964e9f956690b782e4ea160d81edc3c6b44e7f620", "pattern": "[file:hashes.'SHA-256' = '00078aeeaca54b5d3c1237e964e9f956690b782e4ea160d81edc3c6b44e7f620']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--73a5adff-3551-4814-b417-add1a80f57c9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 01c9484abc948daa525516464785009d1e7a63ffd6012b9e85b56477acc3e624", "pattern": "[file:hashes.'SHA-256' = '01c9484abc948daa525516464785009d1e7a63ffd6012b9e85b56477acc3e624']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c968757c-eab8-40a2-8d0a-da14a1848efb", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 05eac3663d47a29da0d32f67e10d161f831138e10958dcd88b9dc97038948f69", "pattern": "[file:hashes.'SHA-256' = '05eac3663d47a29da0d32f67e10d161f831138e10958dcd88b9dc97038948f69']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Understanding Current Threats to Kubernetes Environments", "url": "https://unit42.paloaltonetworks.com/modern-kubernetes-threats/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--0d051dff-cbfa-4f40-8dc8-d1e284909876", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 06361562cc53d759fb5a4c2b7aac348e4d23fe59be3b2871b14678365283ca47", "pattern": "[file:hashes.'SHA-256' = '06361562cc53d759fb5a4c2b7aac348e4d23fe59be3b2871b14678365283ca47']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--077c858c-1fa3-4ccb-a20f-8a30bc405075", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529", "pattern": "[file:hashes.'SHA-256' = '07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e2d422ce-6619-4bc4-bb21-c011ce5b9720", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 0880819ef821cff918960a39c1c1aada55a5593c61c608ea9215da858a86e349", "pattern": "[file:hashes.'SHA-256' = '0880819ef821cff918960a39c1c1aada55a5593c61c608ea9215da858a86e349']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ 
"malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--de95c11c-ce90-4781-8655-2bd6d08ba0e4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 09ca719e06a526f70aadf34fb66b136ed20f923776e6b33a33a9059ef674da22", "pattern": "[file:hashes.'SHA-256' = '09ca719e06a526f70aadf34fb66b136ed20f923776e6b33a33a9059ef674da22']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--025546fb-6ca2-4eb2-a626-95b42a912e3b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a", "pattern": "[file:hashes.'SHA-256' = '0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bd84c750-639a-40c7-8514-29a1733951db", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 
0c6a3555c4eb49f240d7e0e3edbfbb3c900f123033b4f6e99ac3724b9b76278f", "pattern": "[file:hashes.'SHA-256' = '0c6a3555c4eb49f240d7e0e3edbfbb3c900f123033b4f6e99ac3724b9b76278f']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d8975a13-1a4c-4235-b616-c87c460d7fc4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 0d83030ab8bfba675fc1661f0756b6770be7dd80b1b718de3d68a01f2e79a5f4", "pattern": "[file:hashes.'SHA-256' = '0d83030ab8bfba675fc1661f0756b6770be7dd80b1b718de3d68a01f2e79a5f4']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f51085d7-0ecb-4972-aff5-1279c7b168b2", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 167ce57ef59a32a6a0ef4137785828077879092d7f83ddbc1755d6e69116e0ad", "pattern": "[file:hashes.'SHA-256' = '167ce57ef59a32a6a0ef4137785828077879092d7f83ddbc1755d6e69116e0ad']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The npm Threat Landscape: Attack Surface and Mitigations", "url": "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", 
"id": "indicator--773e9510-c866-45d5-8a59-cae5de53b690", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a", "pattern": "[file:hashes.'SHA-256' = '18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b23aea41-cb5c-4151-8932-69ab522dd9bb", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb", "pattern": "[file:hashes.'SHA-256' = '18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The npm Threat Landscape: Attack Surface and Mitigations", "url": "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b854f86d-71b9-42c5-ad2f-900efae323d9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 1e559c51f19972e96fcc5a92d710732159cdae72f407864607a513b20729decb", "pattern": "[file:hashes.'SHA-256' = '1e559c51f19972e96fcc5a92d710732159cdae72f407864607a513b20729decb']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": 
"https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3914dcf3-e9a1-41a8-aca4-480ea05c666c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 20df0909a3a0ef26d74ae139763a380e49f77207aa1108d4640d8b6f14cab8ca", "pattern": "[file:hashes.'SHA-256' = '20df0909a3a0ef26d74ae139763a380e49f77207aa1108d4640d8b6f14cab8ca']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ed8378f9-ac78-4ffe-b928-3fec0a048b26", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 30015DD1E2CF4DBD49FFF9DDEF2AD4622DA2E60E5C0B6228595325532E948F14", "pattern": "[file:hashes.'SHA-256' = '30015DD1E2CF4DBD49FFF9DDEF2AD4622DA2E60E5C0B6228595325532E948F14']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b9e10934-03a4-4722-9214-982eee3e43f1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 37414d9ca87a132ec5081f3e7590d04498237746f9a7479c6b443accee17a062", "pattern": "[file:hashes.'SHA-256' = '37414d9ca87a132ec5081f3e7590d04498237746f9a7479c6b443accee17a062']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", 
"labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--48a8bf7f-810d-43f0-8218-e8ede9c02018", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55", "pattern": "[file:hashes.'SHA-256' = '38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Great responsibility, without great power", "url": "https://blog.talosintelligence.com/great-responsibility-without-great-power/" }, { "source_name": "The Q1 vulnerability pulse", "url": "https://blog.talosintelligence.com/the-q1-vulnerability-pulse/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a53b0621-a6dd-4761-b2f4-4549722206b4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 3c1dbc3f56e91cc79f0014850e773a7f12bbfef06680f08f883b2bf12873eccc", "pattern": "[file:hashes.'SHA-256' = '3c1dbc3f56e91cc79f0014850e773a7f12bbfef06680f08f883b2bf12873eccc']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "It pays to be a forever student", "url": "https://blog.talosintelligence.com/it-pays-to-be-a-forever-student/" }, { "source_name": "The Q1 vulnerability pulse", "url": "https://blog.talosintelligence.com/the-q1-vulnerability-pulse/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--6549d77b-df30-4662-bc52-8906bfb90f8b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 3fbd2a2e82ceb5e91eadbad02cb45ac618324da9b1895d81ebe7de765dca30e7", "pattern": "[file:hashes.'SHA-256' = '3fbd2a2e82ceb5e91eadbad02cb45ac618324da9b1895d81ebe7de765dca30e7']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7932d3ae-c027-4be4-95cc-e9f69db3abc5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 41C4F2F37C0B257D1E20FE167F2098DA9D2E0A939B09ED3F63BC4FE010F8365C", "pattern": "[file:hashes.'SHA-256' = '41C4F2F37C0B257D1E20FE167F2098DA9D2E0A939B09ED3F63BC4FE010F8365C']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--facb299a-1ceb-4c56-866b-98cb396253b6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 4465bdeaddc8c049a67a3d5ec105b2f07dae72fa080166e51b8f487516eb8d07", "pattern": "[file:hashes.'SHA-256' = '4465bdeaddc8c049a67a3d5ec105b2f07dae72fa080166e51b8f487516eb8d07']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": 
"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f75f6bdd-0ef2-48c4-b935-39a237770845", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 4caaa18982cd4056fead54b98d57f9a2a1ddd654cf19a7ba2366dfadbd6033da", "pattern": "[file:hashes.'SHA-256' = '4caaa18982cd4056fead54b98d57f9a2a1ddd654cf19a7ba2366dfadbd6033da']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--391dbff2-6351-4d17-b558-cd13b0256e16", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 506690fcbd10fbe6f2b85b49a1fffa9d984c376c25ef6b73f764f670e932cab4", "pattern": "[file:hashes.'SHA-256' = '506690fcbd10fbe6f2b85b49a1fffa9d984c376c25ef6b73f764f670e932cab4']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7a96496a-ccd6-4ebe-8965-82b84b9b3a5a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 526ab39d1f56732e4e926715aaa797feb13b1ae86882ec570a4d292e7fdc3699", "pattern": "[file:hashes.'SHA-256' = '526ab39d1f56732e4e926715aaa797feb13b1ae86882ec570a4d292e7fdc3699']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ 
"malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--95a8e258-b238-41e4-b65f-dc503a759ca0", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 534b654531a6a540a144da9545ee343e1046f843d7de4c1091b46c3ee66a508b", "pattern": "[file:hashes.'SHA-256' = '534b654531a6a540a144da9545ee343e1046f843d7de4c1091b46c3ee66a508b']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3a92e283-59c9-49af-aa34-57615bd7772b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 56f21f412e898ad9e3ee05d5f44c44d9d7bcb9ecbfbdb9de11b8fa5a637aeef6", "pattern": "[file:hashes.'SHA-256' = '56f21f412e898ad9e3ee05d5f44c44d9d7bcb9ecbfbdb9de11b8fa5a637aeef6']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--77138100-e651-4e85-85e1-68ea549c03e5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668", "pattern": "[file:hashes.'SHA-256' = 
'58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f60ea044-42ed-410e-b497-c882c4123903", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f", "pattern": "[file:hashes.'SHA-256' = '59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--81327038-27e6-4294-a4ac-5562f45d5b85", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 5966513a12a5601b262c4ee4d3e32091feb05b666951d06431c30a8cece83010", "pattern": "[file:hashes.'SHA-256' = '5966513a12a5601b262c4ee4d3e32091feb05b666951d06431c30a8cece83010']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--e052affb-36d3-47c1-bc97-33c9a5fcf569", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 5b5fbc627502c5797d97b206b6dcf537889e6bea6d4e81a835e103e311690e22", "pattern": "[file:hashes.'SHA-256' = '5b5fbc627502c5797d97b206b6dcf537889e6bea6d4e81a835e103e311690e22']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--02ac9251-5393-49cd-945a-2c589da3e2cd", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd", "pattern": "[file:hashes.'SHA-256' = '5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0d70c33e-6993-4975-a710-a37419954b77", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 5e2ab672c3f98f21925bd26d9a9bba036b67d84fde0dfdbe2cf9b85b170cab71", "pattern": "[file:hashes.'SHA-256' = '5e2ab672c3f98f21925bd26d9a9bba036b67d84fde0dfdbe2cf9b85b170cab71']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": 
"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--99875640-2de6-4fc0-a179-d3febbbce5ca", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 5e2ba7c4c53fa6e0cef58011acdd50682cf83fb7b989712d2fcf1b5173bad956", "pattern": "[file:hashes.'SHA-256' = '5e2ba7c4c53fa6e0cef58011acdd50682cf83fb7b989712d2fcf1b5173bad956']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--88dbef13-1b05-4898-ac63-9eb7d695d964", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe", "pattern": "[file:hashes.'SHA-256' = '5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "It pays to be a forever student", "url": "https://blog.talosintelligence.com/it-pays-to-be-a-forever-student/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bd3d243b-e6ad-49a1-a918-e081aa8af514", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101", "pattern": "[file:hashes.'SHA-256' = '617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], 
"external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1116c87f-0613-411d-97d8-492b2c66f60e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba", "pattern": "[file:hashes.'SHA-256' = '61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bed299d3-aac9-40aa-81c6-19f0b836d340", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 6328a34b26a63423b555a61f89a6a0525a534e9c88584c815d937910f1ddd538", "pattern": "[file:hashes.'SHA-256' = '6328a34b26a63423b555a61f89a6a0525a534e9c88584c815d937910f1ddd538']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bc55ab65-cae7-4305-a92c-6982204fe04d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 66fe485f29a6405265756aaf7f822b9ceb56e108afabd414ee222ee9657dd7e2", "pattern": "[file:hashes.'SHA-256' = 
'66fe485f29a6405265756aaf7f822b9ceb56e108afabd414ee222ee9657dd7e2']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6dbdc73b-7c9b-448d-92a0-83b0dea7ded0", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9", "pattern": "[file:hashes.'SHA-256' = '7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e74a46cd-cc77-43a7-a076-fba34b21f3d5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 7b47ed28e84437aee64ffe9770d315c1b984135105f7f608a8b9579517bc0695", "pattern": "[file:hashes.'SHA-256' = '7b47ed28e84437aee64ffe9770d315c1b984135105f7f608a8b9579517bc0695']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--38d595fd-1e16-4bd6-81c6-cb0bebfbafed", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 7b5cc85e82249b0c452c66563edca498ce9d0c70badef04ab2c52acef4d629ca", "pattern": "[file:hashes.'SHA-256' = '7b5cc85e82249b0c452c66563edca498ce9d0c70badef04ab2c52acef4d629ca']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f749fd68-2cc0-44a8-a88b-a4b2851ac30e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 7bbb21fec19512d932b7a92652ed0c8f0fedea89f34b9d6f267cf39de0eb9b20", "pattern": "[file:hashes.'SHA-256' = '7bbb21fec19512d932b7a92652ed0c8f0fedea89f34b9d6f267cf39de0eb9b20']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--34d08842-6304-4396-8f52-38f763530d43", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 7d2c9b4a3942f6029d2de7f73723b505b64caa8e1763e4eb1f134360465185d0", "pattern": "[file:hashes.'SHA-256' = '7d2c9b4a3942f6029d2de7f73723b505b64caa8e1763e4eb1f134360465185d0']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Understanding Current Threats to Kubernetes Environments", "url": 
"https://unit42.paloaltonetworks.com/modern-kubernetes-threats/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--63a00e10-da4c-4a65-96a0-2e47fe7df2e1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 7df6cef7ab9aae2ea08f2f872f6456b5d51d896ddda907a238cd6668ccdc4bb7", "pattern": "[file:hashes.'SHA-256' = '7df6cef7ab9aae2ea08f2f872f6456b5d51d896ddda907a238cd6668ccdc4bb7']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a43bbc6f-077a-450f-b0bd-2251604577a9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 7e00030a35504de5c0d16020aa40cbaf5d36561e0716feb8f73235579a7b0909", "pattern": "[file:hashes.'SHA-256' = '7e00030a35504de5c0d16020aa40cbaf5d36561e0716feb8f73235579a7b0909']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--13e6b4c4-5b94-491d-9db0-a0f55654f1ad", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0", "pattern": "[file:hashes.'SHA-256' = '7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0']", 
"pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The n8n n8mare: How threat actors are misusing AI workflow a", "url": "https://blog.talosintelligence.com/the-n8n-n8mare/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5be58ca0-e7d6-4dac-b74d-e2d2bde9e9bd", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0", "pattern": "[file:hashes.'SHA-256' = '822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--249ae992-1d49-4834-a22d-f3d9b66be374", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 8449341ddc3f7fcc2547639e21e704400ca6a8a6841ae74e57c04445b1276a10", "pattern": "[file:hashes.'SHA-256' = '8449341ddc3f7fcc2547639e21e704400ca6a8a6841ae74e57c04445b1276a10']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fda7d53d-ed5b-420d-a789-b41094b03146", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 
887e1f5b5b50162a60bd03b66269e0ae545d0aef0583c1c5b00972152ad7e073", "pattern": "[file:hashes.'SHA-256' = '887e1f5b5b50162a60bd03b66269e0ae545d0aef0583c1c5b00972152ad7e073']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cfad9950-b273-4ecc-9e3e-f0deb797e76b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 8b018452fdd64c346af4d97da420681e2e0b55b8c9ce2b8de75e330993b759a0", "pattern": "[file:hashes.'SHA-256' = '8b018452fdd64c346af4d97da420681e2e0b55b8c9ce2b8de75e330993b759a0']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--17a53a8e-7758-4b1e-ab3b-9023e363b867", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9", "pattern": "[file:hashes.'SHA-256' = '8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": 
"https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9b4df916-1139-4ef5-9cec-e90a54b14ff5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59", "pattern": "[file:hashes.'SHA-256' = '90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Great responsibility, without great power", "url": "https://blog.talosintelligence.com/great-responsibility-without-great-power/" }, { "source_name": "It pays to be a forever student", "url": "https://blog.talosintelligence.com/it-pays-to-be-a-forever-student/" }, { "source_name": "The Q1 vulnerability pulse", "url": "https://blog.talosintelligence.com/the-q1-vulnerability-pulse/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--69ab5e57-2544-4eff-820a-8cef961698ce", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 919f292a07a37f163f88527e725406187c8ecc637387ad24853fe49ce4e6ddf4", "pattern": "[file:hashes.'SHA-256' = '919f292a07a37f163f88527e725406187c8ecc637387ad24853fe49ce4e6ddf4']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6d5d17c4-d88a-4512-af83-2a37aee4a875", "created": 
"2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a", "pattern": "[file:hashes.'SHA-256' = '92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2e7e5142-669c-4528-92f8-96431392d018", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a", "pattern": "[file:hashes.'SHA-256' = '93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The n8n n8mare: How threat actors are misusing AI workflow a", "url": "https://blog.talosintelligence.com/the-n8n-n8mare/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b117c877-a9cf-47f9-a518-74259ca8cc38", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974", "pattern": "[file:hashes.'SHA-256' = '96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Great responsibility, without great power", "url": "https://blog.talosintelligence.com/great-responsibility-without-great-power/" }, { "source_name": "It pays to be a forever student", "url": 
"https://blog.talosintelligence.com/it-pays-to-be-a-forever-student/" }, { "source_name": "The Q1 vulnerability pulse", "url": "https://blog.talosintelligence.com/the-q1-vulnerability-pulse/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c36ac141-8ad3-4624-84c6-79c16dcee37e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525", "pattern": "[file:hashes.'SHA-256' = '9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--17144cce-feac-48a0-af7e-c8a175b1d9c5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 9c64f1c7eba080b4e5ff17369ddcd00b9fe2d47dacdc61444b4cbfebb23a166c", "pattern": "[file:hashes.'SHA-256' = '9c64f1c7eba080b4e5ff17369ddcd00b9fe2d47dacdc61444b4cbfebb23a166c']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--60acd346-b360-4bfd-9b36-a7c4bd7014e1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 9df711c3aef2bba17b622ddfd955452f8d8eb55899528fbc13d9540c52f13402", 
"pattern": "[file:hashes.'SHA-256' = '9df711c3aef2bba17b622ddfd955452f8d8eb55899528fbc13d9540c52f13402']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8ce69c32-ff93-47ea-a9a8-3e6282217fae", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507", "pattern": "[file:hashes.'SHA-256' = '9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Great responsibility, without great power", "url": "https://blog.talosintelligence.com/great-responsibility-without-great-power/" }, { "source_name": "It pays to be a forever student", "url": "https://blog.talosintelligence.com/it-pays-to-be-a-forever-student/" }, { "source_name": "The Q1 vulnerability pulse", "url": "https://blog.talosintelligence.com/the-q1-vulnerability-pulse/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--33e83b47-17a7-4df5-9d17-d237b2424ae0", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: a224dd73b7ed33e0bf6a2ea340c8f8859dfa9ec5736afa8baea6225bf066b248", "pattern": "[file:hashes.'SHA-256' = 'a224dd73b7ed33e0bf6a2ea340c8f8859dfa9ec5736afa8baea6225bf066b248']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": 
"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--18b0fd2d-01c6-4c8b-b29e-06e9098210d0", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91", "pattern": "[file:hashes.'SHA-256' = 'a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Great responsibility, without great power", "url": "https://blog.talosintelligence.com/great-responsibility-without-great-power/" }, { "source_name": "The Q1 vulnerability pulse", "url": "https://blog.talosintelligence.com/the-q1-vulnerability-pulse/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575af69b-3c77-4c84-a88f-2b3e96ba403d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: a98e04dec3a7fe507eb30c72da808bad60bc14d9d80f9770ec99c438faa85a1a", "pattern": "[file:hashes.'SHA-256' = 'a98e04dec3a7fe507eb30c72da808bad60bc14d9d80f9770ec99c438faa85a1a']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d7cd0a99-f3f0-4c68-8d81-c1666e64594b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: ad8ba560ae5c4af4758bc68cc6dcf43bae0e0bbf9da680a8dc60a9ef78e22ff7", "pattern": "[file:hashes.'SHA-256' = 
'ad8ba560ae5c4af4758bc68cc6dcf43bae0e0bbf9da680a8dc60a9ef78e22ff7']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--eafd22ce-6daf-4812-8daa-132db441ed2b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: aeaa389453f04a9e79ff6c8b7b66db7b65d4aaffc6cac0bd7957257a30468e33", "pattern": "[file:hashes.'SHA-256' = 'aeaa389453f04a9e79ff6c8b7b66db7b65d4aaffc6cac0bd7957257a30468e33']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--883c75aa-4a12-458f-ba20-d965b44cc2f6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: bb470a803b6d7b12fb596d2e4a18ea9ca91f40fd34ded7f01a487eed9a1d814d", "pattern": "[file:hashes.'SHA-256' = 'bb470a803b6d7b12fb596d2e4a18ea9ca91f40fd34ded7f01a487eed9a1d814d']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Understanding Current Threats to Kubernetes Environments", "url": "https://unit42.paloaltonetworks.com/modern-kubernetes-threats/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--fa6116ab-1b24-49c5-a127-b0b164ab3d3d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: bd04715c5c43c862c38a4ad6c2167ad082a352881e04a35117af9bbfad8e5613", "pattern": "[file:hashes.'SHA-256' = 'bd04715c5c43c862c38a4ad6c2167ad082a352881e04a35117af9bbfad8e5613']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--44aac7a5-9ea5-415a-8cca-4304c05d86b6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: bef7e2c5a92c4fa4af17791efc1e46311c0f304796f1172fce192f5efc40f5d7", "pattern": "[file:hashes.'SHA-256' = 'bef7e2c5a92c4fa4af17791efc1e46311c0f304796f1172fce192f5efc40f5d7']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a9be0897-cf7e-4ea2-bb05-45161dc6a654", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: c11a210cb98095422d0d33cbd4e9ecc86b95024f956ede812e17c97e79591cfa", "pattern": "[file:hashes.'SHA-256' = 'c11a210cb98095422d0d33cbd4e9ecc86b95024f956ede812e17c97e79591cfa']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals 
High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--73bda2dd-258f-46c3-8c94-de594f6708c0", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: c321933e4e5970ba7299fe21778dab9398994c22ca0ba0422c6cbc3fbb95ea26", "pattern": "[file:hashes.'SHA-256' = 'c321933e4e5970ba7299fe21778dab9398994c22ca0ba0422c6cbc3fbb95ea26']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A Deep Dive Into Attempted Exploitation of CVE-2023-33538", "url": "https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2a38c977-cfb4-4d49-88e7-37164b7980fa", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: c37c0ae9641d2e5329fcdee847a756bf1140fdb7f0b7c78a40fdc39055e7d926", "pattern": "[file:hashes.'SHA-256' = 'c37c0ae9641d2e5329fcdee847a756bf1140fdb7f0b7c78a40fdc39055e7d926']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2400d0f6-3ce8-44f8-a09f-ca32d11b1b21", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3", "pattern": "[file:hashes.'SHA-256' = 
'cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--63fec1a7-b303-40e2-9a94-55617d355183", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: cdc05cd30eb53315dadb081a7b942bb876f0d252d20e8ed4d2f36be79ee691fa", "pattern": "[file:hashes.'SHA-256' = 'cdc05cd30eb53315dadb081a7b942bb876f0d252d20e8ed4d2f36be79ee691fa']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--27425a7c-ae97-44d2-b5d9-39d23a84434e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: D53FCC01038E20193FBD51B7400075CF7C9C4402B73DA7B0DB836B000EBD8B1C", "pattern": "[file:hashes.'SHA-256' = 'D53FCC01038E20193FBD51B7400075CF7C9C4402B73DA7B0DB836B000EBD8B1C']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "LongNosedGoblin tries to sniff out governmental affairs in S", "url": "https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/" } ], "x_severity": "crit", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--4cee9a99-2af9-48b0-be03-ef7a6ec448a7", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: d5edd791021b966fb6af0ace09319ace7b97d6642363ef27b3d5056ca654a94c", "pattern": "[file:hashes.'SHA-256' = 'd5edd791021b966fb6af0ace09319ace7b97d6642363ef27b3d5056ca654a94c']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--02fd0b9f-72ee-4cd8-a36e-41b2a566e731", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: D8CAF4581C9F0000C7568D78FB7D2E595AB36134E2346297D78615942CBBD727", "pattern": "[file:hashes.'SHA-256' = 'D8CAF4581C9F0000C7568D78FB7D2E595AB36134E2346297D78615942CBBD727']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c78230fe-aa96-4601-839d-ff0b8a1ab8da", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: da2b170994031477091be89c8835ff9db1a5304f3f2f25344654f44d0430ced1", "pattern": "[file:hashes.'SHA-256' = 'da2b170994031477091be89c8835ff9db1a5304f3f2f25344654f44d0430ced1']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": 
"https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4e86a13a-a4a9-4542-a7f3-9adcb07dec96", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09", "pattern": "[file:hashes.'SHA-256' = 'e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d4315b67-61c3-4d45-9759-48431cbfceb8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff", "pattern": "[file:hashes.'SHA-256' = 'e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--240de701-f743-4e81-9f24-c856cd4210fd", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: e4edd126e139493d2721d50c3a8c49d3a23ad7766d0b90bc45979ba675f35fea", "pattern": "[file:hashes.'SHA-256' = 'e4edd126e139493d2721d50c3a8c49d3a23ad7766d0b90bc45979ba675f35fea']", 
"pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--75eafd7e-a3a4-4106-ba8d-0c6405b61f09", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba", "pattern": "[file:hashes.'SHA-256' = 'e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Great responsibility, without great power", "url": "https://blog.talosintelligence.com/great-responsibility-without-great-power/" } ], "x_severity": "crit", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d562cc49-412a-447f-9145-b9feda4408a6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: e6310d8a003d7ac101a6b1cd39ff6c6a88ee454b767c1bdce143e04bc1113243", "pattern": "[file:hashes.'SHA-256' = 'e6310d8a003d7ac101a6b1cd39ff6c6a88ee454b767c1bdce143e04bc1113243']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d1ec34d0-21a5-4fad-b830-8464a0a5f6d2", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: 
e64e152afe2c722d750f10259626f357cdea40420c5eedae37969fbf13abbecf", "pattern": "[file:hashes.'SHA-256' = 'e64e152afe2c722d750f10259626f357cdea40420c5eedae37969fbf13abbecf']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--819e8e3c-ca10-4c05-abea-e4228355dbdb", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: e775049d1ecf68dee870f1a5c36b2f3542d1182782eb497b8ccfd2309c400b3a", "pattern": "[file:hashes.'SHA-256' = 'e775049d1ecf68dee870f1a5c36b2f3542d1182782eb497b8ccfd2309c400b3a']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precis", "url": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/" } ], "x_severity": "crit", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a5181064-5369-49ff-9574-478a18b744f8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: e87a55d3ba1c47e84207678b88cacb631a32d0cb3798610e7ef2d15307303c49", "pattern": "[file:hashes.'SHA-256' = 'e87a55d3ba1c47e84207678b88cacb631a32d0cb3798610e7ef2d15307303c49']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ 
"Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--47d58eb8-02c1-446c-8a80-90a2d7af95fe", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: e9b1e069efc778c1e77fb3f5fcc3bd3580bbc810604cbf4347897ddb4b8c163b", "pattern": "[file:hashes.'SHA-256' = 'e9b1e069efc778c1e77fb3f5fcc3bd3580bbc810604cbf4347897ddb4b8c163b']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f3d35804-f82e-4946-a5de-0c289df1160c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: ecce7ae5ffc9f57bb70efd3ea136a2923f701334a8cd47d4fbf01a97fd22859c", "pattern": "[file:hashes.'SHA-256' = 'ecce7ae5ffc9f57bb70efd3ea136a2923f701334a8cd47d4fbf01a97fd22859c']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6d02901f-6142-451f-8103-362922d99824", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: f35475829991b303c5efc2ee0f343dd38f8614e8b5e69db683923135f85cf60d", "pattern": "[file:hashes.'SHA-256' = 'f35475829991b303c5efc2ee0f343dd38f8614e8b5e69db683923135f85cf60d']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The npm Threat Landscape: 
Attack Surface and Mitigations", "url": "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2a3a0664-36d4-459f-8504-1a0dff9751e7", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: f398f06eefcd3558c38820a397e3193856e4e6e7c67f81ecc8e533275284b152", "pattern": "[file:hashes.'SHA-256' = 'f398f06eefcd3558c38820a397e3193856e4e6e7c67f81ecc8e533275284b152']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dd19126a-2ba5-4c73-a6be-c1c12a09f002", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: f7084b0229dce605ccc5506b14acd4d954a496da4b6134a294844ca8d601970d", "pattern": "[file:hashes.'SHA-256' = 'f7084b0229dce605ccc5506b14acd4d954a496da4b6134a294844ca8d601970d']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Weaponizing the Protectors: TeamPCP\u2019s Multi-Stage Supply Cha", "url": "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5eeafaa7-ee65-4d13-8c34-5942be3669db", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd", "pattern": "[file:hashes.'SHA-256' = 'f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd']", 
"pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b9e918b5-673a-435f-931c-b2081042d86c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA256: fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf", "pattern": "[file:hashes.'SHA-256' = 'fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Threat Brief: Widespread Impact of the Axios Supply Chain At", "url": "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" } ], "x_severity": "crit", "x_sources": [ "Unit 42 (Palo Alto)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--89ed9bf2-ea55-4157-b924-684639749eea", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2008-0015", "pattern": "[vulnerability:name = 'CVE-2008-0015']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2008-0015 \u2014 Microsoft Windows Video ActiveX C", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bb3c6e86-528e-4b46-adc8-c80fb8c1c72d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2009-0238", "pattern": "[vulnerability:name = 'CVE-2009-0238']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" 
], "external_references": [ { "source_name": "CISA KEV: CVE-2009-0238 \u2014 Microsoft Office Remote Code Execu", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f674e426-098b-4a71-8366-785f018fcd96", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2009-0556", "pattern": "[vulnerability:name = 'CVE-2009-0556']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2009-0556 \u2014 Microsoft Office PowerPoint Code I", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0774fb33-b856-4529-9060-16b6c563fb50", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2012-1854", "pattern": "[vulnerability:name = 'CVE-2012-1854']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2012-1854 \u2014 Microsoft Visual Basic for Applica", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3bd7e8ed-b86e-46fa-b14b-75e9956349b8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2014-6271", "pattern": "[vulnerability:name = 'CVE-2014-6271']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "AI-powered honeypots: Turning the tables on malicious AI age", "url": "https://blog.talosintelligence.com/ai-powered-honeypots-turning-the-tables-on-malicious-ai-agents/" 
} ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--21fbde03-941f-4bc9-903c-855fb5e7ba13", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2017-7921", "pattern": "[vulnerability:name = 'CVE-2017-7921']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2017-7921 \u2014 Hikvision Multiple Products Improp", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ac20f301-4f16-4b27-a6c7-5473982a9bc5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2018-14634", "pattern": "[vulnerability:name = 'CVE-2018-14634']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2018-14634 \u2014 Linux Kernel Integer Overflow Vul", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cb6b3766-dfd0-41b2-a40c-4073eb2b8144", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2018-4063", "pattern": "[vulnerability:name = 'CVE-2018-4063']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2018-4063 \u2014 Sierra Wireless AirLink ALEOS Unre", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--330dc4d0-7d6a-4467-98d8-a3f6c655b8e5", "created": "2026-04-30T20:25:54Z", "modified": 
"2026-04-30T20:25:54Z", "name": "CVE: CVE-2019-19006", "pattern": "[vulnerability:name = 'CVE-2019-19006']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2019-19006 \u2014 Sangoma FreePBX Improper Authent", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1a0c431e-3445-434e-9c92-c3a04ffb6c64", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2020-7796", "pattern": "[vulnerability:name = 'CVE-2020-7796']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2020-7796 \u2014 Synacor Zimbra Collaboration Suite", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e1aef1b5-b91e-4447-aaea-533c1f4f4d6e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2020-9715", "pattern": "[vulnerability:name = 'CVE-2020-9715']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2020-9715 \u2014 Adobe Acrobat Use-After-Free Vulne", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--213c487d-4911-4351-805e-e5ab4fd64fa3", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2021-22054", "pattern": "[vulnerability:name = 'CVE-2021-22054']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], 
"external_references": [ { "source_name": "CISA KEV: CVE-2021-22054 \u2014 Omnissa Workspace ONE Server-Side", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--78f97e73-e376-4f34-8f48-888ffc184182", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2021-22175", "pattern": "[vulnerability:name = 'CVE-2021-22175']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2021-22175 \u2014 GitLab Server-Side Request Forger", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--af1c82bb-ba03-4627-9845-f0aca8f18311", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2021-22681", "pattern": "[vulnerability:name = 'CVE-2021-22681']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2021-22681 \u2014 Rockwell Multiple Products Insuff", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ac55378f-b0f9-494f-9648-e6fbc3e886ee", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2021-26828", "pattern": "[vulnerability:name = 'CVE-2021-26828']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2021-26828 \u2014 OpenPLC ScadaBR Unrestricted Uplo", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", 
"x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ec5d03c9-6260-4e21-b607-848ab117c04e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2021-26829", "pattern": "[vulnerability:name = 'CVE-2021-26829']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2021-26829 \u2014 OpenPLC ScadaBR Cross-site Script", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--040f0afd-5540-49b3-af86-2d0aaa9830c9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2021-30952", "pattern": "[vulnerability:name = 'CVE-2021-30952']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2021-30952 \u2014 Apple Multiple Products Integer O", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a63afb94-6681-4068-873d-dac6f860eb41", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2021-39935", "pattern": "[vulnerability:name = 'CVE-2021-39935']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2021-22175 \u2014 GitLab Server-Side Request Forger", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1e7a329c-4ba7-401c-ab7e-b2bd93c78ebf", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", 
"name": "CVE: CVE-2022-20775", "pattern": "[vulnerability:name = 'CVE-2022-20775']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2022-20775 \u2014 Cisco SD-WAN Path Traversal Vulne", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--14d150b5-2676-4032-bbe5-b392f63e865c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2022-37055", "pattern": "[vulnerability:name = 'CVE-2022-37055']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2022-37055 \u2014 D-Link Routers Buffer Overflow Vu", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c7979cff-0cb8-4641-bfe9-4b612bee569b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2023-21529", "pattern": "[vulnerability:name = 'CVE-2023-21529']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2023-21529 \u2014 Microsoft Exchange Server Deseria", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--73e34b7b-01e4-42ad-aebb-f67b7aa02629", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2023-27351", "pattern": "[vulnerability:name = 'CVE-2023-27351']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { 
"source_name": "CISA KEV: CVE-2023-27351 \u2014 PaperCut NG/MF Improper Authentic", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--21bacb04-c8dc-4be0-95f6-048ee48e28e6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2023-36424", "pattern": "[vulnerability:name = 'CVE-2023-36424']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2023-36424 \u2014 Microsoft Windows Out-of-Bounds R", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--db6f5e5d-3d9b-4e6b-a4f0-c08e22d83fd0", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2023-43000", "pattern": "[vulnerability:name = 'CVE-2023-43000']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2023-43000 \u2014 Apple Multiple products Use-After", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2e0364dd-1c5f-40db-b9d2-bc06abb87c82", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2023-52163", "pattern": "[vulnerability:name = 'CVE-2023-52163']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2023-52163 \u2014 Digiever DS-2105 Pro Missing Auth", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, 
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--f4567cc3-ebbf-4bcc-a616-68d7bbd870ff", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2024-27199", "pattern": "[vulnerability:name = 'CVE-2024-27199']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2024-27199 \u2014 JetBrains TeamCity Relative Path ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a171c65-75b7-429b-8cdb-9f8888528359", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2024-37079", "pattern": "[vulnerability:name = 'CVE-2024-37079']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2024-37079 \u2014 Broadcom VMware vCenter Server Ou", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e6b0c70a-67c7-4aa5-8939-e04d72c860a2", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2024-43468", "pattern": "[vulnerability:name = 'CVE-2024-43468']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2024-43468 \u2014 Microsoft Configuration Manager S", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c96c46c-8a70-4a82-b95a-2844c417b7ab", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2024-7694", 
"pattern": "[vulnerability:name = 'CVE-2024-7694']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2024-7694 \u2014 TeamT5 ThreatSonar Anti-Ransomware", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a0f99dce-34e7-4070-b582-aa0f44f3343d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-11371", "pattern": "[vulnerability:name = 'CVE-2025-11371']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-11371 \u2014 Gladinet CentreStack and Triofox ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--29f84e81-b62c-4342-b625-ec2827f41bb8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-11953", "pattern": "[vulnerability:name = 'CVE-2025-11953']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-11953 \u2014 React Native Community CLI OS Com", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c37a41b8-5382-4587-be27-c1d2b38b902b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-13223", "pattern": "[vulnerability:name = 'CVE-2025-13223']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: 
CVE-2025-13223 \u2014 Google Chromium V8 Type Confusion", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fe654822-acb1-4f4e-9563-f8ab4f3faa1e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-14174", "pattern": "[vulnerability:name = 'CVE-2025-14174']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-14174 \u2014 Google Chromium Out of Bounds Mem", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e6bcea3a-a9ed-43c3-972c-18a0f5efea82", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-14611", "pattern": "[vulnerability:name = 'CVE-2025-14611']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-14611 \u2014 Gladinet CentreStack and Triofox ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--72909209-12a6-444d-89e0-27a76eae4f7b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-14733", "pattern": "[vulnerability:name = 'CVE-2025-14733']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-14733 \u2014 WatchGuard Firebox Out of Bounds ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--003bfc5d-c253-4cbf-82ac-cee24ad35af1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-26399", "pattern": "[vulnerability:name = 'CVE-2025-26399']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-26399 \u2014 SolarWinds Web Help Desk Deserial", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--64f2e807-3f75-4197-b1b1-97f328be4c0f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-2749", "pattern": "[vulnerability:name = 'CVE-2025-2749']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-2749 \u2014 Kentico Xperience Path Traversal V", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--21731295-6585-47ad-a644-29be6817321b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-31125", "pattern": "[vulnerability:name = 'CVE-2025-31125']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-31125 \u2014 Vite Vitejs Improper Access Contr", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a790862b-dda6-48a1-88e4-6b2bfb4bb315", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-31277", "pattern": "[vulnerability:name 
= 'CVE-2025-31277']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-43510 \u2014 Apple Multiple Products Improper ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--925cf6f2-047c-43b6-998e-c6c9637ebd6b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-32432", "pattern": "[vulnerability:name = 'CVE-2025-32432']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-32432 \u2014 Craft CMS Code Injection Vulnerab", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d4f7b99-3382-4f51-b60d-5b48c833b5b1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-32975", "pattern": "[vulnerability:name = 'CVE-2025-32975']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-32975 \u2014 Quest KACE Systems Management App", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cfe66f74-7ec7-4c37-a710-e36675a2baad", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-34026", "pattern": "[vulnerability:name = 'CVE-2025-34026']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-34026 \u2014 Versa Concerto 
Improper Authentic", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--98aafc58-46c1-4761-81e6-7fe800b26080", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-37164", "pattern": "[vulnerability:name = 'CVE-2025-37164']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-37164 \u2014 Hewlett Packard Enterprise (HPE) ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--63739d47-bcb4-41b2-8ec3-f4473302477c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-40536", "pattern": "[vulnerability:name = 'CVE-2025-40536']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-40536 \u2014 SolarWinds Web Help Desk Security", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0f6a09f9-8506-417d-96ee-90c5ce7f89f7", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-40551", "pattern": "[vulnerability:name = 'CVE-2025-40551']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-26399 \u2014 SolarWinds Web Help Desk Deserial", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5edb9161-8c2b-499a-b25e-baa385c94cf3", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-40602", "pattern": "[vulnerability:name = 'CVE-2025-40602']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-40602 \u2014 SonicWall SMA1000 Missing Authori", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e40c1fbc-b8e8-485d-930d-50d07e5b34f1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-43510", "pattern": "[vulnerability:name = 'CVE-2025-43510']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-43510 \u2014 Apple Multiple Products Improper ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b1715eb9-26e9-4fb0-a339-7e7b09d1310d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-43520", "pattern": "[vulnerability:name = 'CVE-2025-43520']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-43520 \u2014 Apple Multiple Products Classic B", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9e874c0c-478e-4bf6-8e5e-d342bb790d8e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-43529", "pattern": "[vulnerability:name = 'CVE-2025-43529']", 
"pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2023-43000 \u2014 Apple Multiple products Use-After", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1ea1e58e-a41f-44be-b63b-17662cbaa176", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-47813", "pattern": "[vulnerability:name = 'CVE-2025-47813']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-47813 \u2014 Wing FTP Server Information Discl", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4dd543a2-c88d-490c-aee6-ea8c61eb210b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-48572", "pattern": "[vulnerability:name = 'CVE-2025-48572']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-48572 \u2014 Android Framework Privilege Escal", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--234f5818-2bd3-4daf-af06-17f395f3bbc3", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-48633", "pattern": "[vulnerability:name = 'CVE-2025-48633']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-48633 \u2014 Android Framework Information Dis", 
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9a84bf29-a159-4ddf-a3e3-072587d50dbc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-48700", "pattern": "[vulnerability:name = 'CVE-2025-48700']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-48700 \u2014 Synacor Zimbra Collaboration Suit", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d67885b-d7a6-443f-8222-344fcb44eaef", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-48703", "pattern": "[vulnerability:name = 'CVE-2025-48703']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-48703 \u2014 CWP Control Web Panel OS Command ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e1d11375-677c-4c6e-8be1-84eb777c0927", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-49113", "pattern": "[vulnerability:name = 'CVE-2025-49113']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-49113 \u2014 RoundCube Webmail Deserialization", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--66974a61-de91-49de-a490-511696cb8d49", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-50165", "pattern": "[vulnerability:name = 'CVE-2025-50165']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Revisiting CVE-2025-50165: A critical flaw in Windows Imagin", "url": "https://www.welivesecurity.com/en/eset-research/revisiting-cve-2025-50165-critical-flaw-windows-imaging-component/" } ], "x_severity": "high", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e343d5b-e5a8-4a23-8f7f-a9c858ddee65", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-52691", "pattern": "[vulnerability:name = 'CVE-2025-52691']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-52691 \u2014 SmarterTools SmarterMail Unrestri", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--605884c0-ddd5-47ad-95f5-883c2b747255", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-53521", "pattern": "[vulnerability:name = 'CVE-2025-53521']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-53521 \u2014 F5 BIG-IP Stack-Based Buffer Over", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1ed4ee59-57ca-44cf-b710-a1619fcf635c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: 
CVE-2025-54068", "pattern": "[vulnerability:name = 'CVE-2025-54068']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-54068 \u2014 Laravel Livewire Code Injection V", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2e492773-bd8a-42a7-946c-fb7b3a0336e4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-54313", "pattern": "[vulnerability:name = 'CVE-2025-54313']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-54313 \u2014 Prettier eslint-config-prettier E", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6bb46f29-def8-42a6-97b6-71e2939e4ac1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-58360", "pattern": "[vulnerability:name = 'CVE-2025-58360']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-58360 \u2014 OSGeo GeoServer Improper Restrict", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--96453da4-4478-4b79-8831-58902af27a24", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-59374", "pattern": "[vulnerability:name = 'CVE-2025-59374']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": 
"CISA KEV: CVE-2025-59374 \u2014 ASUS Live Update Embedded Malicio", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--036e525a-af49-4593-af55-128e83365e24", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-59718", "pattern": "[vulnerability:name = 'CVE-2025-59718']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-59718 \u2014 Fortinet Multiple Products Improp", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--218c95c1-c0a9-4dda-8238-84ddc1cb38f1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-59719", "pattern": "[vulnerability:name = 'CVE-2025-59719']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-59718 \u2014 Fortinet Multiple Products Improp", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--029b0c0d-1d04-4b74-8764-89332dd5fd25", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-60710", "pattern": "[vulnerability:name = 'CVE-2025-60710']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-60710 \u2014 Microsoft Windows Link Following ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--828958d5-952e-408b-aaf2-e061dd875210", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-61757", "pattern": "[vulnerability:name = 'CVE-2025-61757']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-61757 \u2014 Oracle Fusion Middleware Missing ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d4864249-dafd-4e77-9d38-c5c2f19c0519", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-6218", "pattern": "[vulnerability:name = 'CVE-2025-6218']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-6218 \u2014 RARLAB WinRAR Path Traversal Vulne", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f25a1687-1f6b-435b-9f56-b14dedcdcfe1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-62215", "pattern": "[vulnerability:name = 'CVE-2025-62215']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-62215 \u2014 Microsoft Windows Race Condition ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--64cacb1e-0ce6-46bc-ae9b-e85acefbc28d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-62221", "pattern": 
"[vulnerability:name = 'CVE-2025-62221']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-62221 \u2014 Microsoft Windows Use After Free ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--82598d59-736c-4476-9ca9-8e726a3a986e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-64328", "pattern": "[vulnerability:name = 'CVE-2025-64328']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-64328 \u2014 Sangoma FreePBX OS Command Inject", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--df503b3d-f254-4cd4-8b10-027f9a33cd3d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-64446", "pattern": "[vulnerability:name = 'CVE-2025-64446']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-64446 \u2014 Fortinet FortiWeb Path Traversal ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a031b456-8ae9-4e39-9ed2-97e19771e5b3", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-66644", "pattern": "[vulnerability:name = 'CVE-2025-66644']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-66644 
\u2014 Array Networks ArrayOS AG OS Comm", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1479069a-61ef-4ef5-b7c1-6177592f9177", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-68461", "pattern": "[vulnerability:name = 'CVE-2025-68461']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-68461 \u2014 RoundCube Webmail Cross-site Scri", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--239f9179-4684-490b-ad59-9b243abf5883", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-68613", "pattern": "[vulnerability:name = 'CVE-2025-68613']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-68613 \u2014 n8n Improper Control of Dynamical", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a56620b6-fffe-48e4-95c0-530e7838bbe3", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2025-68645", "pattern": "[vulnerability:name = 'CVE-2025-68645']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-68645 \u2014 Synacor Zimbra Collaboration Suit", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": 
"2.1", "id": "indicator--f2e2317d-506a-48c8-8247-20f337f52fe8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-0390", "pattern": "[vulnerability:name = 'CVE-2026-0390']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bb8b2cfa-9259-4848-bf34-3d44463e74f0", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-1603", "pattern": "[vulnerability:name = 'CVE-2026-1603']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-1603 \u2014 Ivanti Endpoint Manager (EPM) Auth", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e3cee8a3-b9b9-4f40-9b96-70ba90684812", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-20045", "pattern": "[vulnerability:name = 'CVE-2026-20045']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-20045 \u2014 Cisco Unified Communications Prod", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ac608aef-06ec-4cca-9b82-91166211c7c7", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-20122", "pattern": "[vulnerability:name = 
'CVE-2026-20122']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-20122 \u2014 Cisco Catalyst SD-WAN Manager Inc", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9caef6b1-9d54-4c04-badc-a7f37e2d764f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-20127", "pattern": "[vulnerability:name = 'CVE-2026-20127']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-20127 \u2014 Cisco Catalyst SD-WAN Controller ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2dac3257-3683-445c-bdbe-9486ff0c28c1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-20128", "pattern": "[vulnerability:name = 'CVE-2026-20128']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-20128 \u2014 Cisco Catalyst SD-WAN Manager Sto", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--82431605-db78-4ea8-9bf4-456a60f50cfc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-20131", "pattern": "[vulnerability:name = 'CVE-2026-20131']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-20131 \u2014 Cisco Secure 
Firewall Management ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a34d0554-52af-47a4-a295-0047b49e0acc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-20133", "pattern": "[vulnerability:name = 'CVE-2026-20133']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-20133 \u2014 Cisco Catalyst SD-WAN Manager Exp", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c333464e-9825-4dda-b354-e88a0d1967de", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-20700", "pattern": "[vulnerability:name = 'CVE-2026-20700']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2025-43520 \u2014 Apple Multiple Products Classic B", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7284d1db-1034-4c5b-ab6b-776d3f06f0e6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-20805", "pattern": "[vulnerability:name = 'CVE-2026-20805']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-20805 \u2014 Microsoft Windows Information Dis", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--eebb18cb-2a04-437c-8436-9f3c189eeb4a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-20963", "pattern": "[vulnerability:name = 'CVE-2026-20963']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-20963 \u2014 Microsoft SharePoint Deserializat", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1457de16-d233-488c-8b58-1a6ef6699419", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-21385", "pattern": "[vulnerability:name = 'CVE-2026-21385']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-21385 \u2014 Qualcomm Multiple Chipsets Memory", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--48a4001c-0d07-44f2-97d9-a3d2b68ee46b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-21514", "pattern": "[vulnerability:name = 'CVE-2026-21514']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-21514 \u2014 Microsoft Office Word Reliance on", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d0d2d28a-c891-4c02-ad8e-7b7d96e0c882", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-21519", "pattern": "[vulnerability:name = 'CVE-2026-21519']", 
"pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-21519 \u2014 Microsoft Windows Type Confusion ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--90c7319d-8321-457c-9c8d-8bdda12b3f9d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-21525", "pattern": "[vulnerability:name = 'CVE-2026-21525']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-21525 \u2014 Microsoft Windows NULL Pointer De", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d38544ac-931c-49e3-92c7-626c3737ecb9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-21533", "pattern": "[vulnerability:name = 'CVE-2026-21533']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-21533 \u2014 Microsoft Windows Improper Privil", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--12e7ff55-f316-431e-b44b-e365848ddf68", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-21643", "pattern": "[vulnerability:name = 'CVE-2026-21643']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-21643 \u2014 Fortinet FortiClient EMS SQL Inje", 
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a489bc87-a30a-4a96-b752-fd19ce8b760c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-22719", "pattern": "[vulnerability:name = 'CVE-2026-22719']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-22719 \u2014 Broadcom VMware Aria Operations C", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4f87f769-8b06-4029-86d1-7a0fd4eb220a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-22769", "pattern": "[vulnerability:name = 'CVE-2026-22769']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-22769 \u2014 Dell RecoverPoint for Virtual Mac", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a9dc351f-ba7e-4053-a358-c13d5e242c0c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-23666", "pattern": "[vulnerability:name = 'CVE-2026-23666']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--8963c988-a77c-4107-a764-0f492bdecb0f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-23760", "pattern": "[vulnerability:name = 'CVE-2026-23760']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-24858 \u2014 Fortinet Multiple Products Authen", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1fd227b2-c0f3-430b-860e-aea4cb5369eb", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-24061", "pattern": "[vulnerability:name = 'CVE-2026-24061']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-24061 \u2014 GNU InetUtils Argument Injection ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d53d5eb4-f36c-4645-a064-e2a2ec07e164", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-24423", "pattern": "[vulnerability:name = 'CVE-2026-24423']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-24423 \u2014 SmarterTools SmarterMail Missing ", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4e453d6f-c8e7-4c0d-8266-d95b651110c4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-24858", "pattern": "[vulnerability:name = 'CVE-2026-24858']", 
"pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-24858 \u2014 Fortinet Multiple Products Authen", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d00c48e-c541-4396-898b-940d8393dfc1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-25108", "pattern": "[vulnerability:name = 'CVE-2026-25108']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-25108 \u2014 Soliton Systems K.K FileZen OS Co", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7b1ccb19-7324-472e-9d52-6def1d41abbc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-26151", "pattern": "[vulnerability:name = 'CVE-2026-26151']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3794d41f-83ca-45db-9190-ce419c9c6538", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-26169", "pattern": "[vulnerability:name = 'CVE-2026-26169']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", 
"url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--16aad140-8905-4386-97e9-b9ce6fdc31f6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-26173", "pattern": "[vulnerability:name = 'CVE-2026-26173']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--19ada316-0948-414a-85c5-d14ea9223828", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-26177", "pattern": "[vulnerability:name = 'CVE-2026-26177']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3f37ca73-37ca-4270-80c3-0dc6c461360a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-26182", "pattern": "[vulnerability:name = 'CVE-2026-26182']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", 
"id": "indicator--1c153541-5c8f-482b-a74d-002ace4f0da2", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-27906", "pattern": "[vulnerability:name = 'CVE-2026-27906']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--997c7528-d94d-4821-91b0-699c75fe40b5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-27908", "pattern": "[vulnerability:name = 'CVE-2026-27908']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--05449bc2-0e06-4906-ae5a-8194fbea2334", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-27909", "pattern": "[vulnerability:name = 'CVE-2026-27909']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1bdbeb2b-2369-4761-a33e-f8b7f8a6cf1e", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-27913", "pattern": 
"[vulnerability:name = 'CVE-2026-27913']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--39abe6b9-b1a0-45f1-b14f-788522363a54", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-27914", "pattern": "[vulnerability:name = 'CVE-2026-27914']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f26cfc9e-9aaf-488b-ab80-1a0a45ca56ed", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-27921", "pattern": "[vulnerability:name = 'CVE-2026-27921']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0750510c-3b87-4041-82cb-0ec4f3ddff85", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-27922", "pattern": "[vulnerability:name = 'CVE-2026-27922']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": 
"Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fbf466ed-58aa-4409-b64c-5c94446fbb62", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-3055", "pattern": "[vulnerability:name = 'CVE-2026-3055']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-3055 \u2014 Citrix NetScaler Out-of-Bounds Rea", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9528ae87-1877-4854-8938-295936730244", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-32070", "pattern": "[vulnerability:name = 'CVE-2026-32070']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--31d13fd4-376a-440d-8975-4ee03ebfe332", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-32075", "pattern": "[vulnerability:name = 'CVE-2026-32075']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco 
Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7964ef90-349a-47b0-b8cf-c9d1b57f3779", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-32093", "pattern": "[vulnerability:name = 'CVE-2026-32093']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--077e260b-6cd2-4d96-bc11-b6bc4526cf59", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-32152", "pattern": "[vulnerability:name = 'CVE-2026-32152']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--67a37a29-9be7-43b3-8ca4-bb17cd69534d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-32154", "pattern": "[vulnerability:name = 'CVE-2026-32154']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e9ffa260-7ecf-4b12-b6e2-9bee0a6fa2d3", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", 
"name": "CVE: CVE-2026-32155", "pattern": "[vulnerability:name = 'CVE-2026-32155']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f12b780d-8efb-4eb9-a736-16540ef68afa", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-32157", "pattern": "[vulnerability:name = 'CVE-2026-32157']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b1abf05-a2f7-4022-87ca-699d665633fe", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-32162", "pattern": "[vulnerability:name = 'CVE-2026-32162']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6aeb8980-7fcd-4825-9474-12f1d15c76a4", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-32190", "pattern": "[vulnerability:name = 'CVE-2026-32190']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], 
"external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c3111d0-e788-4039-9709-306ff4e3cadc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-32201", "pattern": "[vulnerability:name = 'CVE-2026-32201']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" }, { "source_name": "CISA KEV: CVE-2026-32201 \u2014 Microsoft SharePoint Server Impro", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "Cisco Talos", "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--727f0296-89b9-4e1e-aa95-4de14231c35d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-32225", "pattern": "[vulnerability:name = 'CVE-2026-32225']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f051b23a-d7c6-4889-ac8e-1867cf241ac6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-33017", "pattern": "[vulnerability:name = 'CVE-2026-33017']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], 
"external_references": [ { "source_name": "CISA KEV: CVE-2026-33017 \u2014 Langflow Code Injection Vulnerabi", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--053c6028-f948-4717-a09f-bc762649cc60", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-33114", "pattern": "[vulnerability:name = 'CVE-2026-33114']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e42b95b1-f0d1-41b9-ae12-ca126cb2babe", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-33115", "pattern": "[vulnerability:name = 'CVE-2026-33115']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--80c9982f-7803-4115-83e9-876c5e825e3f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-33634", "pattern": "[vulnerability:name = 'CVE-2026-33634']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-33634 \u2014 Aquasecurity Trivy Embedded Malic", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], 
"x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9bf8d4bb-9913-4e3f-9308-762b1f460e95", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-33825", "pattern": "[vulnerability:name = 'CVE-2026-33825']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-33825 \u2014 Microsoft Defender Insufficient G", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "CISA KEV", "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fb4f1266-e53a-4504-a8ea-7a45b37870f6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-33826", "pattern": "[vulnerability:name = 'CVE-2026-33826']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": "high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3973c34a-ab46-4628-bea5-55d11cfac8f2", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-33827", "pattern": "[vulnerability:name = 'CVE-2026-33827']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Microsoft Patch Tuesday for April 2026 - Snort Rule and Prom", "url": "https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/" } ], "x_severity": 
"high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6ec547ba-027e-4497-899e-0da560c9e682", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-34621", "pattern": "[vulnerability:name = 'CVE-2026-34621']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-34621 \u2014 Adobe Acrobat and Reader Prototyp", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ee7290c-289a-4a46-a2b6-63a7993f1b16", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-3502", "pattern": "[vulnerability:name = 'CVE-2026-3502']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-3502 \u2014 TrueConf Client Download of Code W", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ec36962d-c02d-46e4-8abf-ce02729321f5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-35616", "pattern": "[vulnerability:name = 'CVE-2026-35616']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-35616 \u2014 Fortinet FortiClient EMS Improper", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--64dd7152-e726-4808-83ec-f173bd920aa3", "created": "2026-04-30T20:25:54Z", "modified": 
"2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-3909", "pattern": "[vulnerability:name = 'CVE-2026-3909']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-3909 \u2014 Google Skia Out-of-Bounds Write Vu", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a4ba1f09-5780-42fe-8715-c3929738ed59", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-3910", "pattern": "[vulnerability:name = 'CVE-2026-3910']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-3910 \u2014 Google Chromium V8 Improper Restri", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e98794bb-13a7-4b2f-94b0-30908dd9a3b5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-39987", "pattern": "[vulnerability:name = 'CVE-2026-39987']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "CISA KEV: CVE-2026-39987 \u2014 Marimo Remote Code Execution Vuln", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--02f9591e-ac41-420a-a718-9ce7154c0861", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-5281", "pattern": "[vulnerability:name = 'CVE-2026-5281']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], 
"external_references": [ { "source_name": "CISA KEV: CVE-2026-5281 \u2014 Google Dawn Use-After-Free Vulnera", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "x_severity": "high", "x_sources": [ "CISA KEV" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--86c38054-6aaa-4fd6-affc-7cf75ca77878", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: chiaselinks.com", "pattern": "[domain-name:value = 'chiaselinks.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The long road to your crypto: ClipBanker and its marathon in", "url": "https://securelist.com/clipbanker-malware-distributed-via-trojanized-proxifier/119341/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b149c1c7-029c-4fa8-874c-6e7275ff503c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: crystalxrat.top", "pattern": "[domain-name:value = 'crystalxrat.top']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A laughing RAT: CrystalX combines spyware, stealer, and pran", "url": "https://securelist.com/crystalx-rat-with-prankware-features/119283/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5244aef8-8212-4f68-b7b3-c8a3b991a6a1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: git.parat.swiss", "pattern": "[domain-name:value = 'git.parat.swiss']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The long road to your crypto: ClipBanker and its marathon in", "url": 
"https://securelist.com/clipbanker-malware-distributed-via-trojanized-proxifier/119341/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cdfc7558-2eff-4400-b162-64753f4f05ea", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: gofile.io", "pattern": "[domain-name:value = 'gofile.io']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A cunning predator: How Silver Fox preys on Japanese firms t", "url": "https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/" } ], "x_severity": "high", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b31be2f3-e04a-496c-8dce-226b49f3b22d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: maper.info", "pattern": "[domain-name:value = 'maper.info']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The long road to your crypto: ClipBanker and its marathon in", "url": "https://securelist.com/clipbanker-malware-distributed-via-trojanized-proxifier/119341/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--86592cee-320a-438f-8e0b-a67e007b76fb", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: paste.kealper.com", "pattern": "[domain-name:value = 'paste.kealper.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The long road to your crypto: ClipBanker and its marathon in", "url": 
"https://securelist.com/clipbanker-malware-distributed-via-trojanized-proxifier/119341/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1bf0766a-1117-45a8-b3c2-28180763b640", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: pinhole.rootcode.ru", "pattern": "[domain-name:value = 'pinhole.rootcode.ru']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The long road to your crypto: ClipBanker and its marathon in", "url": "https://securelist.com/clipbanker-malware-distributed-via-trojanized-proxifier/119341/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c3a7356d-5ecd-42b8-9663-74245c1e00d8", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: rlim.com", "pattern": "[domain-name:value = 'rlim.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The long road to your crypto: ClipBanker and its marathon in", "url": "https://securelist.com/clipbanker-malware-distributed-via-trojanized-proxifier/119341/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7cb37772-2972-40c5-8333-9fbf663cd88c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: w.anadnet.com", "pattern": "[domain-name:value = 'w.anadnet.com']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Popular WordPress redirect plugin hid dormant backdoor for y", "url": 
"https://www.bleepingcomputer.com/news/security/popular-wordpress-redirect-plugin-hid-dormant-backdoor-for-years/" } ], "x_severity": "high", "x_sources": [ "BleepingComputer" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ce285a52-cd39-4440-9f47-a395967901e1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: webcrystal.lol", "pattern": "[domain-name:value = 'webcrystal.lol']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A laughing RAT: CrystalX combines spyware, stealer, and pran", "url": "https://securelist.com/crystalx-rat-with-prankware-features/119283/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e056454d-40b3-4ad8-82d2-1233d2a94af9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "DOMAIN: webcrystal.sbs", "pattern": "[domain-name:value = 'webcrystal.sbs']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A laughing RAT: CrystalX combines spyware, stealer, and pran", "url": "https://securelist.com/crystalx-rat-with-prankware-features/119283/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e39d9834-4cc0-4289-b634-a048b5ce51ca", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "IPV4: 1.3.6.1", "pattern": "[ipv4-addr:value = '1.3.6.1']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Bad Apples: Weaponizing native macOS primitives for movement", "url": "https://blog.talosintelligence.com/bad-apples-weaponizing-native-macos-primitives-for-movement-and-execution/" } ], "x_severity": 
"high", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a5ce1753-3cba-435a-9969-5ac2b5fa31de", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 05BACBE163EF0393C2416CBD05E45E74", "pattern": "[file:hashes.MD5 = '05BACBE163EF0393C2416CBD05E45E74']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "An AI gateway designed to steal your data", "url": "https://securelist.com/litellm-supply-chain-attack/119257/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--764989aa-8ff1-4fcc-82da-07f3bb869d8b", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 0FCCC8E3A03896F45726203074AE225D", "pattern": "[file:hashes.MD5 = '0FCCC8E3A03896F45726203074AE225D']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "An AI gateway designed to steal your data", "url": "https://securelist.com/litellm-supply-chain-attack/119257/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--448249ec-7683-40e8-aa37-9dc8ed177791", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 107484d66423cb601f418344cd648f12", "pattern": "[file:hashes.MD5 = '107484d66423cb601f418344cd648f12']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The long road to your crypto: ClipBanker and its marathon in", "url": "https://securelist.com/clipbanker-malware-distributed-via-trojanized-proxifier/119341/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--76dc6109-e538-4078-8764-6c520fa683bb", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 1A68AE614FB2D8875CB0573E6A721B46", "pattern": "[file:hashes.MD5 = '1A68AE614FB2D8875CB0573E6A721B46']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A laughing RAT: CrystalX combines spyware, stealer, and pran", "url": "https://securelist.com/crystalx-rat-with-prankware-features/119283/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d5f62d2c-ea0d-4ed1-8b7c-36d2190a747d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 2DBE6DE177241C144D06355C381B868C", "pattern": "[file:hashes.MD5 = '2DBE6DE177241C144D06355C381B868C']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A laughing RAT: CrystalX combines spyware, stealer, and pran", "url": "https://securelist.com/crystalx-rat-with-prankware-features/119283/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--100e99c0-b3c2-4e74-a52e-669caa34fce6", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 2E3A4412A7A487B32C5715167C755D08", "pattern": "[file:hashes.MD5 = '2E3A4412A7A487B32C5715167C755D08']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "An AI gateway designed to steal your data", "url": "https://securelist.com/litellm-supply-chain-attack/119257/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1c773063-9651-47bb-a8d7-f9bf18b9371e", "created": "2026-04-30T20:25:54Z", 
"modified": "2026-04-30T20:25:54Z", "name": "MD5: 34a0f70ab100c47caaba7a5c85448e3d", "pattern": "[file:hashes.MD5 = '34a0f70ab100c47caaba7a5c85448e3d']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The long road to your crypto: ClipBanker and its marathon in", "url": "https://securelist.com/clipbanker-malware-distributed-via-trojanized-proxifier/119341/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--73ef5c07-35e0-4644-bb3e-f8df7f58596a", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 47ACCB0ECFE8CCD466752DDE1864F3B0", "pattern": "[file:hashes.MD5 = '47ACCB0ECFE8CCD466752DDE1864F3B0']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A laughing RAT: CrystalX combines spyware, stealer, and pran", "url": "https://securelist.com/crystalx-rat-with-prankware-features/119283/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2064979c-595e-4e8b-855d-8eac4939ccb5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 49C74B302BFA32E45B7C1C5780DD0976", "pattern": "[file:hashes.MD5 = '49C74B302BFA32E45B7C1C5780DD0976']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A laughing RAT: CrystalX combines spyware, stealer, and pran", "url": "https://securelist.com/crystalx-rat-with-prankware-features/119283/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f69631ee-1698-45f6-a59e-7f29fcc7c1dc", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": 
"MD5: 7528bf597fd7764fcb7ec06512e073e0", "pattern": "[file:hashes.MD5 = '7528bf597fd7764fcb7ec06512e073e0']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The long road to your crypto: ClipBanker and its marathon in", "url": "https://securelist.com/clipbanker-malware-distributed-via-trojanized-proxifier/119341/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--11cc3031-c2cd-4ae3-bf90-703779aafd36", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 8354223cd6198b05904337b5dff7772b", "pattern": "[file:hashes.MD5 = '8354223cd6198b05904337b5dff7772b']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The long road to your crypto: ClipBanker and its marathon in", "url": "https://securelist.com/clipbanker-malware-distributed-via-trojanized-proxifier/119341/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--10adf3a3-4599-4876-abc5-5802704c990c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 85ED77A21B88CAE721F369FA6B7BBBA3", "pattern": "[file:hashes.MD5 = '85ED77A21B88CAE721F369FA6B7BBBA3']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "An AI gateway designed to steal your data", "url": "https://securelist.com/litellm-supply-chain-attack/119257/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d9671107-7eff-4ddd-ba12-39aeca7188f5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: 88C60DF2A1414CBF24430A74AE9836E0", "pattern": 
"[file:hashes.MD5 = '88C60DF2A1414CBF24430A74AE9836E0']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A laughing RAT: CrystalX combines spyware, stealer, and pran", "url": "https://securelist.com/crystalx-rat-with-prankware-features/119283/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--71d4ad80-8646-4af8-b41b-943197d3510c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: CDE4951BEE7E28AC8A29D33D34A41AE5", "pattern": "[file:hashes.MD5 = 'CDE4951BEE7E28AC8A29D33D34A41AE5']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "An AI gateway designed to steal your data", "url": "https://securelist.com/litellm-supply-chain-attack/119257/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c3348cee-c619-44f0-8288-272c10f5aa19", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: E540E9797E3B814BFE0A82155DFE135D", "pattern": "[file:hashes.MD5 = 'E540E9797E3B814BFE0A82155DFE135D']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "A laughing RAT: CrystalX combines spyware, stealer, and pran", "url": "https://securelist.com/crystalx-rat-with-prankware-features/119283/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--03d2e307-3aed-4b98-94c9-6f23d72336e7", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "MD5: F5560871F6002982A6A2CC0B3EE739F7", "pattern": "[file:hashes.MD5 = 'F5560871F6002982A6A2CC0B3EE739F7']", "pattern_type": "stix", 
"valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "An AI gateway designed to steal your data", "url": "https://securelist.com/litellm-supply-chain-attack/119257/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a7bc10fb-f6ba-4a1c-a772-f7e78d71e990", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 3F3767D05E5A91184005D98427074711F68D9950", "pattern": "[file:hashes.'SHA-1' = '3F3767D05E5A91184005D98427074711F68D9950']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Revisiting CVE-2025-50165: A critical flaw in Windows Imagin", "url": "https://www.welivesecurity.com/en/eset-research/revisiting-cve-2025-50165-critical-flaw-windows-imaging-component/" } ], "x_severity": "high", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dfd8bd7-eab5-4658-9f89-25b63df97a37", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 4EC1DC0431432BC318E78C520387911EC44F84FC", "pattern": "[file:hashes.'SHA-1' = '4EC1DC0431432BC318E78C520387911EC44F84FC']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Revisiting CVE-2025-50165: A critical flaw in Windows Imagin", "url": "https://www.welivesecurity.com/en/eset-research/revisiting-cve-2025-50165-critical-flaw-windows-imaging-component/" } ], "x_severity": "high", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3d01207c-0362-4cd0-9320-6d45980b2119", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6", "pattern": "[file:hashes.'SHA-1' = 
'4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "ESET Research: Sandworm behind cyberattack on Poland\u2019s power", "url": "https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025/" } ], "x_severity": "high", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f2bfc3d2-ea9e-4482-aa7e-cf278307ea8d", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 5887D96565749067564BABCD3DC5D107AB6666BD", "pattern": "[file:hashes.'SHA-1' = '5887D96565749067564BABCD3DC5D107AB6666BD']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Revisiting CVE-2025-50165: A critical flaw in Windows Imagin", "url": "https://www.welivesecurity.com/en/eset-research/revisiting-cve-2025-50165-critical-flaw-windows-imaging-component/" } ], "x_severity": "high", "x_sources": [ "ESET WeLiveSecurity" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--187e5554-a083-4d31-a354-620cbf2c670f", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 60c8128c48aac890a6d01448d1829a6edcdce0d2", "pattern": "[file:hashes.'SHA-1' = '60c8128c48aac890a6d01448d1829a6edcdce0d2']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Building an Adversarial Consensus Engine | Multi-Agent LLMs ", "url": "https://www.sentinelone.com/labs/building-an-adversarial-consensus-engine-multi-agent-llms-for-automated-malware-analysis/" } ], "x_severity": "high", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--00209b66-6a3a-4fdb-9855-4690142e886c", "created": 
"2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: 678aa572faa73f6873d24f24e423d315e7eb2c2d", "pattern": "[file:hashes.'SHA-1' = '678aa572faa73f6873d24f24e423d315e7eb2c2d']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Building an Adversarial Consensus Engine | Multi-Agent LLMs ", "url": "https://www.sentinelone.com/labs/building-an-adversarial-consensus-engine-multi-agent-llms-for-automated-malware-analysis/" } ], "x_severity": "high", "x_sources": [ "SentinelLabs" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3f1ed2e9-3ad4-4686-a156-b503418b1bc1", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: d85cef60cdb9e8d0f3cb3546de6ab657f9498ac7", "pattern": "[file:hashes.'SHA-1' = 'd85cef60cdb9e8d0f3cb3546de6ab657f9498ac7']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "The long road to your crypto: ClipBanker and its marathon in", "url": "https://securelist.com/clipbanker-malware-distributed-via-trojanized-proxifier/119341/" } ], "x_severity": "high", "x_sources": [ "Securelist (Kaspersky)" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--42d00c07-2fda-4697-8152-bc6d81bf3b8c", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "SHA1: f5149543014e5b1bd7030711fd5c7d2a4bef0c2f", "pattern": "[file:hashes.'SHA-1' = 'f5149543014e5b1bd7030711fd5c7d2a4bef0c2f']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Building an Adversarial Consensus Engine | Multi-Agent LLMs ", "url": "https://www.sentinelone.com/labs/building-an-adversarial-consensus-engine-multi-agent-llms-for-automated-malware-analysis/" } ], "x_severity": "high", "x_sources": [ "SentinelLabs" ] }, { 
"type": "indicator", "spec_version": "2.1", "id": "indicator--b3578e0c-8dda-4dc0-9be7-17836d6c0c21", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-20884", "pattern": "[vulnerability:name = 'CVE-2026-20884']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Foxit, LibRaw vulnerabilities", "url": "https://blog.talosintelligence.com/foxit-libraw-vulnerabilities/" } ], "x_severity": "med", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d2b82859-611d-425e-bcbb-101039e1b4b5", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-20889", "pattern": "[vulnerability:name = 'CVE-2026-20889']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Foxit, LibRaw vulnerabilities", "url": "https://blog.talosintelligence.com/foxit-libraw-vulnerabilities/" } ], "x_severity": "med", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1d3e752a-9947-490b-b684-f21da1e2feab", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-20911", "pattern": "[vulnerability:name = 'CVE-2026-20911']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Foxit, LibRaw vulnerabilities", "url": "https://blog.talosintelligence.com/foxit-libraw-vulnerabilities/" } ], "x_severity": "med", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2e8a4ee3-d678-4d01-827e-6876aaede7b9", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-21413", "pattern": "[vulnerability:name = 'CVE-2026-21413']", "pattern_type": "stix", "valid_from": 
"2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Foxit, LibRaw vulnerabilities", "url": "https://blog.talosintelligence.com/foxit-libraw-vulnerabilities/" } ], "x_severity": "med", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d772cab2-b4e5-4710-84c4-edcf3e98ae22", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-24450", "pattern": "[vulnerability:name = 'CVE-2026-24450']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Foxit, LibRaw vulnerabilities", "url": "https://blog.talosintelligence.com/foxit-libraw-vulnerabilities/" } ], "x_severity": "med", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dedccd36-e2b9-459a-aefc-46f9a1a16b10", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-24660", "pattern": "[vulnerability:name = 'CVE-2026-24660']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Foxit, LibRaw vulnerabilities", "url": "https://blog.talosintelligence.com/foxit-libraw-vulnerabilities/" } ], "x_severity": "med", "x_sources": [ "Cisco Talos" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f164565c-9f4a-46b8-a618-41295adcc8b7", "created": "2026-04-30T20:25:54Z", "modified": "2026-04-30T20:25:54Z", "name": "CVE: CVE-2026-3779", "pattern": "[vulnerability:name = 'CVE-2026-3779']", "pattern_type": "stix", "valid_from": "2026-04-30T20:25:54Z", "labels": [ "malicious-activity" ], "external_references": [ { "source_name": "Foxit, LibRaw vulnerabilities", "url": "https://blog.talosintelligence.com/foxit-libraw-vulnerabilities/" } ], "x_severity": "med", "x_sources": [ "Cisco Talos" ] } ] }