{"meta":{"status":200,"terms-of-use":"All data returned by this API is confidential and proprietary information of Tidal Cyber Inc. ('Tidal Cyber'). Use of the data returned by this API is governed by the Tidal Cyber Terms of Use, available at https://www.tidalcyber.com/terms-of-use, or, if applicable, the agreement between Tidal Cyber and the organization on behalf of which you are using this API and the information returned by this API."},"data":[{"id":"96e367d0-a744-5b63-85ec-595f505248a3","name":"2015 Ukraine Electric Power Attack","description":"[2015 Ukraine Electric Power Attack](https://app.tidalcyber.com/campaigns/96e367d0-a744-5b63-85ec-595f505248a3) was a [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) campaign during which they used [BlackEnergy](https://app.tidalcyber.com/software/908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f) (specifically BlackEnergy3) and [KillDisk](https://app.tidalcyber.com/software/b5532e91-d267-4819-a05d-8c5358995add) to target and disrupt transmission and distribution substations within the Ukrainian power grid. 
This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.","first_seen":"2015-12-01T05:00:00Z","last_seen":"2016-01-01T05:00:00Z","created":"2023-11-07T00:35:51.419764Z","modified":"2023-11-07T00:35:51.419770Z","campaign_attack_id":"C0028","source":"MITRE","owner_name":null,"tags":[{"id":"0363b729-1dff-4c99-a3a0-4694254e9843","tag":"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"}],"tidal_id":"322837cc-528f-5951-b26d-76a7c5fc0351"},{"id":"06197e03-e1c1-56af-ba98-5071f98f91f1","name":"2016 Ukraine Electric Power Attack","description":"[2016 Ukraine Electric Power Attack](https://app.tidalcyber.com/campaigns/06197e03-e1c1-56af-ba98-5071f98f91f1) was a [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) campaign during which they used [Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666).<sup>[[ESET Industroyer](https://app.tidalcyber.com/references/9197f712-3c53-4746-9722-30e248511611)]</sup><sup>[[Dragos Crashoverride 2018](https://app.tidalcyber.com/references/d14442d5-2557-4a92-9a29-b15a20752f56)]</sup>","first_seen":"2016-12-01T05:00:00Z","last_seen":"2016-12-01T05:00:00Z","created":"2023-05-26T01:20:56.206588Z","modified":"2023-05-26T01:20:56.206591Z","campaign_attack_id":"C0025","source":"MITRE","owner_name":null,"tags":[{"id":"f8a4dd4f-588a-4ee9-808a-c7624ccd5066","tag":"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"}],"tidal_id":"414e4f59-67d8-50a0-ba52-d80d30679942"},{"id":"2c744e73-70c5-40f8-878c-89bb923a30f0","name":"2021 Sri Lanka .lk Domain DNS Hijack","description":"A campaign involving DNS cache poisoning and defacement of multiple .lk domains, including google.lk, to redirect users to a propaganda page 
and potentially deliver malware.<sup>[[Roar Media Archive February 26 2021](/references/d5307024-13fb-43ce-9c90-0957c77c50ee)]</sup>","first_seen":"2021-02-06T00:00:00Z","last_seen":"2021-02-06T00:00:00Z","created":"2026-01-23T20:31:38.923017Z","modified":"2026-01-23T20:31:38.923022Z","campaign_attack_id":"C3280","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"b392cb33-4a77-4ef1-9f19-7d3eacce91da","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"c9d189c8-65fc-49b0-ae49-06a9ef20c8c9","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"ea229e6f-24cd-56a2-aedd-3cefb8bb2abe"},{"id":"a79e06d1-df08-5c72-9180-2c373274f889","name":"2022 Ukraine Electric Power Attack","description":"The [2022 Ukraine Electric Power Attack](https://app.tidalcyber.com/campaigns/a79e06d1-df08-5c72-9180-2c373274f889) was a [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) campaign that used a combination of GOGETTER, Neo-REGEORG, [CaddyWiper](https://app.tidalcyber.com/software/62d0ddcd-790d-4d2d-9d94-276f54b40cf0), and living off the land (LotL) techniques to gain access to a Ukrainian electric utility to send unauthorized commands from their SCADA system.<sup>[[Mandiant-Sandworm-Ukraine-2022](https://app.tidalcyber.com/references/7ad64744-2790-54e4-97cd-e412423f6ada)]</sup><sup>[[Dragos-Sandworm-Ukraine-2022](https://app.tidalcyber.com/references/a17aa1b1-cda4-5aeb-b401-f4fd47d29f93)]</sup> ","first_seen":"2022-06-01T04:00:00Z","last_seen":"2022-10-01T04:00:00Z","created":"2024-04-25T13:28:23.538583Z","modified":"2024-04-25T13:28:23.538586Z","campaign_attack_id":"C0034","source":"MITRE","owner_name":null,"tags":[{"id":"584ae36d-f3c7-451f-a4ab-1f72b58989e9","tag":"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"}],"tidal_id":"72c6c1bd-f257-5cc4-bbe2-f5e6532c0cc9"},{"id":"87e14285-b86f-4f50-8d60-85398ba728b1","name":"2023 Increased Truebot Activity","description":"In July 2023, U.S. 
authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new variants of the Truebot botnet malware infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated by collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 in the IT system auditing application Netwrix Auditor to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections, FlawedGrace and Cobalt Strike for various post-exploitation activities, and Teleport, a custom tool for data exfiltration.<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup>\n\nThe Advisory did not provide specific impacted victim sectors. The Advisory referred to activity taking place “in recent months” prior to July 2023 but did not provide an estimated date when the summarized activity began. A public threat report referenced in the Advisory reported an observed increase in Truebot infections beginning in August 2022, including several compromises involving education sector organizations.<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup><sup>[[Cisco Talos Blog December 08 2022](/references/bcf92374-48a3-480f-a679-9fd34b67bcdd)]</sup>\n\n**Related Vulnerabilities**: CVE-2022-31199<sup>[[U.S. 
CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup>","first_seen":"2022-08-01T00:00:00Z","last_seen":"2023-05-31T00:00:00Z","created":"2023-07-14T12:56:42.148041Z","modified":"2023-07-14T12:56:42.148045Z","campaign_attack_id":"C3003","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"14a9f443-fa84-44d1-a303-592ff1ca176a","tag":"1dc8fd1e-0737-405a-98a1-111dd557f1b5"},{"id":"a9b86c67-9c0e-4e01-9c18-74b0167009d0","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"4c260379-4933-430e-8ff6-d0cca36d4603","tag":"7cc57262-5081-447e-85a3-31ebb4ab2ae5"}],"tidal_id":"cb82b467-f168-5695-9eed-44fbda3f31d8"},{"id":"33fd2417-0a9c-4748-ab99-0e641ab29fbc","name":"2023 Ivanti EPMM APT Vulnerability Exploits","description":"In August 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Norwegian National Cyber Security Centre (NCSC-NO) authorities released Cybersecurity Advisory AA23-213A, which detailed observed exploitation of two vulnerabilities, CVE-2023-35078 and CVE-2023-35081, affecting Ivanti Endpoint Manager Mobile (EPMM), a solution which provides elevated access to an organization's mobile devices. According to the Advisory, authorities observed unspecified advanced persistent threat (APT) actors exploiting CVE-2023-35078 as a zero-day from at least April 2023 in order to gather information from unspecified organizations in Norway, and to gain initial access to a Norwegian government agency.\n\nIvanti released a CVE-2023-35078 patch on July 23, but then determined that CVE-2023-35081 could be chained together with the first vulnerability, a process which can enable arbitrary upload and execution of actor files, such as web shells. Ivanti released a CVE-2023-35081 patch on July 28. 
The Advisory provided mitigation recommendations, vulnerability and compromise identification methods, and incident response guidance, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a).<sup>[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-35078<sup>[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]</sup>, CVE-2023-35081<sup>[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]</sup>","first_seen":"2023-04-01T00:00:00Z","last_seen":"2023-07-28T00:00:00Z","created":"2023-08-04T16:40:35.612810Z","modified":"2023-08-04T16:40:35.612818Z","campaign_attack_id":"C3007","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"0e47b1fc-efdc-404f-b0eb-3eeb5a306eb1","tag":"2d80c940-ba2c-4d45-8272-69928953e9eb"},{"id":"82b707e2-3dc6-4924-b2fe-4ca9f28d22cc","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"d699e2a5-f2c5-4e41-8e4b-1409279ed63a","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"ae0d38c4-9d89-4a2e-a705-345a73b120a0","tag":"81e948b3-5ec0-4df8-b6e7-1b037b1b2e67"},{"id":"f8c1814d-13a8-404f-bf8f-1f16631377c6","tag":"7551097a-dfdd-426f-aaa2-a2916dd9b873"}],"tidal_id":"8de52096-cc18-57b3-b137-b68d3bc6693a"},{"id":"d25f0485-fdf3-4b85-b2ec-53e98e215d0b","name":"2023 Zoho ManageEngine APT Exploits","description":"In September 2023, U.S. cybersecurity authorities released Cybersecurity Advisory AA23-250A, which detailed multiple intrusions in early 2023 involving an aeronautical sector organization and attributed to multiple unspecified “nation-state advanced persistent threat (APT) actors”. As early as January, one set of actors exploited CVE-2022-47966, a vulnerability in the Zoho ManageEngine ServiceDesk Plus IT service management application that allows remote code execution, to access the organization’s public-facing web servers. 
A separate set of actors was also observed exploiting CVE-2022-42475, a vulnerability in Fortinet, Inc.’s FortiOS SSL-VPN that also allows remote code execution, to gain access to the organization’s firewall devices.\n\nAfter gaining access, the actors downloaded malware, performed network discovery, collected administrator credentials, and moved laterally, but according to the advisory, unclear data storage records inhibited insight into whether any proprietary information was accessed, altered, or exfiltrated. A common behavior among both sets of actors was log deletion from critical servers and the use of disabled, legitimate administrator credentials, which in one case belonged to a previously employed contractor (the organization confirmed the credentials were disabled before the observed threat activity).<sup>[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]</sup>\n\nIn addition to behavioral observations and indicators of compromise, the Advisory provided detection and mitigation guidance, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a).\n\n**Related Vulnerabilities**: CVE-2022-47966, CVE-2022-42475, CVE-2021-44228<sup>[[U.S. 
CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]</sup>","first_seen":"2023-01-01T00:00:00Z","last_seen":"2023-04-01T00:00:00Z","created":"2023-09-08T15:49:58.374353Z","modified":"2023-09-08T15:49:58.374357Z","campaign_attack_id":"C3009","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"9392e1d3-af26-420d-9778-686b5239d084","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"d239af16-8d52-4312-851a-1a387635e8eb","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"0780af65-4166-4cd5-b29a-b44834dd5102","tag":"7e6ef160-8e4f-4132-bdc4-9991f01c472e"},{"id":"d57472b4-8247-4b65-80ca-c48da87ba033","tag":"793f4441-3916-4b3d-a3fd-686a59dc3de2"},{"id":"24598215-9fd5-4e1f-bcd2-cc5a49dc517a","tag":"532b7819-d407-41e9-9733-0d716b69eb17"}],"tidal_id":"d3dc3202-003f-5f83-b8a5-90ea63bda374"},{"id":"f919d539-50b1-4175-a5bd-30e5d547e2f6","name":"2024-25 State-Sponsored Actor ClickFix Use","description":"An object that represents a collection of MITRE ATT&CK® Techniques and other objects referenced in Proofpoint's [April 2025 report](https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix), \"Around the World in 90 Days: State-Sponsored Actors Try ClickFix\".<sup>[[Proofpoint April 16 2025](/references/2fa6240b-ff2a-4d4b-93f2-901e15cffd5f)]</sup>","first_seen":"2024-10-01T00:00:00Z","last_seen":"2025-01-31T00:00:00Z","created":"2025-05-06T16:29:23.289758Z","modified":"2025-05-06T16:29:23.289760Z","campaign_attack_id":"C3102","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"7055db1b-8623-4dcd-9960-a819fd98fc4a","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"c8131257-2a84-4e73-82c7-7e829a120ea8","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"3849046d-4593-56f9-bba9-2ec367ee0685"},{"id":"5edd80c1-6843-4b16-85fe-2148c6314c90","name":"2024 Increased ClickFix Activity","description":"This object represents a collection of MITRE ATT&CK® Techniques 
and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2024-07-01T00:00:00Z","last_seen":"2024-10-31T00:00:00Z","created":"2025-02-11T18:20:48.733075Z","modified":"2025-02-11T18:20:48.733080Z","campaign_attack_id":"C3086","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"415e9469-f166-4b2a-97e0-e57cf06de87d","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"4f665cd0-c258-4dd3-8c26-a482992aa105","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"b40bda30-a5ab-5dcc-a1d7-10d2f81df1bf"},{"id":"cfb3bfe9-07d3-40ac-8056-7634a4057e75","name":"2025 Bluenoroff Cryptocurrency Foundation Targeting","description":"Actors attributed to North Korean APT Bluenoroff targeted an employee at a cryptocurrency foundation, social engineering the user into downloading a malicious file that enabled a complex attack chain that used keylogging and screen captures to harvest sensitive information. 
Initial access involved convincing the target to join a Zoom meeting that featured suspected \"deepfake\" personas that impersonated senior leaders at the victim's employer.<sup>[[huntress.com June 18 2025](/references/5cc28485-6d45-46b0-9798-e6e18dc6f772)]</sup>","first_seen":"2025-05-01T00:00:00Z","last_seen":"2025-06-11T00:00:00Z","created":"2025-06-23T13:54:12.794362Z","modified":"2025-06-23T13:54:12.794367Z","campaign_attack_id":"C3112","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"35a409ed-1caf-4df9-8625-19ee1ae4ce1c","tag":"cce5f564-f7f0-4aa6-a908-b857cb2cbfe4"},{"id":"06e794ba-73af-4452-9c72-2e868d26e834","tag":"3b73c532-ccfc-4d66-9830-ab76ef1bc47a"},{"id":"7d86068d-83fa-436a-834f-e43eb743f4a9","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"62840220-d574-4762-a13d-418f788cf449","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"4444b7cc-06b5-5d79-b7bf-3743d0c2a209"},{"id":"89a1dc11-505f-404d-a978-1d2851dade0a","name":"2025 China-nexus Nezha/Ghost RAT Web Compromise Campaign","description":"A campaign beginning in August 2025 involving the use of log poisoning to deploy web shells, AntSword for remote control, Nezha agent for persistence and management, and Ghost RAT for full compromise, targeting over 100 systems globally with a focus on East Asia.<sup>[[Huntress October 08 2025](/references/2d5f20a7-9086-4c32-9e13-000f310b45d7)]</sup>","first_seen":"2025-08-06T00:00:00Z","last_seen":"2025-10-08T00:00:00Z","created":"2025-10-13T17:29:37.072191Z","modified":"2025-10-13T17:29:37.072195Z","campaign_attack_id":"C3142","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"4453c854-5f30-401f-b709-d78455dd2ffc","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"66736d33-8843-43d1-b6c0-c0c0865eff67","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"cf1f5dad-0bce-5c3e-b46d-3e76a7f1ea41"},{"id":"3754008e-6b5b-4c0a-85d1-210399e1ebcf","name":"2025 HoneyMyte Kernel-Mode Rootkit Campaign","description":"A 
cyberespionage campaign by HoneyMyte in 2025 targeting government organizations in Southeast and East Asia, notably Myanmar and Thailand, using a kernel-mode rootkit to deliver and protect the ToneShell backdoor.<sup>[[Securelist December 29 2025](/references/efddf678-b17a-47f3-8750-602a82acac05)]</sup>","first_seen":"2025-02-01T00:00:00Z","last_seen":"2025-06-30T00:00:00Z","created":"2026-01-06T18:05:32.902398Z","modified":"2026-01-06T18:05:32.902402Z","campaign_attack_id":"C3250","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"133287a1-5d32-4c8c-8253-23e5ecd8c6f4","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"35e83fce-b60f-4ed8-81fa-ad902ae2f4f6","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"f25b2cb3-8a45-57cd-ad50-65d6c0f2541c"},{"id":"0765be72-a6d5-4836-b4ec-3e6f1fd8dfb6","name":"2025 npm Package Compromises","description":"Researchers discovered that more than a dozen popular software packages being pushed to the npm JavaScript package manager had been compromised. A package maintainer reported that he fell victim to a phishing email that tricked him into clicking a malicious link and disclosing his credentials. Attackers inserted malicious code into the packages designed to harvest cryptocurrency-related victim browser activity. 
The incident received attention due to its potential scale (in total, the affected packages account for more than two billion downloads per week), although it was relatively quickly identified and contained.<sup>[[BleepingComputer September 8 2025](/references/c2b3a32f-0041-481b-b32e-7901764bd11c)]</sup>","first_seen":"2025-09-08T00:00:00Z","last_seen":"2025-09-09T00:00:00Z","created":"2025-09-10T16:39:40.994285Z","modified":"2025-09-10T16:39:40.994289Z","campaign_attack_id":"C3126","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"8789693f-53ac-4a90-b803-6e310655c337","tag":"cce5f564-f7f0-4aa6-a908-b857cb2cbfe4"},{"id":"7404cc49-fb3b-48ea-bedd-7668a617effd","tag":"4a457eb3-e404-47e5-b349-8b1f743dc657"},{"id":"b4698974-95f4-470d-9d60-6eea35b4bcd9","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"a6d8f86b-d461-4b9a-8bb0-b4119c9cba7b","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"6c645035-6f95-565a-b164-63e8110bcf57"},{"id":"504ca99d-63dd-40e3-8301-0b1283e1cbff","name":"2025 Ukraine Business Services and Local Government Intrusions","description":"A two-month intrusion against a large business services organization and a week-long attack against a local government organization in Ukraine, attributed to Russian actors, focused on harvesting sensitive information and maintaining persistence.<sup>[[Symantec Ukraine Targeting October 29 2025](/references/08b6d849-2837-4af9-bb8a-e0425e6a02e4)]</sup>","first_seen":"2025-06-27T00:00:00Z","last_seen":"2025-08-20T00:00:00Z","created":"2025-12-10T14:15:25.112598Z","modified":"2025-12-10T14:15:25.112604Z","campaign_attack_id":"C3186","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"3deee558-88e4-43f3-8383-f53f4a1545d7","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"7c6d85eb-821f-41c9-88e3-ee1e63a09eee","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"9e76bdcc-6c8e-5be0-bcd0-2a2749c5d434"},{"id":"ddf71cb7-ea77-4a43-9ab6-65d4dce2e2bb","name":"2026 Multi-stage 
AiTM Phishing and BEC Campaign Abusing SharePoint","description":"A multi-stage adversary-in-the-middle phishing and business email compromise campaign targeting organizations in the energy sector, leveraging compromised trusted vendor accounts and abusing SharePoint to deliver phishing payloads, steal credentials and session cookies, and propagate further BEC activity.<sup>[[Microsoft Security Blog January 22 2026](/references/9dc18a57-b5f0-4231-b851-eeb872121407)]</sup>","first_seen":"2026-01-01T00:00:00Z","last_seen":"2026-01-21T00:00:00Z","created":"2026-01-23T20:31:40.245301Z","modified":"2026-01-23T20:31:40.245304Z","campaign_attack_id":"C3288","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"c4c582f0-5365-4462-94b7-7d8478403d09","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"3f516a8c-54b6-4c86-ae84-b759dac1a067","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"a2a1a948-c510-5d35-9af2-c5de09ab6a15"},{"id":"3eb71c99-977f-5ee8-943e-67ce4ba2bf02","name":"3CX Supply Chain Attack","description":"The [3CX Supply Chain Attack](https://app.tidalcyber.com/campaigns/3eb71c99-977f-5ee8-943e-67ce4ba2bf02) was the first publicly reported case of one supply chain compromise triggering another, leading to a cascading, two-stage intrusion. The initial supply chain attack began when a 3CX employee downloaded and executed a trojanized, end-of-life version of the X_Trader trading software from Trading Technologies. This provided UNC4736, a threat cluster associated with [AppleJeus](https://app.tidalcyber.com/groups/e3f8e995-04b8-5158-945d-3d2f11a6d87c), access to the 3CX environment. From there UNC4736 compromised the Windows and macOS build environments used to distribute the 3CX desktop application to their customers.<sup>[[Mandiant 3cx UNC4736 2023](https://app.tidalcyber.com/references/40761128-2550-56fe-8960-2c6f6e5944b0)]</sup> While 3CX serves more than 600,000 customers and 12 million users, only a subset of systems were affected. 
Subsequent targeting focused on victims in the defense and cryptocurrency sectors, where attackers deployed secondary payloads such as Gopuram for credential theft and persistence.<sup>[[Kaspersky 3CX Gopuram 2023](https://app.tidalcyber.com/references/82479890-0b04-51d6-a4ac-87cbddbea502)]</sup> The campaign began in late 2022 and was disrupted after security vendors publicly reported the compromise in March 2023.<sup>[[3cx official statement 2023](https://app.tidalcyber.com/references/7775e295-c3b4-54da-9e60-d34fc8dbf7b8)]</sup><sup>[[Krebs 3cx overview 2023](https://app.tidalcyber.com/references/73746010-11b7-5c8a-8ec6-10680266e0c6)]</sup>","first_seen":"2022-11-01T06:00:00Z","last_seen":"2023-03-01T05:00:00Z","created":"2025-10-29T21:08:48.054439Z","modified":"2025-10-29T21:08:48.054440Z","campaign_attack_id":"C0057","source":"MITRE","owner_name":null,"tags":[{"id":"db53d520-14ae-46fe-a9d0-d103313c183a","tag":"cce5f564-f7f0-4aa6-a908-b857cb2cbfe4"}],"tidal_id":"3eb71c99-977f-5ee8-943e-67ce4ba2bf02"},{"id":"fb88b46b-fd69-43a6-b164-f2b42f2a2bd4","name":"Actor-Claimed Compromise & Exfiltration from Oracle Cloud Servers","description":"*Note: This object includes Technique relationships related to the original alleged server compromise activity as well as related to unconfirmed follow-on behavior. Note too that most details here are based on threat actor claims (as well as research based on those claims).*\n\nOn March 20, 2025, the threat actor with the BreachForums username \"rose87168\" claimed to have compromised Oracle Cloud federated SSO login servers and offered 6 million data records for sale, which the actor allegedly exfiltrated from the compromised servers. 
Oracle representatives denied that a breach occurred or that a sample of credentials leaked by the actor are associated with Oracle Cloud.<sup>[[BleepingComputer March 21 2025](/references/cd23fb70-d507-4b22-8254-6f0f39ea54c1)]</sup>\n\nThe actor claimed to have stolen encrypted SSO passwords and key files from compromised servers.<sup>[[BleepingComputer March 21 2025](/references/cd23fb70-d507-4b22-8254-6f0f39ea54c1)]</sup> Researchers indicated that the actor likely accessed servers via an exploit of CVE-2021-35587 in Oracle Access Manager (OpenSSO Agent) software. They also suggested that more than 140,000 Oracle Cloud customer tenants were affected.<sup>[[CloudSEK March 21 2025](/references/3689def4-9eb1-4e74-b7f0-c2873252eb25)]</sup>","first_seen":"2025-02-08T00:00:00Z","last_seen":"2025-03-20T00:00:00Z","created":"2025-03-31T15:01:58.295132Z","modified":"2025-03-31T15:01:58.295136Z","campaign_attack_id":"C3098","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"90ce1766-112f-48fc-b826-d16626dc2748","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"4224804f-d1f6-4296-bf43-1f79df0528a5","tag":"39e1f80f-f099-4602-a307-866a8caaf0d9"},{"id":"720d82e0-d15b-49e2-9ff2-864c337f69de","tag":"e7ea1f6d-59f2-40c1-bbfe-835dedf033ee"},{"id":"a3e9517d-b388-42b7-ba2e-813ca729c103","tag":"291c006e-f77a-4c9c-ae7e-084974c0e1eb"},{"id":"e1df7a02-ee24-449d-b675-1889fc03a58f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"68e94b40-0d72-4e68-86b9-37c73209333a","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"e398720c-3f61-5e9b-97d1-8c851240a112"},{"id":"59eb14d1-ceb3-410b-b26f-2d14c25e96ec","name":"AdaptixC2 AI-Generated Script Campaign","description":"A campaign where threat actors used AI-generated PowerShell scripts to deploy AdaptixC2 beacons via in-memory shellcode injection and DLL hijacking, with enhanced persistence and evasion techniques.<sup>[[Unit 42 September 10 
2025](/references/9374c0c2-b80a-4722-b396-c9d886a45a0c)]</sup>","first_seen":"2025-05-01T00:00:00Z","last_seen":"2025-05-31T00:00:00Z","created":"2025-10-24T16:14:03.174447Z","modified":"2025-10-24T16:14:03.174449Z","campaign_attack_id":"C3154","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"18bb34f8-255b-4771-9956-2bec7b5e9cf1","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"812464b7-cea4-49af-be6f-893188814adf","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"978d3a4d-876c-5ac3-ba0e-e82fd1b7ceae"},{"id":"54c813fc-0769-43e4-a35f-c548392c38f7","name":"AdaptixC2 Social Engineering and Fileless Intrusion Campaign","description":"A campaign observed in May 2025 where threat actors used social engineering (fake IT support via Microsoft Teams) and fileless PowerShell loaders to deploy AdaptixC2 beacons, establish persistence, and conduct post-exploitation activities.<sup>[[Unit 42 September 10 2025](/references/9374c0c2-b80a-4722-b396-c9d886a45a0c)]</sup>","first_seen":"2025-05-01T00:00:00Z","last_seen":"2025-05-31T00:00:00Z","created":"2025-10-24T16:14:03.354170Z","modified":"2025-10-24T16:14:03.354173Z","campaign_attack_id":"C3155","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"693638b4-b66d-4036-a8cf-d9b9e1abdbc5","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"53eb7efd-5c0a-4d12-a03e-595c6824c976","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"77703b50-a69d-5e67-a2fb-cd4459b158e0"},{"id":"a8c324fe-27d8-4f03-be9b-97d2679ce1cf","name":"AI-facilitated commodity tradecraft attacks (2025)","description":"A series of attacks in 2025 where adversaries leveraged AI-generated scripts and tools to accelerate traditional tradecraft, including credential theft, browser data harvesting, and malicious Chrome extension deployment.<sup>[[Www.huntress.com January 12 
2026](/references/88ccd20a-70ed-4cc2-87e1-644201feb4a4)]</sup>","first_seen":"2025-01-01T00:00:00Z","last_seen":"2025-12-31T00:00:00Z","created":"2026-01-14T13:32:10.442766Z","modified":"2026-01-14T13:32:10.442770Z","campaign_attack_id":"C3275","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"7abbce60-271b-4183-a780-98bcb4eb9c4c","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"22ffbcba-d091-4abb-807f-b0395dae2f24","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"4c4d1789-159b-591a-9d34-1b0ce20be720"},{"id":"85659655-d715-48e2-82c7-869f5a98b5d7","name":"Aisuru hyper-volumetric DDoS campaign","description":"A campaign of record-setting, hyper-volumetric DDoS attacks conducted by the Aisuru botnet, primarily targeting telecommunications, technology, gaming, and cybersecurity sectors, with a focus on the United States, China, and Hong Kong. The campaign escalated in scale and sophistication from early October 2025, peaking at 29.7 Tbps on October 31, 2025.<sup>[[None December 10 2025](/references/8dcd43e9-e28f-4536-93d3-9823aa064cdb)]</sup>","first_seen":"2025-09-01T00:00:00Z","last_seen":"2025-11-01T00:00:00Z","created":"2025-12-29T17:41:32.097384Z","modified":"2025-12-29T17:41:32.097387Z","campaign_attack_id":"C3240","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"bf92718a-cf55-4307-946e-8a3cdf219f48","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"2aaa3f48-9113-475e-a5df-a6c15f2e2684","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"4ba5c43f-e91b-5745-b33a-e44a78d7dff7"},{"id":"54f108b8-6f93-4e4b-9f86-56f6ff3b7bb1","name":"Akira Ransomware Actors SonicWall VPN Exploits","description":"Incident responders observed a series of incidents involving organizations with SonicWall seventh-generation VPN/firewall appliances, which researchers suspected involved exploitation of likely zero-day vulnerabilities for initial access. 
Actors were seen ultimately deploying Akira ransomware in compromised networks.<sup>[[huntress.com August 4 2025](/references/4d88aa79-a912-4aa6-ba5e-fdb4c2718a7b)]</sup>","first_seen":"2025-07-25T00:00:00Z","last_seen":"2025-08-03T00:00:00Z","created":"2025-08-06T14:57:26.386634Z","modified":"2025-08-06T14:57:26.386637Z","campaign_attack_id":"C3117","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"a1f36eb9-aabb-43c1-be3d-9203b119cf81","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"75e49350-b5c2-41d9-8312-7f05aa44ebf8","tag":"91a95724-7c53-4397-859a-1aebe1704ca9"},{"id":"c0877849-8b53-4be4-8a0d-bfc8a02a35db","tag":"9768aada-9d63-4d46-ab9f-d41b8c8e4010"},{"id":"ca7f00d9-9af3-4498-8285-e43bcd4b659f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"0e61e575-3246-4fec-a92c-c4a051f71203","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"a71f9a34-ccd0-5b8b-b1f3-6b33fdde0f91"},{"id":"cf42d51a-8002-4f04-a930-21c15115769f","name":"AMBERSQUID","description":"AMBERSQUID is a \"cloud-native\" financially motivated threat operation that specifically leverages AWS services. 
Researchers estimated that AMBERSQUID cryptojacking activity could cost its victims more than $10,000 per day.<sup>[[Sysdig AMBERSQUID September 18 2023](/references/7ffa880f-5854-4b8a-83f5-da42c1c39345)]</sup>","first_seen":"2022-05-01T00:00:00Z","last_seen":"2023-03-31T00:00:00Z","created":"2024-06-13T20:12:39.082013Z","modified":"2024-06-13T20:12:39.082017Z","campaign_attack_id":"C3030","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"12e95565-0020-452c-af5c-0ff897a74c0e","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"cc824d79-3059-4b04-8b60-45c467ea695e","tag":"2e5f6e4a-4579-46f7-9997-6923180815dd"},{"id":"84411175-95e5-40c4-b882-374335178ecf","tag":"8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e"},{"id":"a2597c9b-1d3c-41ec-b59c-12a227830e33","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"4e665c23-d4e8-57ed-b0d0-f11e840a2475"},{"id":"7c2fafc0-c628-4c71-9848-976aef6f6c08","name":"AMOS Stealer AI/SEO Poisoning Campaign","description":"A campaign in which AMOS Stealer is delivered via poisoned AI-generated conversations (ChatGPT, Grok) surfaced through SEO manipulation, targeting users searching for macOS troubleshooting advice and tricking them into executing malicious Terminal commands.<sup>[[Huntress December 09 2025](/references/daa411cf-b40b-445a-81f8-7b851ef15e00)]</sup>","first_seen":"2025-12-05T00:00:00Z","last_seen":"2025-12-09T00:00:00Z","created":"2025-12-24T14:57:52.414787Z","modified":"2025-12-24T14:57:52.414790Z","campaign_attack_id":"C3231","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"e6555732-30fe-4ef4-ad5b-620ed4340bd8","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"681e639c-c161-4b40-9b9e-6dffb75f4c06","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"bcdaecb8-5b9a-50c8-a3ee-79b5d4fbd999"},{"id":"38157c08-e78b-446b-911a-3951848c5345","name":"AMOS Stealer Campaign Targeting macOS via Cracked Apps","description":"A campaign distributing Atomic macOS Stealer (AMOS) via cracked software 
and social engineering, targeting macOS users with credential theft, data exfiltration, and persistence techniques. The campaign uses rotating domains, malvertising, and SEO poisoning.<sup>[[Trend Micro September 04 2025](/references/a8f04ece-adbd-4319-b62f-2554d287a61e)]</sup>","first_seen":"2025-07-20T00:00:00Z","last_seen":"2025-07-22T00:00:00Z","created":"2025-12-17T14:19:15.613013Z","modified":"2025-12-17T14:19:15.613017Z","campaign_attack_id":"C3218","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"439813c8-58b9-40b9-98e2-2eea647fe7e4","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"acc9335a-00c3-4e36-8f8c-192c3186c7d7","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"4a3b363f-a2e1-55d2-b6c2-271a8a82dd57"},{"id":"458dc371-5dc2-4e6c-8157-3a872dd29726","name":"Andariel Espionage Activity","description":"In July 2024, U.S. cybersecurity authorities and international partners published Cybersecurity Advisory AA24-207A, which detailed North Korean state-sponsored cyber espionage activity likely intended to support the regime's military and nuclear development programs. The advisory focused on an actor group tracked as Andariel, Onyx Sleet, and APT45 and highlighted how this group has shifted from conducting destructive attacks to carrying out espionage operations that have been funded through ransomware. Where past destructive operations mainly targeted U.S. and South Korean entities, recent espionage attacks targeted various defense, aerospace, nuclear, and engineering organizations, while ransomware attacks targeted U.S. healthcare entities.\n\nAndariel actors gain initial access especially by exploiting software vulnerabilities, use widely available tools for discovery and privilege escalation, and leverage a wide range of custom as well as commodity malware. 
The advisory does not clearly identify the timeframe in which malicious activities were observed, although it discusses actors' exploits of vulnerabilities disclosed in 2017, 2019, and especially 2021, 2022, and 2023 and referenced public threat reporting published from March 2021 through May 2024.<sup>[[U.S. CISA Andariel July 25 2024](/references/b615953e-3c6c-4201-914c-4b75e45bb9ed)]</sup>","first_seen":"2021-03-01T00:00:00Z","last_seen":"2024-05-30T00:00:00Z","created":"2024-08-02T14:59:37.996456Z","modified":"2024-08-02T14:59:37.996461Z","campaign_attack_id":"C3048","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"61138e30-b069-4b03-be1d-d7004d62a632","tag":"af5e9be5-b86e-47af-91dd-966a5e34a186"},{"id":"3d950642-1ae1-4bd2-ae13-06747a53d2e5","tag":"27a117ce-bb19-4f79-9bc2-a851b69c5c50"},{"id":"44fcabcf-da4a-4309-83cc-02d229f0393a","tag":"6070668f-1cbd-4878-8066-c636d1d8659c"},{"id":"3babd5d4-548e-4870-88b1-a2bf5668fc1a","tag":"61cdbb28-cbfd-498b-9ab1-1f14337f9524"},{"id":"b1ad8302-d61d-4af0-beb1-1d450ffd2c89","tag":"e551ae97-d1b4-484e-9267-89f33829ec2c"},{"id":"ce10b724-1865-44ba-b68d-288142dc8c53","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"4ad3db22-420e-4e76-ae67-ab58b87c352d","tag":"4f4744b0-8401-423c-9ed0-3cb2985d9fd3"},{"id":"529a7d4e-97f0-4842-8df4-35435aa50726","tag":"ddfaecd0-bd3e-41ac-85c7-ca2156684343"},{"id":"9b3bdbf0-8165-49a3-8533-88ec4d466039","tag":"0dbed83d-af67-4ce0-a1ee-16f1165fdc0f"},{"id":"36dc2889-bef8-4faa-a13c-8aa02c7bc90f","tag":"6422a882-7606-4aa3-b994-f917f53c2ada"},{"id":"ed575b42-f5a8-423f-931b-dce259ebc65b","tag":"c1b123d2-ce58-4345-8482-d1da27b3c053"},{"id":"f54c454f-4dda-4b34-be12-7e3faefccfb8","tag":"f166e59e-9877-4102-a39b-fae38df4b790"},{"id":"6048607a-3913-4a3f-8102-249957f10b29","tag":"6a82d685-3f77-498d-91c3-a759292ec2da"},{"id":"2fd2283b-2c37-4333-8317-00164eabe08c","tag":"a32a757a-9d6b-43ca-ac4b-5f695dd0f110"},{"id":"07835f61-6dc2-4fa9-96c9-e6ef0d41ae4f","tag":"ac70560d-c3e7-4b40-a4d6-a3287e3d952b
"},{"id":"42cbd867-f557-430b-8d1c-765e763e971c","tag":"75f62312-a7ee-4534-8c8a-e3b7366a3a4b"},{"id":"ca01602f-fdb4-4d33-970d-b21d669d369c","tag":"887d1cfe-d0c5-431c-8dce-0e1b9a2505aa"},{"id":"32e48d7b-1135-4faa-b1f9-9f2affaad374","tag":"96eec53f-355c-406c-87ba-18c3be4c69a1"},{"id":"fd861495-dc1d-42fe-b170-1ddc57be7981","tag":"54fafdbe-1ea0-4f48-99ad-757c8fe50df2"},{"id":"054895d5-16b1-43a7-8014-8a483b7007b7","tag":"35b334ec-4169-4898-ab90-487eea7feb69"},{"id":"fe66ca3a-9076-4b7e-b079-8e7f0f94160a","tag":"4ac4e1b9-2192-47ac-a4d1-3a31aa0f2140"},{"id":"387568b6-3e26-4671-953c-6144f1bf7b04","tag":"936a56f5-a4f1-42d8-83b7-c44399ead661"},{"id":"3af55844-69d4-4219-b516-87df5f07e1ad","tag":"0d19ceed-28f6-4258-b365-f6e6f296121d"},{"id":"d7e8b24e-0f55-4159-8ab3-14ccd0b20bef","tag":"037cc75c-9683-49db-aaa8-c8142763bb87"},{"id":"ecad5a6f-1170-48d1-b904-7f314b84091f","tag":"ff71ed89-8355-4abc-9da4-eb4768a38c9c"},{"id":"4035cc90-18cb-4ade-a3b7-b32bd56fd217","tag":"6fade0a3-0c26-4a11-b81e-25d20e38bdd3"},{"id":"68ca2dcc-6ecd-4fa9-a5a0-43c0f0cdf79b","tag":"3b54d8a5-580f-43bf-a12d-8e011f953bad"},{"id":"07d55690-8b3d-4aba-b866-65cb846ff786","tag":"0f6e72e1-ba8f-4d1d-920d-d8945a4fee59"},{"id":"66a35c34-19ce-44ea-bc7b-f42f4497ed64","tag":"7bbc5366-897a-4505-bc68-3a18e3d4cf44"},{"id":"71452f30-abb3-4bb1-8e72-375d677a9f33","tag":"4cd85398-c33a-4374-9a76-2bbf297cca63"},{"id":"d21a60e6-8e4f-4ac1-96d8-6780238b283b","tag":"5ec8231e-70e9-4675-b922-368bcb9e914a"},{"id":"f8f7cf97-ec01-4a85-a392-331affa9dd88","tag":"21c64d34-e52a-42ba-a8c7-85aa82dc0b3f"},{"id":"f5f0807c-296a-410f-969c-80a39d0bec26","tag":"cd9ab9e7-248f-4097-b120-a42834ce0f89"},{"id":"0eeae5c1-72cf-46ad-bfcb-80816f4a02d9","tag":"91ddbeac-b587-4978-a80d-543a5d96cb77"},{"id":"a51574ea-f612-4325-a0a4-fd4a57843339","tag":"b8448700-7ed0-48b8-85f5-ed23e0d9ab97"},{"id":"2e52fa39-d01e-43ed-a94d-a1b53460ddb0","tag":"12b074b9-6748-4ad7-880f-836cb80587e1"},{"id":"e82efd6e-cb92-4754-aa8e-455959e564d4","tag":"45f92502-0775-4fc6-8fcd-97b325ea49
a9"},{"id":"22b43005-1d30-4612-8f08-de3896f9a299","tag":"cddb4563-fe90-4c72-be81-6256d175a698"},{"id":"7b04b220-9aef-4d27-8401-31113c92a1a6","tag":"69f278d7-194f-42d0-8f83-11de9f861264"},{"id":"6dea553d-60d8-474e-8a24-7baf20b0fe9c","tag":"f0c58aa3-5d21-4ade-95a0-b775dde7e8a3"},{"id":"80d102f4-fcd0-4552-a6cf-8d34718c0e69","tag":"5f9b1c23-81f8-4aa3-8d97-235302e77eec"},{"id":"9a9cb7ea-b9dc-4699-8760-a7d6fd5a085d","tag":"d842c7ff-e3d3-4534-9ed7-283752f4bbe2"},{"id":"a5d05b34-31b4-4650-83ef-631960039043","tag":"ecd84106-2a5b-4d25-854e-b8d1f57f6b75"},{"id":"eb71c482-1d01-43bd-bc42-f50483ba4bbf","tag":"7e6ef160-8e4f-4132-bdc4-9991f01c472e"},{"id":"f88e2f13-086b-4dc3-b77f-273db47a23ce","tag":"532b7819-d407-41e9-9733-0d716b69eb17"},{"id":"c2a5d190-38c5-4377-97c4-8c8d85aca9c9","tag":"e401022a-36ac-486d-8503-dd531410a927"},{"id":"10072d49-3fc4-4ae8-b253-7839e59081ee","tag":"173e1480-8d9b-49c5-854d-594dde9740d6"},{"id":"462693a4-2b31-4f93-9708-15e588aada19","tag":"7551097a-dfdd-426f-aaa2-a2916dd9b873"},{"id":"f8403e97-f81f-4b37-8094-428cf84701bb","tag":"c475ad68-3fdc-4725-8abc-784c56125e96"},{"id":"5a867999-400b-46d2-a056-7481c9768bec","tag":"08809fa0-61b6-4394-b103-1c4d19a5be16"},{"id":"a5ff7e54-b920-4c5f-9547-4f294e4bc2b8","tag":"4ac8dcde-2665-4066-9ad9-b5572d5f0d28"},{"id":"0a7db8fe-1a49-47c8-9a71-d39e2d6fefa1","tag":"5e7433ad-a894-4489-93bc-41e90da90019"},{"id":"ed1ad34b-52a5-40c6-a9de-025e6aac5ce7","tag":"7e7b0c67-bb85-4996-a289-da0e792d7172"}],"tidal_id":"fa675226-46cc-52a4-9936-bc115f02c1d8"},{"id":"2b869157-0b66-42fc-8ead-171160412660","name":"April 2024 FIN7 Malvertising Campaign","description":"Threat actors, believed to be associated with the FIN7 financially motivated adversary group, stood up malicious hosting websites impersonating prominent brands in the financial services, technology/SaaS, and media sectors, then used paid web search advertisements to direct victims to these sites. 
Victims were then tricked into downloading malicious binaries, which ultimately led to the ingress of the NetSupport RAT and/or DiceLoader (aka Lizar) malware (these latter tools are known to be used for a range of persistent access and malware ingress purposes).<sup>[[Esentire 5 8 2024](/references/67c3a7ed-e2e2-4566-aca7-61e766f177bf)]</sup>","first_seen":"2024-04-01T00:00:00Z","last_seen":"2024-04-30T00:00:00Z","created":"2024-06-13T20:12:40.569688Z","modified":"2024-06-13T20:12:40.569691Z","campaign_attack_id":"C3038","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"112777b5-80dd-4d80-997d-307a75389a5a","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"f90c7daa-b3f4-4d8d-b145-e1a8a19f92c5","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"dd59a83d-f06c-5f64-8b4c-b6644ed0597e"},{"id":"7c32e782-610c-419e-99a9-0c893c19af68","name":"APT28 campaign targeting Polish government institutions","description":"A campaign attributed to APT28 involving the deployment of the NotDoor Outlook backdoor and targeting government institutions in Poland and other NATO member countries.<sup>[[None September 03 2025](/references/fd78818b-2d33-4dd8-93a1-4263e8ceeec9)]</sup>","first_seen":"2024-05-08T00:00:00Z","last_seen":"2024-05-08T00:00:00Z","created":"2025-11-26T19:38:34.543733Z","modified":"2025-11-26T19:38:34.543737Z","campaign_attack_id":"C3175","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"f8d04ea9-75d7-41ab-b29d-7574ad6bbf9b","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"586ebf68-57aa-4675-8d33-142da2fd238a","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"1c9feddd-1013-5804-9087-073591995347"},{"id":"ed8de8c3-03d2-4892-bd74-ccbc9afc3935","name":"APT28 Cisco Router Exploits","description":"In April 2023, U.S. 
and UK cybersecurity authorities released joint Cybersecurity Advisory AA23-108, which detailed a campaign by Russia-backed APT28 to compromise vulnerable routers running Cisco Internetworking Operating System (IOS). Actors collected device information and conducted further network reconnaissance on victims “worldwide”, including U.S. government institutions, 250 Ukrainian entities, and “a small number” of victims elsewhere in Europe. Adversary activity occurred over an unspecified timeframe in 2021.\n\nActors exploited CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017, and used default authentication strings to gain initial access to devices and subsequently gather router information, such as router interface details. In some cases, authorities observed actors deploying Jaguar Tooth, a malicious software bundle consisting of a series of payloads and patches. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated, backdoor access to victim systems.<sup>[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]</sup>\n\nIn addition to behavioral observations, the Advisory also provided mitigation recommendations and indicators of compromise, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108).\n\n**Related Vulnerabilities**: CVE-2017-6742<sup>[[U.S. 
CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]</sup>","first_seen":"2021-01-01T00:00:00Z","last_seen":"2021-12-31T00:00:00Z","created":"2023-09-29T19:48:24.067942Z","modified":"2023-09-29T19:48:24.067950Z","campaign_attack_id":"C3008","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"08437d38-5cbf-41ff-bfef-56bde5904886","tag":"f01290d9-7160-44cb-949f-ee4947d04b6f"},{"id":"c4ca4317-892e-4b7b-abeb-d9c6257d146d","tag":"b20e7912-6a8d-46e3-8e13-9a3fc4813852"}],"tidal_id":"577099a8-8c96-5f8d-aedf-f4277897ddd6"},{"id":"1acf0182-79e6-5a89-b0cd-645a72094aac","name":"APT28 Nearest Neighbor Campaign","description":"[APT28 Nearest Neighbor Campaign](https://app.tidalcyber.com/campaigns/1acf0182-79e6-5a89-b0cd-645a72094aac) was conducted by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) from early February 2022 to November 2024 against organizations and individuals with expertise on Ukraine. APT28 primarily leveraged living-off-the-land techniques, while leveraging the zero-day exploitation of CVE-2022-38028. Notably, APT28 leveraged Wi-Fi networks in close proximity to the intended target to gain initial access to the victim environment. 
By daisy-chaining multiple compromised organizations nearby the intended target, APT28 discovered dual-homed systems (with both a wired and wireless network connection) to enable Wi-Fi and use compromised credentials to connect to the victim network.<sup>[[Nearest Neighbor Volexity](https://app.tidalcyber.com/references/25b312ea-0d7a-5f05-9db1-14bbab909317)]</sup>","first_seen":"2022-02-01T05:00:00Z","last_seen":"2024-11-01T04:00:00Z","created":"2025-04-22T20:47:03.232475Z","modified":"2025-04-22T20:47:03.232479Z","campaign_attack_id":"C0051","source":"MITRE","owner_name":null,"tags":[{"id":"0b8d8051-5ce6-4c28-8177-70b86d73465e","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"c4d1245b-12ee-45f9-9164-e43d894d177e","tag":"74afe12f-2bde-486e-983f-97e223bbfb6f"}],"tidal_id":"1acf0182-79e6-5a89-b0cd-645a72094aac"},{"id":"2514a83a-3516-4d5d-a13c-2b6175989a26","name":"APT28 Router Compromise Attacks","description":"U.S. authorities and various international partners released joint cybersecurity advisory AA20-150A, which detailed a series of attacks linked to APT28 that leveraged compromised Ubiquiti EdgeRouters to facilitate the attacks. Actors used the network of compromised routers for a range of malicious activities, including harvesting credentials, proxying network traffic, and hosting fake landing pages and post-exploitation tools. Attacks targeted organizations in a wide range of sectors around the world.<sup>[[U.S. Federal Bureau of Investigation 2 27 2024](/references/962fb031-dfd1-43a7-8202-3a2231b0472b)]</sup> According to a separate U.S. Justice Department announcement, the botnet involved in these attacks differed from previous APT28-linked cases, since nation-state actors accessed routers that had been initially compromised by a separate, unspecified cybercriminal group.<sup>[[U.S. 
Justice Department GRU Botnet February 2024](/references/26a554dc-39c0-4638-902d-7e84fe01b961)]</sup>","first_seen":"2022-12-01T00:00:00Z","last_seen":"2024-01-01T00:00:00Z","created":"2024-03-01T20:23:49.908873Z","modified":"2024-03-01T20:23:49.908877Z","campaign_attack_id":"C3027","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"bcb752ea-189d-48d1-b940-61dc668a99fd","tag":"af5e9be5-b86e-47af-91dd-966a5e34a186"},{"id":"b70b2293-9045-4f51-9ee8-f7cc37d44cca","tag":"6070668f-1cbd-4878-8066-c636d1d8659c"},{"id":"9d61c04d-8042-4493-b9f9-1258e7f6f86b","tag":"d8f7e071-fbfd-46f8-b431-e241bb1513ac"},{"id":"02d2fe80-a500-458b-8afe-244556eeef32","tag":"61cdbb28-cbfd-498b-9ab1-1f14337f9524"},{"id":"2c2955ca-4852-452d-99a3-bb09ec4a00b7","tag":"e551ae97-d1b4-484e-9267-89f33829ec2c"},{"id":"480a44d9-d8d5-456c-9c81-53594ad9c8ad","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"bf09d5fb-d124-4329-a6c6-e31d13063c89","tag":"916ea1e8-d117-45a4-8564-0597a02b06e4"},{"id":"c29a2d92-7bc5-40e6-ad5f-490635ea0eb3","tag":"b20e7912-6a8d-46e3-8e13-9a3fc4813852"},{"id":"ce519797-b170-4b61-8e5c-56f2fd441fb5","tag":"e809d252-12cc-494d-94f5-954c49eb87ce"}],"tidal_id":"d91afd14-6c03-5fa5-9ca5-f9caf1260803"},{"id":"00fe06df-6ed6-44ed-8de4-8b33b508dbcf","name":"APT29 Abuses Cloud Storage Services for Malware Delivery","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2022-05-13T00:00:00Z","last_seen":"2022-06-30T00:00:00Z","created":"2025-03-10T18:06:29.870340Z","modified":"2025-03-10T18:06:29.870344Z","campaign_attack_id":"C3093","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"6dd19ed6-00ef-433c-9e81-7c03da79eda9","tag":"82009876-294a-4e06-8cfc-3236a429bda4"},{"id":"fe1a1cf5-7b4b-4fe7-a2c5-5553dada1072","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"97022dc4-d15d-4aac-96d6-1d0faff3fd3a","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"0dc22b87-052f-51b6-b515-130144556050"},{"id":"c1257a02-716f-4477-9eab-c38827418ed2","name":"APT29 Cloud TTP Evolution","description":"UK cybersecurity authorities and international partners published Cybersecurity Advisory AA24-057A (February 2024), which detailed recent tactics, techniques, and procedures (TTPs) used by Russian state-backed adversary group APT29 to target cloud environments. The advisory indicated that as more government agencies and enterprises move elements of their operations to cloud infrastructure, APT29 actors have especially adapted their TTPs for gaining initial access into these cloud environments.<sup>[[U.S. 
CISA APT29 Cloud Access](/references/e9e08eca-1e01-4ff0-a8ef-49ecf66aaf3d)]</sup>","first_seen":"2023-02-26T00:00:00Z","last_seen":"2024-02-26T00:00:00Z","created":"2024-03-01T20:23:50.249984Z","modified":"2024-03-01T20:23:50.249989Z","campaign_attack_id":"C3028","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"62a7ee34-833f-46cd-aa6f-c56f5618c270","tag":"af5e9be5-b86e-47af-91dd-966a5e34a186"},{"id":"381f3a07-d034-4e6c-afab-b7d163dd2301","tag":"291c006e-f77a-4c9c-ae7e-084974c0e1eb"}],"tidal_id":"8126a20c-64a7-5274-89b3-193ce3edca61"},{"id":"80ae546a-70e5-4427-be1d-e74efc428ffd","name":"APT29 TeamCity Exploits","description":"*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nIn December 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-347A, which detailed large-scale observed exploitation of CVE-2023-42793 since September 2023 by cyber threat actors associated with Russia’s Foreign Intelligence Service (SVR). According to the advisory, these actors are also known as APT29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard.\n\nCVE-2023-42793 is an authentication bypass vulnerability in the JetBrains TeamCity software development program. After exploiting the vulnerability to gain access into victim networks, SVR actors were then observed escalating privileges, moving laterally, and deploying additional backdoors in an apparent effort to maintain long-term persistent access to victim environments. 
The advisory noted how SVR actors used access gained during the 2020 compromise of SolarWinds, another software company, to conduct supply chain operations affecting SolarWinds customers, but it also noted that such activity has not been observed in this case to date.\n\nJetBrains released a patch for CVE-2023-42793 in September 2023. The advisory indicated that the compromises observed to date appear to be opportunistic, impacting unpatched, internet-accessible TeamCity servers. “A few dozen” compromised entities have been identified so far (companies in disparate sectors in the United States, Europe, Asia, and Australia), but authorities assess that this tally does not represent the full number of compromised victims. Indicators of compromise, mitigation guidance, and detection resources – including Sigma and YARA rules – can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a).<sup>[[U.S. CISA SVR TeamCity Exploits December 2023](/references/5f66f864-58c2-4b41-8011-61f954e04b7e)]</sup>","first_seen":"2023-09-01T00:00:00Z","last_seen":"2023-12-14T00:00:00Z","created":"2023-12-14T19:26:32.331214Z","modified":"2023-12-14T19:26:32.331218Z","campaign_attack_id":"C3017","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"5a757325-01a9-4f42-8409-15dae0377139","tag":"08809fa0-61b6-4394-b103-1c4d19a5be16"},{"id":"d7030f5e-f294-4ef2-ab08-09b814c9c5d7","tag":"4a457eb3-e404-47e5-b349-8b1f743dc657"}],"tidal_id":"6fe00bb5-a2f4-5a0c-bd49-cf23588520da"},{"id":"dd4d3dfa-a777-4665-a21f-cd255fe4e049","name":"APT36 Multi-Stage LNK Malware Campaign Targeting Indian Government Entities","description":"A targeted cyber espionage campaign by APT36 using weaponized Windows shortcut (LNK) files, HTA loaders, and multi-stage, fileless malware to compromise Indian government and strategic sector entities.<sup>[[CYFIRMA December 30 
2025](/references/f2cc063a-854f-4f13-8679-f862a018fa38)]</sup>","first_seen":"2025-12-15T00:00:00Z","last_seen":"2025-12-30T00:00:00Z","created":"2026-01-06T18:05:33.061998Z","modified":"2026-01-06T18:05:33.062003Z","campaign_attack_id":"C3251","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"2e712d9d-00c3-4cf8-b39a-cf44a79f74df","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"44e3eed7-f6cd-43fc-868f-526536243f76","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"10f4d9a9-6560-5211-bb80-c7e8320d9b9c"},{"id":"3db5682a-0b99-4653-b487-bd0d30292a19","name":"APT40 Recent Tradecraft (Deprecated)","description":"*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Leviathan Australian Intrusions\" (Campaign). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nOn July 8, 2024, international authorities published an advisory (CISA Alert AA24-190A) that detailed recent activity associated with APT40, a Chinese state-sponsored cyber espionage group. The advisory covers observed attacks on Australian organizations, but the group has been recently active elsewhere (Tidal metadata shows observed activity historically across East/Southeast Asia, the Middle East, Europe, and North America). The advisory emphasized that the recently published TTPs are relevant for defenders at organizations “globally”.\n\nThe advisory spotlighted the group's efforts to compromise outdated small-office/home-office (SOHO) routers via vulnerability exploits, using the routers as infrastructure to carry out further attacks. However, the advisory also summarized a range of other Techniques not previously associated with APT40, which were used at phases across the attack chain, including for persistence, credential access, lateral movement, collection, and exfiltration.<sup>[[U.S. 
CISA APT40 July 8 2024](/references/3bf90a48-caf6-4b9d-adc2-3d1176f49ffc)]</sup>","first_seen":"2022-04-01T00:00:00Z","last_seen":"2022-09-30T00:00:00Z","created":"2024-07-10T18:01:21.879525Z","modified":"2024-07-10T18:01:21.879529Z","campaign_attack_id":"C3047","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"5f947e7c-bae9-4d53-a83e-361f2a5262df","tag":"96d58ca1-ab18-4e53-8891-d8ba62a47e5d"},{"id":"f13fe08e-a496-4c54-bbdc-cb55556cc692","tag":"6070668f-1cbd-4878-8066-c636d1d8659c"},{"id":"82a913b8-e2f6-438a-80de-656779572706","tag":"d8f7e071-fbfd-46f8-b431-e241bb1513ac"},{"id":"526c10e0-f4aa-43f6-90e9-2cb6286ad6a1","tag":"758c3085-2f79-40a8-ab95-f8a684737927"},{"id":"35f201cb-9905-4f37-9115-c63a66da66bf","tag":"1dc8fd1e-0737-405a-98a1-111dd557f1b5"},{"id":"eef44dfc-ec15-48ba-b3de-0ba6dde08557","tag":"61cdbb28-cbfd-498b-9ab1-1f14337f9524"},{"id":"99529b93-dd3e-4acb-b4e3-718f8affd3d0","tag":"e551ae97-d1b4-484e-9267-89f33829ec2c"},{"id":"99bfcc48-d04d-4341-929a-7b1f1af4e6a7","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"6fe57eaf-ad6a-47f4-a7e9-99f1416dabc6","tag":"35e694ec-5133-46e3-b7e1-5831867c3b55"},{"id":"54de8449-491d-47d7-8c12-58d519170eec","tag":"375983b3-6e87-4281-99e2-1561519dd17b"},{"id":"d7894810-e9ed-451a-a3ba-0bf2f9f5338b","tag":"3ed2343c-a29c-42e2-8259-410381164c6a"},{"id":"b5decb2f-53e9-42c0-b7b6-179250feadc2","tag":"a46c422c-5dad-49fc-a4ac-169a075a4d9a"},{"id":"2edc2bc7-c68d-4935-93d2-b5ca3544cb70","tag":"2eeef0b4-08b5-4d25-84f7-25d41fe6305b"},{"id":"5004ec12-7932-4c58-ba66-ba87c5248646","tag":"64d3f7d8-30b7-4b03-bee2-a6029672216c"},{"id":"a5c69e62-c7ef-4a18-b5f0-a2a1730df27b","tag":"7e6ef160-8e4f-4132-bdc4-9991f01c472e"},{"id":"c901b467-1017-435b-a3cc-3826b8f31694","tag":"b20e7912-6a8d-46e3-8e13-9a3fc4813852"}],"tidal_id":"fe285250-241e-52c2-aed0-e18b03e62c68"},{"id":"b90adbbd-0fe3-5c5f-9433-543a5f01b0ae","name":"APT41 DUST","description":"[APT41 DUST](https://app.tidalcyber.com/campaigns/b90adbbd-0fe3-5c5f-9433-543a5f01b0ae) 
was conducted by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. [APT41 DUST](https://app.tidalcyber.com/campaigns/b90adbbd-0fe3-5c5f-9433-543a5f01b0ae) targeted sectors such as shipping, logistics, and media for information gathering purposes. [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) used previously-observed malware such as [DUSTPAN](https://app.tidalcyber.com/software/78454d3f-fa12-5b6f-9390-6412064d7c8d) as well as newly observed tools such as [DUSTTRAP](https://app.tidalcyber.com/software/ed72d5bb-2cf7-51a4-9d76-97fbd11c54d0) in [APT41 DUST](https://app.tidalcyber.com/campaigns/b90adbbd-0fe3-5c5f-9433-543a5f01b0ae).<sup>[[Google Cloud APT41 2024](https://app.tidalcyber.com/references/33bb9f8a-db9d-5dda-b4ae-2ba7fee0a0ae)]</sup>","first_seen":"2023-01-31T23:00:00Z","last_seen":"2024-06-30T22:00:00Z","created":"2024-10-31T16:28:09.863939Z","modified":"2024-10-31T16:28:09.863942Z","campaign_attack_id":"C0040","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"b90adbbd-0fe3-5c5f-9433-543a5f01b0ae"},{"id":"04e7a8d6-c80f-5dab-979c-0c52969abe66","name":"ArcaneDoor","description":"[ArcaneDoor](https://app.tidalcyber.com/campaigns/04e7a8d6-c80f-5dab-979c-0c52969abe66) is a campaign targeting networking devices from Cisco and other vendors between July 2023 and April 2024, primarily focused on government and critical infrastructure networks. [ArcaneDoor](https://app.tidalcyber.com/campaigns/04e7a8d6-c80f-5dab-979c-0c52969abe66) is associated with the deployment of the custom backdoors [Line Runner](https://app.tidalcyber.com/software/dd98310f-9824-5c75-944f-79b5eabbfe58) and [Line Dancer](https://app.tidalcyber.com/software/9781f766-1afc-517b-9b3e-1cbeed9c556e). 
[ArcaneDoor](https://app.tidalcyber.com/campaigns/04e7a8d6-c80f-5dab-979c-0c52969abe66) is attributed to a group referred to as UAT4356 or STORM-1849, and is assessed to be a state-sponsored campaign.<sup>[[Cisco ArcaneDoor 2024](https://app.tidalcyber.com/references/da99c764-8c3d-5a2c-9321-0f6fe4da141b)]</sup><sup>[[CCCS ArcaneDoor 2024](https://app.tidalcyber.com/references/904b6c9a-8ab9-572e-aa9a-90f840c8ff82)]</sup>","first_seen":"2023-07-01T06:00:00Z","last_seen":"2024-04-01T06:00:00Z","created":"2025-04-22T20:47:03.258603Z","modified":"2025-04-22T20:47:03.258606Z","campaign_attack_id":"C0046","source":"MITRE","owner_name":null,"tags":[{"id":"17813193-ff15-4ca8-84bc-12721a6d210c","tag":"af5e9be5-b86e-47af-91dd-966a5e34a186"},{"id":"cc85315a-ad8d-4daf-abbf-5d717a9c64ed","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"0a37ada6-c7b8-4b40-9265-a03079c37547","tag":"6bb2f579-a5cd-4647-9dcd-eff05efe3679"},{"id":"0fa89dc3-f65e-4635-8e45-19160163f28a","tag":"c25f341a-7030-4688-a00b-6d637298e52e"},{"id":"19a5956f-af50-400f-bda2-b89a7fd5acf7","tag":"a159c91c-5258-49ea-af7d-e803008d97d3"},{"id":"5547c9de-751b-41b5-a518-b991c9e228a6","tag":"9768aada-9d63-4d46-ab9f-d41b8c8e4010"},{"id":"fa365b1e-7bcd-437a-b516-74554e4edcd2","tag":"2e85babc-77cd-4455-9c6e-312223a956de"},{"id":"446404c0-39f1-4519-9f8f-89937abc6d78","tag":"0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3"}],"tidal_id":"04e7a8d6-c80f-5dab-979c-0c52969abe66"},{"id":"ccc6401a-b79f-424b-8617-3c2d55475584","name":"ArcaneDoor (Deprecated)","description":"*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"ArcaneDoor\" (Campaign). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). 
ASAs are network devices that combine firewall, VPN, and other functionality. The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.<sup>[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]</sup>\n\nResearchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.<sup>[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)]</sup> The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.<sup>[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]</sup>","first_seen":"2023-11-01T00:00:00Z","last_seen":"2024-02-29T00:00:00Z","created":"2024-05-07T16:51:47.591050Z","modified":"2024-05-07T16:51:47.591055Z","campaign_attack_id":"C3036","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"9a9a6210-e0ab-46b4-b18b-c5576437f0a9","tag":"a159c91c-5258-49ea-af7d-e803008d97d3"},{"id":"3e029334-279b-412b-afa3-b4e3586ad753","tag":"af5e9be5-b86e-47af-91dd-966a5e34a186"},{"id":"75584240-75cb-4c4d-8b03-04cffdd5eb57","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"a389f4eb-a048-4fe8-b4bd-76f9a20aecda","tag":"6bb2f579-a5cd-4647-9dcd-eff05efe3679"},{"id":"fe5d135e-f319-4eab-bcbf-d37ab7f64e1d","tag":"c25f341a-7030-4688-a00b-6d637298e52e"},{"id":"9356fa95-5786-4ff2-ac15-74b28363d356","tag":"9768aada-9d63-4d46-ab9f-d41b8c8e4010"},{"id":"d25b9927-ca7b-42d1-8ab7-2ab91f6b814a","tag":"2e85babc-77cd-4455-9c6e-312223a956de"},{"id":"e17784b4-2f22-43cb-a994-c398678ea197","tag":"0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3"}],"tidal_id":"26108235-1867-5c1b-bc1a-50ac8609c39c"},{"id":"2b934478-f3fd-462b-b50f-52fa5a0e341d","name":"A Series of Unfortunate (RMM) Events","description":"A series of attacks in 2025 involving the abuse of multiple remote monitoring and management (RMM) tools for initial access, persistence, and lateral movement across various sectors, leveraging phishing and social engineering lures.<sup>[[Huntress December 18 2025](/references/990fe0c2-253d-467c-a16f-0f006cdeb618)]</sup>","first_seen":"2024-09-01T00:00:00Z","last_seen":"2025-11-30T00:00:00Z","created":"2025-12-29T17:41:32.539491Z","modified":"2025-12-29T17:41:32.539494Z","campaign_attack_id":"C3243","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"6f658e26-ef62-4c25-a03a-60cddc4ae36b","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"e2eb7bf2-d65f-43a3-92a9-33a7fc47a645","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"aa41826e-9d0e-5975-b21d-4d9878b13384"},{"id":"94d350af-2930-4a90-8ae4-09c8d1b552f0","name":"Ashen Lepus 2025 Espionage Campaign","description":"A long-running espionage campaign by Ashen Lepus targeting governmental and diplomatic entities throughout the Middle East, using new versions of custom loaders and 
the AshTag malware suite. The campaign persisted through the Israel-Hamas conflict and expanded its victimology to additional Arabic-speaking countries.<sup>[[Unit 42 December 11 2025](/references/be18bd4b-38de-4be3-a67b-ec20f7070c3b)]</sup>","first_seen":"2025-01-01T00:00:00Z","last_seen":"2025-12-11T00:00:00Z","created":"2025-12-24T14:57:51.672108Z","modified":"2025-12-24T14:57:51.672112Z","campaign_attack_id":"C3226","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"f6196d10-1d19-4e59-9d14-efff34d05f9e","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"74af7a97-edec-4d64-8a3f-0480fc78da1a","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"9af56ca5-7a81-5731-825b-45edd11fe8fb"},{"id":"b412120b-fd91-4d91-b703-855db4d53779","name":"Automated React2Shell-to-Weaxor ransomware campaign","description":"A campaign in which financially motivated threat actors exploited the React2Shell (CVE-2025-55182) vulnerability for initial access and rapidly deployed Weaxor ransomware in an automated fashion against vulnerable web servers.<sup>[[None December 16 2025](/references/77a0f06e-b16f-4d3d-998e-0af3e1789624)]</sup>","first_seen":"2025-12-05T00:00:00Z","last_seen":"2025-12-05T00:00:00Z","created":"2025-12-29T17:41:32.685273Z","modified":"2025-12-29T17:41:32.685276Z","campaign_attack_id":"C3244","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"c0d98b6c-3705-45cd-a158-c6010a82af8f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"694fa537-feab-452f-95a6-564ff0cae69b","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"f7fb91a0-daec-58d4-8c94-71b0d86f6c2f"},{"id":"92455467-b6dc-403f-8588-c996e723c5fa","name":"Autumn Dragon Southeast Asia Espionage Campaign","description":"A sustained espionage campaign since early 2025 targeting government and media sectors in countries surrounding the South China Sea, using multi-stage DLL sideloading and custom backdoors.<sup>[[None November 28 
2025](/references/d66a4368-9233-4628-9a05-014f6d58259b)]</sup>","first_seen":"2025-03-01T00:00:00Z","last_seen":"2025-11-18T00:00:00Z","created":"2025-12-24T14:57:51.085735Z","modified":"2025-12-24T14:57:51.085739Z","campaign_attack_id":"C3222","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"5ae03aef-33bc-465d-94da-564a8c437737","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"978dfd0c-012b-4957-afae-479d96350270","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"ebd9c835-05d4-5fa5-8636-c1f2f733f08c"},{"id":"9779935d-e316-4482-bec8-3d0704a26dc0","name":"AWS Data Theft & Ransom Attack","description":"This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker used exposed cloud credentials to gain access to an AWS environment and ultimately collect and exfiltrate data before deleting files and leaving a ransom note extorting the victim to recover the stolen data.<sup>[[Www.invictus-ir.com 1 11 2024](/references/5e2a0756-d8f6-4359-9ca3-1e96fb8b5ac9)]</sup>","first_seen":"2024-01-01T00:00:00Z","last_seen":"2024-01-01T00:00:00Z","created":"2024-06-13T20:12:39.941414Z","modified":"2024-06-13T20:12:39.941417Z","campaign_attack_id":"C3034","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"2d032b61-ea63-4c2d-b04f-e14d0796bfea","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"45d9e8d8-c745-4066-bb8c-cc018f3902ad","tag":"2e5f6e4a-4579-46f7-9997-6923180815dd"},{"id":"0b1a978a-b567-4d86-b8ed-5931f2a28f24","tag":"5e7433ad-a894-4489-93bc-41e90da90019"},{"id":"382488e9-fcb4-49a8-b1fc-7e0c98b8d5d0","tag":"7e7b0c67-bb85-4996-a289-da0e792d7172"},{"id":"51dba7a7-5a6e-4509-8f2c-74eb953f20c9","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"be4ae04d-fc2c-52a8-b8ed-0375285abada"},{"id":"a94a5919-953e-4607-aaa4-dfccf6d938b5","name":"AWS Fargate Cryptojacking Activity","description":"Security researchers observed adversary activity that involved deployment of hundreds of 
AWS ECS Fargate clusters used to run XMRig cryptomining software. Researchers assessed that the activity was likely part of a wider campaign involving potentially hundreds of thousands of environments.<sup>[[Datadog ECS January 19 2024](/references/7e4e44a7-b079-41af-b41d-176ba7e99563)]</sup>","first_seen":"2023-12-01T00:00:00Z","last_seen":"2024-01-19T00:00:00Z","created":"2024-06-13T20:12:39.311684Z","modified":"2024-06-13T20:12:39.311687Z","campaign_attack_id":"C3031","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"b622739d-356d-4793-8e02-f6de7d0c4cd0","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"e24112ac-e74d-46ce-9a8a-60eb29313e0c","tag":"2e5f6e4a-4579-46f7-9997-6923180815dd"},{"id":"91ac2a0d-ded5-47a6-9ef9-dc6a9a8052e3","tag":"8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e"},{"id":"af68fc2f-fb94-4a94-a5ed-ddc751b300b8","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"2f9ae33a-7a8f-5d84-97d0-709f88326740"},{"id":"64bddb9e-8bb4-481e-851a-0ddd7ba34615","name":"AWS Lambda Credential Theft & Phishing Attack","description":"This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker was able to steal AWS Lambda credentials, use them to execute various API calls and enumerate various cloud services, and ultimately perform a cloud-based phishing attack, which reportedly cost the target organization considerable financial damage.<sup>[[Unit 42 12 8 2022](/references/e7a4a0cf-ffa2-48cc-9b21-a2333592c773)]</sup>","first_seen":"2022-05-20T00:00:00Z","last_seen":"2022-05-20T00:00:00Z","created":"2024-06-13T20:12:39.522671Z","modified":"2024-06-13T20:12:39.522675Z","campaign_attack_id":"C3032","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"b06e3eef-f8d6-4c38-b1a1-21b0a1ee6f33","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"713376e1-b560-4018-9661-90e825198f2a","tag":"2e5f6e4a-4579-46f7-9997-6923180815dd"},{"id":"9c5767ba-d6b3-4e36-af04-5ebacd453105","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"8961a66c-5b77-581e-81e6-d69640709cc5"},{"id":"b68cbe16-1a2a-4199-975d-b1b96313d50c","name":"Azure 15.72 Tbps DDoS attack (2025)","description":"A record-breaking multi-vector DDoS attack measuring 15.72 Tbps and 3.64 billion pps, targeting a single Azure endpoint in Australia, launched by the Aisuru botnet.<sup>[[TECHCOMMUNITY.MICROSOFT.COM November 17 2025](/references/2a8948a9-f566-4ea0-898f-9b0734066d00)]</sup>","first_seen":"2025-10-24T00:00:00Z","last_seen":"2025-10-24T00:00:00Z","created":"2025-11-19T17:45:57.714069Z","modified":"2025-11-19T17:45:57.714072Z","campaign_attack_id":"C3170","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"090d6823-c9a5-4c3a-bdbc-170c1d2aa704","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"697a14ab-f669-4e7c-99c2-2fe9941714d5","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"4df93c85-6042-56ff-9f0e-49a8823f189e"},{"id":"e9988ec3-fa0e-4f6f-b034-010025d54379","name":"BADAUDIO Campaign","description":"A multi-year cyber espionage campaign by APT24 involving the delivery of BADAUDIO malware through strategic web compromises, supply chain attacks on a Taiwanese digital marketing firm, and targeted phishing campaigns.<sup>[[Google Cloud Blog November 20 2025](/references/a99c8dce-a85b-404f-8b91-65135de27537)]</sup>","first_seen":"2022-11-01T00:00:00Z","last_seen":"2025-09-01T00:00:00Z","created":"2025-12-10T14:15:25.329440Z","modified":"2025-12-10T14:15:25.329446Z","campaign_attack_id":"C3187","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"9d9e2329-aeb1-4eb4-92fe-6cd21218e6ef","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"25d832ec-78ab-4f7f-b657-7a1da40b0508","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"fcab2234-5eaf-50a0-9555-80a6e66d35e9"},{"id":"6cfae8c4-89d4-478c-a5cd-d192da68d9b0","name":"BadPilot","description":"Microsoft researchers identified activity tied to a subgroup of the Russian state actor Seashell Blizzard, referred to as the \"BadPilot campaign,\" which involved execution of prolonged initial access operations targeting Internet-facing infrastructure. This activity facilitated persistent access to high-value targets and supported customized network operations.<sup>[[Microsoft Security Blog February 12 2025](/references/300bf6cb-582b-4e15-8cca-cb68c8856e6f)]</sup>","first_seen":"2021-12-01T00:00:00Z","last_seen":"2025-02-12T00:00:00Z","created":"2025-03-04T15:55:32.995045Z","modified":"2025-03-04T15:55:32.995050Z","campaign_attack_id":"C3092","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"332dee8f-9c93-44ba-a44b-dcc692e653c5","tag":"916ea1e8-d117-45a4-8564-0597a02b06e4"},{"id":"d597f1b5-06cd-4483-9e84-f5d049a0b234","tag":"08809fa0-61b6-4394-b103-1c4d19a5be16"},{"id":"9ffab91a-566c-4196-90b5-bae2adca940a","tag":"f0c58aa3-5d21-4ade-95a0-b775dde7e8a3"},{"id":"7689c2a1-7121-43d3-8770-c07d2e5a1337","tag":"21c64d34-e52a-42ba-a8c7-85aa82dc0b3f"},{"id":"f47cf0ee-e087-4c12-a295-5aa655585dca","tag":"375983b3-6e87-4281-99e2-1561519dd17b"},{"id":"1738479e-c11c-4f9c-92c8-9cf8b96fdfd5","tag":"8046a757-48f0-4787-81ab-9dc8c1eb77cd"},{"id":"87741bd0-5cbc-42d7-9bc7-bb600fc69e55","tag":"d431939f-2dc0-410b-83f7-86c458125444"},{"id":"9f07059d-06e8-4c8f-bb53-9d70eec5fc30","tag":"15f2277a-a17e-4d85-8acd-480bf84f16b4"},{"id":"31a7213e-3257-411a-b491-f1266c3ac400","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"97f0dbdb-8677-49af-83e1-9f0bfbc8af13","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"3525141b-69af-5c41-898f-5e33725e10dd"},{"id":"b308f296-fcab-4cc5-8604-65a901cd3c0e","name":"Belgrade Security Conference Phishing Campaign","description":"A targeted phishing campaign in late 2025 where UTA0355 impersonated the Belgrade Security Conference to lure victims into providing OAuth tokens and credentials, using fake websites and rapport-building social engineering.<sup>[[Volexity December 04 2025](/references/766e12b5-5336-49c8-9466-997cce7c47fe)]</sup>","first_seen":"2025-10-01T00:00:00Z","last_seen":"2025-11-19T00:00:00Z","created":"2025-12-10T14:15:29.106990Z","modified":"2025-12-10T14:15:29.106993Z","campaign_attack_id":"C3201","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"24e98876-8bfc-43da-91ef-c38fb60a8a81","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"783595be-36e8-41c4-9051-93dd34592e8e","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"c63547ca-4043-557f-815d-d415f2921ffe"},{"id":"26148f1d-382a-4670-9b83-f6692e055588","name":"BianLian Group 2024 
Activity","description":"This object represents a collection of the MITRE ATT&CK® Techniques added to joint Cybersecurity Advisory AA23-270A (originally published in May 2023) in November 2024, which focused on recent activity associated with BianLian, a ransomware & extortion actor group. The updated advisory highlighted BianLian TTPs observed by international cybersecurity authorities as recently as June 2024.\n\nTechnique Relationships originally associated with BianLian from advisory AA23-270A can be found in the \"BianLian Ransomware Group\" Group object. According to the 2024 advisory update, BianLian actors are believed to have shifted \"primarily\" to exfiltration-based extortion (as opposed to ransomware encryption-based attacks) around January 2023 and subsequently shifted \"exclusively\" to exfiltration-based extortion approximately one year later.<sup>[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]</sup>","first_seen":"2024-01-01T00:00:00Z","last_seen":"2024-06-30T00:00:00Z","created":"2024-11-25T18:01:29.684406Z","modified":"2024-11-25T18:01:29.684411Z","campaign_attack_id":"C3074","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"149d1c32-e041-4acf-ac39-5a214fde4cd7","tag":"35e694ec-5133-46e3-b7e1-5831867c3b55"},{"id":"ae9f7ca0-49a7-49e1-8cfc-31cb2f8b68aa","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"b1d2b801-0b45-405f-b50f-79837d401c3e","tag":"2743d495-7728-4a75-9e5f-b64854039792"},{"id":"88c9d694-30f6-4506-b1bd-dec22f49a3af","tag":"3ed2343c-a29c-42e2-8259-410381164c6a"},{"id":"12ca1635-d00a-408d-bfc6-2f415453486a","tag":"375983b3-6e87-4281-99e2-1561519dd17b"},{"id":"be3ba6c0-4f7d-4798-8564-3a557715a5be","tag":"64d3f7d8-30b7-4b03-bee2-a6029672216c"},{"id":"27068966-dbf2-47a2-aef3-59a57705da5f","tag":"b396ec0b-13bd-4c7c-82e5-038110fe3aae"},{"id":"62a748ad-8519-4c8d-b989-cd3eef499167","tag":"5e7433ad-a894-4489-93bc-41e90da90019"}],"tidal_id":"1ff917c5-8703-515d-a46a-ad53cd4d81a9"},{"id":"b6ce227e-7240-4591-a8b9-641822c1f9f4","name":"Black Basta Operator Social Engineering Campaign","description":"Adversaries used email bombing and subsequent voice phishing to convince target users into granting the actors remote access to victim systems via legitimate tools including AnyDesk and the built-in Windows Quick Assist utility. 
The actors then used malicious remote access tools to access other assets within compromised environments, in some cases followed by deployment of Black Basta ransomware.<sup>[[Rapid7 Blog 5 10 2024](/references/ba749fe0-1ac7-4767-85df-97e6351c37f9)]</sup><sup>[[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]</sup>","first_seen":"2024-04-15T00:00:00Z","last_seen":"2024-05-15T00:00:00Z","created":"2024-06-13T20:12:40.363869Z","modified":"2024-06-13T20:12:40.363873Z","campaign_attack_id":"C3037","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"3d3cc09a-4961-453c-8524-5fbaa8bbb163","tag":"e90b243c-99e2-46fe-8f04-eca9c7939250"},{"id":"b8d6aee0-b80d-4091-8b4f-86b66dc6074f","tag":"62bde669-3020-4682-be68-36c83b2588a4"},{"id":"88c43b59-19da-41d5-9df7-1c8f17ae2e2f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"81882bc9-a44f-4fc5-9d5f-4d88d2c2f164","tag":"562e535e-19f5-4d6c-81ed-ce2aec544f09"},{"id":"022a5df5-ad68-48af-9a6f-3d01b4aa703c","tag":"5e7433ad-a894-4489-93bc-41e90da90019"},{"id":"02bb5bec-36c7-4439-b82f-4afdbb9e8680","tag":"7e7b0c67-bb85-4996-a289-da0e792d7172"},{"id":"258c9d98-1d66-4344-9fd6-442c1d6d4bd8","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"8a8ee3d5-6c87-59e0-8248-94ecd0d66fb4"},{"id":"a7f560b2-dbdb-4a39-94d3-359ae9760bbb","name":"BlindEagle BlotchyQuasar Activity","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2024-06-01T00:00:00Z","last_seen":"2024-09-05T00:00:00Z","created":"2025-02-11T18:20:49.112212Z","modified":"2025-02-11T18:20:49.112216Z","campaign_attack_id":"C3087","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"2d359e88-96bd-4f7c-8850-0e9c101ceb26","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"f62b97f9-17f4-4f00-9d27-b967197e41d3","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"45d1b433-8135-55fc-9303-5223b97341df"},{"id":"9743fbe2-336f-422c-b2c8-31fed1cc76c3","name":"BlindEagle spear phishing campaign targeting Colombian government agency (September 2025)","description":"A spear phishing campaign attributed to BlindEagle targeting a Colombian government agency under the Ministry of Commerce, Industry and Tourism (MCIT) using compromised internal email accounts, legal-themed lures, and a multi-stage malware delivery chain involving Caminho and DCRAT.<sup>[[None December 16 2025](/references/77a0f06e-b16f-4d3d-998e-0af3e1789624)]</sup>","first_seen":"2025-09-01T00:00:00Z","last_seen":"2025-09-30T00:00:00Z","created":"2025-12-24T14:57:51.962867Z","modified":"2025-12-24T14:57:51.962870Z","campaign_attack_id":"C3228","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"60601ff0-e378-4c7b-b59e-93f83c948947","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"7ba1e11f-cf9e-49ac-8804-b20b3ab27f0b","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"92aa0308-aa06-50f3-9f4c-bedf762c8686"},{"id":"23d646e6-eacb-4845-ba56-48b6598d4548","name":"Bling Libra 2024 Cloud Extortion Campaign","description":"A campaign in 2024 where Bling Libra (ShinyHunters) shifted from selling stolen data to extorting victims by compromising AWS environments, deleting S3 buckets, and demanding ransom.<sup>[[Unit 42 August 23 
2024](/references/d6c50145-2bf9-4f7c-97b9-81cc2e1575f2)]</sup>","first_seen":"2024-04-01T00:00:00Z","last_seen":"2024-08-23T00:00:00Z","created":"2025-11-19T17:45:57.431836Z","modified":"2025-11-19T17:45:57.431839Z","campaign_attack_id":"C3168","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"abbc6198-3fd9-4db3-afb2-1549db09795b","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"d2a0eb0b-68c1-4b0b-861e-aa3d34065255","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"1c91a2fb-3a5b-5888-97b9-18c2691adf6c"},{"id":"93bde833-d56b-4ccc-8f04-13338804bd73","name":"BLOCKADE SPIDER cross-domain ransomware campaign","description":"A series of ransomware campaigns by BLOCKADE SPIDER since at least April 2024, leveraging cross-domain techniques to compromise endpoints, cloud, and identity systems, culminating in the deployment of Embargo ransomware.<sup>[[CrowdStrike.com November 18 2025](/references/64ae5734-c8cc-41e0-ba24-79e1d6ebc475)]</sup>","first_seen":"2024-04-01T00:00:00Z","last_seen":"2025-11-18T00:00:00Z","created":"2025-12-10T14:15:24.101182Z","modified":"2025-12-10T14:15:24.101189Z","campaign_attack_id":"C3180","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"813dd420-b1d5-486f-ae48-d6642320ba77","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"8c314875-e98b-4590-91b0-cfee97585ae9","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"f92e51b6-3ada-5a2b-baa8-cde604d8f700"},{"id":"0c1ce25b-661d-4134-879a-c2a229a62a86","name":"BlueAlpha Cloudflare Tunneling Activity","description":"BlueAlpha, a group overlapping with Russia's Gamaredon Group, was observed carrying out spearphishing attacks targeting Ukrainian-speaking individuals and organizations. Phishing attachments were used to download and execute malware including GammaDrop and GammaLoad. 
Infrastructure used to stage GammaDrop leveraged Cloudflare Tunnels, a freely available service, to conceal malicious traffic by proxying it via the Cloudflare network.<sup>[[Recorded Future BlueAlpha December 5 2024](/references/0baac037-864d-47d6-beb2-6243cd816036)]</sup>","first_seen":"2024-08-08T00:00:00Z","last_seen":"2024-08-28T00:00:00Z","created":"2024-12-10T14:33:21.982921Z","modified":"2024-12-10T14:33:21.982926Z","campaign_attack_id":"C3077","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"d6bf8c5e-6e47-412a-8ef7-9b0eb3541137","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"57194d77-3a0d-4446-8606-5f96899f9c33","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"62a04acf-f111-5e39-8019-be1c2ccfdc72"},{"id":"f2303daa-184b-4fec-ae38-434911c963ab","name":"BlueDelta Credential-Harvesting Campaigns (2025)","description":"A series of credential-harvesting campaigns by BlueDelta between February and September 2025, targeting energy, government, research, and think tank organizations in Türkiye, Europe, North Macedonia, and Uzbekistan using phishing pages themed as Microsoft OWA, Google, and Sophos VPN.<sup>[[Www.recordedfuture.com January 09 2026](/references/fb8ee1dd-bf96-4d28-9d9f-807cc351190b)]</sup>","first_seen":"2025-02-01T00:00:00Z","last_seen":"2025-09-11T00:00:00Z","created":"2026-01-14T13:32:08.742193Z","modified":"2026-01-14T13:32:08.742205Z","campaign_attack_id":"C3265","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"c6d424d8-2c23-4bf2-aca5-67604abff412","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"f3b0d9aa-a5e1-4c6e-94ab-6c10f1cecbf1","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"dd41dd79-539a-5773-9db6-03ca48b2225f"},{"id":"f2be12e6-10e2-4a21-b75b-2113d432c34d","name":"Booking.com-themed ClickFix Campaign","description":"A malware distribution campaign in September 2025 targeting the hospitality industry with fake booking.com lures and using Shanya-packed payloads to deliver 
CastleRAT.<sup>[[Sophos News December 07 2025](/references/d74c88c0-25fe-419a-bf69-1603d1b3a597)]</sup>","first_seen":"2025-09-01T00:00:00Z","last_seen":"2025-09-30T00:00:00Z","created":"2025-12-17T14:19:14.136759Z","modified":"2025-12-17T14:19:14.136762Z","campaign_attack_id":"C3209","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"7725b51e-7ceb-4b8e-ae13-55bcbb90a868","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"dfba0849-b563-48f9-a4a3-a30a91003997","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"cd0f708a-60db-509b-9c79-380175e51d5d"},{"id":"218800ed-04ae-4b45-85f9-77fe5f10d83a","name":"Boto Cor-de-Rosa","description":"A campaign in which Astaroth banking malware uses WhatsApp Web for worm-like propagation, targeting Brazilian users with credential theft and social engineering.<sup>[[Acronis January 08 2026](/references/67e63f34-e4c6-4c6c-9d79-758c8b1ca7ff)]</sup>","first_seen":"2026-01-08T00:00:00Z","last_seen":"2026-01-08T00:00:00Z","created":"2026-01-14T13:32:09.577758Z","modified":"2026-01-14T13:32:09.577762Z","campaign_attack_id":"C3270","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"beaa3455-3621-47a2-b37f-e47c0a705ef6","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"c48aca7c-7611-4380-8577-451a7f163792","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"07ea63c3-cf3f-5a67-9c5a-8f9c699fd505"},{"id":"9e31c69e-dcb0-4903-a403-8c9a0ec2d422","name":"BRICKSTORM Espionage Campaign","description":"A long-running cyber espionage campaign attributed to UNC5221, targeting US legal, SaaS, BPO, and technology sectors using the BRICKSTORM backdoor and related tools to maintain stealthy, persistent access and exfiltrate sensitive data.<sup>[[Google Cloud Blog 09 24 
2025](/references/e1f48b82-07b0-4d68-92ed-2aa27db6702a)]</sup>","first_seen":"2025-03-01T00:00:00Z","last_seen":"2025-09-24T00:00:00Z","created":"2025-10-07T14:07:45.220654Z","modified":"2025-10-07T14:07:45.220657Z","campaign_attack_id":"C3130","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"8ef2c03d-36b2-46c1-8544-5b2e6cabac64","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"3b9b97d5-6c8a-40c9-90b8-0eed67c900e5","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"5ca65a13-3cf9-5d3b-9e53-0f1d2b013a5c"},{"id":"31f65cfe-72f7-44b7-b07f-1266cc6eafcd","name":"Brussels Indo-Pacific Dialogue Phishing Campaign","description":"A campaign in late 2025 where UTA0355 impersonated the Brussels Indo-Pacific Dialogue event to target individuals in foreign policy and government, using spear-phishing and Device Code phishing workflows.<sup>[[Volexity December 04 2025](/references/766e12b5-5336-49c8-9466-997cce7c47fe)]</sup>","first_seen":"2025-11-01T00:00:00Z","last_seen":"2025-12-02T00:00:00Z","created":"2025-12-10T14:15:29.269290Z","modified":"2025-12-10T14:15:29.269293Z","campaign_attack_id":"C3202","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"71417073-ce85-47b5-bcb5-21d6d2d9b522","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"9b739101-d9dd-4604-bbad-da47b14e7370","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"70cb5a54-c01d-5783-841b-7b3ee7a593a0"},{"id":"0e3a0fa7-78eb-4820-9881-d62b04fe6f92","name":"Bumblebee Distribution Campaigns 2023-24","description":"This object represents observed pre-attack, initial access, execution, and other techniques used to distribute Bumblebee malware in 2023 and early 2024. 
Further background & contextual details can be found in the References tab below, and additional techniques associated with the technical mechanics of Bumblebee binaries can be found in the relevant Software object.","first_seen":"2023-03-01T00:00:00Z","last_seen":"2024-02-01T00:00:00Z","created":"2024-06-13T20:12:38.670711Z","modified":"2024-06-13T20:12:38.670715Z","campaign_attack_id":"C3025","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"20ea5c5e-2952-4074-b9ff-175e37c21dd6","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"08413faf-9ef1-4f71-9921-7825a4585ed7","tag":"f8669b82-2194-49a9-8e20-92e7f9ab0a6f"},{"id":"1fae939c-d871-4432-823e-93d987961e7d","tag":"84615fe0-c2a5-4e07-8957-78ebc29b4635"},{"id":"ce4cc52d-4548-42a5-a8a1-e1495d2f6eaa","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"96314ba7-5e35-5a20-8e38-83df3ce4b6a8"},{"id":"22dea516-5d20-476e-a607-aa89d699aeb1","name":"BYO-VM Spam Bombing and Persistence Campaign","description":"A campaign in early 2025 where adversaries used aggressive spam bombing followed by social engineering and the deployment of a custom QEMU virtual machine for persistence and control within victim environments.<sup>[[Red Canary December 09 2025](/references/6d71e655-029e-49b0-8285-30e036e63140)]</sup>","first_seen":"2025-01-01T00:00:00Z","last_seen":"2025-03-31T00:00:00Z","created":"2025-12-24T14:57:52.560746Z","modified":"2025-12-24T14:57:52.560750Z","campaign_attack_id":"C3232","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"24bab46f-48f3-487f-b1a4-9cb17ded43e9","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"f719b417-9dab-491b-b0b1-739239bbd220","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"b4b3e9e6-f2ec-558c-b15e-c7a0e7b793a5"},{"id":"a1e33caf-6eb0-442f-b97a-f6042f21df48","name":"C0010","description":"[C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) was a cyber espionage campaign conducted by UNC3890 that targeted Israeli 
shipping, government, aviation, energy, and healthcare organizations. Security researchers assess UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. [C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) began by at least late 2020, and was still ongoing as of mid-2022.<sup>[[Mandiant UNC3890 Aug 2022](https://app.tidalcyber.com/references/7b3fda0b-d327-4f02-bebe-2b8974f9959d)]</sup>","first_seen":"2020-12-01T07:00:00Z","last_seen":"2022-08-01T06:00:00Z","created":"2022-09-21T22:16:42.003000Z","modified":"2022-10-04T20:18:28.362000Z","campaign_attack_id":"C0010","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"1e968241-c1da-5f99-be15-47bc9c80ad97"},{"id":"4c7386a7-9741-4ae4-8ad9-def03ed77e29","name":"C0011","description":"[C0011](https://app.tidalcyber.com/campaigns/4c7386a7-9741-4ae4-8ad9-def03ed77e29) was a suspected cyber espionage campaign conducted by [Transparent Tribe](https://app.tidalcyber.com/groups/441b91d1-256a-4763-bac6-8f1c76764a25) that targeted students at universities and colleges in India. 
Security researchers noted this campaign against students was a significant shift from [Transparent Tribe](https://app.tidalcyber.com/groups/441b91d1-256a-4763-bac6-8f1c76764a25)'s historic targeting of Indian government, military, and think tank personnel, and assessed it was still ongoing as of July 2022.<sup>[[Cisco Talos Transparent Tribe Education Campaign July 2022](https://app.tidalcyber.com/references/acb10fb6-608f-44d3-9faf-7e577b0e2786)]</sup> ","first_seen":"2021-12-01T06:00:00Z","last_seen":"2022-07-01T05:00:00Z","created":"2022-09-22T17:12:02.893000Z","modified":"2022-09-22T20:26:23.226000Z","campaign_attack_id":"C0011","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"a50fdb8b-6150-5fc3-8254-42f5f915ce0b"},{"id":"85bbff82-ba0c-4193-a3b5-985afd5690c5","name":"C0015","description":"[C0015](https://app.tidalcyber.com/campaigns/85bbff82-ba0c-4193-a3b5-985afd5690c5) was a ransomware intrusion during which the unidentified attackers used [Bazar](https://app.tidalcyber.com/software/b35d9817-6ead-4dbd-a2fa-4b8e217f8eac), [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), and [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5), along with other tools, over a 5-day period. 
Security researchers assessed the actors likely used the widely-circulated [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) ransomware playbook based on the observed pattern of activity and operator errors.<sup>[[DFIR Conti Bazar Nov 2021](https://app.tidalcyber.com/references/a6f1a15d-448b-41d4-81f0-ee445cba83bd)]</sup>","first_seen":"2021-08-01T05:00:00Z","last_seen":"2021-08-01T05:00:00Z","created":"2022-09-29T16:42:29.364000Z","modified":"2022-09-29T20:37:46.689000Z","campaign_attack_id":"C0015","source":"MITRE","owner_name":null,"tags":[{"id":"8f2b2426-7964-41b8-86f4-a43123d86006","tag":"5e7433ad-a894-4489-93bc-41e90da90019"},{"id":"7730b64e-7ec5-4b0e-b66f-879b0ac9b17d","tag":"7e7b0c67-bb85-4996-a289-da0e792d7172"}],"tidal_id":"175137b3-13fc-572a-9ea2-be1850e5b261"},{"id":"a56d7700-c015-52ca-9c52-fed4d122c100","name":"C0017","description":"[C0017](https://app.tidalcyber.com/campaigns/a56d7700-c015-52ca-9c52-fed4d122c100) was an [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During [C0017](https://app.tidalcyber.com/campaigns/a56d7700-c015-52ca-9c52-fed4d122c100), [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. 
The goals of [C0017](https://app.tidalcyber.com/campaigns/a56d7700-c015-52ca-9c52-fed4d122c100) are unknown; however, [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) was observed exfiltrating Personally Identifiable Information (PII).<sup>[[Mandiant APT41](https://app.tidalcyber.com/references/e54415fe-40c2-55ff-9e75-881bc8a912b8)]</sup>","first_seen":"2021-05-01T04:00:00Z","last_seen":"2022-02-01T05:00:00Z","created":"2023-05-26T01:20:56.235798Z","modified":"2023-05-26T01:20:56.235802Z","campaign_attack_id":"C0017","source":"MITRE","owner_name":null,"tags":[{"id":"6a187983-f530-4dc7-ab74-e4ef376addbf","tag":"a98d7a43-f227-478e-81de-e7299639a355"}],"tidal_id":"fdaefd47-a86b-536c-808f-dc1139ecf23e"},{"id":"0452e367-aaa4-5a18-8028-a7ee136fe646","name":"C0018","description":"\n[C0018](https://app.tidalcyber.com/campaigns/0452e367-aaa4-5a18-8028-a7ee136fe646) was a month-long ransomware intrusion that successfully deployed [AvosLocker](https://app.tidalcyber.com/software/e792dc8d-b0f4-5916-8850-a61ff53125d0) onto a compromised network. 
The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing [AvosLocker](https://app.tidalcyber.com/software/e792dc8d-b0f4-5916-8850-a61ff53125d0).<sup>[[Costa AvosLocker May 2022](https://app.tidalcyber.com/references/a94268d8-6b7c-574b-a588-d8fd80c27fd3)]</sup><sup>[[Cisco Talos Avos Jun 2022](https://app.tidalcyber.com/references/1170fdc2-6d8e-5b60-bf9e-ca915790e534)]</sup>","first_seen":"2022-02-01T05:00:00Z","last_seen":"2022-03-01T05:00:00Z","created":"2023-05-26T01:20:56.162338Z","modified":"2023-05-26T01:20:56.162342Z","campaign_attack_id":"C0018","source":"MITRE","owner_name":null,"tags":[{"id":"ff63712d-ae99-4d22-a60c-232c0a692988","tag":"5e7433ad-a894-4489-93bc-41e90da90019"},{"id":"b2c94ded-1f8a-48d2-9948-fa682d0deb0f","tag":"7e7b0c67-bb85-4996-a289-da0e792d7172"}],"tidal_id":"bb48df42-8285-50a6-a97f-69819c103541"},{"id":"86bed8da-4cab-55fe-a2d0-9214db1a09cf","name":"C0021","description":"[C0021](https://app.tidalcyber.com/campaigns/86bed8da-4cab-55fe-a2d0-9214db1a09cf) was a spearphishing campaign conducted in November 2018 that targeted public sector institutions, non-governmental organizations (NGOs), educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries. The majority of targets were located in the US, particularly in and around Washington D.C., with other targets located in Europe, Hong Kong, India, and Canada. 
[C0021](https://app.tidalcyber.com/campaigns/86bed8da-4cab-55fe-a2d0-9214db1a09cf)'s technical artifacts, tactics, techniques, and procedures (TTPs), and targeting overlap with previous suspected [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) activity.<sup>[[Microsoft Unidentified Dec 2018](https://app.tidalcyber.com/references/896c88f9-8765-4b60-b679-667b338757e3)]</sup><sup>[[FireEye APT29 Nov 2018](https://app.tidalcyber.com/references/30e769e0-4552-429b-b16e-27830d42edea)]</sup>","first_seen":"2018-11-01T05:00:00Z","last_seen":"2018-11-01T05:00:00Z","created":"2023-05-26T01:20:56.167231Z","modified":"2023-05-26T01:20:56.167235Z","campaign_attack_id":"C0021","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"4b6110c4-d582-51db-9fca-4980724e6843"},{"id":"41f283a1-b2ac-547d-98d5-ff907afd08c7","name":"C0026","description":"[C0026](https://app.tidalcyber.com/campaigns/41f283a1-b2ac-547d-98d5-ff907afd08c7) was a campaign identified in September 2022 that included the selective distribution of [KOPILUWAK](https://app.tidalcyber.com/software/d09c4459-1aa3-547d-99f4-7ac73b8043f0) and [QUIETCANARY](https://app.tidalcyber.com/software/52d3515c-5184-5257-bf24-56adccb4cccd) malware to previous [ANDROMEDA](https://app.tidalcyber.com/software/69aac793-9e6a-5167-bc62-823189ee2f7b) malware victims in Ukraine through re-registered [ANDROMEDA](https://app.tidalcyber.com/software/69aac793-9e6a-5167-bc62-823189ee2f7b) C2 domains. 
Several tools and tactics used during [C0026](https://app.tidalcyber.com/campaigns/41f283a1-b2ac-547d-98d5-ff907afd08c7) were consistent with historic [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) operations.<sup>[[Mandiant Suspected Turla Campaign February 2023](https://app.tidalcyber.com/references/d8f43a52-a59e-5567-8259-821b1b6bde43)]</sup>","first_seen":"2022-08-01T05:00:00Z","last_seen":"2022-09-01T04:00:00Z","created":"2023-11-07T00:35:51.569268Z","modified":"2023-11-07T00:35:51.569273Z","campaign_attack_id":"C0026","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"a40a57a8-aa85-5eba-9732-e3dc1692362d"},{"id":"a9719584-4f52-5a5d-b0f7-1059e715c2b8","name":"C0027","description":"[C0027](https://app.tidalcyber.com/campaigns/a9719584-4f52-5a5d-b0f7-1059e715c2b8) was a financially-motivated campaign linked to [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. 
During [C0027](https://app.tidalcyber.com/campaigns/a9719584-4f52-5a5d-b0f7-1059e715c2b8) [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.<sup>[[Crowdstrike TELCO BPO Campaign December 2022](https://app.tidalcyber.com/references/382785e1-4ef3-506e-b74f-cd07df9ae46e)]</sup>\n","first_seen":"2022-06-01T04:00:00Z","last_seen":"2022-12-01T05:00:00Z","created":"2023-11-07T00:35:51.577704Z","modified":"2023-11-07T00:35:51.577709Z","campaign_attack_id":"C0027","source":"MITRE","owner_name":null,"tags":[{"id":"f3f631d6-045b-4652-849f-e06fdcc6a852","tag":"e90b243c-99e2-46fe-8f04-eca9c7939250"}],"tidal_id":"85a5a016-4d4c-54dc-9151-68885d0481f3"},{"id":"c26b3156-8472-5b87-971f-41a7a4702268","name":"C0032","description":"[C0032](https://app.tidalcyber.com/campaigns/c26b3156-8472-5b87-971f-41a7a4702268) was an extended campaign suspected to involve the [Triton](https://app.tidalcyber.com/software/) adversaries with related capabilities and techniques focused on gaining a foothold within IT environments. 
This campaign occurred in 2019 and was distinctly different from the [Triton Safety Instrumented System Attack](https://app.tidalcyber.com/campaigns/6c7185e1-bd46-5a80-9a76-a376b16fbc7b).<sup>[[FireEye TRITON 2019](https://app.tidalcyber.com/references/49c97b85-ca22-400a-9dc4-6290cc117f04)]</sup>","first_seen":"2014-10-01T04:00:00Z","last_seen":"2017-01-01T05:00:00Z","created":"2024-04-25T13:28:23.416847Z","modified":"2024-04-25T13:28:23.416850Z","campaign_attack_id":"C0032","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"0c834a77-afa8-5bde-bba1-188fd151456c"},{"id":"c5d35d8d-fe96-5210-bb57-4692081a25a9","name":"C0033","description":"[C0033](https://app.tidalcyber.com/campaigns/c5d35d8d-fe96-5210-bb57-4692081a25a9) was a [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0) campaign during which they used [StrongPity](https://app.tidalcyber.com/software/ed563524-235e-4e06-8c69-3f9d8ddbfd8a) to target Android users. [C0033](https://app.tidalcyber.com/campaigns/c5d35d8d-fe96-5210-bb57-4692081a25a9) was the first publicly documented mobile campaign for [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0), who previously used Windows-based techniques.<sup>[[welivesec_strongpity](https://app.tidalcyber.com/references/1b89df2c-e756-599a-9f7f-a5230db9de46)]</sup>","first_seen":"2016-05-01T07:00:00Z","last_seen":"2023-01-01T08:00:00Z","created":"2024-04-25T13:28:23.458475Z","modified":"2024-04-25T13:28:23.458478Z","campaign_attack_id":"C0033","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"e297e453-1957-55cc-82bd-a8617c07b87f"},{"id":"f4bc1154-11a1-46a0-9c2f-e463fa7b49ad","name":"Campaign Alpha","description":"A campaign observed from October 2023 to April 2024 targeting the Taiwanese government and a chemical company, involving the deployment of SNAPPYBEE, DEMODEX, and GHOSTSPIDER malware.<sup>[[Trend Micro November 25 
2024](/references/8bf807bc-5103-4962-9a19-c12396cdb767)]</sup>","first_seen":"2023-10-01T00:00:00Z","last_seen":"2024-04-30T00:00:00Z","created":"2025-10-24T16:14:02.587073Z","modified":"2025-10-24T16:14:02.587076Z","campaign_attack_id":"C3151","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"58a3e2f0-6065-4ab6-8d95-05c5edba9490","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"9d69641c-9906-42bb-89aa-07c56d1e04df","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"e0987c23-5159-5812-bf73-fa928a9087a2"},{"id":"146ef2c8-1576-4c96-98f6-a941fab2f26d","name":"Campaign Beta","description":"A long-term campaign targeting telecommunications companies and government entities in Southeast Asia, involving the use of DEMODEX rootkit and the GHOSTSPIDER backdoor for persistent espionage.<sup>[[Trend Micro November 25 2024](/references/8bf807bc-5103-4962-9a19-c12396cdb767)]</sup>","first_seen":"2020-01-01T00:00:00Z","last_seen":"2024-10-31T00:00:00Z","created":"2025-10-24T16:14:02.796349Z","modified":"2025-10-24T16:14:02.796352Z","campaign_attack_id":"C3152","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"b7807621-2de3-4ee5-bf90-3b390b4ed8df","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"f6609723-9732-4c29-84bf-f067ced686c7","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"9b51896b-fb70-5fc0-8fd3-643f51b2bc2d"},{"id":"dd7ee01a-afc1-423c-b0af-7225647ee3ea","name":"Campaign Chorus","description":"A more sophisticated campaign starting in May 2025, expanding impersonation to over 40 applications and using multi-stage infection chains, cloud-hosted payloads, and DLL side-loading to deliver Gh0st RAT.<sup>[[Unit 42 November 14 2025](/references/f58e28af-6c30-4186-879a-d64542f161bf)]</sup>","first_seen":"2025-05-15T00:00:00Z","last_seen":"2025-10-01T00:00:00Z","created":"2025-11-26T19:38:34.229631Z","modified":"2025-11-26T19:38:34.229635Z","campaign_attack_id":"C3173","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"a5021027-6912-4833-ad87-dff70d5ab044","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"05de31d8-0697-43d0-a230-97162881d7aa","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"a922d029-1f1d-5692-8609-ac5f3757ec53"},{"id":"76a74b62-69d8-400d-8009-ecb756ec7950","name":"Campaign Trio","description":"An initial campaign active from February to March 2025, impersonating three software brands (i4tools, Youdao, DeepSeek) across over 2,000 domains to deliver Gh0st RAT to Chinese-speaking users via trojanized installers.<sup>[[Unit 42 November 14 2025](/references/f58e28af-6c30-4186-879a-d64542f161bf)]</sup>","first_seen":"2025-02-01T00:00:00Z","last_seen":"2025-03-31T00:00:00Z","created":"2025-11-26T19:38:34.387250Z","modified":"2025-11-26T19:38:34.387254Z","campaign_attack_id":"C3174","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"95a58fbc-8f07-40d2-a74a-f0e3e591a8b1","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"7e9647c0-c0b9-484e-a749-e36426e2b8d7","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"bfb33268-4b56-524c-b374-1dbdda31959a"},{"id":"d25e2560-43a6-461b-8279-bbe2eaf3a2b7","name":"Chinese APT Privileged Access Management Remote Support Compromise","description":"An announcement from privileged access management product vendor BeyondTrust indicated that threat actors compromised some of its remote support software-as-a-service (\"SaaS\") instances. The company indicated that actors gained access to an API token associated with the \"Remote Support SaaS\" capability, which allowed them to reset passwords for local application accounts. The incident involved a \"limited number\" of customers.<sup>[[BeyondTrust Announcement December 8 2024](/references/1d1347e2-56b6-4376-b2b6-7e3fc0a1ccde)]</sup>\n\nIn late December 2024, U.S. 
Treasury Department officials indicated that the agency was one of the customers using a compromised instance and attributed the compromise to an unspecified China state-sponsored advanced persistent threat (\"APT\") actor.<sup>[[BleepingComputer BeyondTrust December 30 2024](/references/98bd01e9-d976-4a45-82bf-895b5ea27fb7)]</sup>\n\nIn its announcement about its investigation into the incident, BeyondTrust also announced that it had discovered two vulnerabilities in Remote Support and Privileged Remote Access products (CVE-2024-12356 and CVE-2024-12686), although it did not explicitly link exploits of the vulnerabilities to the early December incident.<sup>[[BleepingComputer BeyondTrust December 19 2024](/references/20c92ad4-9481-48cd-8e72-2f720cd7c52b)]</sup> We are including Technique Relationships related to these vulnerabilities as part of this object for contextual awareness.","first_seen":"2024-12-02T00:00:00Z","last_seen":"2024-12-05T00:00:00Z","created":"2025-01-06T19:40:34.776170Z","modified":"2025-01-06T19:40:34.776176Z","campaign_attack_id":"C3079","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"26607a86-33c0-478f-a384-fa82ce2112cb","tag":"d0313ad4-3b22-4eb0-ac73-6d6caad7d35e"},{"id":"da7aa97a-cc54-4652-b189-3a18a71f6d18","tag":"46bc088d-e7c4-4f08-a2db-48cc99eaff32"},{"id":"8a370cbf-3420-4c30-8951-357b3567bed3","tag":"fe28cf32-a15c-44cf-892c-faa0360d6109"},{"id":"894e3aa6-76cc-44f3-899c-237c18d1bdfe","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"bdae4b25-01f4-43e0-8668-2982c3e5c016","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"89df7a1f-2afa-58eb-ab50-1f904ddf35bb"},{"id":"5cf7c58b-fdfb-4ab1-899b-ee686172b9d3","name":"Chinese State-Sponsored Global Network Compromises (Salt Typhoon Overlap)","description":"U.S. 
authorities and many international partners released cybersecurity advisory AA25-239A, which detailed a years-long, global campaign attributed to Chinese state-sponsored actors, who targeted network devices to compromise a large number and variety of entities for espionage purposes. Authorities indicated that the activity covered in advisory AA25-239A overlaps with activity reported by cybersecurity vendors as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor.<sup>[[Cybersecurity and Infrastructure Security Agency CISA August 27 2025](/references/90d60b4c-7c10-4fb7-ac4b-3c2645f864e4)]</sup>","first_seen":"2021-08-01T00:00:00Z","last_seen":"2025-06-30T00:00:00Z","created":"2025-09-04T13:58:31.522401Z","modified":"2025-09-04T13:58:31.522404Z","campaign_attack_id":"C3123","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"6da9ef76-385b-4bfd-b52e-4c6af83dfbef","tag":"483a33e5-e6fb-49d8-b071-6d6d21706e15"},{"id":"dcde6b41-a66b-4f15-9b23-2462a21fc4d2","tag":"2185ed93-7e1c-4553-9452-c8411b5dca93"},{"id":"b27c0844-2fd2-4be6-b278-3d422f3ed73d","tag":"d8f7e071-fbfd-46f8-b431-e241bb1513ac"},{"id":"6435bfdb-aed4-4f92-9999-6a9a4c875ca4","tag":"758c3085-2f79-40a8-ab95-f8a684737927"},{"id":"c949bee0-8ab0-4c3b-a10d-1eeb98c3059d","tag":"af5e9be5-b86e-47af-91dd-966a5e34a186"},{"id":"503daeea-bc7b-4f75-9694-0de480562f0f","tag":"1dc8fd1e-0737-405a-98a1-111dd557f1b5"},{"id":"2a47c28f-5bc5-4040-acd4-e13cd0c2ed6d","tag":"35e694ec-5133-46e3-b7e1-5831867c3b55"},{"id":"e354399b-928b-4a96-a615-33940236051b","tag":"e551ae97-d1b4-484e-9267-89f33829ec2c"},{"id":"5ce3ddf1-d10d-489b-8d7c-9c5fb291e828","tag":"61cdbb28-cbfd-498b-9ab1-1f14337f9524"},{"id":"8d407349-e28b-4da6-8362-d6392c37baa9","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"f38813a3-805e-46b7-9b4f-cba64d4b9abc","tag":"9ed63cc4-ed9d-4e8f-8297-4a5b6bd66858"},{"id":"76d6335d-f410-4b2d-bd3b-37558607bf22","tag":"1b0321d7-4d9a-4977-bd2a-092c2693b328"},{"id":"a3d80a53-50ae-440b-be51-378322fb5a17","tag":"5
3335a97-79dd-4ea6-9e8f-24ec8380a7bf"},{"id":"ea3f3707-1eec-4578-85b1-6c593e4aecfd","tag":"07f09197-1847-411e-a451-d37211ead1b2"},{"id":"d61d0da0-19ad-4378-a98f-ce37ded63d86","tag":"1ff4614e-0ee6-4e04-921d-61abba7fcdb7"}],"tidal_id":"3e7bc6df-7985-5ee6-94a4-6c940c1778a0"},{"id":"3ecdd876-7e93-4877-9032-49170c65a864","name":"Citrine Sleet Chromium Zero-Day Exploit Activity (CVE-2024-7971)","description":"Actors associated with the North Korean threat group Citrine Sleet were observed exploiting a zero-day vulnerability (CVE-2024-7971) in Chromium web browser software to achieve remote code execution in target environments. Actors were observed delivering FudModule, an advanced rootkit tool, during the attacks.<sup>[[Microsoft Security Blog August 30 2024](/references/d7ef2e80-30c0-47ce-91d4-db1690c6c689)]</sup>","first_seen":"2024-08-19T00:00:00Z","last_seen":"2024-08-30T00:00:00Z","created":"2024-10-04T20:33:26.945529Z","modified":"2024-10-04T20:33:26.945534Z","campaign_attack_id":"C3055","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"0d25472f-08a0-4131-b0a2-75a438ac15c3","tag":"a38ef717-4427-4aa0-9666-bb97c6ff45f3"},{"id":"d7e6c662-cdf7-48d4-8032-c0a59f1f80ca","tag":"b9c973c9-062d-4cbd-8bfe-98d0b4e547eb"},{"id":"7fb4ac5e-5b40-4c46-8d2f-549f80705cd8","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"01489c0a-cc03-4068-9345-ac2e16d55557","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"2aca8e55-0ed1-4d0e-8cc5-fb1211559109","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"9c693b0e-bcf4-58a8-9746-03e1ac16a7df"},{"id":"dd4f230d-198b-45d5-b0f9-55ee725cd836","name":"Citrine Sleet Cryptocurrency Industry Attack","description":"Microsoft researchers observed threat actors, believed to be members of the Citrine Sleet aka DEV-0139 group, launch an apparently targeted attack against an organization in the cryptocurrency industry.<sup>[[Microsoft DEV-0139 December 6 
2022](/references/f9c070f1-aa83-45a3-bffb-c90f4caf5926)]</sup>","first_seen":"2024-06-18T00:00:00Z","last_seen":"2022-10-19T00:00:00Z","created":"2024-10-04T20:33:27.270447Z","modified":"2024-10-04T20:33:27.270456Z","campaign_attack_id":"C3056","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"8410c119-0ce0-45d0-b372-e8cdb49384b2","tag":"cce5f564-f7f0-4aa6-a908-b857cb2cbfe4"},{"id":"98a52a0c-f293-4255-9759-c5d7630a7719","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"d44a8b01-332c-4f98-8fe1-756c1f2f2c9b","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"7f94edd1-249b-5673-892d-68f4eb84d7ef"},{"id":"3bbc4fbf-adfc-46e9-8c31-014e910c0e48","name":"CLEARFAKE","description":"A financially motivated campaign leveraging EtherHiding to distribute malware via deceptive overlays such as fake browser update prompts on compromised websites.<sup>[[Google Cloud Blog October 16 2025](/references/66fc30f1-2ace-4c63-9371-448827fdb719)]</sup>","first_seen":"2023-09-01T00:00:00Z","last_seen":"2025-10-16T00:00:00Z","created":"2025-10-24T16:14:02.974937Z","modified":"2025-10-24T16:14:02.974941Z","campaign_attack_id":"C3153","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"e931ffaa-6bab-49a6-a1ee-d5f76ea587c5","tag":"cce5f564-f7f0-4aa6-a908-b857cb2cbfe4"},{"id":"bc06d828-d0b8-4304-aa7d-7ef275041a4c","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"80d813e7-51ad-426f-b82a-fb51ba1b8871","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"429085f3-39a1-515d-853b-999dbacead8a"},{"id":"2c957f94-8b61-49b9-b914-74a06f8b91cd","name":"Cleo File Transfer Software Zero-Day Exploits (CVE-2024-50623 & CVE-2024-55956)","description":"Security researchers and incident responders observed actors exploiting vulnerabilities in the Cleo managed file transfer (\"MFT\") products LexiCom, VLTrader, and Harmony. 
Recent reports indicate that actors exploited CVE-2024-55956 in December 2024, while a similar vulnerability in the same products (CVE-2024-50623) had been exploited in October 2024.<sup>[[AttackerKB December 16 2024](/references/b8970cef-ddda-4a72-94ed-e2c911a20e18)]</sup> This Campaign object includes ATT&CK Technique relationships related to both sets of exploit activity.\n\nActors were observed writing and executing various code to ultimately ingress and execute payloads that included web shells and a modular tool with the ability to read and transfer files.<sup>[[AttackerKB December 16 2024](/references/b8970cef-ddda-4a72-94ed-e2c911a20e18)]</sup><sup>[[Binary Defense December 10 2024](/references/3fc33142-b596-46e9-b829-5c62734cdc3e)]</sup>News reports described the CVE-2024-50623 exploit activity as zero-day exploitation and linked attacks to Termite ransomware operators, while researchers drew parallels to Clop ransomware operators, who used a zero-day exploit to compromise a different vendor's MFT solution in mid-2023.<sup>[[DarkReading Termite Cleo December 10 2024](/references/e854ae37-3137-4cdd-a464-7e2328b1246e)]</sup><sup>[[U.S. 
CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup> Reports indicate that Cleo software is used by more than 4,000 customers in a variety of industries, underscoring the size of the potential attack surface related to the latest campaigns.<sup>[[DarkReading Termite Cleo December 10 2024](/references/e854ae37-3137-4cdd-a464-7e2328b1246e)]</sup>","first_seen":"2024-10-01T00:00:00Z","last_seen":"2024-12-10T00:00:00Z","created":"2024-12-17T14:34:11.317745Z","modified":"2024-12-17T14:34:11.317749Z","campaign_attack_id":"C3078","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"37c81453-7ceb-447f-a991-c47b9e4b4f1e","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"3901a135-3410-45a3-bf3c-4f38b72d802f","tag":"f513f863-5910-4e32-ab1c-c7b118cb5f41"},{"id":"94d6c36a-e323-49cf-84a8-32e607edfbf0","tag":"d9c05db7-e2eb-45da-b468-17d8c5fb6394"},{"id":"d4a75a5c-e7da-4a8d-bc3a-7448ef3ed02a","tag":"241d20a1-bda4-469b-854a-10113e64387d"},{"id":"1d883987-b007-46e7-a4fb-6d54eda17b27","tag":"5e7433ad-a894-4489-93bc-41e90da90019"},{"id":"5b9540df-803c-4d9d-9fcc-c38b022ac55a","tag":"7e7b0c67-bb85-4996-a289-da0e792d7172"},{"id":"52abbb80-ef0d-49ee-9e3c-e61e42a3054f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"dca96c93-470d-4357-a78d-e2f05aab38d2","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"60650310-b4be-5ac7-8342-9ef09e16d8c1"},{"id":"fefa1fb0-7e12-4d88-be02-b3a1ba476947","name":"ClickFake Interview","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2025-03-01T00:00:00Z","last_seen":"2025-03-21T00:00:00Z","created":"2025-05-06T16:29:23.477944Z","modified":"2025-05-06T16:29:23.477947Z","campaign_attack_id":"C3103","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"f9e1ffec-91ce-4235-bac2-39f29800a475","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"24bfdb97-ce6c-4e15-a683-1a28eabfc1b6","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"52e9e01c-55dd-5efd-9389-6f479f79d8cb"},{"id":"919818bd-a68a-44b1-ace2-54f8be43e907","name":"ClickFix Campaign (Qilin Ransomware Deployment)","description":"A campaign leveraging fake human verification pages (ClickFix) on compromised websites to deliver NetSupport RAT, StealC infostealer, and ultimately Qilin ransomware.<sup>[[None December 18 2025](/references/5a6246f8-c78e-404e-9f77-eaa8639114d3)]</sup>","first_seen":"2025-12-18T00:00:00Z","last_seen":"2025-12-18T00:00:00Z","created":"2025-12-29T17:41:31.127422Z","modified":"2025-12-29T17:41:31.127426Z","campaign_attack_id":"C3234","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"c033208a-a0d0-48c3-ae42-6ca8170418b9","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"17c4f369-03b1-49d6-b402-fbe3cec9dddc","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"bdb25c00-7e70-5cf2-840b-02534db610d8"},{"id":"f20c935b-e0c5-4941-b710-73cf06dd2b4a","name":"Clop MOVEit Transfer Vulnerability Exploitation","description":"In June 2023, U.S. authorities released Cybersecurity Advisory AA23-158A, which detailed observed exploits of a zero-day SQL injection vulnerability (CVE-2023-34362) affecting Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. 
According to the Advisory, exploit activity began on May 27, 2023, as threat actors, which the Advisory attributed to \"CL0P Ransomware Gang, also known as TA505\", began compromising internet-facing MOVEit Transfer web applications. Actors deployed web shells, dubbed LEMURLOOT, on compromised MOVEit applications, which enabled persistence, discovery of files and folders stored on MOVEit servers, and staging and exfiltration of compressed victim data. Authorities indicated they expected to see \"widespread exploitation of unpatched software services in both private and public networks\".<sup>[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup> Progress Software acknowledged the vulnerability and issued guidance on known affected versions, software upgrades, and patching.<sup>[[Progress Software MOVEit Transfer Critical Vulnerability](/references/9f364e22-b73c-4f3a-902c-a3f0eb01a2b9)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-34362<sup>[[U.S. 
CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup>","first_seen":"2023-05-27T00:00:00Z","last_seen":"2023-06-16T00:00:00Z","created":"2023-07-28T16:33:37.377718Z","modified":"2023-07-28T16:33:37.377723Z","campaign_attack_id":"C3005","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"8969e8d3-2f08-48ae-bf17-75413ad59247","tag":"241d20a1-bda4-469b-854a-10113e64387d"},{"id":"bb37ea73-a216-4c40-ba59-22c36e72088c","tag":"5e7433ad-a894-4489-93bc-41e90da90019"},{"id":"4586d692-00ea-4521-9943-be633915f138","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"ec42ca94-6899-4343-baff-2752a1451ee4","tag":"173e1480-8d9b-49c5-854d-594dde9740d6"}],"tidal_id":"1ff0f29f-c333-5587-9529-ced0e0fa73a3"},{"id":"c712e0f9-18fd-4946-84fd-e1747cd22bef","name":"Clop Oracle E-Business Suite Extortion Campaign","description":"A campaign in which actors apparently linked to the Clop ransomware group likely exploited a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite to steal large volumes of data from victim organizations. 
Actors sent extortion emails to Oracle E-Business Suite customers, claiming to have stolen data and demanding payment to prevent its disclosure.<sup>[[LinkedIn Austen Larsen Oracle CL0P 10 02 2025](/references/ab25e709-d6b4-4096-9366-8b04c6b95258)]</sup><sup>[[LinkedIn Austen Larsen Oracle CL0P Update 10 05 2025](/references/d45f111a-2300-49e6-96b8-72cb81b22543)]</sup><sup>[[CyberScoop 10 02 2025](/references/4fada70a-7191-40a0-a650-59ac060ff40c)]</sup><sup>[[Oracle Security Alerts CVE-2025-61882 10 05 2025](/references/f52483db-9d3f-4fdc-958f-a53a2c1fc4c1)]</sup><sup>[[CrowdStrike.com 10 06 2025](/references/b5630f1e-ea9c-4b8a-b31a-08e977f0c8ab)]</sup>","first_seen":"2025-08-09T00:00:00Z","last_seen":"2025-09-30T00:00:00Z","created":"2025-10-07T14:07:45.504862Z","modified":"2025-10-07T14:07:45.504865Z","campaign_attack_id":"C3132","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"a474e896-d35a-4569-bb48-46e86e896b86","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"aa5e5502-7d32-445c-8183-81a01fa17efa","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"c4465c0f-dfa7-52fd-9fcb-b63e30e115dc"},{"id":"d66106fb-fb4f-49c8-9c1e-a36112542c1a","name":"Cloud Atlas H1 2025 Campaign","description":"A campaign by the Cloud Atlas APT group in the first half of 2025, targeting organizations in Russia and Belarus across telecommunications, construction, government, and manufacturing sectors, using updated backdoors and cloud-based C2 infrastructure.<sup>[[Securelist December 19 2025](/references/5f6a0803-342f-4d82-a8d6-58c41f75956e)]</sup>","first_seen":"2025-01-01T00:00:00Z","last_seen":"2025-06-30T00:00:00Z","created":"2025-12-29T17:41:32.395686Z","modified":"2025-12-29T17:41:32.395689Z","campaign_attack_id":"C3242","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"0be31db0-bc38-4745-8ba8-a79f7207606a","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"60ed7d83-0fc1-46c4-a47b-19071f5a8834","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"6a5df9be-7ccd-525e-a2ec-22e44f4544d8"},{"id":"bbbdc2a2-bd7e-4251-a064-b7f4997ac2a4","name":"Cloudflare Thanksgiving 2023 security incident","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.","first_seen":"2023-11-14T00:00:00Z","last_seen":"2023-11-24T00:00:00Z","created":"2024-06-13T20:12:37.908542Z","modified":"2024-06-13T20:12:37.908546Z","campaign_attack_id":"C3022","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"23798e80-f95e-44af-a729-5655f4e4c855","tag":"fe28cf32-a15c-44cf-892c-faa0360d6109"},{"id":"c44b5c94-bbbe-44c9-bfd9-b6c40b298f3f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"76e2cb33-8929-438a-9a73-20c0fc40444e","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"b7e3f9fb-9a84-5345-90d7-0ba0f0018a5c"},{"id":"aac357ca-ddeb-497d-842b-ba3bcec27923","name":"Cluster 3 Booking.com Impersonation Campaign","description":"A campaign impersonating Booking.com, using ClickFix techniques and Steam Community pages as dead drop resolvers to deliver CastleRAT via CastleLoader.<sup>[[None December 09 2025](/references/ea47bb34-cf65-4abe-ae24-a51fad15154e)]</sup>","first_seen":"2025-03-01T00:00:00Z","last_seen":"2025-11-10T00:00:00Z","created":"2025-12-17T14:19:14.457768Z","modified":"2025-12-17T14:19:14.457771Z","campaign_attack_id":"C3211","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"b7f7f87d-cddb-46f6-a202-e3b73029ef50","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"f7b64a8e-32f5-47d5-a476-72e43f06aa7f","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"188dd0b9-ec6c-5ce6-88eb-795d48288975"},{"id":"7292a376-5115-4fcc-a11c-eb0de779c9ed","name":"Cluster 4 Malvertising and Fake Software Campaign","description":"A campaign distributing CastleLoader and NetSupport RAT via malvertising and fake software installers impersonating legitimate tools such as Zabbix and RVTools.<sup>[[None December 09 2025](/references/ea47bb34-cf65-4abe-ae24-a51fad15154e)]</sup>","first_seen":"2025-04-01T00:00:00Z","last_seen":"2025-11-10T00:00:00Z","created":"2025-12-17T14:19:14.613870Z","modified":"2025-12-17T14:19:14.613876Z","campaign_attack_id":"C3212","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"589b6f97-8070-420f-a68e-38ce51eeb78a","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"4db5e675-b70f-41f8-ab32-beaa395d08ba","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"4454ecf8-de12-586c-8f6a-9837b2b2fb71"},{"id":"5d4ed86e-ada4-4cf7-9122-5bca4d207ac7","name":"COLDRIVER ROBOT-themed Malware Campaigns (2025)","description":"A series of aggressive malware campaigns by COLDRIVER in 2025, involving rapid development and deployment of NOROBOT, YESROBOT, and MAYBEROBOT malware families to target high-profile individuals in NGOs, policy advisors, and dissidents.<sup>[[Google Cloud Blog October 20 2025](/references/0b0042cc-bd54-4944-b09a-e028bf6b2c60)]</sup>","first_seen":"2025-05-20T00:00:00Z","last_seen":"2025-09-30T00:00:00Z","created":"2025-10-24T16:14:01.966388Z","modified":"2025-10-24T16:14:01.966391Z","campaign_attack_id":"C3149","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"77f942bc-9efd-4195-b7c2-bac549b76125","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"fada22b0-5499-4102-b3d0-325efbf08de8","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"f85d5b3f-1be8-5972-8738-95f9b010e641"},{"id":"01d35d92-861c-483e-bdca-60d0c037d26e","name":"ConsentFix","description":"A phishing campaign using a browser-native ClickFix-style attack to hijack OAuth consent grants, targeting Microsoft accounts by abusing the Azure CLI OAuth app. Victims are lured via Google Search to compromised websites, where they are tricked into pasting OAuth authorization codes, granting attackers access to their accounts.<sup>[[Push Security December 11 2025](/references/4a5fd7d3-1124-42af-ac0c-5e0e0f6fddb3)]</sup>","first_seen":"2025-12-11T00:00:00Z","last_seen":"2025-12-11T00:00:00Z","created":"2025-12-17T14:19:15.776984Z","modified":"2025-12-17T14:19:15.776988Z","campaign_attack_id":"C3219","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"e78ff5c1-3a5a-4d82-8454-d00afbd26eb0","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"dd0a8186-e7a7-4e29-beea-257395d7d927","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"15876074-df75-5122-9d55-a81f151ffd44"},{"id":"92748129-528d-4ac4-bd36-2c3f6fe40e49","name":"Contagious Interview","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to threat activity dubbed \"Contagious Interview\", a long-running campaign attributed to North Korea state-sponsored actors, likely linked to Lazarus Group. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2022-12-01T00:00:00Z","last_seen":"2025-03-21T00:00:00Z","created":"2025-05-06T16:29:23.671308Z","modified":"2025-05-06T16:29:23.671311Z","campaign_attack_id":"C3104","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"427d1256-177f-4298-b626-5a1888920ce4","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"397eef80-99b2-41cc-bac5-8fbabf7f72f0","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"9b018f31-19ec-5a04-9d65-967d6a9a18e4"},{"id":"1944d651-f5e6-491f-ae20-0bf37eb81846","name":"Contagious Interview FlexibleFerret Activity (2025)","description":"A campaign leveraging fake job recruitment and staged hiring assessments to socially engineer victims into executing macOS malware, including FlexibleFerret, for credential theft and espionage.<sup>[[jamf FlexibleFerret November 25 2025](/references/9e21c538-cfd1-41c4-a188-443900b4fa19)]</sup>","first_seen":"2025-01-01T00:00:00Z","last_seen":"2025-11-25T00:00:00Z","created":"2025-12-10T14:15:25.946244Z","modified":"2025-12-10T14:15:25.946250Z","campaign_attack_id":"C3190","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"b528f738-5862-429e-a4c0-3183bc31230f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"4dceb608-580d-41b0-9206-3cc1fb70be03","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"ca70aa75-f07d-53d2-bc9b-5b98ce9e4e79"},{"id":"219d6dc1-178d-4fc6-aaa4-362327526f9a","name":"Contagious Interview Q4 2025 Activity","description":"A DPRK-aligned campaign targeting software developers with fake job interviews, delivering trojanized code projects to steal sensitive data and cryptocurrency.<sup>[[NVISO Labs November 13 
2025](/references/f298523a-6f0e-4699-8dd2-cd1d6b48297c)]</sup>","first_seen":"2023-01-01T00:00:00Z","last_seen":"2025-11-13T00:00:00Z","created":"2025-11-19T17:45:56.989616Z","modified":"2025-11-19T17:45:56.989619Z","campaign_attack_id":"C3165","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"1b96c7a5-cfd8-4cca-b0b1-bafdef836a15","tag":"cce5f564-f7f0-4aa6-a908-b857cb2cbfe4"},{"id":"9c63d6f8-8eab-41fd-8da5-618c0514850b","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"fafb6314-04f1-4da4-8756-5c239c4ce485","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"e5462220-d26b-51fd-a675-febaca7c69b0"},{"id":"4f1823b1-80ad-4f5d-ba04-a4d4baf37e72","name":"Corona Mirai Botnet Zero-Day Exploit Campaign","description":"Actors deploying a variant of the Mirai botnet, known as Corona, were observed exploiting a zero-day vulnerability (CVE-2024-7029) to achieve initial infection of new devices with the botnet. The vulnerability enables remote code execution on affected devices (AVTECH closed-circuit television (CCTV) cameras), which actors abused to ingress their main payloads.<sup>[[Akamai Corona Zero-Day August 28 2024](/references/140284f8-075c-4225-99dd-519ba5cebabe)]</sup>","first_seen":"2024-03-18T00:00:00Z","last_seen":"2024-08-28T00:00:00Z","created":"2024-09-06T15:14:39.049958Z","modified":"2024-09-06T15:14:39.049962Z","campaign_attack_id":"C3051","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"830042a1-c67f-4ca9-9d7d-35521704d195","tag":"55cb344a-cbd5-4fd1-a1e9-30bbc956527e"},{"id":"a017879a-7262-4261-95c7-8773b6eb07a2","tag":"f925e659-1120-4b76-92b6-071a7fb757d6"},{"id":"6ac503f3-838f-4583-8dfe-b411cb448610","tag":"06236145-e9d6-461c-b7e4-284b3de5f561"},{"id":"9413785e-02f3-4598-90ca-6ce1bb5b7df2","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"bf4be0bf-906d-4acb-88e2-1322448bc7aa","tag":"33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a"},{"id":"638cf760-488c-4f93-977e-470a6638d89d","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"21e57c07-e9d5-4804-a65f-16b1cc327ca1","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"0feedf89-ac74-51e8-bfd2-b7204c94c752"},{"id":"fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48","name":"CostaRicto","description":"[CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. 
[CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.<sup>[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]</sup>","first_seen":"2019-10-01T04:00:00Z","last_seen":"2020-11-01T04:00:00Z","created":"2022-09-15T17:25:38.020000Z","modified":"2022-10-05T15:54:36.557000Z","campaign_attack_id":"C0004","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"a05cf989-d5a7-51e7-b554-22ef8ff67a7c"},{"id":"63527e66-0a2d-4aed-a10f-ed9a5c2f4bad","name":"CrashFix Campaign","description":"A campaign by KongTuke using the malicious NexShield browser extension, fake security warnings, and multi-stage payloads to target both enterprise and home users, with a focus on domain-joined corporate environments.<sup>[[Huntress January 16 2026](/references/98f6f667-388b-4317-ad3e-be1caa99b87c)]</sup>","first_seen":"2025-01-01T00:00:00Z","last_seen":"2026-01-16T00:00:00Z","created":"2026-01-23T20:31:40.396345Z","modified":"2026-01-23T20:31:40.396350Z","campaign_attack_id":"C3289","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"54b6a913-44e3-424d-8f09-8562a7660a4f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"fe4349b6-12ab-4dc3-a3fc-61709d4b4e4b","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"64d72806-ce77-5584-87bd-be878fb8f6e2"},{"id":"7c0390b9-8545-49a4-acb1-bdfb0ba07d7c","name":"CrazyHunter ransomware campaign targeting Taiwan healthcare sector","description":"A campaign by the CrazyHunter Team targeting healthcare organizations in Taiwan with ransomware, using advanced lateral movement, privilege escalation, and extortion tactics.<sup>[[Www.trellix.com January 06 
2026](/references/fbecafee-381c-40f6-bb75-dcad4233b070)]</sup>","first_seen":"2024-06-01T00:00:00Z","last_seen":"2026-01-06T00:00:00Z","created":"2026-01-14T13:32:07.507953Z","modified":"2026-01-14T13:32:07.507957Z","campaign_attack_id":"C3258","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"1805cab0-1ead-48dc-b1a4-a8ee2d8fa3c0","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"4002befc-7c72-412a-99f7-a91f478e78c7","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"bb6b7fcd-c502-55c8-84e4-69d960611ad7"},{"id":"cb2ed455-d83c-4938-8461-2f8609b4bb6e","name":"Crimson Collective AWS Extortion Campaign","description":"A campaign observed in September 2025 where the Crimson Collective compromised AWS environments, exfiltrated data, and extorted victims, including a public claim of attacking Red Hat's GitLab repositories.<sup>[[Rapid7 October 07 2025](/references/4f936a29-51e4-4a28-b078-1a886284870f)]</sup>","first_seen":"2025-09-01T00:00:00Z","last_seen":"2025-09-30T00:00:00Z","created":"2025-10-13T17:29:36.798182Z","modified":"2025-10-13T17:29:36.798186Z","campaign_attack_id":"C3140","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"19f99d71-28cb-4772-adea-d7a891383508","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"50eea666-cab1-44cc-83d2-fcd8b08adef4","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"10a55088-cb36-5cab-b66f-b9bf27f5bef7"},{"id":"443e9009-3cc7-48cc-b521-657cf00444b7","name":"Cuckoo Spear","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2022-01-01T00:00:00Z","last_seen":"2024-01-01T00:00:00Z","created":"2025-02-03T21:09:25.021973Z","modified":"2025-02-03T21:09:25.021978Z","campaign_attack_id":"C3085","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"7590261e-290d-4845-8254-548b3a4b5a19","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"ffdf721d-6d31-4b1c-8694-f914439778e7","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"0b7a7e15-4cc6-5d1f-a4ab-36a3df478498"},{"id":"4e605e33-57fe-5bb2-b0ad-ec146aac041b","name":"Cutting Edge","description":"[Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) targeted the U.S. defense industrial base and multiple sectors globally including  telecommunications, financial, aerospace, and technology. 
[Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.<sup>[[Mandiant Cutting Edge January 2024](https://app.tidalcyber.com/references/9d9ec923-89c1-5155-ae6e-98d4776d4250)]</sup><sup>[[Volexity Ivanti Zero-Day Exploitation January 2024](https://app.tidalcyber.com/references/93eda380-ea21-59e0-97e8-5bec1f9a0e71)]</sup><sup>[[Volexity Ivanti Global Exploitation January 2024](https://app.tidalcyber.com/references/b96fa4f2-864d-5d88-9a29-b117da8f8c5c)]</sup><sup>[[Mandiant Cutting Edge Part 2 January 2024](https://app.tidalcyber.com/references/5209d259-4293-58c0-bbdc-f30ff77d57f7)]</sup><sup>[[Mandiant Cutting Edge Part 3 February 2024](https://app.tidalcyber.com/references/49e5b125-5503-5cb0-9a56-a93f82b55753)]</sup>","first_seen":"2023-12-01T05:00:00Z","last_seen":"2024-02-01T05:00:00Z","created":"2024-04-25T13:28:23.376313Z","modified":"2024-04-25T13:28:23.376316Z","campaign_attack_id":"C0029","source":"MITRE","owner_name":null,"tags":[{"id":"5d7ff64c-f8dd-49b4-b289-910264add61d","tag":"fe984a01-910d-4e39-9c49-179aa03f75ab"},{"id":"9e463ce2-faf1-4f4d-a4d0-4d43522b89cd","tag":"9768aada-9d63-4d46-ab9f-d41b8c8e4010"},{"id":"ba63e87b-9349-481d-acb1-73c9a54e2253","tag":"758c3085-2f79-40a8-ab95-f8a684737927"},{"id":"ec4c679e-4e43-47b8-b88e-8c091158eb38","tag":"af5e9be5-b86e-47af-91dd-966a5e34a186"},{"id":"6bc468de-1708-4c3b-8601-6a226392e717","tag":"35e694ec-5133-46e3-b7e1-5831867c3b55"},{"id":"01bd8c8d-0903-4c80-9b34-5f9f674246b9","tag":"1dc8fd1e-0737-405a-98a1-111dd557f1b5"},{"id":"3e55c5e7-8106-453f-a738-fef703fc497d","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"76bc2768-8401-4a20-afcf-94ffe6059fc4","tag":"d1ab6bd6-2688-4e54-a1d3-d180bb8fd41a"},{"id":"5cd79ec1-10fe-4aa3-97f9-e1976e695aa7","tag":"1ff4614e-0ee6-4e04-921d-61abba7fcdb7"},{"id":"5361cd3a-f91e-45f9-89ac-647824c4105b","tag":"
e00b65fc-8f56-4a9e-9f09-ccf3124a3272"}],"tidal_id":"829e7d0a-55bc-57c2-aeee-1002cfb07a72"},{"id":"8ee9d9f1-9906-4f0d-a4a7-0e6ed1aa4069","name":"DangerDev AWS Attack","description":"This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker gained initial access to an AWS environment using an \"accidentally exposed long term access key belonging to an IAM user\". The actor persisted for approximately a month and ultimately used their access to carry out limited cryptomining activity, conduct phishing and spam email attacks via AWS SES, and establish domains for further phishing/spam campaigns.<sup>[[Www.invictus-ir.com 1 31 2024](/references/803a084a-0468-4c43-9843-a0b5652acdba)]</sup>","first_seen":"2024-01-01T00:00:00Z","last_seen":"2024-01-31T00:00:00Z","created":"2024-06-13T20:12:39.724530Z","modified":"2024-06-13T20:12:39.724534Z","campaign_attack_id":"C3033","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"e2b6a22a-ed64-4601-891f-210a1ef50dc1","tag":"2e5f6e4a-4579-46f7-9997-6923180815dd"}],"tidal_id":"2418caaf-c1f7-5fff-9a7a-9bc10a87efeb"},{"id":"bc8bbe17-635f-4947-a867-37f08184d443","name":"DarkMusical","description":"A Donot Team campaign in 2021 targeting military organizations in Bangladesh and Nepal using a variant of the yty malware framework with themed filenames.<sup>[[www.welivesecurity.com January 18 2022](/references/e6d5b908-3837-4f7e-93c8-378d4006db58)]</sup>","first_seen":"2021-06-01T00:00:00Z","last_seen":"2021-09-30T00:00:00Z","created":"2026-01-23T20:31:39.399029Z","modified":"2026-01-23T20:31:39.399034Z","campaign_attack_id":"C3283","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"f98de764-7c59-43ad-8cc3-e7d11bd2791f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"a2ad230b-b899-486a-9277-ef5116885191","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"bb552d66-459a-54d8-941a-ed27f8ac1fa7"},{"id":"861af6eb-0b9e-45b4-9a46-f6126674a496","name":"DarkVault Ransomware Attacks (2023-2024)","description":"A series of ransomware and extortion attacks conducted by the DarkVault group, targeting organizations across multiple sectors and countries, using double extortion tactics and publishing victim data on their darknet leak site.<sup>[[www.threatintelligence.com July 18 2024](/references/c0cb0ea8-28af-45c0-9233-5deac85a7c46)]</sup>","first_seen":"2023-11-01T00:00:00Z","last_seen":"2024-06-18T00:00:00Z","created":"2026-01-23T20:31:38.282673Z","modified":"2026-01-23T20:31:38.282677Z","campaign_attack_id":"C3276","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"6d740d08-aa95-4082-a305-d33b74362120","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"93091bff-b1fd-4f5b-89c4-9a3f4c9e29e8","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"926441ef-089b-5b7d-84b3-c0cb9b23abb4"},{"id":"1a2caf4c-658d-4117-a912-55f4d6bca899","name":"Defense Sector Supply Chain Compromise by North Korea-Linked Actors","description":"German and South Korean cybersecurity authorities published an advisory highlighting recent attempts by North Korea-linked cyber actors to target enterprises and research centers in the defense sector. The advisory detailed a supply chain attack, attributed to an unnamed threat group, in which actors compromised a company that maintained a defense sector research center's web servers, then used stolen SSH credentials to remotely access the research center's network. 
The actors then used various methods to evade defenses, including impersonating security staff; deployed malware via a patch management system; and stole account information and email contents before being evicted from the network.<sup>[[BfV North Korea February 17 2024](/references/cc76be15-6d9d-40b2-b7f3-196bb0a7106a)]</sup>","first_seen":"2022-12-01T00:00:00Z","last_seen":"2022-12-31T00:00:00Z","created":"2024-03-01T20:23:49.556486Z","modified":"2024-03-01T20:23:49.556491Z","campaign_attack_id":"C3026","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"49d29c14-2e34-46cc-bbe9-529377c4e99a","tag":"6070668f-1cbd-4878-8066-c636d1d8659c"},{"id":"50702f6e-0e82-4576-8841-5599fff9cfbb","tag":"d8f7e071-fbfd-46f8-b431-e241bb1513ac"},{"id":"bec04a11-7a09-49fc-bb4a-1d83849c3afe","tag":"e7ea1f6d-59f2-40c1-bbfe-835dedf033ee"}],"tidal_id":"72f7643c-4818-5ad4-ba2c-7f12bc191696"},{"id":"a30cd09d-1e17-4297-99df-3b50e5bbec7b","name":"DragonForce SimpleHelp Vulnerabilities MSP Attack","description":"Attackers are believed to have leveraged three vulnerabilities (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) in the SimpleHelp remote monitoring and management tool (\"RMM\") to compromise SimpleHelp instances managed by an unnamed Managed Service Provider (\"MSP\"). The actors then used compromised RMM instances to deploy \"DragonForce ransomware\" to multiple endpoints managed by the MSP. 
The attackers also used unspecified means to exfiltrate victim data and attempted to extort targets into paying a ransom.<sup>[[Sophos DragonForce Attack May 27 2025](/references/edb4359f-f12a-4ab1-9116-9c4b3220120d)]</sup>","first_seen":"2025-05-01T00:00:00Z","last_seen":"2025-05-27T00:00:00Z","created":"2025-06-03T14:14:56.513379Z","modified":"2025-06-03T14:14:56.513382Z","campaign_attack_id":"C3108","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"7b33d08d-b878-479b-b690-728aa411d5ea","tag":"e316d257-7351-4868-bae2-579f71282cc2"},{"id":"9d26d01c-ccb1-490a-8bec-319c77078c02","tag":"bce27095-6b06-4746-a8df-136ad13c7833"},{"id":"989bcf04-ca03-483a-a4e5-ec51ecb7dfad","tag":"27eaae77-7e2d-4ab3-8349-a24134c5f6a9"},{"id":"912133bd-b227-4f25-b33c-f476c4d59102","tag":"e7ea1f6d-59f2-40c1-bbfe-835dedf033ee"},{"id":"215d1aa7-e113-444e-bddd-3bfbcab8be1a","tag":"5e7433ad-a894-4489-93bc-41e90da90019"},{"id":"d6535b38-7df6-4cd6-aa1a-e481accab647","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"69a58d20-79e7-44ff-836e-6b81a99186f8","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"98f6c234-da7d-5ad0-bd0e-b2b04b48544b"},{"id":"dc4797d2-6607-4e94-916d-227092a992c9","name":"Earth Estries 2023-2024 Espionage Intrusions","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2023-10-01T00:00:00Z","last_seen":"2024-10-31T00:00:00Z","created":"2024-12-02T20:29:02.861417Z","modified":"2024-12-02T20:29:02.861421Z","campaign_attack_id":"C3075","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"225b166b-0678-4fbe-8367-8d3e35ea38cb","tag":"915e7ac2-b266-45d7-945c-cb04327d6246"},{"id":"6fececfa-6194-4df8-aba0-45fba16b3011","tag":"e499005b-adba-45bb-85e3-07043fd9edf9"},{"id":"a52fae78-4b5c-4e72-945a-25a3bc2094c7","tag":"8b1cb0dc-dd3e-44ba-828c-55c040e93b93"},{"id":"bd6a3e8b-c2c2-4a3e-8bc5-94f454aadc1f","tag":"5f5e40cd-0732-4eb4-a083-06940623c3f9"},{"id":"4d0b1cbc-e19c-490f-a975-57d15baae0ee","tag":"5b8371c5-1173-4496-82c7-5f0433987e77"},{"id":"a831f317-cd0d-4931-914a-f16911b23a15","tag":"8046a757-48f0-4787-81ab-9dc8c1eb77cd"},{"id":"13950181-bc5c-4cc9-80d6-604ac5afa48b","tag":"1ff4614e-0ee6-4e04-921d-61abba7fcdb7"},{"id":"0f124db4-874f-433e-8318-9211615b37a4","tag":"e00b65fc-8f56-4a9e-9f09-ccf3124a3272"},{"id":"ab56c98e-92e0-4d9c-af44-946d600dd4ca","tag":"15f2277a-a17e-4d85-8acd-480bf84f16b4"},{"id":"61108d3c-8d82-4a11-a4e0-fcd9997b55ce","tag":"a159c91c-5258-49ea-af7d-e803008d97d3"},{"id":"4a37663c-80f8-4cbb-8130-2f6e34f989b5","tag":"9768aada-9d63-4d46-ab9f-d41b8c8e4010"},{"id":"27bf2475-c591-4b52-9e8c-fb28787de64b","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"1c6a8e8a-7dc9-4839-834d-197bd681820c","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"35b90b61-bfd9-551c-b558-bdd33638ed23"},{"id":"45b2d60e-6eae-48a7-a5fa-29dc09428808","name":"Earth Estries Government & Technology Cyberespionage Campaign","description":"Trend Micro researchers reported about a campaign, which they attributed to the \"Earth Estries\" group, which targeted government and technology organizations in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the United States for suspected cyberespionage 
purposes.<sup>[[Trend Micro Earth Estries August 30 2023](/references/d3b71f80-4dd5-43d6-9522-9d8a83469109)]</sup> In a later report, the same researchers described Earth Estries as \"also known as\" Salt Typhoon, a China-backed espionage actor group.<sup>[[Trend Micro Earth Estries November 8 2024](/references/75e21136-ebd2-449a-8fd9-7379db7bdc64)]</sup>","first_seen":"2023-04-01T00:00:00Z","last_seen":"2023-08-30T00:00:00Z","created":"2024-11-15T17:29:24.994247Z","modified":"2024-11-15T17:29:24.994252Z","campaign_attack_id":"C3069","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"7431a02d-8356-4f34-b178-5bbec931b6d6","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"7333121f-7cc9-4e02-b87b-56fb77e886d0","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"ad6982e8-5640-542f-8bb1-ed7a2bd56764"},{"id":"0e8b510d-c11d-4f6b-bb91-b53eafa5ada1","name":"Emerald Sleet PowerShell User Execution Activity","description":"Emerald Sleet actors were observed using a new method to compromise their traditional espionage targets in \"limited\" attacks since January 2025. After building a rapport with target users while posing as South Korean government officials, the actors sent victims spearphishing emails with PDF attachments. 
The attachments contained links that would instruct the victims to open PowerShell as an administrator and paste and execute code, which ultimately led to the installation of a browser-based remote desktop tool.<sup>[[Microsoft Emerald Sleet LinkedIn February 12 2025](/references/438acf7a-34c5-4981-9f88-4f36c4f4fe5c)]</sup>","first_seen":"2025-01-01T00:00:00Z","last_seen":"2025-02-12T00:00:00Z","created":"2025-02-18T15:18:40.805892Z","modified":"2025-02-18T15:18:40.805896Z","campaign_attack_id":"C3091","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"6f502957-c9f1-42cc-b17f-c3104f14d34d","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"d522e137-5518-4cea-9fb2-2d30188d56ce","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"ee22a896-cd72-5ac0-8208-962a1b620c92"},{"id":"0ca317da-c8d6-4bd5-8c1e-5d581c9095ce","name":"Emmenhtal Loader Distribution Activity","description":"Security researchers observed consistent adversary use of Web Distributed Authoring and Versioning (WebDAV) technology to host malicious files related to Emmenhtal (aka PeakLight), a stealthy loader malware that was then used to ingress various final malicious payloads, including DarkGate, Amadey, and SelfAU3.<sup>[[Sekoia.io Blog September 19 2024](/references/df9ff358-4d1e-4094-92cd-4703c53a384c)]</sup>","first_seen":"2023-12-01T00:00:00Z","last_seen":"2024-09-19T00:00:00Z","created":"2024-10-14T19:20:50.697357Z","modified":"2024-10-14T19:20:50.697361Z","campaign_attack_id":"C3060","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"ee07a946-5045-430d-92f6-9abb073251f3","tag":"61085b71-eb19-46d8-a9e6-1ab9d2f3c08d"},{"id":"4d0a4694-4308-4f0c-9af8-29c99afd7750","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"773cfe5d-16ea-4e84-b4a6-7ebe60ce50c9","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"b1b6ee21-3b62-5145-8020-23a966231bbe"},{"id":"ce758ef7-9ffb-46cb-af3d-abad454f60de","name":"EVALUSION Campaign","description":"A malware campaign 
observed in November 2025 using ClickFix as an initial access vector to deliver Amatera Stealer and NetSupport RAT, targeting systems with valuable data such as crypto wallets or domain membership.<sup>[[eSentire November 13 2025](/references/f346f327-f0e4-4405-bf3c-c0723c23384f)]</sup>","first_seen":"2025-11-01T00:00:00Z","last_seen":"2025-11-13T00:00:00Z","created":"2025-12-10T14:15:24.686567Z","modified":"2025-12-10T14:15:24.686572Z","campaign_attack_id":"C3184","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"b9ec4cc4-8cde-4418-b837-0ef5e28e6bc2","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"32b17a55-fa12-456d-9fda-35c3a126176f","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"58374d3d-793f-5672-9f18-d1e67eab7a09"},{"id":"7ab1afc0-afdc-4a81-a679-7a10a3916f30","name":"Evasive Panda AitM and DNS Poisoning Campaign (2022-2024)","description":"A highly targeted campaign by Evasive Panda from November 2022 to November 2024, using adversary-in-the-middle and DNS poisoning attacks to deliver multi-stage loaders and the MgBot implant to victims in Türkiye, China, and India.<sup>[[Securelist December 24 2025](/references/f7f6c441-7b98-43fc-b173-2be753d6bf97)]</sup>","first_seen":"2022-11-01T00:00:00Z","last_seen":"2024-11-30T00:00:00Z","created":"2025-12-29T17:41:33.142396Z","modified":"2025-12-29T17:41:33.142400Z","campaign_attack_id":"C3247","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"711cf151-00a3-4960-9c6e-8b4cfd675a93","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"6d8f8918-f995-4302-921c-a563cac304b4","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"381f3d11-b7db-5813-b179-d836a0946e9d"},{"id":"e54fd456-b1a6-450b-9daa-91504b12d901","name":"Exploitation of Windows Server Update Services Remote Code Execution Vulnerability (CVE-2025-59287)","description":"A campaign observed in October 2025 where threat actors exploited a deserialization vulnerability in WSUS (CVE-2025-59287) to achieve remote 
code execution, enumerate sensitive information, and exfiltrate data via PowerShell and curl.<sup>[[Huntress October 24 2025](/references/f7581e7f-c95b-4ba4-baf9-9c039bf77c33)]</sup>","first_seen":"2025-10-23T00:00:00Z","last_seen":"2025-10-24T00:00:00Z","created":"2025-11-11T13:26:49.970202Z","modified":"2025-11-11T13:26:49.970207Z","campaign_attack_id":"C3159","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"ff10014e-a989-4a9d-a128-d534eda51307","tag":"60240f0b-e266-4868-9b24-b0ade8ce9a7b"},{"id":"6ec84d06-bcb4-4f26-8180-1d0bb488ffc3","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"7030928d-acfa-4b41-a032-37c2f48cf74d","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"fe98b4a4-6a7f-586d-b5b2-635704427122"},{"id":"ef2eef71-e879-4b0f-8463-d97c13599994","name":"F5 BIG-IP Product Development Environment Intrusion (2025)","description":"A long-term, persistent cyber-espionage campaign by a nation-state actor targeting F5's BIG-IP product development and engineering knowledge management platforms, resulting in the exfiltration of source code and vulnerability information.<sup>[[F5 Security Incident October 15 2025](/references/719c1ed7-4375-456a-a0ca-875039f783b2)]</sup><sup>[[U.S. 
CISA Vulnerabilities in F5 Devices October 15 2025](/references/8d377896-9a11-4ac1-aad4-1d5ac4580cfa)]</sup>","first_seen":"2025-08-01T00:00:00Z","last_seen":"2025-08-31T00:00:00Z","created":"2025-10-17T17:10:09.245588Z","modified":"2025-10-17T17:10:09.245590Z","campaign_attack_id":"C3148","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"316dbae3-2538-42f2-96b0-08dc535a1f31","tag":"f2ae2283-f94d-4f8f-bbde-43f2bed66c55"},{"id":"4c34a720-b96c-4598-81d1-e6cd5869f1d5","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"772c32aa-f29c-4e0f-a401-3fbb6b21f2fc","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"34bdd57c-f1c3-5c72-9606-8122a5fb1699"},{"id":"c43c2699-0787-4950-b675-42afa9b9aee8","name":"\"Fake CAPTCHA\" Lumma Stealer Distribution Campaign","description":"Researchers observed actors distributing Lumma Stealer malware via websites made to look like legitimate CAPTCHA forms. The fake, malicious forms were designed to trick users into copying and executing PowerShell code on their machines, which would ultimately fetch and deploy the infostealer payload. 
This campaign targeted victims in countries around the world, including Argentina, Colombia, the Philippines, and the United States specifically, and a range of industries were impacted, including healthcare, banking, and telecommunications.<sup>[[Netskope January 23 2025](/references/5dca9c19-772e-41e9-bbcc-5060586781b6)]</sup>","first_seen":"2025-01-01T00:00:00Z","last_seen":"2025-01-23T00:00:00Z","created":"2025-02-11T18:20:49.374391Z","modified":"2025-02-11T18:20:49.374395Z","campaign_attack_id":"C3088","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"6cb77e45-a0d4-45e4-8b25-0dc1c5b850e3","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"791ea8c8-41ae-44b3-be03-c92d7ea7defd","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"2a88ec74-0587-57c2-802e-e7e22ba56dc1"},{"id":"7fa02214-cd06-480d-af2d-5943be14c6bd","name":"FamousSparrow/GhostEmperor Vulnerability Exploit and Post-Compromise Activity","description":"ESET researchers observed cyberespionage activity that they linked to the FamousSparrow group, where actors used ProxyLogon and other vulnerability exploits to compromise hotel, legal, and other organizations worldwide and install a backdoor dubbed SparrowDoor, among other post-exploit tools.<sup>[[ESET FamousSparrow September 23 2021](/references/f91d6d8e-22a4-4851-9444-7a066e6b7aa5)]</sup>\n\nAt a similar time, Kaspersky researchers reported activity they linked to the GhostEmperor group, where ProxyLogon was also exploited and similar post-exploit tools were deployed, as well as a rootkit dubbed Demodex. 
The researchers further indicated that one of the command and control servers identified during their investigation correlated to the FamousSparrow activity that ESET had reported.<sup>[[Kaspersky September 30 2021](/references/8851f554-05c6-4fb0-807e-2ef0bc28e131)]</sup>","first_seen":"2021-03-03T00:00:00Z","last_seen":"2021-03-31T00:00:00Z","created":"2024-10-25T19:44:40.914732Z","modified":"2024-10-25T19:44:40.914740Z","campaign_attack_id":"C3064","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"59a90beb-475b-4af0-a897-dccb36538760","tag":"915e7ac2-b266-45d7-945c-cb04327d6246"},{"id":"333dce85-b3a4-4070-a175-cdab3cdb5727","tag":"e499005b-adba-45bb-85e3-07043fd9edf9"},{"id":"78978a59-29ca-4b79-98e7-ab80914bb5b1","tag":"8b1cb0dc-dd3e-44ba-828c-55c040e93b93"},{"id":"40475758-ab74-4737-b81b-90b4606f68b7","tag":"5f5e40cd-0732-4eb4-a083-06940623c3f9"},{"id":"e393453d-b663-43bd-a16f-41861bd8d388","tag":"15f2277a-a17e-4d85-8acd-480bf84f16b4"},{"id":"88756aa3-b1fd-445e-8860-7f3a28bc30ee","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"01d93431-27ee-4a3c-8ec1-165384e87f02","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"ed3cf00b-f2e0-5186-b3c7-820dc3474f98"},{"id":"129ffe04-ea90-45d1-a2fd-7ff0bffa0433","name":"FIN12 March 2023 Hospital Center Intrusion","description":"In September 2023, French cybersecurity authorities released advisory CERTFR-2023-CTI-007, which detailed a network intrusion of the Regional and University Hospital Center of Brest, in northwestern France. Actors used valid credentials belonging to a healthcare professional to connect to a remote desktop service exposed to the Internet, then installed Cobalt Strike and SystemBC to provide backdoor network access. 
Authorities indicated that the credentials were likely compromised via unspecified infostealer malware.\n\nThe actors used multiple third-party tools for credential access and discovery, and they attempted to exploit at least five vulnerabilities for privilege escalation and lateral movement. Authorities worked with hospital personnel to isolate affected systems and disrupt the intrusion before suspected data exfiltration and encryption could take place. Based on infrastructural and behavioral overlaps with other incidents, officials attributed the intrusion to the FIN12 financially motivated actor group and indicated the same actors are responsible for dozens of attacks on French victims in recent years.\n\nAdditional details, indicators of compromise, and the observed Cobalt Strike configuration can be found in the [source report](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf).<sup>[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472<sup>[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]</sup>","first_seen":"2023-03-01T00:00:00Z","last_seen":"2023-03-31T00:00:00Z","created":"2023-09-22T15:01:33.867462Z","modified":"2023-09-22T15:01:33.867471Z","campaign_attack_id":"C3010","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"057cfd3d-87b9-4851-b092-ae7cd3846810","tag":"89c5b94b-ecf4-4d53-9b74-3465086d4565"},{"id":"cd10c237-ed8d-4e04-b4f1-0332551d8a79","tag":"2743d495-7728-4a75-9e5f-b64854039792"},{"id":"b189cb3b-5b32-4efb-be25-52a50d274653","tag":"ecd84106-2a5b-4d25-854e-b8d1f57f6b75"},{"id":"e5d2a697-846f-45a3-a423-f65de326992c","tag":"a6ba64e1-4b4a-4bbd-a26d-ce35c22b2530"},{"id":"f87295d3-5e13-4585-b954-57d3a5003405","tag":"4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930"},{"id":"177a4fcf-7379-48e4-8fec-66485dce679a","tag":"d385b541-4033-48df-93cd-237ca6e46f36"}],"tidal_id":"29136326-e0ff-52c4-b805-88a1fd76bfd5"},{"id":"10495bfe-8434-47e4-812c-fd8b0339f4d8","name":"FIN7 Anubis Backdoor Activity","description":"Multiple security research teams observed suspected FIN7 actors deploying Anubis, a Python-based backdoor newly linked to the cybercriminal group. Actors gained initial access by delivering phishing emails with Python scripts attached within a ZIP archive file and tricking users into executing the attached file. 
Anubis then provided actors with a range of post-compromise capabilities, including obfuscation and other defense evasion abilities, remote access, file ingress features, and persistence mechanisms.<sup>[[The Hacker News April 2 2025](/references/22857eb3-b5f7-4677-bf5c-bc993f483450)]</sup><sup>[[G DATA CyberDefense AG March 20 2025](/references/a9b00314-5a02-4fa8-9d34-27f05a71ff3c)]</sup>","first_seen":"2025-03-12T00:00:00Z","last_seen":"2025-04-02T00:00:00Z","created":"2025-04-08T16:39:12.686308Z","modified":"2025-04-08T16:39:12.686313Z","campaign_attack_id":"C3099","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"e7b84edd-1808-4cb4-b30a-241d01f7a846","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"07f81651-03e4-49bc-afda-fe98b9522df6","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"48b7aba5-f6a7-5500-83a1-c63808484eac"},{"id":"1c244c55-d0f7-5d58-8bc3-59b15a92bf3a","name":"FLORAHOX Activity","description":"[FLORAHOX Activity](https://app.tidalcyber.com/campaigns/1c244c55-d0f7-5d58-8bc3-59b15a92bf3a) is conducted using a hybrid operational relay box (ORB) network, which combines two types of infrastructure: compromised devices and leased Virtual Private Servers (VPS). The compromised devices include end-of-life routers and IoT devices, while VPS space is commercially leased and managed by ORB network administrators. This hybrid ORB network allows adversaries to proxy and obscure malicious traffic, making the source of the traffic more difficult to trace.\n\nThe FLORAHOX ORB network has been leveraged by multiple cyber threat actors, including China-nexus actors like [ZIRCONIUM](https://app.tidalcyber.com/groups/5e34409e-2f55-4384-b519-80747d02394c). 
These adversaries conduct espionage campaigns through [FLORAHOX Activity](https://app.tidalcyber.com/campaigns/1c244c55-d0f7-5d58-8bc3-59b15a92bf3a), relying on the ORB network's ability to funnel traffic through [Tor](https://app.tidalcyber.com/software/8c70d85b-b06d-423c-8bab-ecff18f332d6) nodes, provisioned VPS servers, and compromised routers to obfuscate malicious traffic.<sup>[[ORB Mandiant](https://app.tidalcyber.com/references/3852fe26-53ad-504f-9328-7e249d121ebd)]</sup>","first_seen":"2019-01-01T05:00:00Z","last_seen":"2024-05-01T04:00:00Z","created":"2025-04-22T20:47:03.389420Z","modified":"2025-04-22T20:47:03.389424Z","campaign_attack_id":"C0053","source":"MITRE","owner_name":null,"tags":[{"id":"71eb080d-c8a2-4773-a930-9ad2458c489a","tag":"b20e7912-6a8d-46e3-8e13-9a3fc4813852"}],"tidal_id":"1c244c55-d0f7-5d58-8bc3-59b15a92bf3a"},{"id":"50a2fbb8-e92e-4033-9dfc-d6b47aaab22d","name":"FortiManager Zero-Day Exploit Activity (CVE-2024-47575)","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2024-06-27T00:00:00Z","last_seen":"2024-10-23T00:00:00Z","created":"2024-10-25T19:44:41.319228Z","modified":"2024-10-25T19:44:41.319234Z","campaign_attack_id":"C3066","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"c1acc233-29ff-4136-9594-b09e08f9168e","tag":"ef7715f8-526a-4df5-bad3-74b66170a52b"},{"id":"a917c001-21c5-4765-aa77-0ae7b8309d5e","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"740611a7-53e0-45d2-b1ac-452c26da169f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"271a24ee-2f9d-4ff6-876e-7ba119ebea24","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"9ed1179b-8d27-56b1-8234-70f74b77fb7b"},{"id":"5e9e9b32-f491-4d87-a8db-ca948a137c84","name":"Fortinet FortiGate Vulnerability Zero-Day Exploit Campaign (CVE-2024-55591)","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2024-12-01T00:00:00Z","last_seen":"2024-12-27T00:00:00Z","created":"2025-01-28T15:54:17.726137Z","modified":"2025-01-28T15:54:17.726142Z","campaign_attack_id":"C3083","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"753fa85c-bbab-4ecf-ad4b-6c57a623ee14","tag":"abff87bf-5c28-489b-8fe6-e1fc74abb70a"},{"id":"f69b8fca-ae21-4681-8914-fc6d600d1b04","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"e4d4b035-088b-45c9-94b7-e1bb860f840b","tag":"a159c91c-5258-49ea-af7d-e803008d97d3"},{"id":"b362bf08-52ec-43e4-9a15-8d2927016384","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"27c3b41b-aa21-4e8a-aa0e-08fa1f7e2caf","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"ae3c08e1-57fc-51cf-b62a-bf7569425d28"},{"id":"2fab9878-8aae-445a-86db-6b47b473f56b","name":"Frankenstein","description":"[Frankenstein](https://app.tidalcyber.com/campaigns/2fab9878-8aae-445a-86db-6b47b473f56b) was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including [Empire](https://app.tidalcyber.com/software/fea655ac-558f-4dd0-867f-9a5553626207). 
The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.<sup>[[Talos Frankenstein June 2019](https://app.tidalcyber.com/references/a6faa495-db01-43e8-9db3-d446570802bc)]</sup>","first_seen":"2019-01-01T06:00:00Z","last_seen":"2019-04-01T05:00:00Z","created":"2022-09-07T13:40:09.750000Z","modified":"2022-09-21T15:15:43.055000Z","campaign_attack_id":"C0001","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"16528ed2-8c14-51a9-87d0-6095ce5cf4b7"},{"id":"6a06b418-9a4c-4d93-b909-76f2dedaf3f1","name":"From Armillaria loader to EDR killer","description":"A campaign involving the use of the Armillaria loader and EDR killer modules by Akira ransomware operators to disable endpoint security and prepare hosts for ransomware deployment.<sup>[[None December 10 2025](/references/8dcd43e9-e28f-4536-93d3-9823aa064cdb)]</sup>","first_seen":"2025-11-19T00:00:00Z","last_seen":"2025-12-10T00:00:00Z","created":"2025-12-24T14:57:52.264485Z","modified":"2025-12-24T14:57:52.264488Z","campaign_attack_id":"C3230","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"e1542024-d813-482b-80fc-020f3619edc6","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"cd3b9735-04c7-4aa1-a5b1-964cf3fae8a2","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"f9d459a7-9b4c-5e68-8388-2bc08c3f602e"},{"id":"1ca84953-7ba1-5449-a24b-4c6492201b77","name":"FrostyGoop Incident","description":"[FrostyGoop Incident](https://app.tidalcyber.com/campaigns/1ca84953-7ba1-5449-a24b-4c6492201b77) took place in January 2024 against a municipal district heating company in Ukraine. 
Following initial access via likely exploitation of external facing services, [FrostyGoop](https://app.tidalcyber.com/software/) was used to manipulate ENCO control systems via legitimate Modbus commands to impact the delivery of heating services to Ukrainian civilians.<sup>[[Dragos FROSTYGOOP 2024](https://app.tidalcyber.com/references/668d7fff-8606-5aa1-895c-390b04d176d1)]</sup><sup>[[Nozomi BUSTLEBERM 2024](https://app.tidalcyber.com/references/d8a5e49e-7d1c-54eb-92dc-273adb930c20)]</sup>","first_seen":"2024-01-01T07:00:00Z","last_seen":"2024-01-01T07:00:00Z","created":"2025-04-22T20:47:02.956972Z","modified":"2025-04-22T20:47:02.956976Z","campaign_attack_id":"C0041","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"1ca84953-7ba1-5449-a24b-4c6492201b77"},{"id":"94587edf-0292-445b-8c66-b16629597f1e","name":"FunnyDream","description":"[FunnyDream](https://app.tidalcyber.com/campaigns/94587edf-0292-445b-8c66-b16629597f1e) was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. 
Security researchers linked the [FunnyDream](https://app.tidalcyber.com/campaigns/94587edf-0292-445b-8c66-b16629597f1e) campaign to possible Chinese-speaking threat actors through the use of the [Chinoxy](https://app.tidalcyber.com/software/7c36563a-9143-4766-8aef-4e1787e18d8c) backdoor and noted infrastructure overlap with the TAG-16 threat group.<sup>[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)]</sup><sup>[[Kaspersky APT Trends Q1 2020](https://app.tidalcyber.com/references/23c91719-5ebe-4d03-8018-df1809fffd2f)]</sup><sup>[[Recorded Future Chinese Activity in Southeast Asia December 2021](https://app.tidalcyber.com/references/0809db3b-81a8-475d-920a-cb913b30f42e)]</sup>","first_seen":"2018-07-01T05:00:00Z","last_seen":"2020-11-01T04:00:00Z","created":"2022-09-20T17:29:09.547000Z","modified":"2022-10-10T16:19:33.560000Z","campaign_attack_id":"C0007","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"abfa714d-b219-5da4-8143-ee3ed370cc08"},{"id":"39eff932-c255-4bfa-9be5-ba34940079b5","name":"Gainsight Salesforce OAuth Token Compromise Campaign","description":"A campaign in November 2025 where threat actors abused Gainsight-published applications' OAuth connections to access Salesforce customer data, using various VPNs and automation tools for reconnaissance and unauthorized access.<sup>[[Salesforce November 22 2025](/references/dda44228-4820-414c-90c9-9865ac887249)]</sup>","first_seen":"2025-10-23T00:00:00Z","last_seen":"2025-11-19T00:00:00Z","created":"2025-11-26T19:38:34.850681Z","modified":"2025-11-26T19:38:34.850685Z","campaign_attack_id":"C3177","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"0ebfb7b4-074b-4761-83ba-1314c08dfc59","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"2c8944a1-087a-4fad-9a73-0a8bbd31f657","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"aa05a7aa-0037-5e31-b3c6-9e3dc473d6e2"},{"id":"7249921c-cf9e-440e-8229-225c387563b2","name":"Gedit","description":"A series of Donot Team campaigns from 2020 to 2021 targeting government and military organizations in Pakistan, Bangladesh, Nepal, and Sri Lanka using the Gedit variant of the yty malware framework.<sup>[[www.welivesecurity.com January 18 2022](/references/e6d5b908-3837-4f7e-93c8-378d4006db58)]</sup>","first_seen":"2020-09-01T00:00:00Z","last_seen":"2021-10-31T00:00:00Z","created":"2026-01-23T20:31:39.570079Z","modified":"2026-01-23T20:31:39.570086Z","campaign_attack_id":"C3284","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"e2211ea5-91bb-40b6-81fb-22635982a6ea","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"f5cfd210-93b7-4db7-b867-e63174fa3942","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"eaea8017-7324-56df-8d2f-767672c5f8d4"},{"id":"97c1e289-6c5e-41e9-a17e-72f49fc126ce","name":"German Entity Sliver Implant Targeting","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2025-01-17T00:00:00Z","last_seen":"2025-01-21T00:00:00Z","created":"2025-03-25T13:16:35.415241Z","modified":"2025-03-25T13:16:35.415244Z","campaign_attack_id":"C3097","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"740115c5-435c-45df-bc2c-e2ec9c87f9be","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"16459ea6-6cd6-4df9-853b-e08bd92c69e0","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"7e1efb6c-4ce4-51e5-911d-a5b540878502"},{"id":"9ca03e9b-05bb-416a-a83c-4e84274e5b9e","name":"GhostCall","description":"A campaign by BlueNoroff targeting executives at tech companies and venture capital firms, primarily in the Web3/blockchain sector, using fake video calls and phishing sites mimicking Zoom and Teams to deliver multi-stage malware on macOS and Windows.<sup>[[Securelist October 28 2025](/references/cb5511fe-e8c0-4878-b986-a5b5aaa902d8)]</sup>","first_seen":"2023-06-01T00:00:00Z","last_seen":"2025-10-01T00:00:00Z","created":"2025-12-24T14:57:50.754166Z","modified":"2025-12-24T14:57:50.754171Z","campaign_attack_id":"C3220","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"c8a0e82c-319e-4b05-a9a1-c014dd520d59","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"55342640-e61d-4575-80e1-9ab203dab2e7","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"ae7058fb-a048-52eb-99a0-c4179e93f599"},{"id":"c1447188-c034-408e-a827-55314c698827","name":"GhostEmperor/Demodex 2023 Compromise","description":"In July 2024, Sygnia researchers reported about what they described as an \"updated infection chain\" used to deploy a variant of the Demodex rootkit, associated with the GhostEmperor (AKA FamousSparrow and Salt Typhoon) China-backed cyberespionage group. 
The attacks, which were discovered at an unspecified time in \"late 2023\", featured malware loading and obfuscation methods distinct from those observed during previous GhostEmperor activity in 2021.<sup>[[Sygnia July 17 2024](/references/7d30acb4-9600-46bd-a800-1c7e1149e9b4)]</sup>","first_seen":"2023-12-01T00:00:00Z","last_seen":"2023-12-31T00:00:00Z","created":"2024-10-25T19:44:41.119573Z","modified":"2024-10-25T19:44:41.119577Z","campaign_attack_id":"C3065","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"8357fd0d-0dbc-494e-99ed-06386ab2e1c6","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"46d533e3-bf7f-43d1-ab9c-73386f3fa440","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"3e1003a3-41d0-53de-a0ee-12579a8371bd"},{"id":"a24eb96b-d17d-47d6-89a4-f8ff20ae01df","name":"GhostHire","description":"A campaign by BlueNoroff targeting Web3 developers and engineers through fake recruitment and skill assessments, delivering malware via Telegram bots and malicious GitHub repositories, affecting Windows, macOS, and Linux.<sup>[[Securelist October 28 2025](/references/cb5511fe-e8c0-4878-b986-a5b5aaa902d8)]</sup>","first_seen":"2023-06-01T00:00:00Z","last_seen":"2025-10-01T00:00:00Z","created":"2025-12-24T14:57:50.931835Z","modified":"2025-12-24T14:57:50.931839Z","campaign_attack_id":"C3221","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"1c3b5f6b-5e34-4eb0-af7e-45def94bff3e","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"e03b5027-c4d5-4b42-adf7-825172cff073","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"95370c9c-4aaa-59c2-a3cb-4c80ed0b1472"},{"id":"1837d8c7-8b66-400a-94a3-bfea2471ef42","name":"GhostPoster","description":"A campaign using browser extensions to deliver malicious payloads via PNG steganography, targeting Firefox and Opera users for stealthy payload delivery and backdoor installation, with over 1 million victims.<sup>[[Www.koi.ai January 05 
2026](/references/5da3facd-7bd9-4a02-843a-ad4b3fa273d7)]</sup>","first_seen":"2019-01-01T00:00:00Z","last_seen":"2025-12-30T00:00:00Z","created":"2026-01-06T18:05:33.521642Z","modified":"2026-01-06T18:05:33.521646Z","campaign_attack_id":"C3254","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"aa4a80ae-4d97-4f1b-82d9-13a9c925f7d5","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"a90468ac-1836-404b-9027-37ef759be1b8","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"46ed554a-2a7f-5f3d-8b17-169740feeec4"},{"id":"838fbc0d-92c4-4747-bccb-68c419a951ae","name":"GhostRedirector campaign (2024-2025)","description":"A newly identified, suspected China-aligned threat actor dubbed GhostRedirector compromised dozens of Windows servers, primarily in Southeast Asia and South America, and used custom malware to backdoor the servers and to provide search engine optimization (\"SEO\") fraud as-a-service.<sup>[[welivesecurity.com September 4 2025](/references/5dc5f9be-761b-4e8b-acf5-937682717758)]</sup>","first_seen":"2024-08-01T00:00:00Z","last_seen":"2025-06-30T00:00:00Z","created":"2025-09-10T16:39:40.791480Z","modified":"2025-09-10T16:39:40.791485Z","campaign_attack_id":"C3125","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"f557b7c1-29f7-46c4-8c46-8e195ed81d54","tag":"15f2277a-a17e-4d85-8acd-480bf84f16b4"},{"id":"cbb9da26-0c83-4f78-8a49-f79c35fe3d81","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"7a6a20d3-4931-452c-9306-1d4e90a335e6","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"4b30b42b-0dae-5f3e-8c1e-df2cf511097f"},{"id":"3a2878cf-d0b6-40a4-9539-78a5addec720","name":"Gladinet CentreStack/Triofox Insecure Cryptography Exploitation","description":"A campaign involving active exploitation of insecure cryptography in Gladinet CentreStack and Triofox products, leading to remote code execution and potential ransomware deployment.<sup>[[Huntress December 18 
2025](/references/990fe0c2-253d-467c-a16f-0f006cdeb618)]</sup>","first_seen":"2025-12-10T00:00:00Z","last_seen":"2025-12-18T00:00:00Z","created":"2025-12-24T14:57:52.117256Z","modified":"2025-12-24T14:57:52.117259Z","campaign_attack_id":"C3229","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"4a5fc587-4a4a-4a46-945a-491061e5af5c","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"7e2bdc39-6e77-4491-91de-8c3f7592d6f2","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"ec2d588d-e04a-5e38-9692-2831c63cce45"},{"id":"4c28e7a4-914f-426b-b4f4-f14d902de5d9","name":"GoBruteforcer 2025 Campaigns","description":"A series of financially motivated campaigns in 2025 using GoBruteforcer to compromise Linux servers via brute-force attacks, with a focus on crypto and blockchain project databases, leveraging AI-generated server defaults and weak credentials.<sup>[[Check Point Research January 07 2026](/references/45a9d214-ddee-44e9-9ed1-282f05a65428)]</sup>","first_seen":"2025-06-01T00:00:00Z","last_seen":"2026-01-07T00:00:00Z","created":"2026-01-14T13:32:10.278904Z","modified":"2026-01-14T13:32:10.278908Z","campaign_attack_id":"C3274","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"f5d2fc9d-82d0-4f96-9c92-b0ff0bc84a20","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"6d4d2cd6-2116-4d06-ab28-7dcb19153aed","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"3dc0f0f3-ace4-591d-9316-b494008c001b"},{"id":"9cc02e41-dd65-4ab2-9f52-f3f8f7d610d7","name":"GOLD SALEM Warlock Ransomware Campaign","description":"A series of ransomware attacks conducted by GOLD SALEM, involving the deployment of Warlock, LockBit, and Babuk ransomware, leveraging SharePoint vulnerabilities, BYOVD techniques, and abuse of legitimate tools for access, persistence, and defense evasion.<sup>[[None December 11 
2025](/references/1037dd5b-a209-4ea6-9a97-ac80c0f35ca3)]</sup>","first_seen":"2025-03-01T00:00:00Z","last_seen":"2025-09-30T00:00:00Z","created":"2025-12-29T17:41:31.297507Z","modified":"2025-12-29T17:41:31.297511Z","campaign_attack_id":"C3235","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"d1b728d2-4e0f-40a1-93ee-d3e546f0f019","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"9ff2054b-38a7-49e6-be27-2e13b1147869","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"0ff9fdb4-cd2b-58c3-8435-e9e6e055e76a"},{"id":"a2ce8adc-c565-4d47-b8d4-e3001b5d92c1","name":"Gootloader 2025 Resurgence","description":"A campaign involving the return of Gootloader operations in March and October-November 2025, leveraging new obfuscation techniques and leading to rapid domain controller compromise and ransomware deployment.<sup>[[Huntress November 05 2025](/references/89cb0d2d-3043-43c4-8c19-64e1a5029ced)]</sup>","first_seen":"2025-03-01T00:00:00Z","last_seen":"2025-11-05T00:00:00Z","created":"2025-11-11T13:26:50.145272Z","modified":"2025-11-11T13:26:50.145275Z","campaign_attack_id":"C3160","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"c4c3e846-a8be-4ad6-af22-bbbcbaef45e7","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"0bd3264a-4617-4423-8315-923ad9278339","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"e0c3bd51-3131-55d9-abb3-4f2239324f47"},{"id":"06116c97-3531-46d6-8c72-7be4c84556ef","name":"Grayling APT Taiwan Espionage Activity","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2023-02-01T00:00:00Z","last_seen":"2023-05-31T00:00:00Z","created":"2025-03-25T13:16:35.248586Z","modified":"2025-03-25T13:16:35.248588Z","campaign_attack_id":"C3096","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"df59b894-23be-4a51-b68f-f881a5579921","tag":"1f89807f-5026-4908-9860-19d636e4362e"},{"id":"050dffab-29c5-42c2-b8b8-dcc163213452","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"28273943-016f-4002-8ffe-004d7a30e1db","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"f34df178-064b-542b-9780-484d8b3d6da9"},{"id":"c2f9eb70-cc7d-4d68-80d7-2caf77734674","name":"GrimResource Activity","description":"Researchers identified what they called a new infection technique, dubbed GrimResource, which allows attackers to achieve code execution capabilities in the context of the Microsoft Management Console utility (`mmc.exe`) after a victim user clicks on a specifically crafted Windows MSC (.msc) file. 
The researchers drew parallels between the use of this new technique and other evasion techniques used after Microsoft default-disabled select Office macros, such as the use of JavaScript and MSI, ISO, or LNK files.<sup>[[elastic.co June 22 2024](/references/1f7416d3-806f-4ef7-a759-074ec040027b)]</sup>","first_seen":"2024-06-06T00:00:00Z","last_seen":"2024-06-21T00:00:00Z","created":"2024-11-15T17:29:25.677626Z","modified":"2024-11-15T17:29:25.677631Z","campaign_attack_id":"C3072","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"cc78f4ec-0616-419f-9a52-7f35bcac63cd","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"cc82a652-304e-49fe-a25c-8ed65a2c193f","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"f9630cb3-1a39-5aac-8ba8-1737c6e405f3"},{"id":"848833fa-7379-4abf-979f-35cde0d2d6b7","name":"GTG-1002 AI-Orchestrated Cyber Espionage Campaign","description":"A large-scale, highly sophisticated cyber espionage operation conducted by Chinese state-sponsored group GTG-1002 in September 2025, representing the first documented case of a cyberattack largely executed autonomously by AI. 
The campaign targeted around 30 entities, including major technology corporations, financial institutions, chemical manufacturers, and government agencies, with the AI performing 80-90% of tactical operations.<sup>[[Anthropic AI-Orchestrated Campaign November 13 2025](/references/a57a05ce-83d0-4cde-bacd-2b7281ba3833)]</sup>","first_seen":"2025-09-15T00:00:00Z","last_seen":"2025-09-25T00:00:00Z","created":"2025-11-19T17:45:57.137247Z","modified":"2025-11-19T17:45:57.137250Z","campaign_attack_id":"C3166","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"a3d7c80b-1b25-44ea-94c2-63f7c825b604","tag":"3b73c532-ccfc-4d66-9830-ab76ef1bc47a"},{"id":"93b0feb2-4fcd-43be-a730-621edc40762f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"d7b80120-502d-4a2f-b6e1-c697e0563e97","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"e673de64-31c0-5fd8-a149-bd56646c3b04"},{"id":"03a1e2ad-2185-433a-9948-3162327ee53e","name":"Guloader Phishing Campaign Disguised as Employee Performance Reports","description":"A phishing campaign distributing Guloader malware via emails disguised as employee performance reports, leading to Remcos RAT infections.<sup>[[ASEC January 08 2026](/references/3a04cc8c-f814-4ce7-bb13-d1097f3da270)]</sup>","first_seen":"2025-12-01T00:00:00Z","last_seen":"2025-12-30T00:00:00Z","created":"2026-01-14T13:32:09.746305Z","modified":"2026-01-14T13:32:09.746310Z","campaign_attack_id":"C3271","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"10db06de-fbdb-43d0-9281-47032e56a334","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"81bb016e-1a91-4c66-8ed9-fa09b1c20f46","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"3b4ab92c-9e44-5dc9-8506-5aedbd87a055"},{"id":"181a3379-36bc-4b10-b7dc-83bd5e941139","name":"Handala Group Phishing and Wiper Campaign","description":"The Handala Hacking Team sent lure emails containing malware to Israeli targets. 
The malware was a wiper designed to destroy files on the infected machine.<sup>[[Trellix Handala Wiper July 26 2024 July 26 2024](/references/e1c7847d-a541-4932-9a28-92ba8b1e3bdb)]</sup>","first_seen":"2025-07-21T00:00:00Z","last_seen":"2025-07-26T00:00:00Z","created":"2025-07-08T16:59:24.370545Z","modified":"2025-07-08T16:59:24.370550Z","campaign_attack_id":"C3114","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"481007ab-ecbf-451f-a714-54b9902d8168","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"e7a62428-c321-4218-a740-e86169bada37","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"bd7a6eb3-0b08-5f60-b3d0-5c6cc688e97b"},{"id":"334a6512-9669-40cd-bd07-83d600c2cb4f","name":"Handala June 2025 Israeli attacks","description":"A campaign by the Handala group targeting Israeli organizations in response to Israeli attacks on Iranian nuclear facilities. The campaign involved data theft, leaks, and psychological operations against multiple Israeli companies and organizations.<sup>[[Cyber Daily Handala June 16 2025](/references/0d279886-6dfd-4587-b0af-98b425b84a50)]</sup>","first_seen":"2025-06-14T00:00:00Z","last_seen":"2025-06-16T00:00:00Z","created":"2025-11-26T19:38:34.072741Z","modified":"2025-11-26T19:38:34.072745Z","campaign_attack_id":"C3172","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"1f73f8df-75a1-4232-9d76-b7dbe5d577bb","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"980043e7-a92a-4a94-814a-9af98884ff23","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"d681d57e-ae38-586f-bcf0-18a3c4f7d665"},{"id":"1610257c-e2fc-4b05-bd63-5c2cbfb2342e","name":"Healthcare Social Engineering & Payment Diversion Activity","description":"U.S. cybersecurity authorities released an advisory that warned of recent attacks targeting healthcare entities and providers, which leveraged social engineering techniques for initial access and ultimately led to financial theft. 
The attacks used voice phishing and phishing domains, and sometimes bypassed multi-factor authentication measures, to gain footholds. Actors often used information gathered through extensive reconnaissance to facilitate these efforts.\n\nActors then used \"living off the land\" (LOTL) techniques to persist stealthily in compromised environments. Ultimately, actors sought to modify patient automated clearinghouse (ACH) account information to divert payments to actor-controlled bank accounts. The advisory did not attribute the recent campaign to a named adversary group.<sup>[[FBI Social Engineering Attacks June 24 2024](/references/527ac41a-a65e-4cf9-a9c9-194443b37c5b)]</sup>","first_seen":"2023-08-01T00:00:00Z","last_seen":"2024-06-24T00:00:00Z","created":"2024-06-28T17:23:32.812977Z","modified":"2024-06-28T17:23:32.812982Z","campaign_attack_id":"C3042","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"90e435b0-0cda-406b-ba58-f5ead7eaa8a6","tag":"e90b243c-99e2-46fe-8f04-eca9c7939250"},{"id":"e265ba05-5688-4413-9d67-8763b93db089","tag":"d903e38b-600d-4736-9e3b-cf1a6e436481"},{"id":"119ee320-8439-43da-b5bf-b7e0aea72f82","tag":"e551ae97-d1b4-484e-9267-89f33829ec2c"}],"tidal_id":"62f25517-1ef4-5fc0-9f1c-acbd1ffd838f"},{"id":"cb383af8-48c2-418d-9365-fc3c54ff9be0","name":"Henos","description":"A Donot Team campaign in early 2021 targeting military organizations in Bangladesh and Sri Lanka using a modified Gedit variant.<sup>[[www.welivesecurity.com January 18 2022](/references/e6d5b908-3837-4f7e-93c8-378d4006db58)]</sup>","first_seen":"2021-02-01T00:00:00Z","last_seen":"2021-03-31T00:00:00Z","created":"2026-01-23T20:31:39.738468Z","modified":"2026-01-23T20:31:39.738471Z","campaign_attack_id":"C3285","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"cb4139af-f766-46fe-ba98-332ed9c535e9","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"54813382-3642-4206-ad31-32b027272932","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"2897933f-76cf-5e15-bd3e-078a78a1f281"},{"id":"04329c95-d792-5333-b5bc-13ef2c545d7b","name":"HomeLand Justice","description":"[HomeLand Justice](https://app.tidalcyber.com/campaigns/04329c95-d792-5333-b5bc-13ef2c545d7b) was a disruptive campaign involving the use of ransomware, wiper malware, and sensitive information leaks conducted by Iranian state cyber actors against Albanian government networks in July and September 2022. Initial access for [HomeLand Justice](https://app.tidalcyber.com/campaigns/04329c95-d792-5333-b5bc-13ef2c545d7b) was established in May 2021 as threat actors subsequently moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the attacks. Responsibility was claimed by the \"HomeLand Justice\" front whose messaging indicated targeting of the Mujahedeen-e Khalq (MEK), an Iranian opposition group who maintain a refugee camp in Albania, and were formerly designated a terrorist organization by the US State Department.<sup>[[Mandiant ROADSWEEP August 2022](https://app.tidalcyber.com/references/0d81ec58-2e12-5824-aa53-feb0d2260f30)]</sup><sup>[[Microsoft Albanian Government Attacks September 2022](https://app.tidalcyber.com/references/d00399e9-a6c6-5691-92cd-0185b03b689e)]</sup><sup>[[CISA Iran Albanian Attacks September 2022](https://app.tidalcyber.com/references/c5d37bde-52bc-525a-b25a-e097f77a924a)]</sup> A second wave of attacks was launched in September 2022 using similar tactics after public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.<sup>[[CISA Iran Albanian Attacks September 
2022](https://app.tidalcyber.com/references/c5d37bde-52bc-525a-b25a-e097f77a924a)]</sup>\n\n","first_seen":"2021-05-01T04:00:00Z","last_seen":"2022-09-01T04:00:00Z","created":"2024-10-31T16:28:09.776023Z","modified":"2024-10-31T16:28:09.776026Z","campaign_attack_id":"C0038","source":"MITRE","owner_name":null,"tags":[{"id":"309d57f6-cb29-44cd-8e35-8c3ac0c724ac","tag":"e551ae97-d1b4-484e-9267-89f33829ec2c"},{"id":"ec99084a-3b66-4d00-a433-cf3fa83c8f59","tag":"15787198-6c8b-4f79-bf50-258d55072fee"}],"tidal_id":"04329c95-d792-5333-b5bc-13ef2c545d7b"},{"id":"d1244338-85dd-4650-989a-9df8020860b9","name":"HPE Midnight Blizzard Office 365 Email Exfiltration","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.","first_seen":"2023-05-01T00:00:00Z","last_seen":"2023-12-12T00:00:00Z","created":"2024-06-13T20:12:37.640713Z","modified":"2024-06-13T20:12:37.640717Z","campaign_attack_id":"C3021","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"5441354f-9cc6-4220-8095-a5690358f84a","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"12c50187-0ad4-4a99-bfff-7e2d4ca869f3","tag":"15f2277a-a17e-4d85-8acd-480bf84f16b4"},{"id":"048c1813-17ee-4ac8-bc6d-14cb0e84237c","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"7f833a3c-a7bf-5ef8-b71d-998c25571a3d"},{"id":"0785d92c-c84c-434a-b6b8-cf8cd8da28c8","name":"Hybrid Okta SSO Vishing and Adversary-in-the-Middle Phishing Campaigns","description":"A wave of voice-enabled phishing (vishing) campaigns using real-time session orchestration phishing kits to target users of Google, Microsoft, Okta, and cryptocurrency providers, aiming to bypass MFA and steal credentials.<sup>[[www.okta.com January 23 
2026](/references/5ba030cc-d314-44ba-8eb1-8bd49319f6c4)]</sup>","first_seen":"2025-01-01T00:00:00Z","last_seen":"2026-01-22T00:00:00Z","created":"2026-01-23T20:31:40.554840Z","modified":"2026-01-23T20:31:40.554844Z","campaign_attack_id":"C3290","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"50f317e5-b6ee-4d41-b80a-533989418795","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"d89042a6-f2bb-4792-a019-76cb14109ed4","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"0a16e212-f1e8-554b-827a-ff8e6b2b16d7"},{"id":"d7357476-a73c-5b5b-9bb9-95a3b379096f","name":"Indian Critical Infrastructure Intrusions","description":"[Indian Critical Infrastructure Intrusions](https://app.tidalcyber.com/campaigns/d7357476-a73c-5b5b-9bb9-95a3b379096f) is a sequence of intrusions from 2021 through early 2022 linked to People’s Republic of China (PRC) threat actors, particularly [RedEcho](https://app.tidalcyber.com/groups/a6dea520-12ab-5c7b-8142-db3a308122de) and Threat Activity Group 38 (TAG38). The intrusions appear focused on IT system breach in Indian electric utility entities and logistics firms, as well as potentially managed service providers operating within India. 
Although focused on OT-operating entities, there is no evidence this campaign was able to progress beyond IT breach and information gathering to OT environment access.<sup>[[RecordedFuture RedEcho 2021](https://app.tidalcyber.com/references/644fa2c1-ed3e-5203-96d5-27acfc1947a0)]</sup><sup>[[RecordedFuture RedEcho 2022](https://app.tidalcyber.com/references/3bd1c189-8cb8-5e87-9d3a-15d24a8df16f)]</sup>","first_seen":"2021-01-01T07:00:00Z","last_seen":"2022-04-01T06:00:00Z","created":"2025-04-22T20:47:03.049041Z","modified":"2025-04-22T20:47:03.049044Z","campaign_attack_id":"C0043","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"d7357476-a73c-5b5b-9bb9-95a3b379096f"},{"id":"f33242a4-8d82-42af-bf2e-16adfe130a67","name":"Ink Dragon's Distributed Relay Network Offensive Operation","description":"A multi-stage cyber espionage campaign by Ink Dragon, focusing on government and telecom targets in Southeast Asia, South America, Africa, and Europe, leveraging ShadowPad to build a distributed relay network using compromised servers as C2 nodes.<sup>[[Check Point Research December 16 2025](/references/1fc24a9b-9636-482a-8413-211b42658872)]</sup>","first_seen":"2023-01-01T00:00:00Z","last_seen":"2025-12-16T00:00:00Z","created":"2025-12-24T14:57:51.525479Z","modified":"2025-12-24T14:57:51.525482Z","campaign_attack_id":"C3225","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"2239929a-0666-4d17-ac59-ba7a3833c4e7","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"1da91ac8-0667-4f13-b410-2d6ca434f0bc","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"2f5954e0-a531-5307-a300-8218442fbeaa"},{"id":"7d6ff40d-51f3-42f8-b986-e7421f59b4bd","name":"Iranian APT Credential Harvesting & Cryptomining Activity","description":"In November 2022, U.S. cybersecurity authorities released Cybersecurity Advisory AA22-320A, which detailed an incident response engagement at an unspecified U.S. Federal Civilian Executive Branch organization. 
Authorities assessed that the network compromise was carried out by unspecified Iranian government-sponsored advanced persistent threat (APT) actors. The actors achieved initial network access by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. Post-exploit activities included installing XMRig crypto mining software and executing Mimikatz to harvest credentials, as well as moving laterally to the domain controller and implanting Ngrok reverse proxies on multiple hosts to maintain persistence.\n\nAdditional details, including incident response guidance and relevant mitigations, can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a).<sup>[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]</sup>\n\n**Related Vulnerabilities**: CVE-2021-44228<sup>[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]</sup>","first_seen":"2022-06-15T00:00:00Z","last_seen":"2022-07-15T00:00:00Z","created":"2023-10-26T14:24:12.873030Z","modified":"2023-10-26T14:24:12.873035Z","campaign_attack_id":"C3012","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"0d3643ad-4e7d-4216-aeb3-99cee60a8378","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"9019f77d-2e02-4920-8c36-abdea2557846","tag":"7e6ef160-8e4f-4132-bdc4-9991f01c472e"}],"tidal_id":"61839866-4446-52d2-98b5-e8e242e527e0"},{"id":"18cf25b5-ed3a-40f6-bf0a-a3938a4f8da2","name":"Iranian APT Targeting U.S. Voter Data","description":"In November 2020, U.S. cybersecurity authorities released joint Cybersecurity Advisory AA20-304A, which detailed efforts by an unspecified Iranian advanced persistent threat (APT) actor to target U.S. state websites, including election-related sites, with the goal of obtaining voter registration data. 
The actors used a legitimate vulnerability scanner, Acunetix, to scan state election websites, and they attempted to exploit sites with directory traversal, SQL injection, and web shell upload attacks. Authorities confirmed the actors successfully obtained voter registration data in at least one state – after abusing a website misconfiguration, they used a cURL-based scripting tool to iterate through and retrieve voter records. Officials assessed that the actor behind the website attacks is responsible for mass dissemination of intimidation emails to U.S. citizens and a disinformation campaign featuring a U.S. election-related propaganda video in mid-October 2020. Authorities furthermore assessed that information obtained during the website attacks was featured in the propaganda video.<sup>[[U.S. CISA Iran Voter Data November 3 2020](/references/be89be75-c33f-4c58-8bf0-979c1debaad7)]</sup>","first_seen":"2020-09-20T00:00:00Z","last_seen":"2020-10-20T00:00:00Z","created":"2023-10-26T14:24:13.400313Z","modified":"2023-10-26T14:24:13.400318Z","campaign_attack_id":"C3014","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[],"tidal_id":"365f1fb6-6072-5dd2-99f2-023eb830ce5d"},{"id":"3b15979c-eabf-41d1-8930-f480106f8430","name":"Iranian Cyber Actors Compromise Critical Infrastructure Organizations","description":"On October 16, 2024, U.S., Canadian, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA24-290A, which detailed attacks by unspecified \"Iranian cyber actors\", who used brute forcing and other credential access techniques to compromise various critical infrastructure entities, including organizations in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors. The advisory indicated that the actors likely carried out the attacks in order to ultimately sell harvested credentials and victim network information \"to enable access to cybercriminals\".<sup>[[U.S. 
CISA Iranian Actors Critical Infrastructure October 16 2024](/references/a70a4487-eaae-43b3-bfe0-0677fd911959)]</sup>","first_seen":"2023-10-01T00:00:00Z","last_seen":"2024-02-07T00:00:00Z","created":"2024-10-18T13:27:14.657208Z","modified":"2024-10-18T13:27:14.657213Z","campaign_attack_id":"C3063","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"8e812765-bd6d-4c79-a6d6-4967463593df","tag":"51006447-540b-4b9d-bdba-1cbff8038ae9"},{"id":"132ff7fc-eb87-465c-8488-5770e589be8c","tag":"35e694ec-5133-46e3-b7e1-5831867c3b55"},{"id":"1733d44b-9f95-483b-b636-5d08b4bd9963","tag":"61cdbb28-cbfd-498b-9ab1-1f14337f9524"},{"id":"2a1b25d2-3c8e-4b0e-94fb-01df21e18f14","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"6b673268-b236-432c-8fe7-cced269b79d6","tag":"89c5b94b-ecf4-4d53-9b74-3465086d4565"},{"id":"0d27cbba-2823-40bd-9bba-a283737a3456","tag":"291c006e-f77a-4c9c-ae7e-084974c0e1eb"},{"id":"68b27e91-7de5-4b15-9559-d0216337d9cd","tag":"15f2277a-a17e-4d85-8acd-480bf84f16b4"},{"id":"a267618e-8f1d-418b-80dd-9ddef18323e1","tag":"c9c73000-30a5-4a16-8c8b-79169f9c24aa"}],"tidal_id":"bb4d895b-a11d-5af5-b4df-275b3a5e9e72"},{"id":"338c6497-2b13-4c2b-bd45-d8b636c35cac","name":"Iranian IRGC Data Extortion Operations","description":"In September 2022, U.S., Canadian, United Kingdom, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA22-257A, which detailed malicious cyber activity attributed to advanced persistent threat (APT) actors affiliated with the Iranian government’s Islamic Revolutionary Guard Corps (IRGC). The advisory updated a previous alert (AA21-321A), published in November 2021, and summarized recent activities linked to the actors. Since at least March 2021, the actors were observed targeting victims in a wide range of U.S. 
critical infrastructure sectors, including transportation and healthcare, and victims in unspecified sectors in Australia, Canada, and the United Kingdom.\n\nThe actors typically exploited vulnerabilities to gain initial network access. They were observed exploiting vulnerabilities in Microsoft Exchange servers (ProxyShell) and Fortinet devices in 2021, and VMware Horizon (Log4j) in 2022. After gaining access, the actors typically evaluated the perceived value of data held within a victim network and either encrypted it for ransom and/or exfiltrated it. The actors are believed to have sold some exfiltrated data or used it as leverage to further pressure victims into paying a ransom.\n\nIn addition to behavioral observations and indicators of compromise, the advisories provided detection and mitigation guidance, which can be found in the source reports [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-257a) and [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a).\n\n**Related Vulnerabilities**: CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105<sup>[[U.S. CISA IRGC Actors September 14 2022](/references/728b20b0-f702-4dbe-afea-50270648a3a2)]</sup>, CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591<sup>[[U.S. 
CISA Iranian Government Actors November 19 2021](/references/d7014279-bc6a-43d4-953a-a6bc1d97a13b)]</sup>","first_seen":"2021-03-01T00:00:00Z","last_seen":"2022-09-14T00:00:00Z","created":"2023-10-26T14:24:13.135815Z","modified":"2023-10-26T14:24:13.135820Z","campaign_attack_id":"C3013","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"2e462886-646e-4aab-99be-5861b29dd9c5","tag":"3ed2343c-a29c-42e2-8259-410381164c6a"},{"id":"cedc94bb-32ef-44eb-9a6f-b2b3ad645918","tag":"375983b3-6e87-4281-99e2-1561519dd17b"},{"id":"199bb96f-6fab-440d-8b6b-2b1ee8385a48","tag":"64d3f7d8-30b7-4b03-bee2-a6029672216c"},{"id":"2bcc3917-29b9-4242-9066-d43afce4cbcb","tag":"5e7433ad-a894-4489-93bc-41e90da90019"},{"id":"ac9b41c5-7e88-4965-b16c-8b95449a8cb3","tag":"7e7b0c67-bb85-4996-a289-da0e792d7172"},{"id":"b6843150-8797-4674-a7a1-d641e582b465","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"15468ea1-0236-4a01-92f8-c5a0881da4e1","tag":"d84be7c9-c652-4a43-a79e-ef0fa2318c58"},{"id":"b828a770-70ab-4c00-8724-25eda6e0f12f","tag":"1423b5a8-cff3-48d5-a0a2-09b3afc9f195"},{"id":"d1e6d0d3-055d-4e73-9ad2-eaf23ece9fb2","tag":"1b98f09a-7d93-4abb-8f3e-1eacdb9f9871"},{"id":"f43b2f90-980d-42b4-9e64-4dcd8bb1f84e","tag":"fde4c246-7d2d-4d53-938b-44651cf273f1"},{"id":"6cd78367-2e8a-4957-a537-f94b650e8212","tag":"c3779a84-8132-4c62-be2f-9312ad41c273"},{"id":"b6f79565-6891-4585-a963-54bd2a88d859","tag":"c035da8e-f96c-4793-885d-45017d825596"},{"id":"f80c54b8-24c7-41a7-bb06-35d8deda0d51","tag":"7e6ef160-8e4f-4132-bdc4-9991f01c472e"},{"id":"6ab895af-d96f-4a19-a12c-48cd6eb87caf","tag":"d713747c-2d53-487e-9dac-259230f04460"},{"id":"2887b773-e657-48be-881a-556ee60db4a9","tag":"964c2590-4b52-48c6-afff-9a6d72e68908"}],"tidal_id":"0bce6dfa-b498-5dfe-9711-f86b4b0554bb"},{"id":"50a50a03-279b-455f-9a8d-38dc8e9b80fd","name":"Ivanti Cloud Service Application Zero-Day Vulnerability Exploits","description":"On January 22, 2025, U.S. 
cybersecurity authorities released a joint Cybersecurity Advisory (AA25-022A), which detailed threat actors' exploitation of multiple vulnerabilities in Ivanti Cloud Service Appliances (\"CSAs\"): CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380. Citing Ivanti's advisories, actors exploited these vulnerabilities as \"zero days\" and \"chained\" exploits together to achieve initial access, remotely execute code, install webshells, and harvest credentials, some of which were exfiltrated for later offline decryption. The advisory detailed exploitation activity that occurred at an unspecified point in September 2024.<sup>[[U.S. CISA Ivanti Vulnerabilities January 22 2025](/references/aeb3a9ad-2214-40dc-bfd5-f832a4eaf168)]</sup> A vendor threat report attributed the activity to unspecified suspected nation-state actors.<sup>[[Fortinet Ivanti Vulnerabilities January 22 2025](/references/7cc64109-8b40-4075-9637-46c0de35df7d)]</sup>","first_seen":"2024-09-01T00:00:00Z","last_seen":"2024-09-30T00:00:00Z","created":"2025-01-28T15:54:17.458875Z","modified":"2025-01-28T15:54:17.458882Z","campaign_attack_id":"C3082","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"1204b226-fc43-4a46-a59e-c603222d97de","tag":"e551ae97-d1b4-484e-9267-89f33829ec2c"},{"id":"8fd75d1f-36b0-4580-97c4-ac9a8ea8a3bb","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"4c7704f3-6aee-445f-9df2-f27ff81b5f98","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"f341be5c-198b-4403-8537-8cdbfd176087","tag":"e2db8566-c418-404b-a4c4-63759cb32bd8"},{"id":"24078cbf-316e-4b2b-8d14-7ed3d1d19756","tag":"071e8577-99f4-473e-80b4-be91d6db1388"},{"id":"d2bb20be-f6ef-41a2-9c81-5899c20aa523","tag":"1855dff6-e772-44a0-b783-44148f5c4354"},{"id":"8ae8da25-6c16-4a42-990b-f351df1b5bcd","tag":"38478b80-159f-4602-9d21-d2c4efa2defd"},{"id":"2783af9a-6494-48fd-bed4-66e4ccdec786","tag":"291c006e-f77a-4c9c-ae7e-084974c0e1eb"}],"tidal_id":"4cb32fa5-58ee-55d0-b7d2-c2b8432c0771"},{"id":"ce610027-a099-4e54-9ea1-8528793a222f","name":"Ivanti VPN Zero-Day Exploit Activity (CVE-2025-0282)","description":"Google Cloud security researchers announced that they observed active exploitation of Ivanti Connect Secure VPN appliances. On January 8, Ivanti disclosed two vulnerabilities in the products, CVE-2025-0282 and CVE-2025-0283, and researchers revealed that they had identified \"zero-day\" exploitation of one of the vulnerabilities (CVE-2025-0282) since \"mid-December\" 2024. 
The researchers attributed the exploitation activity to a \"China-nexus\" actor dubbed UNC5337, which possibly operates as a subcomponent of UNC5221, a broader actor group believed to be behind exploits of two other vulnerabilities in Ivanti VPN and network access control appliances (CVE-2023-46805 and CVE-2024-21887) one year prior.<sup>[[Google Cloud January 8 2025](/references/d34943fb-4a7a-4cda-bbe5-3c1f5c00b8a9)]</sup>","first_seen":"2024-12-15T00:00:00Z","last_seen":"2025-01-08T00:00:00Z","created":"2025-01-13T21:02:10.443333Z","modified":"2025-01-13T21:02:10.443337Z","campaign_attack_id":"C3081","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"eb236d9e-dab9-4cd9-9a0a-936c700df770","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"a1826747-9b5f-46d9-888d-0af6af637e07","tag":"adb4f8e7-e6d8-4159-814d-7d0cf9d05a49"},{"id":"3cb10916-0179-438f-a390-c6450270b963","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"69e36b26-9ad0-42a1-b8b2-e00be2432337","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"bf493268-1655-56c8-a21b-ab57adfbeec1"},{"id":"64881c9d-9979-4455-adbf-9a2291c8cfb0","name":"Jasper Sleet North Korean Remote IT Worker Activity","description":"Jasper Sleet is a North Korean threat group involved in fraudulent remote IT worker operations. 
They use AI tools to enhance their operations, create fake personas, and infiltrate companies globally to generate revenue and support state interests.<sup>[[Microsoft Security Blog June 30 2025](/references/3300c819-e236-40a2-a886-ce460876a2ca)]</sup>","first_seen":"2024-10-01T00:00:00Z","last_seen":"2025-06-30T00:00:00Z","created":"2025-07-08T16:59:23.986487Z","modified":"2025-07-08T16:59:23.986492Z","campaign_attack_id":"C3113","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"1e82d9a1-393f-4e09-a8b1-05ee91ff1ae7","tag":"dae3e667-b5db-4063-aaae-8e8e0b8127a0"},{"id":"cca31212-1981-44b3-bf51-e4b9de4271ea","tag":"3b73c532-ccfc-4d66-9830-ab76ef1bc47a"},{"id":"ee4c6560-6426-48b8-9b77-1ae866ca14c1","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"4499b314-f4ee-4cc2-aed0-878e1bf5761d","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"3bf7edaa-b5c7-5f56-9779-4c264bc96049"},{"id":"3b839a7b-095b-5344-8d60-978d06630c3a","name":"J-magic Campaign","description":"The [J-magic Campaign](https://app.tidalcyber.com/campaigns/3b839a7b-095b-5344-8d60-978d06630c3a) was active from mid-2023 to at least mid-2024 and featured the use of the [J-magic](https://app.tidalcyber.com/software/af48c73d-5929-5a45-8182-aea5495346a3) backdoor, a custom cd00r variant tailored for use against Juniper routers. The [J-magic Campaign](https://app.tidalcyber.com/campaigns/3b839a7b-095b-5344-8d60-978d06630c3a) targeted Junos OS routers serving as VPN gateways primarily in the semiconductor, energy, manufacturing, and IT sectors. 
<sup>[[Lumen J-Magic JAN 2025](https://app.tidalcyber.com/references/50764afc-4d2e-54a1-8d24-2128fc91a5d3)]</sup>","first_seen":"2023-06-01T04:00:00Z","last_seen":"2024-06-01T04:00:00Z","created":"2025-04-22T20:47:03.112460Z","modified":"2025-04-22T20:47:03.112464Z","campaign_attack_id":"C0050","source":"MITRE","owner_name":null,"tags":[{"id":"f0f58b66-3036-40ed-9ef3-68f2ecb2b575","tag":"b20e7912-6a8d-46e3-8e13-9a3fc4813852"}],"tidal_id":"3b839a7b-095b-5344-8d60-978d06630c3a"},{"id":"c44d9a29-3025-40b3-8c12-45390597cc0f","name":"JOKERSPY Intrusion","description":"JOKERSPY (aka REF9134) was an intrusion involving a Python-based backdoor, which was used to deploy a malicious macOS-based enumeration tool called Swiftbelt and other open-source tools.<sup>[[elastic.co 6 21 2023](/references/42c40ec8-f46a-48fa-bd97-818e3d3d320e)]</sup>","first_seen":"2023-05-31T00:00:00Z","last_seen":"2023-06-01T00:00:00Z","created":"2024-06-13T20:12:40.148387Z","modified":"2024-06-13T20:12:40.148391Z","campaign_attack_id":"C3035","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"9aed71dd-5783-4f77-b882-015cfc1fba97","tag":"4a457eb3-e404-47e5-b349-8b1f743dc657"},{"id":"c2713de9-9112-4048-ac0b-5d9a6b1c24a3","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"98383200-8873-49be-a198-1c974b0a37aa","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"d4bc1741-9d0d-540d-ba0c-9ceee540606e"},{"id":"afa9af31-e824-5924-b1fe-87b5fd0be2cc","name":"Juicy Mix","description":"[Juicy Mix](https://app.tidalcyber.com/campaigns/afa9af31-e824-5924-b1fe-87b5fd0be2cc) was a campaign conducted by [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) throughout 2022 that targeted Israeli organizations with the [Mango](https://app.tidalcyber.com/software/5d966408-4206-536d-828f-dcc340dae746) backdoor.<sup>[[ESET OilRig Campaigns Sep 
2023](https://app.tidalcyber.com/references/799db594-6a65-5b80-9d64-c530fadbd9ae)]</sup>","first_seen":"2022-01-01T05:00:00Z","last_seen":"2022-12-01T05:00:00Z","created":"2025-04-22T20:47:03.151307Z","modified":"2025-04-22T20:47:03.151312Z","campaign_attack_id":"C0044","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"afa9af31-e824-5924-b1fe-87b5fd0be2cc"},{"id":"2772d10e-49a1-42c5-925f-6a34e59dfcaf","name":"July 2025 SEO Poisoning, Bumblebee Malware, and Akira Ransomware Activity","description":"In a campaign that began in early July 2025, actors were observed using SEO poisoning to trick victims into installing trojanized software. This led to the deployment of Bumblebee loader malware, which enabled full network compromise. Actors ultimately deployed Akira ransomware on both a root domain and, two days later, a child domain, creating significant operational disruptions to the victim environment.<sup>[[The DFIR Report Bumblebee Akira July 2 2025](/references/22cd30b9-fde9-4383-8106-1a506afa3c02)]</sup>","first_seen":"2025-07-01T00:00:00Z","last_seen":"2025-07-31T00:00:00Z","created":"2025-08-06T14:57:26.537992Z","modified":"2025-08-06T14:57:26.537996Z","campaign_attack_id":"C3118","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"e910f27b-493c-46e3-8199-8dfdbd321304","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"610c73af-ed8f-4d1d-a324-909ad519317a","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"3cf191fe-da69-5b0d-9645-0f43d12389e8"},{"id":"86e3565d-93dc-40e5-8f84-20d1c15b8e9d","name":"June 2023 Citrix Vulnerability Exploitation","description":"In July 2023, U.S. Cybersecurity & Infrastructure Security Agency authorities released Cybersecurity Advisory AA23-201A, which detailed an observed exploit of a zero-day vulnerability (CVE-2023-3519) affecting NetScaler (formerly Citrix) Application Delivery Controller (\"ADC\") and NetScaler Gateway appliances. 
According to the Advisory, the exploitation activity occurred in June 2023, and the victim (an undisclosed entity in the critical infrastructure sector) reported it in July 2023.<sup>[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]</sup> Citrix acknowledged the reported exploit of the vulnerability, which enables unauthenticated remote code execution, and released a patch on July 18, 2023.<sup>[[Citrix Bulletin CVE-2023-3519](/references/245ef1b7-778d-4df2-99a9-b51c95c57580)]</sup>\n\nAfter achieving initial access via exploit of CVE-2023-3519, threat actors dropped a web shell on the vulnerable ADC appliance, which was present on a non-production environment. The web shell enabled subsequent information discovery on the victim's Active Directory (\"AD\"), followed by collection and exfiltration of AD-related data. The actors also attempted lateral movement to a domain controller, but the Advisory indicated that network segmentation controls for the ADC appliance blocked this attempted activity.<sup>[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]</sup> Separately, in a blog on CVE-2023-3519 exploit investigations released the day after the CISA Advisory, Mandiant indicated that the type of activity observed is \"consistent with previous operations by China-nexus actors\".<sup>[[Mandiant CVE-2023-3519 Exploitation](/references/4404ed65-3020-453d-8c51-2885018ba03b)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-3519<sup>[[U.S. 
CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]</sup>","first_seen":"2023-06-01T00:00:00Z","last_seen":"2023-06-30T00:00:00Z","created":"2023-07-28T16:33:37.160281Z","modified":"2023-07-28T16:33:37.160287Z","campaign_attack_id":"C3004","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"6ac0dad8-7a46-4420-a987-a81fc9edcba2","tag":"fe984a01-910d-4e39-9c49-179aa03f75ab"},{"id":"59159ed1-3abf-4e27-8798-39b33a264b4a","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"4ec151ab-ae33-4045-a4ea-097e62ba3558","tag":"c475ad68-3fdc-4725-8abc-784c56125e96"}],"tidal_id":"c821d518-8dd2-58dc-939b-5af20233b185"},{"id":"3cffb49b-35fb-4b89-9cd6-011353a9863c","name":"KimJongRAT Variant Campaign (2024-2025)","description":"A broad campaign by Kimsuky involving the ongoing evolution and deployment of KimJongRAT variants, including both PE and PowerShell script delivery, targeting South Korean individuals and organizations with phishing, credential theft, and data exfiltration.<sup>[[ENKI Kimsuky KimJongRAT November 21 2025](/references/e060d834-1dfa-4451-b921-7aa26a2ffa30)]</sup>","first_seen":"2024-01-01T00:00:00Z","last_seen":"2025-11-21T00:00:00Z","created":"2025-12-10T14:15:26.736333Z","modified":"2025-12-10T14:15:26.736339Z","campaign_attack_id":"C3194","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"cc9b189b-396c-4360-bada-24ebafeb01c7","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"fa76fb2a-388e-4bc6-8b75-0331cef2b1dd","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"b40c63cd-f20a-50df-85bd-458db682a236"},{"id":"b9c494de-be20-4076-a222-45f5cb31984a","name":"Kimsuky Remote Desktop Access Activity","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2024-01-01T00:00:00Z","last_seen":"2024-12-31T00:00:00Z","created":"2025-02-11T18:20:49.947065Z","modified":"2025-02-11T18:20:49.947068Z","campaign_attack_id":"C3090","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"b21ac883-dd9b-45d6-ad5a-f3b8965db75f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"72843736-eaf4-4c47-b6d6-e26e8af5f8ea","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"db9d9277-76a1-57b5-a498-7095522e1fff"},{"id":"42fa0144-c71b-4ca8-97b5-f85698870ea8","name":"Kraken big-game hunting and double extortion attacks","description":"A campaign observed in August 2025 involving the Kraken ransomware group conducting big-game hunting and double extortion attacks against enterprises in multiple countries, leveraging SMB vulnerabilities for initial access and using tools like Cloudflared and SSHFS for persistence and data exfiltration.<sup>[[Cisco Talos Blog November 13 2025](/references/a4982787-11b3-484b-b28b-c24b51405e57)]</sup>","first_seen":"2025-08-01T00:00:00Z","last_seen":"2025-08-31T00:00:00Z","created":"2025-12-10T14:15:23.902984Z","modified":"2025-12-10T14:15:23.902991Z","campaign_attack_id":"C3179","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"f4c8f5f5-5cb0-4b10-8943-ea669ce71952","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"37d6c3ee-2c3d-42a8-a8cc-61e1510cbc1d","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"a2e088d7-54d1-56e8-ad23-0510a178452f"},{"id":"c0c1054c-46f0-5221-9e7c-9907fe224947","name":"KV Botnet Activity","description":"[KV Botnet Activity](https://app.tidalcyber.com/campaigns/c0c1054c-46f0-5221-9e7c-9907fe224947) consisted of exploitation of primarily “end-of-life” small office-home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. 
[KV Botnet Activity](https://app.tidalcyber.com/campaigns/c0c1054c-46f0-5221-9e7c-9907fe224947) was used by [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) to obfuscate connectivity to victims in multiple critical infrastructure segments, including energy and telecommunication companies and entities based on the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster.<sup>[[Lumen KVBotnet 2023](https://app.tidalcyber.com/references/81bbc4e1-e1e6-5c93-bf65-ffdc9c7ff71d)]</sup> This botnet was disrupted by US law enforcement entities in early 2024 after periods of activity from October 2022 through January 2024.<sup>[[DOJ KVBotnet 2024](https://app.tidalcyber.com/references/55cf0ced-0de3-5af8-b3e6-3c33bb445593)]</sup>","first_seen":"2022-10-01T04:00:00Z","last_seen":"2024-01-01T05:00:00Z","created":"2024-10-31T16:28:09.598046Z","modified":"2024-10-31T16:28:09.598051Z","campaign_attack_id":"C0035","source":"MITRE","owner_name":null,"tags":[{"id":"68265082-421e-4a73-a9c9-95ca4643a11a","tag":"b20e7912-6a8d-46e3-8e13-9a3fc4813852"}],"tidal_id":"c0c1054c-46f0-5221-9e7c-9907fe224947"},{"id":"c7035b5b-575a-5007-83bb-6b559fbfe3f3","name":"Leviathan Australian Intrusions","description":"[Leviathan Australian Intrusions](https://app.tidalcyber.com/campaigns/c7035b5b-575a-5007-83bb-6b559fbfe3f3) consisted of at least two long-term intrusions against victims in Australia by [Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871), relying on similar tradecraft such as external service exploitation followed by extensive credential capture and re-use to enable privilege escalation and lateral movement. 
[Leviathan Australian Intrusions](https://app.tidalcyber.com/campaigns/c7035b5b-575a-5007-83bb-6b559fbfe3f3) were focused on exfiltrating sensitive data including valid credentials for the victim organizations.<sup>[[CISA Leviathan 2024](https://app.tidalcyber.com/references/4b538c35-ffa0-585f-b708-8c69a07f434a)]</sup>","first_seen":"2022-04-01T06:00:00Z","last_seen":"2022-09-01T06:00:00Z","created":"2025-04-22T20:47:03.341889Z","modified":"2025-04-22T20:47:03.341892Z","campaign_attack_id":"C0049","source":"MITRE","owner_name":null,"tags":[{"id":"05af847b-f7ca-433d-b0a0-e21558ff8cc0","tag":"96d58ca1-ab18-4e53-8891-d8ba62a47e5d"},{"id":"59582109-db74-4492-a3e8-b878a12c0ede","tag":"6070668f-1cbd-4878-8066-c636d1d8659c"},{"id":"5a0c56a9-64ad-4df0-b221-4a27bd81a8d0","tag":"d8f7e071-fbfd-46f8-b431-e241bb1513ac"},{"id":"f6b8b839-7de8-4f65-a95a-db8fd291b9cb","tag":"758c3085-2f79-40a8-ab95-f8a684737927"},{"id":"0a6b1eb8-07df-4c50-bf91-3f741db7df20","tag":"1dc8fd1e-0737-405a-98a1-111dd557f1b5"},{"id":"bb9c85a9-ec5b-4f1c-94bd-a6e0a6717538","tag":"61cdbb28-cbfd-498b-9ab1-1f14337f9524"},{"id":"4909fe86-c61c-4707-8f8c-8021a1421ccc","tag":"e551ae97-d1b4-484e-9267-89f33829ec2c"},{"id":"53c5e887-7735-475f-816d-9d3eded48f0f","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"d263374b-8912-4a80-ac5b-7b9ba8850c5e","tag":"35e694ec-5133-46e3-b7e1-5831867c3b55"},{"id":"fa838773-2ce3-4b50-9c65-39b28615871d","tag":"375983b3-6e87-4281-99e2-1561519dd17b"},{"id":"77bd9e4e-40e8-467f-8bf8-0e713d7cb3b0","tag":"3ed2343c-a29c-42e2-8259-410381164c6a"},{"id":"4461759b-673a-4c10-8e3e-fff7d7072069","tag":"a46c422c-5dad-49fc-a4ac-169a075a4d9a"},{"id":"d037f4b2-074e-4a27-b343-1dbb8d5d9318","tag":"2eeef0b4-08b5-4d25-84f7-25d41fe6305b"},{"id":"08c359fe-e0b7-41ce-8c7b-60f01c94c5ac","tag":"64d3f7d8-30b7-4b03-bee2-a6029672216c"},{"id":"b2ce44f3-ef32-4a09-a0c1-22e7e75985ab","tag":"7e6ef160-8e4f-4132-bdc4-9991f01c472e"},{"id":"dade0e85-e9cc-4425-a705-2ce6f8e2e946","tag":"b20e7912-6a8d-46e3-8e13-9a3fc4813852"
}],"tidal_id":"c7035b5b-575a-5007-83bb-6b559fbfe3f3"},{"id":"f4225d6a-8734-401f-aa2a-1a73c23b16e6","name":"LockBit Affiliate Citrix Bleed Exploits","description":"In November 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-325A, which detailed observed exploitation of CVE-2023-4966 (known colloquially as the “Citrix Bleed” vulnerability) by threat actors believed to be affiliated with the LockBit ransomware operation.\n\nCitrix Bleed is a vulnerability in Citrix NetScaler web application delivery control (“ADC”) and NetScaler Gateway appliances, which allows adversaries to bypass password requirements and multifactor authentication, enabling hijacking of legitimate user sessions and subsequent credential harvesting, lateral movement, and data or resource access. Authorities indicated that they expected “widespread” Citrix Bleed exploitation on unpatched services due to the ease of carrying out the exploit.\n\nAfter successful Citrix Bleed exploitation, LockBit affiliates were observed using a variety of follow-on TTPs and using a range of software, including abuse of native utilities and popular legitimate remote management and monitoring (“RMM”) tools. Indicators of compromise associated with recent intrusions and further incident response and mitigation guidance can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a).<sup>[[U.S. 
CISA LockBit Citrix Bleed November 21 2023](/references/21f56e0c-9605-4fbb-9cb1-f868ba6eb053)]</sup> Public reporting suggested that actors associated with the Medusa and Qilin ransomware operations, plus other unknown ransomware and uncategorized actors, had also exploited Citrix Bleed as part of their operations.<sup>[[Malwarebytes Citrix Bleed November 24 2023](/references/fdc86cea-0015-48d1-934f-b22244de6306)]</sup><sup>[[Cybernews Yanfeng Qilin November 2023](/references/93c89ca5-1863-4ee2-9fff-258f94f655c4)]</sup>","first_seen":"2023-08-01T00:00:00Z","last_seen":"2023-11-16T00:00:00Z","created":"2023-12-01T14:42:17.256879Z","modified":"2023-12-01T14:42:17.256885Z","campaign_attack_id":"C3016","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"27daf5bf-609d-41af-9b1a-0e7a35f6fa3d","tag":"35e694ec-5133-46e3-b7e1-5831867c3b55"},{"id":"dcece79c-7559-4f8a-a9d2-9d59b0138eef","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"9620570b-f112-400d-8160-c5740bdb0ace","tag":"15b77e5c-2285-434d-9719-73c14beba8bd"},{"id":"f3b2c738-b2f6-49a1-a029-1ff780a3ac36","tag":"5e7433ad-a894-4489-93bc-41e90da90019"},{"id":"a5c62fbd-f236-4979-8564-1625b7f19a3e","tag":"7e7b0c67-bb85-4996-a289-da0e792d7172"}],"tidal_id":"08713487-96ab-55e7-89f6-8aaf1800f087"},{"id":"6f1bf24e-0bbd-496f-9286-cec0d77ff47a","name":"LongNosedGoblin Southeast Asia and Japan Government Targeting (2023-2025)","description":"A series of cyberespionage campaigns by LongNosedGoblin targeting governmental entities in Southeast Asia and Japan, using custom malware and cloud-based C2.<sup>[[None December 18 2025](/references/5a6246f8-c78e-404e-9f77-eaa8639114d3)]</sup>","first_seen":"2023-09-01T00:00:00Z","last_seen":"2025-09-30T00:00:00Z","created":"2025-12-24T14:57:52.709037Z","modified":"2025-12-24T14:57:52.709040Z","campaign_attack_id":"C3233","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"d3f05308-08dd-4aab-9cd3-60968ad8e60c","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"836fea88-7f44-4d03-8491-243b41d7c5c9","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"6144c15e-74df-54f8-87be-fd7c1d783e96"},{"id":"e7cbc095-7ecf-4799-9f5b-e15f04653604","name":"Lumma Stealer Distribution via Spoofed Webpages","description":"A security researcher discovered nearly 1,000 malicious webpages that were being used to distribute Lumma Stealer malware. The pages were designed to look like legitimate posts on the Reddit social media platform, and comments to the posts contained further links to fake versions of webpages for the WeTransfer file transfer service. On the WeTransfer page, victims could download spoofed, malicious software which would ultimately drop and execute the infostealer. The researcher indicated that they are not sure how the malicious links were being distributed (such as via SEO poisoning, malvertising, or other means).<sup>[[SC Media January 24 2025](/references/b32da1da-bb84-41eb-922e-aa3e00b3efdf)]</sup>","first_seen":"2024-12-26T00:00:00Z","last_seen":"2025-01-20T00:00:00Z","created":"2025-02-11T18:20:49.733530Z","modified":"2025-02-11T18:20:49.733535Z","campaign_attack_id":"C3089","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"62e182e4-1729-4761-ba40-2e11dbc00256","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"d6b65804-0ad5-4580-b9e9-41fee40b50d4","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"ede3be88-ab1a-5792-9cc5-090d2c8e897c"},{"id":"15e6240a-6572-49ef-99d6-5414749bcc84","name":"Lumma Stealer Resurgence Post-Doxxing","description":"A campaign marked by a resurgence in Lumma Stealer activity following the doxxing of its core members, featuring new browser fingerprinting and C&C techniques.<sup>[[Trend Micro November 13 
2025](/references/42e2f322-f311-4d96-9f07-9d4130c83cab)]</sup>","first_seen":"2025-10-20T00:00:00Z","last_seen":"2025-11-03T00:00:00Z","created":"2025-12-10T14:15:23.666814Z","modified":"2025-12-10T14:15:23.666820Z","campaign_attack_id":"C3178","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"2319975c-f2dd-4bbc-bdc7-d7186809a57a","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"4d67f86d-ef7e-4dad-b520-3dbb46afa252","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"6b6dfcb0-e7e7-5ab6-a996-c47818aec47a"},{"id":"64c916d6-17cb-4fbb-a990-b3b881847790","name":"Lunar Spider Latrodectus/Brute Ratel Intrusion May 2024","description":"A campaign in May 2024 where Lunar Spider used tax-themed phishing to deliver Latrodectus and Brute Ratel, enabling a two-month intrusion with credential theft, lateral movement, and data exfiltration.<sup>[[The DFIR Report September 29 2025 09 29 2025](/references/062eb61b-ad37-4688-8008-7d8241ca63dd)]</sup>","first_seen":"2024-05-09T00:00:00Z","last_seen":"2024-07-09T00:00:00Z","created":"2025-10-13T17:29:36.006533Z","modified":"2025-10-13T17:29:36.006537Z","campaign_attack_id":"C3135","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"bce03ead-224b-4bc5-9110-6d571bf768b4","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"474fd4bb-6a60-4af5-845c-c07edae2b5d6","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"80f6866b-e0af-56e0-98ea-275a98679fd6"},{"id":"6a26cfc3-9554-4b63-966f-35378f723152","name":"Lynx Ransomware March 2025 Intrusion","description":"A multi-day intrusion in March 2025 involving initial access via compromised RDP credentials, lateral movement, data exfiltration, and deployment of Lynx ransomware across backup and file servers.<sup>[[The DFIR Report November 17 
2025](/references/0b46ec32-fa74-4d0a-8816-0dab60e575cb)]</sup>","first_seen":"2025-03-01T00:00:00Z","last_seen":"2025-03-09T00:00:00Z","created":"2025-11-19T17:45:57.574404Z","modified":"2025-11-19T17:45:57.574407Z","campaign_attack_id":"C3169","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"a0668a79-cacd-4295-be7e-dab45b382e56","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"6defcb6f-fc12-41c9-ac67-6d8c969e36af","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"e2f355bd-46b0-571a-b165-29e1172c0c18"},{"id":"2229e945-ec3d-4e20-ad4a-bd12741a6724","name":"MacroPack Payload Delivery Activity","description":"Researchers identified malicious documents generated with \"MacroPack\", a red teaming framework used to generate attack payloads. The framework was used to deploy the Brute Ratel and Havoc post-exploitation frameworks and the PhantomCore remote access trojan. In addition to red teaming applications, researchers assessed that MacroPack is also being abused by threat actors.<sup>[[Cisco Talos Blog September 3 2024](/references/b222cabd-347d-45d4-aeaf-4135795d944d)]</sup>","first_seen":"2024-05-01T00:00:00Z","last_seen":"2024-07-01T00:00:00Z","created":"2024-09-06T15:14:39.266984Z","modified":"2024-09-06T15:14:39.266987Z","campaign_attack_id":"C3052","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"a5e6c804-b152-4c3b-bf05-25198fd74b0a","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"078e9fac-9904-4ce5-8548-61bb46b28a75","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"24af4cb3-5257-5d18-9328-35de28d4b6a9"},{"id":"d4fd0132-0a57-4e3f-859f-9fb13d10d2b6","name":"Malicious npm packages delivering NodeCordRAT","description":"A software supply chain campaign in November 2025 where three malicious npm packages (bitcoin-main-lib, bitcoin-lib-js, bip40) were used to deliver NodeCordRAT, a Discord-based RAT targeting developer systems for credential and cryptocurrency theft.<sup>[[Www.zscaler.com January 07 
2026](/references/e376a782-9a39-47da-aa27-008a59bd1877)]</sup>","first_seen":"2025-11-01T00:00:00Z","last_seen":"2025-11-30T00:00:00Z","created":"2026-01-14T13:32:10.109024Z","modified":"2026-01-14T13:32:10.109028Z","campaign_attack_id":"C3273","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"0a71668b-eceb-4f75-9f7a-87f21ea677a5","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"b0709f82-3ac7-42f4-bc1e-fbfb4eebf000","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"1ae6434f-1c44-5232-8377-f035aba6e432"},{"id":"d783932b-7dcf-4947-ba75-fd54a0e5dc7c","name":"Marbled Dust Output Messenger Zero-Day Attack","description":"Actors attributed to Marbled Dust, a Türkiye-affiliated cyber espionage group, were observed exploiting user accounts via a zero-day vulnerability in the Output Messenger cross-platform messaging application. The attacks targeted users associated with the Kurdish military in Iraq and sought to exfiltrate data. Microsoft security researchers indicated that \"successful use of a zero-day exploit suggests an increase in [Marbled Dust] technical sophistication\".<sup>[[Microsoft Security Blog May 12 2025](/references/8fb1a0ff-2977-4f50-aba9-e5f5c2b63647)]</sup>","first_seen":"2024-04-05T00:00:00Z","last_seen":"2025-05-12T00:00:00Z","created":"2025-06-03T14:14:56.696320Z","modified":"2025-06-03T14:14:56.696324Z","campaign_attack_id":"C3109","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"2cae1249-5e77-4a4c-94cd-706abf2cb60e","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"dd4241eb-71ec-4c03-ada3-d11e8aa96e94","tag":"4cf3ee7b-b06d-40f8-a455-64e5605d7790"},{"id":"52a3038f-fbb2-41c1-b800-b51a73068175","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"186526ca-e88e-4624-9a6a-d554e37409bb","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"77a0e99d-954d-5460-b2fb-bc15bd1c5d4f"},{"id":"39018380-0bfc-5d68-98c4-546d7b74e11e","name":"Maroochy Water Breach","description":"[Maroochy Water 
Breach](https://app.tidalcyber.com/campaigns/39018380-0bfc-5d68-98c4-546d7b74e11e) was an incident in 2000 where an adversary leveraged the local government’s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.<sup>[[Marshall Abrams July 2008](https://app.tidalcyber.com/references/7ed1c974-802d-5b1c-b93d-f0af2a46b033)]</sup>","first_seen":"2000-02-01T05:00:00Z","last_seen":"2000-04-01T05:00:00Z","created":"2026-01-28T13:08:18.104055Z","modified":"2026-01-28T13:08:18.104059Z","campaign_attack_id":"C0020","source":"ICS","owner_name":null,"tags":[],"tidal_id":"39018380-0bfc-5d68-98c4-546d7b74e11e"},{"id":"f74885c3-c39b-4db4-ab4f-2990929450a2","name":"May 2023 Exfiltration & Wiper Activity (Truebot + FlawedGrace + MBR Killer)","description":"The DFIR Report researchers reported about activity taking place in May 2023, which saw an adversary, attributed to FIN11 and Lace Tempest, achieve initial access into a victim environment via a spearphishing email, leading to the download of Truebot malware. Several other tools and malware were then subsequently used to move laterally, discover and collect victim information, exfiltrate it, and ultimately deploy a wiper. These included: FlawedGrace, Cobalt Strike, Impacket, various native utilities, and MBR Killer. 
In total, the activity lasted for 29 hours.<sup>[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]</sup>","first_seen":"2023-05-01T00:00:00Z","last_seen":"2023-05-31T00:00:00Z","created":"2024-06-13T20:12:36.528114Z","modified":"2024-06-13T20:12:36.528118Z","campaign_attack_id":"C3002","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"a7076385-4ae6-4247-a595-8fcffe102603","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"36e61e25-15d7-467e-bc1e-f797712bb574","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"5c082d63-0331-5c39-b5b4-44e3cfce3bbf"},{"id":"4c01ad48-6a09-462a-abf4-24ba0a4cea56","name":"Microsoft Midnight Blizzard Breach","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.","first_seen":"2023-11-30T00:00:00Z","last_seen":"2024-01-12T00:00:00Z","created":"2024-06-13T20:12:38.182198Z","modified":"2024-06-13T20:12:38.182202Z","campaign_attack_id":"C3023","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"b840aff1-ae1d-44ae-aac3-dea36659a7c3","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"278c7050-44e7-4309-8461-4d6aa51facc9","tag":"15f2277a-a17e-4d85-8acd-480bf84f16b4"},{"id":"cc729a69-a4af-4750-9567-2b6b75e1eedb","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"d189fba1-f530-5f95-abb0-1c67e32d3cd6"},{"id":"afaa897f-dab5-4cf5-8f97-931c52ba00c2","name":"Midnight Blizzard RDP File Spearphishing Campaign","description":"Microsoft security researchers identified a campaign attributed to Russian espionage group Midnight Blizzard, in which actors sent spearphishing emails containing remote desktop protocol (RDP) configuration file attachments to thousands of users. 
Recipients included employees from more than 100 organizations, including government, higher education, defense, and non-governmental entities in the United Kingdom, elsewhere in Europe, Australia, and Japan. According to the researchers, the use of signed .rdp file attachments, which when opened connect the victim's system to an actor-controlled server and map local resources (such as drives, clipboard contents, printers, and peripheral devices) to that server, represented a new initial access method for Midnight Blizzard.<sup>[[Microsoft Midnight Blizzard October 29 2024](/references/b4455d64-1171-487d-b0b4-be192be7b08c)]</sup>","first_seen":"2024-10-22T00:00:00Z","last_seen":"2024-10-29T00:00:00Z","created":"2024-11-15T17:29:25.475556Z","modified":"2024-11-15T17:29:25.475559Z","campaign_attack_id":"C3071","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"db19d2b6-f03f-4c87-bd9d-bf484dfad256","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"ca8c3c2f-6b4f-4c62-9b30-29754cc2db1f","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"e12a30ca-9892-5da4-9a4e-48861f856dd6"},{"id":"f1922702-2c16-496e-9d21-f32fc9c6daee","name":"Molerats 2021 Backdoor Delivery Campaign","description":"Researchers observed a campaign that took place in the latter half of 2021, apparently directed at individuals representing financial and political figures in Palestine and Turkey, that used malicious, macro-based Microsoft Office files to compromise victim systems with the aim of installing a .NET-based backdoor tool. 
Researchers attributed the activity to the Molerats APT group.<sup>[[Zscaler Molerats Campaign](/references/3b39e73e-229f-4ff4-bec3-d83e6364a66e)]</sup>","first_seen":"2021-07-01T00:00:00Z","last_seen":"2021-12-01T00:00:00Z","created":"2024-06-13T20:12:36.731801Z","modified":"2024-06-13T20:12:36.731806Z","campaign_attack_id":"C3011","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"9f2d862d-3668-4099-b479-2906934ff92c","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"de769632-1908-47d1-be0c-da9c84e79366","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"4007e5f9-3fe4-577b-8870-35d40a267ff7"},{"id":"d60440a9-e9fb-4199-a916-aa6da8fa2d8f","name":"MuddyWater and Lyceum joint sub-campaign (Jan-Feb 2025)","description":"A joint sub-campaign in January and February 2025 where MuddyWater and Lyceum cooperated to target a manufacturing-sector organization in Israel, using spearphishing and RMM tools for initial access and credential harvesting.<sup>[[None December 02 2025](/references/fc19e816-1740-468e-966e-a7cb1165e16e)]</sup>","first_seen":"2025-01-01T00:00:00Z","last_seen":"2025-02-28T00:00:00Z","created":"2025-12-10T14:15:28.564178Z","modified":"2025-12-10T14:15:28.564182Z","campaign_attack_id":"C3198","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"088f2bf5-8f77-49d0-926a-50b72ea2e0a3","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"1f066683-800b-4468-b16e-719058e8c544","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"e483e18c-66bf-5592-abf5-1f720bef95d5"},{"id":"e753ef1f-48a1-442b-a07d-7daf9a1486e3","name":"Muddy Water RustyWater Spearphishing Campaign (2025-2026)","description":"A spear-phishing campaign attributed to Muddy Water APT targeting diplomatic, maritime, financial, and telecom sectors in the Middle East, using malicious Word documents to deliver the RustyWater Rust-based implant.<sup>[[Www.cloudsek.com January 09 
2026](/references/1f12b457-540c-4e11-bd9b-df360a318aa6)]</sup>","first_seen":"2025-11-27T00:00:00Z","last_seen":"2026-01-08T00:00:00Z","created":"2026-01-14T13:32:09.413255Z","modified":"2026-01-14T13:32:09.413259Z","campaign_attack_id":"C3269","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"b5918377-08ed-41f4-8c7a-fbd5f9b78ac1","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"aac63d14-7571-4a23-9402-cc382db2fefd","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"5cd9a019-45ea-58d4-9217-2251ca616c29"},{"id":"4bf10a59-b927-4ffa-a937-83633b35ec99","name":"MuddyWater: Snakes by the riverbank","description":"A campaign primarily targeting organizations in Israel and one in Egypt, using custom malware and improved tactics for defense evasion and persistence, running from September 30, 2024 to March 18, 2025.<sup>[[None December 02 2025](/references/fc19e816-1740-468e-966e-a7cb1165e16e)]</sup>","first_seen":"2024-09-30T00:00:00Z","last_seen":"2025-03-18T00:00:00Z","created":"2025-12-10T14:15:28.777344Z","modified":"2025-12-10T14:15:28.777348Z","campaign_attack_id":"C3199","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"0331ccff-d3a5-4f12-935a-b2f9072b1918","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"56b3b048-a896-4f7c-b702-84939bd8facf","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"ad1ec5e8-a96a-55c7-9751-571d3ba947e2"},{"id":"515cddcd-ca61-498a-9c56-880f69bcc3f8","name":"Multi-Stage AsyncRAT Campaign via Managed Detection and Response","description":"A sophisticated phishing and malware campaign that abuses Cloudflare's free-tier infrastructure and legitimate Python environments to deploy AsyncRAT via multi-stage scripts, code injection, and persistent mechanisms. 
The campaign uses phishing emails with Dropbox links, double-extension files, and social engineering to deceive victims and evade detection.<sup>[[Trend Micro January 12 2026](/references/836489cd-dd2c-4a0d-8783-c055206131e1)]</sup>","first_seen":"2025-10-27T00:00:00Z","last_seen":"2025-11-20T00:00:00Z","created":"2026-01-14T13:32:09.098543Z","modified":"2026-01-14T13:32:09.098547Z","campaign_attack_id":"C3267","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"cc7f9151-37ab-4682-8afe-5ec7c6e707f1","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"b194012a-d892-4ecf-80bb-0199d5e157cb","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"16380633-658b-53b8-ab5e-5975bc6e7886"},{"id":"185defab-107c-4180-9550-089f93463c4b","name":"Mysterious Elephant 2025 Campaign","description":"A campaign beginning in early 2025 involving spear phishing, custom-made and open-source tools, and advanced exfiltration techniques targeting government and foreign affairs sectors in South Asia.<sup>[[Securelist October 15 2025](/references/f0f1a57f-399c-48b8-a43b-fd911baf4471)]</sup>","first_seen":"2025-01-01T00:00:00Z","last_seen":"2025-12-31T00:00:00Z","created":"2026-01-23T20:31:39.235477Z","modified":"2026-01-23T20:31:39.235481Z","campaign_attack_id":"C3282","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"90efca41-206c-4bb5-9def-f7ac6a57cf56","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"96e9c188-4255-4d11-8915-2339d67fff55","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"69da9376-a627-5dd8-b6ad-d3c380c812f5"},{"id":"85f136b3-d5a3-4c4c-a37c-40e4418dc989","name":"Night Dragon","description":"[Night Dragon](https://app.tidalcyber.com/campaigns/85f136b3-d5a3-4c4c-a37c-40e4418dc989) was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. 
The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.<sup>[[McAfee Night Dragon](https://app.tidalcyber.com/references/242d2933-ca2b-4511-803a-454727a3acc5)]</sup>","first_seen":"2009-11-01T04:00:00Z","last_seen":"2011-02-01T05:00:00Z","created":"2022-09-08T13:31:37.391000Z","modified":"2022-09-22T20:45:42.479000Z","campaign_attack_id":"C0002","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"b61480f9-d2e1-52f1-b63d-851a8ae8a36c"},{"id":"ccab6533-9c2d-4ef8-a4a0-27192e6998fa","name":"Nimbus Manticore European Targeting Campaign","description":"A long-running campaign by the Iranian threat actor Nimbus Manticore, targeting defense manufacturing, telecommunications, and aviation sectors in Western Europe, especially Denmark, Sweden, and Portugal, using spear-phishing and custom malware.<sup>[[Check Point Research 09 22 2025](/references/e813f0cf-b9de-429a-8699-aadd90b5de4f)]</sup>","first_seen":"2025-01-01T00:00:00Z","last_seen":"2025-09-22T00:00:00Z","created":"2025-10-07T14:07:45.370601Z","modified":"2025-10-07T14:07:45.370603Z","campaign_attack_id":"C3131","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"7bfeaccd-c050-4c92-a029-fc84b629ccef","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"0bbd0620-84d8-47bb-a330-afbda9313a67","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"48f79d71-1ed1-531c-997f-1cc4357478ef"},{"id":"aafeaf8e-0aba-4188-9d49-4f8007af7cac","name":"November 2023-May 2025 Lumma Stealer Deployment Activity","description":"In May 2025, U.S. cybersecurity authorities released joint cybersecurity advisory AA25-141B, which detailed behaviors used by unspecified threat actors to deploy the LummaC2 (aka Lumma Stealer) information stealer (infostealer) malware. 
The advisory covered activity observed from November 2023 through May 2025.<sup>[[U.S. CISA LummaC2 May 21 2025](/references/bbb517d2-a84a-4e60-a1ae-32c2841e7f34)]</sup>\n\nSeparately, on May 21, 2025 (the day of the advisory's release), U.S. Justice Department officials, international agencies, and private sector partners announced coordinated efforts to seize thousands of domains associated with Lumma Stealer distribution, including its \"central command structure\".<sup>[[U.S. DOJ Lumma Stealer Domain Seizures May 21 2025](/references/e26d1951-fadf-46c5-96af-3845929fd470)]</sup><sup>[[Microsoft Lumma Stealer Disruption May 21 2025](/references/bc7580b8-a686-4f90-a833-55592c62894b)]</sup>","first_seen":"2023-11-01T00:00:00Z","last_seen":"2025-05-21T00:00:00Z","created":"2025-05-23T14:42:12.116749Z","modified":"2025-05-23T14:42:12.116751Z","campaign_attack_id":"C3106","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"c17b4705-84a5-4c4c-9633-93cef91d248d","tag":"e551ae97-d1b4-484e-9267-89f33829ec2c"},{"id":"0326a831-f5bb-4061-9850-4fafe9b914a7","tag":"15787198-6c8b-4f79-bf50-258d55072fee"}],"tidal_id":"e0afc489-e6ac-5879-86c6-6dfea18b8231"},{"id":"fca0581f-ee77-4b8c-898e-ab54b156faab","name":"November 2025 IIS Web Exploitation and Persistence Campaign","description":"A series of related incidents in November 2025 where a threat actor exploited IIS web application vulnerabilities to deploy remote access tools and establish persistence across multiple organizations, iteratively adapting techniques to bypass security controls.<sup>[[Huntress December 22 2025](/references/853d719f-f41d-49e4-8752-7c0e3f7090df)]</sup>","first_seen":"2025-11-06T00:00:00Z","last_seen":"2025-11-25T00:00:00Z","created":"2025-12-29T17:41:32.982311Z","modified":"2025-12-29T17:41:32.982315Z","campaign_attack_id":"C3246","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"8365fb39-5cbb-446d-b8ba-fe473f072436","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"597e3dcf-b83b-41f4-bb7a-4b06f863af9a","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"9cdbc5f1-b536-58c5-9c13-6c9ca013c906"},{"id":"a11d1575-5487-41cd-83b5-1601aa9d5487","name":"Okta Customer Support Security Incident","description":"According to details published by Okta Security, threat actors gained unauthorized access to Okta’s customer support management system from September 28 to October 17, 2023. Initial access to the system was believed to have been achieved after an employee signed into a personal cloud account on their Okta-managed laptop and saved the legitimate credentials for an Okta service account into that cloud profile. Okta Security believes the personal cloud account was most likely compromised (through unspecified means), exposing the Okta service account credentials.\n\nAfter gaining access to the Okta customer support management system using the valid service account credentials, the threat actor accessed HTTP Archive (HAR) files provided by Okta customers, which can contain cookies and session tokens. Okta indicated that the threat actor used session tokens compromised during the incident to hijack the legitimate Okta sessions of at least five customers. The threat actor is also believed to have run and downloaded a report that contained the names and email addresses of all Okta customer support system users. 
Considering that customers’ names and email addresses were downloaded, Okta Security indicated that they assessed there is an increased risk of phishing and social engineering attacks directed at those users following the incident.<sup>[[Okta HAR Files Incident Notice](/references/14855034-494e-477d-8c91-fc534fd7790d)]</sup><sup>[[Okta HAR Files RCA](/references/742d095c-9bd1-4f4a-8bc6-16db6d15a9f4)]</sup><sup>[[Okta HAR Files Incident Update](/references/5e09ab9c-8cb2-49f5-b65f-fd5447e71ef4)]</sup>","first_seen":"2023-09-28T00:00:00Z","last_seen":"2023-10-17T00:00:00Z","created":"2024-06-13T20:12:37.230496Z","modified":"2024-06-13T20:12:37.230499Z","campaign_attack_id":"C3018","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"9b887e7e-a73e-49b8-b1cf-dfb9df96e0b5","tag":"e7ea1f6d-59f2-40c1-bbfe-835dedf033ee"},{"id":"1958e592-950e-4d23-a080-f91851091ee7","tag":"fe28cf32-a15c-44cf-892c-faa0360d6109"},{"id":"8f3f8f0a-e829-40d5-aa73-e9dff66ced9c","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"64ece2c6-5931-4517-bbae-7270584d0666","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"727f1c66-dd0e-566b-98fe-5af7f695b387"},{"id":"fd9478a7-1e9c-43d3-a38a-95e243be1c80","name":"Operation Artemis","description":"A spear-phishing campaign by APT37 targeting South Korean organizations using HWP documents, DLL side-loading, and cloud-based C2 infrastructure. 
The campaign leverages social engineering, steganography, and multi-stage payloads to evade detection.<sup>[[None December 21 2025](/references/57b3ee67-b2b8-4937-a557-411a870bb5b3)]</sup>","first_seen":"2023-08-01T00:00:00Z","last_seen":"2023-11-30T00:00:00Z","created":"2025-12-29T17:41:31.453034Z","modified":"2025-12-29T17:41:31.453037Z","campaign_attack_id":"C3236","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"a605050a-80c3-4a75-ad28-1d1fc336067a","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"c523a5a9-2f14-48ff-8f4d-964f1183e39b","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"7a590376-0dc9-5f1c-b0e3-71e7b3b034b7"},{"id":"3e699e87-205e-4d6b-8c0d-680fa762575a","name":"Operation Baby Coin","description":"A campaign reported by ESTSecurity in 2018, overlapping with Kimsuky activity and involving KimJongRAT and related malware.<sup>[[ENKI Kimsuky KimJongRAT November 21 2025](/references/e060d834-1dfa-4451-b921-7aa26a2ffa30)]</sup>","first_seen":"2018-01-01T00:00:00Z","last_seen":"2018-12-31T00:00:00Z","created":"2025-12-10T14:15:26.925744Z","modified":"2025-12-10T14:15:26.925750Z","campaign_attack_id":"C3195","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"f326f866-733c-45cd-95f5-0cc39ff89627","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"bd4f5a2b-b8d6-43a8-9f89-88eb9e3cb3e5","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"17adaf2f-67de-5d67-95c9-f8182c2872fa"},{"id":"0496e076-1813-4f51-86e6-8f551983e8f8","name":"Operation Bearded Barbie","description":"\"Operation Bearded Barbie\" was a suspected AridViper (aka APT-C-23/Desert Falcon) campaign that appeared to target Israeli individuals, especially \"high-profile\" defense, law enforcement, and other government service personnel. The campaign heavily relied upon social engineering techniques, including the use of well-developed social media personas, aimed at tricking targets into installing backdoors for Windows and Android devices. 
The campaign appeared to be motivated by information collection for espionage purposes.<sup>[[Cybereason Operation Bearded Barbie April 5 2022](/references/7d71b7c9-531e-4e4f-ab85-df2380555b7a)]</sup>","first_seen":"2022-03-01T00:00:00Z","last_seen":"2022-04-01T00:00:00Z","created":"2024-04-25T14:11:07.098441Z","modified":"2024-04-25T14:11:07.098445Z","campaign_attack_id":"C3015","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"424a32ca-aedf-4d73-9211-868c98e59ed5","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"e7b35f42-a08f-40a4-85ae-2da17210f6e3","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"f3d5585a-a628-50da-84b0-0b01f2617a17"},{"id":"cb6c1b04-8d33-4886-9fa6-9759da0f37d9","name":"Operation Code on Toast","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2024-05-01T00:00:00Z","last_seen":"2024-05-31T00:00:00Z","created":"2025-05-06T16:29:22.901976Z","modified":"2025-05-06T16:29:22.901980Z","campaign_attack_id":"C3100","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"557ee187-b31b-4440-b3ee-a364c1ed7347","tag":"19e8c417-a31d-417d-8266-f2430fa4cc02"},{"id":"2cd3ffd5-5bca-41a9-860a-280ae05e153d","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"f7a5eeb2-66f0-4fd6-a292-4fb453938e42","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"f29849bd-9485-5ef6-85f3-0e7bea3908c1"},{"id":"81bf4e45-f0d3-4fec-a9d4-1259cf8542a1","name":"Operation CuckooBees","description":"[Operation CuckooBees](https://app.tidalcyber.com/campaigns/81bf4e45-f0d3-4fec-a9d4-1259cf8542a1) was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. 
Security researchers noted the goal of [Operation CuckooBees](https://app.tidalcyber.com/campaigns/81bf4e45-f0d3-4fec-a9d4-1259cf8542a1), which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed [Operation CuckooBees](https://app.tidalcyber.com/campaigns/81bf4e45-f0d3-4fec-a9d4-1259cf8542a1) was conducted by actors affiliated with [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b), [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9), and BARIUM.<sup>[[Cybereason OperationCuckooBees May 2022](https://app.tidalcyber.com/references/fe3e2c7e-2287-406c-b717-cf7721b5843a)]</sup>","first_seen":"2019-12-01T07:00:00Z","last_seen":"2022-05-01T06:00:00Z","created":"2022-09-22T20:07:47.208000Z","modified":"2022-10-13T15:10:42.515000Z","campaign_attack_id":"C0012","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"692402f6-f33b-5945-9020-503229da5d02"},{"id":"2a537808-da78-4607-979c-92b84772c4fb","name":"Operation Deceptive Prospect","description":"Actors attributed to the RomCom adversary group targeted UK organizations via customer feedback portals, exploiting these mechanisms to deliver remote access trojan malware that enabled comprehensive remote control over infected systems. 
The campaign showcased advanced social engineering techniques through convincing feedback submissions containing embedded malicious code.<sup>[[CybersecurityNews May 5 2025](/references/8516eaf7-0749-4dba-9d04-c112a13a87f4)]</sup>","first_seen":"2025-03-01T00:00:00Z","last_seen":"2025-03-31T00:00:00Z","created":"2025-05-06T16:29:23.094878Z","modified":"2025-05-06T16:29:23.094883Z","campaign_attack_id":"C3101","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"d6882fec-ad26-49a6-95dd-a3146aabde52","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"05b41091-52c2-4691-8939-6b54114842b6","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"a2a9289d-3b17-5600-bd47-b173f14ec09c"},{"id":"a2c807ea-dcb0-4d46-8cb7-e183eb505467","name":"Operation Diplomatic Specter","description":"A Chinese cyberespionage campaign leveraging rare toolsets to target governmental entities in the Middle East, Africa, and Asia, attributed to Phantom Taurus.<sup>[[Unit 42 September 30 2025 09 30 2025](/references/257d2f0e-d60c-4317-b9ab-ed6e76b90d2d)]</sup>","first_seen":"2023-06-01T00:00:00Z","last_seen":"2024-05-31T00:00:00Z","created":"2025-10-13T17:29:35.858399Z","modified":"2025-10-13T17:29:35.858404Z","campaign_attack_id":"C3134","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"7fd33b1b-3b3a-4fff-8fe9-e38f5aa63176","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"e7249f4b-86e3-4590-8e56-bd2cf6fff92c","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"63d34994-d9df-5ef6-af10-79d32d2796b9"},{"id":"9a94e646-cbe5-54a1-8bf6-70ef745e641b","name":"Operation Dream Job","description":"[Operation Dream Job](https://app.tidalcyber.com/campaigns/9a94e646-cbe5-54a1-8bf6-70ef745e641b) was a cyber espionage operation likely conducted by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. 
In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between [Operation Dream Job](https://app.tidalcyber.com/campaigns/9a94e646-cbe5-54a1-8bf6-70ef745e641b), Operation North Star, and Operation Interception; by 2022 security researchers described [Operation Dream Job](https://app.tidalcyber.com/campaigns/9a94e646-cbe5-54a1-8bf6-70ef745e641b) as an umbrella term covering both Operation Interception and Operation North Star.<sup>[[ClearSky Lazarus Aug 2020](https://app.tidalcyber.com/references/2827e6e4-8163-47fb-9e22-b59e59cd338f)]</sup><sup>[[McAfee Lazarus Jul 2020](https://app.tidalcyber.com/references/43581a7d-d71a-4121-abb6-127483a49d12)]</sup><sup>[[ESET Lazarus Jun 2020](https://app.tidalcyber.com/references/b16a0141-dea3-4b34-8279-7bc1ce3d7052)]</sup><sup>[[The Hacker News Lazarus Aug 2022](https://app.tidalcyber.com/references/8ae38830-1547-5cc1-83a4-87c3a7c82aa6)]</sup>","first_seen":"2019-09-01T04:00:00Z","last_seen":"2020-08-01T04:00:00Z","created":"2023-05-26T01:20:56.122471Z","modified":"2023-05-26T01:20:56.122476Z","campaign_attack_id":"C0022","source":"MITRE","owner_name":null,"tags":[{"id":"2f6c4033-a018-46eb-935e-62110d3d7c6a","tag":"6070668f-1cbd-4878-8066-c636d1d8659c"},{"id":"5ea82196-d687-454e-8512-6f02672640e9","tag":"d8f7e071-fbfd-46f8-b431-e241bb1513ac"}],"tidal_id":"c7660441-3628-5a99-9d57-30dde396a426"},{"id":"af0c0f55-dc4f-4cb5-9350-3a2d7c07595f","name":"Operation Dust Storm","description":"[Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. 
By 2015, the [Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.<sup>[[Cylance Dust Storm](https://app.tidalcyber.com/references/001dd53c-74e6-4add-aeb7-da76b0d2afe8)]</sup>\n\n[Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.<sup>[[Cylance Dust Storm](https://app.tidalcyber.com/references/001dd53c-74e6-4add-aeb7-da76b0d2afe8)]</sup>","first_seen":"2010-01-01T07:00:00Z","last_seen":"2016-02-01T06:00:00Z","created":"2022-09-29T20:00:38.136000Z","modified":"2022-09-30T21:05:22.490000Z","campaign_attack_id":"C0016","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"20c7ff2c-4e57-5482-9859-42e108c80980"},{"id":"1fcfe949-5f96-578e-86ad-069ba123c867","name":"Operation Ghost","description":"[Operation Ghost](https://app.tidalcyber.com/campaigns/1fcfe949-5f96-578e-86ad-069ba123c867) was an [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. 
During [Operation Ghost](https://app.tidalcyber.com/campaigns/1fcfe949-5f96-578e-86ad-069ba123c867), [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.<sup>[[ESET Dukes October 2019](https://app.tidalcyber.com/references/fbc77b85-cc5a-4c65-956d-b8556974b4ef)]</sup>\n","first_seen":"2013-09-01T04:00:00Z","last_seen":"2019-10-01T04:00:00Z","created":"2023-05-26T01:20:56.179238Z","modified":"2023-05-26T01:20:56.179241Z","campaign_attack_id":"C0023","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"254b86c6-db3c-56dc-bc7b-a2a0382dc3e9"},{"id":"08402dd4-0b65-41bc-af1b-aa77efb93cfa","name":"Operation Giant Baby","description":"A campaign attributed to Kimsuky involving the use of KimJongRAT and BabyShark malware, targeting South Korean entities with spear-phishing and data theft.<sup>[[ENKI Kimsuky KimJongRAT November 21 2025](/references/e060d834-1dfa-4451-b921-7aa26a2ffa30)]</sup>","first_seen":"2019-01-01T00:00:00Z","last_seen":"2019-12-31T00:00:00Z","created":"2025-12-10T14:15:27.121773Z","modified":"2025-12-10T14:15:27.121779Z","campaign_attack_id":"C3196","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"ffd26385-a5c2-472e-9471-c5d9c8d08dac","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"63beaf34-8120-4e55-9f22-066e40099cb6","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"49d5b113-a323-59b8-a31b-78b2414945fc"},{"id":"f741ed36-2d52-40ae-bbdc-70722f4071c7","name":"Operation Honeybee","description":"[Operation Honeybee](https://app.tidalcyber.com/campaigns/f741ed36-2d52-40ae-bbdc-70722f4071c7) was a campaign that targeted humanitarian aid and inter-Korean affairs organizations from at least late 2017 through early 2018. 
[Operation Honeybee](https://app.tidalcyber.com/campaigns/f741ed36-2d52-40ae-bbdc-70722f4071c7) initially targeted South Korea, but expanded to include Vietnam, Singapore, Japan, Indonesia, Argentina, and Canada. Security researchers assessed the threat actors were likely Korean speakers based on metadata used in both lure documents and executables, and named the campaign \"Honeybee\" after the author name discovered in malicious Word documents.<sup>[[McAfee Honeybee](https://app.tidalcyber.com/references/e6f0f7b5-01fe-437f-a9c9-2ea054e7d69d)]</sup> ","first_seen":"2017-08-01T05:00:00Z","last_seen":"2018-02-01T06:00:00Z","created":"2022-09-16T21:08:54.358000Z","modified":"2022-10-13T17:57:06.034000Z","campaign_attack_id":"C0006","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"4e320095-6794-51ea-913f-7bdfaed17f91"},{"id":"9637ff1e-803e-47f7-b808-f4d1ef6fd500","name":"Operation In(ter)ception","description":"Operation In(ter)ception refers to a series of threat activities attributed to Lazarus Group dating back to at least late 2019. Operation In(ter)ception campaigns are considered a sub-component of broader Lazarus Group espionage activities known as Operation Dream Job. Operation In(ter)ception attacks typically feature social engineering lures containing fake job vacancy announcements for cryptocurrency companies. 
They are designed to ultimately infect targets with macOS malware.<sup>[[SentinelOne 9 26 2022](/references/973a110c-f1cd-46cd-b92b-5c7d8e7492b1)]</sup>","first_seen":"2019-12-01T00:00:00Z","last_seen":"2022-09-26T00:00:00Z","created":"2024-06-24T15:00:29.552701Z","modified":"2024-06-24T15:00:29.552707Z","campaign_attack_id":"C3040","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"c8a9f82a-e9cd-44d7-8f97-96027014c358","tag":"cce5f564-f7f0-4aa6-a908-b857cb2cbfe4"},{"id":"72871cc1-9fc6-4aa2-9a22-58a9e0d5563c","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"8396fcfa-3988-43a9-be00-ac4c0353e322","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"a2acb330-8edf-5eb5-aca3-7ec539ee88bf"},{"id":"24c4fade-c0d8-40d4-8c8f-8420f70899b5","name":"Operation Lunar Peek (CVE-2024-0012 & CVE-2024-9474 Exploitation Activity)","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2024-11-18T00:00:00Z","last_seen":"2024-11-22T00:00:00Z","created":"2024-12-02T20:29:03.226321Z","modified":"2024-12-02T20:29:03.226326Z","campaign_attack_id":"C3076","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"35d40dd2-f74f-4f43-9270-ee7d31de1374","tag":"7ea60d6f-41bc-4ff0-afcc-b5d50b9b92fc"},{"id":"4ec6ac2e-f2ab-4080-afbb-974c88dde6dd","tag":"86cb0672-fb56-4c8f-a619-f9c401c45540"},{"id":"94c6696f-97b5-4da3-9786-c5b15c7bf819","tag":"a159c91c-5258-49ea-af7d-e803008d97d3"},{"id":"4ffecab0-b8d2-4c2f-952d-db8845d83985","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"12539e86-bc6e-419a-bc6e-0f2db9356121","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"d27b97b7-74b8-5235-9940-fa6418434a3f"},{"id":"440702c5-cb76-5d9c-9223-d00882693ba3","name":"Operation MidnightEclipse","description":"[Operation 
MidnightEclipse](https://app.tidalcyber.com/campaigns/440702c5-cb76-5d9c-9223-d00882693ba3) was a campaign conducted in March and April 2024 that involved initial exploit of zero-day vulnerability CVE-2024-3400, a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS.<sup>[[Volexity UPSTYLE 2024](https://app.tidalcyber.com/references/2f5c6e28-ba86-537b-b71b-4a7625b8d41e)]</sup><sup>[[Palo Alto MidnightEclipse APR 2024](https://app.tidalcyber.com/references/3aafba02-9807-5977-8b42-ec02fd8dee5e)]</sup>","first_seen":"2024-03-01T05:00:00Z","last_seen":"2024-04-01T04:00:00Z","created":"2025-04-22T20:47:03.008851Z","modified":"2025-04-22T20:47:03.008856Z","campaign_attack_id":"C0048","source":"MITRE","owner_name":null,"tags":[{"id":"ab7708cd-7f57-481e-8bd4-2d4dc6282225","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"8e2eea12-1b3b-4bc2-8e6d-aa5d0eaa3a96","tag":"07f09197-1847-411e-a451-d37211ead1b2"}],"tidal_id":"440702c5-cb76-5d9c-9223-d00882693ba3"},{"id":"57e858c8-fd0b-4382-a178-0165d03aa8a9","name":"Operation Sharpshooter","description":"[Operation Sharpshooter](https://app.tidalcyber.com/campaigns/57e858c8-fd0b-4382-a178-0165d03aa8a9) was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. 
Security researchers noted the campaign shared many similarities with previous [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) operations, including fake job recruitment lures and shared malware code.<sup>[[McAfee Sharpshooter December 2018](https://app.tidalcyber.com/references/96b6d012-8620-4ef5-bf9a-5f88e465a495)]</sup><sup>[[Bleeping Computer Op Sharpshooter March 2019](https://app.tidalcyber.com/references/84430646-6568-4288-8710-2827692a8862)]</sup><sup>[[Threatpost New Op Sharpshooter Data March 2019](https://app.tidalcyber.com/references/2361b5b1-3a01-4d77-99c6-261f444a498e)]</sup>    ","first_seen":"2017-09-01T05:00:00Z","last_seen":"2019-03-01T06:00:00Z","created":"2022-09-26T21:18:34.075000Z","modified":"2022-10-13T17:10:55.334000Z","campaign_attack_id":"C0013","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"0a7f65fc-3dcc-5119-aabc-09656961f382"},{"id":"98d3a8ac-6af9-4471-83f6-e880ca70261f","name":"Operation Spalax","description":"[Operation Spalax](https://app.tidalcyber.com/campaigns/98d3a8ac-6af9-4471-83f6-e880ca70261f) was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The [Operation Spalax](https://app.tidalcyber.com/campaigns/98d3a8ac-6af9-4471-83f6-e880ca70261f) threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. 
Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to [APT-C-36](https://app.tidalcyber.com/groups/153c14a6-31b7-44f2-892e-6d9fdc152267), however identified enough differences to report this as separate, unattributed activity.<sup>[[ESET Operation Spalax Jan 2021](https://app.tidalcyber.com/references/b699dd10-7d3f-4542-bf8a-b3f0c747bd0e)]</sup>  ","first_seen":"2019-11-01T05:00:00Z","last_seen":"2021-01-01T06:00:00Z","created":"2022-09-16T15:32:41.893000Z","modified":"2022-10-13T13:06:44.395000Z","campaign_attack_id":"C0005","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"80341e2f-c547-5e16-8ebb-291972351f08"},{"id":"7803f880-4669-5884-b93f-5da3d5e07801","name":"Operation Triangulation","description":"[Operation Triangulation](https://app.tidalcyber.com/campaigns/7803f880-4669-5884-b93f-5da3d5e07801) is a mobile campaign targeting iOS devices.<sup>[[SecureList OpTriangulation 01Jun2023](https://app.tidalcyber.com/references/e0eaad95-0a74-5e11-8265-1c54f1f19fa9)]</sup> The unidentified actors used zero-click exploits in iMessage attachments to gain [Initial Access](https://app.tidalcyber.com/tactics/586a5b49-c566-4a57-beb4-e7c667f9c34c), then executed exploits and validators, such as [Binary Validator](https://app.tidalcyber.com/software/5a29e92b-fdf6-5b05-a4cf-c4faba51d141) before finally executing the [TriangleDB](https://app.tidalcyber.com/software/d7d0a2dc-ae99-557f-b6ce-c1a92ef41825) implant.","first_seen":"2019-01-01T08:00:00Z","last_seen":"2023-06-01T07:00:00Z","created":"2026-01-28T13:08:09.921616Z","modified":"2026-01-28T13:08:09.921621Z","campaign_attack_id":"C0054","source":"Mobile","owner_name":null,"tags":[],"tidal_id":"7803f880-4669-5884-b93f-5da3d5e07801"},{"id":"56e4e10f-8c8c-4b7c-8355-7ed89af181be","name":"Operation Wocao","description":"[Operation 
Wocao](https://app.tidalcyber.com/campaigns/56e4e10f-8c8c-4b7c-8355-7ed89af181be) was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.<sup>[[FoxIT Wocao December 2019](https://app.tidalcyber.com/references/aa3e31c7-71cd-4a3f-b482-9049c9abb631)]</sup>\n\nSecurity researchers assessed the [Operation Wocao](https://app.tidalcyber.com/campaigns/56e4e10f-8c8c-4b7c-8355-7ed89af181be) actors used similar TTPs and tools as APT20, suggesting a possible overlap. [Operation Wocao](https://app.tidalcyber.com/campaigns/56e4e10f-8c8c-4b7c-8355-7ed89af181be) was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.<sup>[[FoxIT Wocao December 2019](https://app.tidalcyber.com/references/aa3e31c7-71cd-4a3f-b482-9049c9abb631)]</sup>","first_seen":"2017-12-01T05:00:00Z","last_seen":"2019-12-01T05:00:00Z","created":"2022-09-27T14:15:23.984000Z","modified":"2022-10-13T17:42:00.940000Z","campaign_attack_id":"C0014","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"b947cb08-c064-5f57-b2d7-4bc6a52699ce"},{"id":"b7b64977-1cb8-4d1f-9f1f-8c6f4c58b8cf","name":"#OPSrilanka","description":"A hacktivist campaign by Tamil Eelam Cyber Force targeting Sri Lankan government websites to protest alleged genocide and war crimes against Tamils.<sup>[[www.tamilguardian.com April 26 2022](/references/5f85cc74-19d6-48f0-a4e8-98689674935a)]</sup>","first_seen":"2022-04-20T00:00:00Z","last_seen":"2022-04-26T00:00:00Z","created":"2026-01-23T20:31:38.771057Z","modified":"2026-01-23T20:31:38.771061Z","campaign_attack_id":"C3279","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"46ccc0ca-6849-4da3-9f09-276af141e9c1","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"0685d947-6651-4ee8-9661-edbd7d16fe4f","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"781e2b7a-5a97-5455-b6b5-3af474a2968b"},{"id":"4a4b412f-1418-4607-8e96-30d75f7e43bd","name":"#OpVenezuela","description":"A hacktivist campaign relaunched in July 2024 by Anonymous and affiliated groups targeting Venezuelan government infrastructure with DDoS attacks, website defacements, and data leaks in response to alleged election fraud.<sup>[[Check Point Blog August 13 2024](/references/72134c73-bdd5-4cd1-9046-1ea01c75faf3)]</sup>","first_seen":"2024-07-31T00:00:00Z","last_seen":"2024-08-05T00:00:00Z","created":"2026-01-06T18:05:33.978367Z","modified":"2026-01-06T18:05:33.978371Z","campaign_attack_id":"C3257","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"2eac509b-f315-4f5a-8521-2bd6e663c649","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"97bdeb87-c899-4817-b1a3-d8fd7cf36d55","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"5ef80f70-f8c0-5168-a009-c7cc5ef08498"},{"id":"cc893de9-3a94-531d-b799-08c75aeab019","name":"Outer Space","description":"[Outer Space](https://app.tidalcyber.com/campaigns/cc893de9-3a94-531d-b799-08c75aeab019) was a campaign conducted by [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) throughout 2021 that used the [SampleCheck5000](https://app.tidalcyber.com/software/e3864daf-a284-5cc0-b434-6e77c8406bd9) downloader and [Solar](https://app.tidalcyber.com/software/d168da01-86ca-5392-80fb-4488b41ea704) backdoor to target Israeli organizations.<sup>[[ESET OilRig Campaigns Sep 
2023](https://app.tidalcyber.com/references/799db594-6a65-5b80-9d64-c530fadbd9ae)]</sup>","first_seen":"2021-01-01T05:00:00Z","last_seen":"2021-12-01T05:00:00Z","created":"2025-04-22T20:47:03.245349Z","modified":"2025-04-22T20:47:03.245353Z","campaign_attack_id":"C0042","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"cc893de9-3a94-531d-b799-08c75aeab019"},{"id":"0236a727-6d06-4a48-8464-904d019304b3","name":"Pacific Rim Network Device Targeting Campaigns","description":"On October 31, 2024, Sophos X-Ops researchers published details of a wide-reaching, five-year-long investigation they carried out into China-based threat groups using botnets, novel vulnerability exploits, and custom malware to target \"perimeter devices\" such as Sophos firewalls. This Campaign object reflects the various MITRE ATT&CK® Techniques referenced in the \"Pacific Rim timeline\" article within the reporting series.<sup>[[Sophos Pacific Rim Timeline October 31 2024](/references/77146036-d207-465e-a987-3e9e527ea927)]</sup>\n\nConsidering inherent challenges in securing network devices, such as telemetry collection and detection tuning, this extensive set of TTPs could be useful for identifying post-exploit opportunities for detection or mitigation, allowing layering of defenses against sophisticated network device campaigns such as Pacific Rim.","first_seen":"2018-12-04T00:00:00Z","last_seen":"2023-11-27T00:00:00Z","created":"2024-11-08T20:32:59.059801Z","modified":"2024-11-08T20:32:59.059806Z","campaign_attack_id":"C3067","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"36e6a9c9-5d31-4297-aa3f-e466e362d8e2","tag":"36dc085a-daf3-48da-b035-255811cd4fc0"},{"id":"9e7bd0f2-4ddc-4692-bbd4-1c87a72a4ed2","tag":"bae39caa-b16b-4b72-975c-26c2b01c7e5e"},{"id":"a707a9a6-0d43-4fc0-a6c2-83f4b2cad5c1","tag":"16c44517-793a-4869-aa25-59128096ff8a"},{"id":"c559655e-8e83-44c1-8561-94943284f104","tag":"5b8371c5-1173-4496-82c7-5f0433987e77"},{"id":"1ae5fff7-2a1b-456f-b8cd-9e2e6fa93a68","tag":"a159c91c-5258-49ea-af7d-e803008d97d3"},{"id":"db0a3b86-761a-4422-9e3a-f2b4777ddfc6","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"fb5ce14a-4b4c-470d-85a1-608beb9e8d2d","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"57b5de6b-3086-5596-886c-0e1e5d30396b"},{"id":"38443d11-135a-47ac-909f-fa34744bc3a5","name":"PaperCut Vulnerability Exploitation","description":"In May 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) authorities released Cybersecurity Advisory AA23-131A, which detailed observed exploits of a vulnerability, CVE-2023-27350, affecting certain versions of PaperCut NG and PaperCut MF, software applications for print management. PaperCut released a patch for the vulnerability in March 2023.<sup>[[PaperCut MF/NG vulnerability bulletin](/references/d6e71b45-fc91-40f4-8201-2186994ae42a)]</sup> According to the Advisory, authorities observed unspecified threat actors exploiting the vulnerability in mid-April 2023, followed by exploitation by the self-identified Bl00dy Ransomware Gang the following month.<sup>[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]</sup>\n\nCVE-2023-27350 allows a remote actor to bypass authentication and remotely execute code on servers running affected versions of PaperCut software. In May, U.S. 
authorities observed Bl00dy Ransomware Gang actors exploiting the vulnerability to achieve initial access into education sector entities' networks and ingressing both legitimate remote management and maintenance (RMM) tools and several other command and control-related malware, including Lizar, Truebot, and Cobalt Strike. In some cases, the actors ultimately exfiltrated victim data and encrypted files, demanding payment in order to decrypt affected systems (the Advisory did not indicate how precisely actors encrypted data). The Advisory indicated that the \"Education Facilities Subsector\" maintains nearly 70% of exposed (but not necessarily vulnerable) U.S.-based PaperCut servers.<sup>[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]</sup>\n\nThe Advisory instructed defenders to focus CVE-2023-27350 detection efforts on three areas: network traffic signatures, system monitoring, and server settings and log files. More details and resources for detection can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a).\n\n**Related Vulnerabilities**: CVE-2023-27350<sup>[[U.S. 
CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]</sup>","first_seen":"2023-04-15T00:00:00Z","last_seen":"2023-05-30T00:00:00Z","created":"2023-08-04T16:40:35.386184Z","modified":"2023-08-04T16:40:35.386192Z","campaign_attack_id":"C3006","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"95fa6809-c6f7-4d22-8c49-09d527bd6d6f","tag":"5e7433ad-a894-4489-93bc-41e90da90019"},{"id":"e8650e69-9ad6-4bc4-809a-07e11361a1ba","tag":"7e7b0c67-bb85-4996-a289-da0e792d7172"},{"id":"48ac9ac6-f6fd-4c6d-8b4d-d3c8b6789419","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"bfa906a8-ed5a-4204-a82f-cf22d2f50266","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"6e896a5a-90fa-493a-bfe6-9654446e271b","tag":"992bdd33-4a47-495d-883a-58010a2f0efb"}],"tidal_id":"cced23c9-5947-5ead-91f1-2d8263f3a125"},{"id":"65c489ed-f0f9-4fa8-bb31-e9275d97a331","name":"Paper Werewolf XLL and WinRAR Campaign targeting Russian organizations","description":"A campaign attributed to Paper Werewolf (GOFFEE) targeting Russian organizations using Excel XLL add-ins, WinRAR vulnerabilities, and AI-generated decoy documents to deliver the EchoGather backdoor.<sup>[[Intezer December 19 2025](/references/53d1f9b0-855f-4478-9e13-a15f2dcdec9f)]</sup>","first_seen":"2025-10-26T00:00:00Z","last_seen":"2025-12-19T00:00:00Z","created":"2025-12-29T17:41:32.245738Z","modified":"2025-12-29T17:41:32.245742Z","campaign_attack_id":"C3241","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"bc5277b2-bc5c-48db-8f23-bb4b21e17203","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"ada5f7c7-0a9b-4b6c-8ba9-22e16d6a864c","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"522f0c83-8256-5a49-b8fe-332f6c20dd30"},{"id":"7933e57f-c8f6-4b1d-86b3-9efb4d5d60b7","name":"PayHere April 2022 Website Attack","description":"A cyber attack on the PayHere website on April 2, 2022, resulting in service outage, web defacement, credential compromise, and reputational damage.<sup>[[PayHere 
Incident May 1 2022](/references/1ae3af0b-3228-471f-9095-f4d9eb95d71d)]</sup>","first_seen":"2022-04-02T00:00:00Z","last_seen":"2022-04-03T00:00:00Z","created":"2026-01-23T20:31:40.079302Z","modified":"2026-01-23T20:31:40.079305Z","campaign_attack_id":"C3287","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"6cfbcfeb-4739-46a9-908d-07ae523683ab","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"c5d3ed36-3aba-427b-8687-5e1af4337a64","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"14e5e365-7a48-53eb-b4b2-6bf4056ceae9"},{"id":"61744de0-441c-476e-888a-c445a1d4bc9a","name":"PHALT#BLYX","description":"A multi-stage malware campaign targeting the hospitality sector in Europe, using phishing lures themed as Booking.com reservation cancellations, advanced social engineering (ClickFix, fake captchas, fake BSOD), and living-off-the-land techniques to deliver a customized DCRat payload.<sup>[[Securonix January 05 2026](/references/314a9db4-8a16-4732-aa23-b24b38897943)]</sup>","first_seen":"2024-09-01T00:00:00Z","last_seen":"2025-01-05T00:00:00Z","created":"2026-01-14T13:32:08.042299Z","modified":"2026-01-14T13:32:08.042303Z","campaign_attack_id":"C3261","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"07bbac4f-4a63-4891-8874-163d5932f1dc","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"bd06da82-1062-4bf9-89d3-be49eefb7f74","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"299e51fe-9181-55c4-9e39-a6fe3de8d451"},{"id":"71f6d3b1-c45e-421c-99cb-3b695647cf0b","name":"Pikabot Distribution Campaigns 2023","description":"*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. 
Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nThis is a single object to represent the initial access and delivery methods observed with Pikabot distribution in the first year after its discovery. Distribution campaigns have been linked to the TA577 threat actor (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike)<sup>[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)]</sup><sup>[[Unit42 Malware Roundup December 29 2023](/references/a18e19b5-9046-4c2c-bd94-2cd5061064bf)]</sup>; however, the Technique- and Procedure level intelligence associated with these campaigns that is provided below was not explicitly linked to that group, so we are providing this intelligence to users in this Campaign form. 
The Water Curupira intrusion set (affiliated with the Black Basta ransomware operation) has also been observed distributing Pikabot.<sup>[[Trend Micro Pikabot January 9 2024](/references/dc7d882b-4e83-42da-8e2f-f557b675930a)]</sup>","first_seen":"2023-02-01T00:00:00Z","last_seen":"2023-12-31T00:00:00Z","created":"2024-01-26T18:00:45.568619Z","modified":"2024-01-26T18:00:45.568623Z","campaign_attack_id":"C3019","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"4ba9df22-00f4-482d-875c-a93bbdb178ea","tag":"f8669b82-2194-49a9-8e20-92e7f9ab0a6f"},{"id":"0ed84101-f1b0-4e2f-be11-a0d8242961f9","tag":"84615fe0-c2a5-4e07-8957-78ebc29b4635"}],"tidal_id":"187f4dec-73a2-590b-9576-a67c1fb392a6"},{"id":"6e6fa0e4-18b3-5700-803d-b821dcdcd787","name":"Pikabot Distribution February 2024","description":"[Pikabot](https://app.tidalcyber.com/software/fb1b0624-3290-5977-abbc-bc9609b51f8d) was distributed in [Pikabot Distribution February 2024](https://app.tidalcyber.com/campaigns/6e6fa0e4-18b3-5700-803d-b821dcdcd787) using malicious emails with embedded links leading to malicious ZIP archives requiring user interaction for follow-on infection. 
The version of [Pikabot](https://app.tidalcyber.com/software/fb1b0624-3290-5977-abbc-bc9609b51f8d) distributed featured significant changes over the 2023 variant, including reduced code complexity and simplified obfuscation mechanisms.<sup>[[Elastic Pikabot 2024](https://app.tidalcyber.com/references/6c222f33-f588-513c-9149-4c2308e05319)]</sup><sup>[[Zscaler Pikabot 2024](https://app.tidalcyber.com/references/9c1edd25-0fd0-5b5d-8091-68074da52593)]</sup>","first_seen":"2024-02-01T05:00:00Z","last_seen":"2024-02-01T05:00:00Z","created":"2024-10-31T16:28:09.809892Z","modified":"2024-10-31T16:28:09.809895Z","campaign_attack_id":"C0036","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"6e6fa0e4-18b3-5700-803d-b821dcdcd787"},{"id":"1adc41a5-7655-48ae-96ba-4c48ae2195ed","name":"PlushDaemon supply-chain compromise of a South Korean VPN service","description":"A supply-chain attack campaign in 2024 where PlushDaemon compromised a South Korean VPN service to distribute malware to downstream targets.<sup>[[ESET PlushDaemon November 19 2025](/references/fd6d089e-4549-4442-91bf-3cf1e85db012)]</sup>","first_seen":"2024-01-01T00:00:00Z","last_seen":"2024-12-31T00:00:00Z","created":"2025-12-10T14:15:24.303396Z","modified":"2025-12-10T14:15:24.303401Z","campaign_attack_id":"C3182","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"b679032c-e615-4e84-9d7c-214649525313","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"086a1ec5-b1e4-4f7e-a9e4-6b79794dbdf1","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"208d5eec-afb4-5880-b98b-aff1936833e3"},{"id":"9864ed5a-0633-4c04-85f1-728d3ff37e82","name":"PowerShell User Execution Social Engineering Campaign (TA571, ClearFake, ClickFix)","description":"Researchers observed a campaign, with activity occurring between March and at least June 2024, where multiple discrete threat actor clusters used similar social engineering techniques to trick users into copying and executing PowerShell scripts, which 
ultimately led to malware deployment on the victim's system. Payloads included droppers, RATs, and information stealer malware.\n\nInitial contact with the victim occurred through both malspam email campaigns and web browser injects, which would trigger a popup claiming an error occurred when trying to open a document or webpage. The popup would prompt the user to run a script in the PowerShell terminal or Windows Run dialog box. Researchers attributed these campaigns to TA571, an initial access broker, a known intrusion set (ClearFake), and a newer group dubbed ClickFix.<sup>[[Proofpoint June 17 2024](/references/a65d7492-04a4-46d4-85ed-134786c6828b)]</sup><sup>[[BleepingComputer Fake Chrome Errors June 17 2024](/references/6efa70e3-d8eb-4260-b0ab-62335681e6fd)]</sup>","first_seen":"2024-03-01T00:00:00Z","last_seen":"2024-06-07T00:00:00Z","created":"2024-07-03T15:44:05.785509Z","modified":"2024-07-03T15:44:05.785514Z","campaign_attack_id":"C3045","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"471dbe20-5ac1-41fc-9099-5704f011170f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"cc20561a-a1a5-41fd-860c-52a62e5752ed","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"644126f9-c363-5016-8809-f36c068ecb27"},{"id":"e4b1361f-f7c7-4c43-97e6-592c97a9ccd4","name":"Premier Pass-as-a-Service: Earth Estries and Earth Naga Joint Operations","description":"A series of collaborative cyberespionage campaigns in which Earth Estries acted as an access broker for Earth Naga, targeting government, telecommunications, and retail sectors in APAC, NATO, and other regions.<sup>[[Trend Micro October 22 2025](/references/230dbb27-9f4b-417f-ae7f-e88de27f4bc5)]</sup>","first_seen":"2023-11-01T00:00:00Z","last_seen":"2025-07-31T00:00:00Z","created":"2025-10-24T16:14:02.335836Z","modified":"2025-10-24T16:14:02.335839Z","campaign_attack_id":"C3150","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"9a1a55a4-39a1-492e-8d70-2efd9c692502","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"3258c236-2f59-43f3-b327-42b62013fab0","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"c2b58f94-d4e1-50e6-9059-0fb9ed134e8e"},{"id":"fee07ef3-94b4-4997-a88b-4b0f367eff45","name":"PyStoreRAT GitHub Supply Chain Campaign","description":"A campaign leveraging malicious GitHub repositories disguised as development utilities or OSINT tools to deliver PyStoreRAT via Python and JavaScript loader stubs, with staged payloads and advanced evasion techniques.<sup>[[Engage.morphisec.com December 09 2025](/references/e3021488-2578-49a2-908a-13184997ff82)]</sup>","first_seen":"2025-06-15T00:00:00Z","last_seen":"2025-11-23T00:00:00Z","created":"2026-01-14T13:32:09.259168Z","modified":"2026-01-14T13:32:09.259172Z","campaign_attack_id":"C3268","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"896c80e8-486c-4cf0-b8bb-805e0cd557cc","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"fe96eea8-fd9a-4a94-9197-f6dbe94054b4","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"151ea65e-792c-5ebd-9f0a-eee30d36acc3"},{"id":"6292123a-3d7e-4e8e-8ff0-daa7868433b7","name":"QakBot January 2024 Campaign","description":"A collection of TTPs associated with a phishing-based campaign that resulted in QakBot deployments. 
The campaign comes about four months after the reported disruption of QakBot distribution networks in an international law enforcement operation.<sup>[[K7 QakBot Returns January 4 2024](/references/5cb5e645-b77b-4bd1-a742-c8f53f234713)]</sup>","first_seen":"2023-12-11T00:00:00Z","last_seen":"2024-01-04T00:00:00Z","created":"2024-06-13T20:12:37.438188Z","modified":"2024-06-13T20:12:37.438192Z","campaign_attack_id":"C3020","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"cdff9e3f-96b0-45c3-b32b-f55ff16f692e","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"663ae3d1-3427-481a-ae10-f166e60bfb1d","tag":"e809d252-12cc-494d-94f5-954c49eb87ce"},{"id":"f0371351-f555-4c18-a6c8-11266943ec02","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"18fc840a-e66e-5202-8829-f246c7fb0a63"},{"id":"1c28a3f9-b0b2-4768-ad3b-c7f9471a3880","name":"Qilin Ransomware Affiliate MSP Compromise","description":"The STAC4365 activity cluster, believed to be an affiliate of the Qilin ransomware operation, spear-phished a Managed Service Provider (MSP) administrator, giving actors highly privileged access to a ScreenConnect Cloud instance, which enabled them to gain access to multiple of the MSP's customers' environments. 
The attack culminated in deployment of Qilin ransomware in those environments.<sup>[[Sophos News April 1 2025](/references/7066ca7e-03e9-4d3c-8d10-2a659c79c859)]</sup>","first_seen":"2025-01-24T00:00:00Z","last_seen":"2025-01-31T00:00:00Z","created":"2025-09-15T19:14:12.795062Z","modified":"2025-09-15T19:14:12.795067Z","campaign_attack_id":"C3128","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"6c1091b1-d262-49ed-8443-649e05ca5604","tag":"33d22eff-59a1-47e0-b9eb-615dee314595"},{"id":"e449831f-7fc2-4ec3-b6ae-30edf331d142","tag":"e7ea1f6d-59f2-40c1-bbfe-835dedf033ee"},{"id":"3070c710-a555-492f-bfaf-f764556c9b8d","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"44a0fde1-41c8-486a-96e3-ecd5739fea6d","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"8e2e951c-2645-5bbf-b8e0-5aea45e8dd50"},{"id":"505f50fa-aac1-4bb7-b4c5-20af4dd6be6f","name":"Qilin Ransomware Credential Harvesting & Encryption Activity","description":"Actors compromised domain controllers in a victim environment, encrypting systems with Qilin ransomware, but also (in a single case), performing rare harvesting of credentials, likely to support other future attacks. 
The actors specifically targeted credentials associated with Google Chrome browser.<sup>[[Sophos News August 22 2024](/references/bf5dffdc-1a18-49ed-bc81-493aff20661e)]</sup>","first_seen":"2024-07-01T00:00:00Z","last_seen":"2024-07-10T00:00:00Z","created":"2025-09-15T19:14:12.624474Z","modified":"2025-09-15T19:14:12.624479Z","campaign_attack_id":"C3127","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"e01d5b92-257a-4104-8183-ed216ea87016","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"8e8f4084-19cf-4bdf-b012-f15ef71638c9","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"abc30b88-a65e-5153-895e-be4e320df105"},{"id":"4102ed25-b635-4f95-bd9e-758a749e75fa","name":"Qilin Ransomware Global Campaign (2022-2025)","description":"A persistent and large-scale ransomware campaign by the Qilin group, targeting organizations worldwide with double-extortion attacks, peaking at over 100 victims per month in 2025.<sup>[[Cisco Talos Blog October 27 2025](/references/0eede7ae-6637-4f1a-b3b8-425d585025d8)]</sup>","first_seen":"2022-07-01T00:00:00Z","last_seen":"2025-10-26T00:00:00Z","created":"2025-11-11T13:26:49.790477Z","modified":"2025-11-11T13:26:49.790482Z","campaign_attack_id":"C3158","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"b32f8912-c095-4043-a9a4-c4b4fd36ddee","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"3628a9fb-ca1e-44fd-8458-f87e35b9c85d","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"3b21846f-e5ab-5c08-9242-a81fac0c1861"},{"id":"37073675-6a23-5d56-8c1e-471debe84278","name":"Quad7 Activity","description":" Quad7 Activity, also known as CovertNetwork-1658 or the 7777 Botnet, is a network of compromised small office/home office (SOHO) routers. 
<sup>[[Bitsight 7777 Botnet](https://app.tidalcyber.com/references/2d144298-ee08-5fe3-9d66-113edf03bc40)]</sup> <sup>[[Microsoft Storm-0940](https://app.tidalcyber.com/references/79a1dd8e-5546-50b2-8c65-983210cd521d)]</sup> The botnet was initially composed primarily of TP-Link routers and was named Quad7 due to compromised devices exposing TCP port 7777 with the distinctive banner <code>xlogin</code>. Later activity showed a significant increase in compromised Asus routers and the addition of new ports and banners, including TCP port 63256 displaying <code>alogin</code>. Quad7 infrastructure functions as a collection of egress IPs that various China-affiliated threat actors have used to conduct password-spraying and brute-force operations. <sup>[[Bitsight 7777 Botnet](https://app.tidalcyber.com/references/2d144298-ee08-5fe3-9d66-113edf03bc40)]</sup><sup>[[Medium 777-Botnet](https://app.tidalcyber.com/references/97fe7237-2dbf-560c-9ee8-4b2ceeb2f5ef)]</sup> Microsoft has reported that Storm-0940 leveraged credentials obtained through Quad7 Activity to target organizations in North America and Europe, including government agencies, non-governmental organizations, think tanks, law firms, energy firms, IT providers, and defense industrial base entities. <sup>[[Microsoft Storm-0940](https://app.tidalcyber.com/references/79a1dd8e-5546-50b2-8c65-983210cd521d)]</sup>","first_seen":"2023-08-01T04:00:00Z","last_seen":"2025-08-01T04:00:00Z","created":"2025-10-29T21:08:48.054404Z","modified":"2025-10-29T21:08:48.054405Z","campaign_attack_id":"C0055","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"37073675-6a23-5d56-8c1e-471debe84278"},{"id":"a9bef150-04e6-41f2-9f94-069f9912f5e3","name":"Quantum Ransomware Compromise","description":"Independent investigators reported details about a response to a compromise involving Quantum ransomware. The date of the attack was not disclosed, but the incident was reported in April 2022. 
IcedID was used to gain an initial foothold, Cobalt Strike and RDP were leveraged for lateral movement, and WMI and PsExec were used to deploy the ransomware payload. The incident was described as \"one of the fastest ransomware cases\" the investigators had handled, with domain-wide encryption occurring within four hours of initial access.<sup>[[The DFIR Report April 25 2022](/references/2e28c754-911a-4f08-a7bd-4580f5283571)]</sup>","first_seen":"2022-04-01T00:00:00Z","last_seen":"2022-04-25T00:00:00Z","created":"2024-06-28T17:23:33.031717Z","modified":"2024-06-28T17:23:33.031721Z","campaign_attack_id":"C3043","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"95c88307-10b4-4b2b-a588-bc0091bf85aa","tag":"5e7433ad-a894-4489-93bc-41e90da90019"},{"id":"e7bc3a77-dff9-438c-9c1a-76fdfbc68094","tag":"7e7b0c67-bb85-4996-a289-da0e792d7172"},{"id":"d82f3e3b-4720-4330-9be8-a4619bbf0a5a","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"2aceebe3-e26b-46d9-8f95-da79f804c97e","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"795d05f8-0fbe-5b13-b93a-5adcbfa7a369"},{"id":"39a4cd32-d617-4276-acf8-b650c6b09037","name":"Qubitstrike Cryptojacking & Rootkit Activity","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2023-09-22T00:00:00Z","last_seen":"2023-10-18T00:00:00Z","created":"2025-03-10T18:06:30.143432Z","modified":"2025-03-10T18:06:30.143436Z","campaign_attack_id":"C3094","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"117bcb55-f7b5-4c44-b4a0-1d983b810a9e","tag":"fe28cf32-a15c-44cf-892c-faa0360d6109"},{"id":"1df1a159-5c18-4bf7-94cf-eedb61dde485","tag":"82009876-294a-4e06-8cfc-3236a429bda4"},{"id":"5500549c-c2c2-4224-99d1-05014fb09be6","tag":"2e5f6e4a-4579-46f7-9997-6923180815dd"},{"id":"a09a37fe-08e3-449e-9e9e-e70780645c5a","tag":"8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e"},{"id":"87872499-30b9-480f-8305-24975ef52006","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"6bb3342b-a358-4dd6-957a-3db32207c560","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"2d8340bd-1a5c-5ace-8b2c-26fe0e0c28b7"},{"id":"65c66049-ce9b-4c4e-ac18-04a4ce65d5a6","name":"RALord Initial Campaigns (2025)","description":"The first wave of RALord ransomware attacks, beginning in March 2025, targeting organizations in Education, Engineering, Manufacturing, and Tourism sectors in France, Argentina, Brazil, and other countries, using double extortion tactics.<sup>[[None April 01 2025](/references/09f43dcf-3af4-40cd-9dcb-6a9205fef52b)]</sup>","first_seen":"2025-03-01T00:00:00Z","last_seen":"2025-04-01T00:00:00Z","created":"2025-12-24T14:57:51.233204Z","modified":"2025-12-24T14:57:51.233207Z","campaign_attack_id":"C3223","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"66999015-ead9-4171-93f2-8e80de81f3f0","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"0bca5b68-0322-4871-b6d2-2d44e210cfca","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"759b4f43-4d68-5daa-84c9-cae658fc522b"},{"id":"fcba5560-af79-4a3e-828d-135e0be160d7","name":"React2Shell Exploitation Campaign (CVE-2025-55182 & CVE-2025-66478)","description":"A rapid, broad 
campaign by China-nexus threat groups and unattributed clusters to exploit the React2Shell (CVE-2025-55182) vulnerability in React Server Components and Next.js, observed within hours of public disclosure.<sup>[[Amazon Web Services December 04 2025](/references/30d35163-9d01-498d-aa49-7e302579c5ab)]</sup>","first_seen":"2025-12-03T00:00:00Z","last_seen":"2025-12-04T00:00:00Z","created":"2025-12-10T14:15:29.943764Z","modified":"2025-12-10T14:15:29.943768Z","campaign_attack_id":"C3206","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"775fec79-24bf-4517-b11b-822d87d3e24a","tag":"0ee5e1fb-23ee-4ea6-8d9b-2e8d960e72ad"},{"id":"06e95092-23ab-4e7f-bfaf-3b5a8c94f57c","tag":"001d3d9e-5e44-4374-965c-8b7289c21137"},{"id":"f5e200db-3910-4ed5-ae14-a81698d78b08","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"a7340f1d-ceb4-426e-a13f-b70c05690838","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"7f4e3cdb-6404-5470-bb26-02795e89de16"},{"id":"ad132ec8-59f4-56cc-8eb9-9bb770c2e655","name":"RedDelta Modified PlugX Infection Chain Operations","description":"[RedDelta Modified PlugX Infection Chain Operations](https://app.tidalcyber.com/campaigns/ad132ec8-59f4-56cc-8eb9-9bb770c2e655) was executed by [Mustang Panda](https://app.tidalcyber.com/groups/4a4641b1-7686-49da-8d83-00d8013f4b47) from mid-2023 through the end of 2024 against multiple entities in East and Southeast Asia. 
[RedDelta Modified PlugX Infection Chain Operations](https://app.tidalcyber.com/campaigns/ad132ec8-59f4-56cc-8eb9-9bb770c2e655) involved phishing to deliver malicious files or links to users prompting follow-on installer downloads to load [PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10) on victim machines in a persistent state.<sup>[[Recorded Future RedDelta 2025](https://app.tidalcyber.com/references/47419c14-1c84-5c6a-9feb-b0e98948fd61)]</sup>","first_seen":"2023-07-01T06:00:00Z","last_seen":"2024-12-01T07:00:00Z","created":"2025-04-22T20:47:02.978364Z","modified":"2025-04-22T20:47:02.978369Z","campaign_attack_id":"C0047","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"ad132ec8-59f4-56cc-8eb9-9bb770c2e655"},{"id":"e27fd82e-58fe-44e2-a9b4-c33b43bbfb10","name":"RedDelta Updated PlugX Infection Chain (Deprecated)","description":"*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"RedDelta Modified PlugX Infection Chain Operations\" (Campaign). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nChinese state-sponsored adversary RedDelta, which overlaps with the Mustang Panda espionage group, was observed using an updated infection chain to deploy PlugX backdoor malware between July 2023 and December 2024 in attacks on entities in Taiwan, Mongolia, and countries in Southeast Asia. Spearphishing-based attacks progressively used Windows shortcut (LNK), Management Console Snap-In Control (MSC), and HTML files to launch infections. 
The attacks also utilized Cloudflare CDN to proxy command and control communications.<sup>[[Recorded Future RedDelta January 9 2025](/references/bd7ef51c-47e1-4322-98fd-5c5a475a0605)]</sup>","first_seen":"2023-07-01T00:00:00Z","last_seen":"2024-12-31T00:00:00Z","created":"2025-01-13T21:02:10.122216Z","modified":"2025-01-13T21:02:10.122221Z","campaign_attack_id":"C3080","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"bda7aa01-3c5f-4539-a660-bd7287f8af83","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"790e22f9-ed70-4d67-b6cf-6ff59dd74c0b","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"14747598-bc29-5d98-8ec0-2fab15eafa6d"},{"id":"c67c4aa8-9bed-4125-8b1c-493d82257ceb","name":"Red Hat GitLab Consulting Breach","description":"A campaign in which the Crimson Collective breached Red Hat's self-managed GitLab instance used by its Consulting division, stole data from internal repositories and consulting engagement reports, and attempted extortion.<sup>[[BleepingComputer 10 02 2025](/references/198467fc-372a-4ddf-b042-cbd22ae49c06)]</sup>","first_seen":"2025-09-18T00:00:00Z","last_seen":"2025-10-02T00:00:00Z","created":"2025-10-07T14:07:45.641347Z","modified":"2025-10-07T14:07:45.641349Z","campaign_attack_id":"C3133","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"fd13e8da-3e42-47e0-b1d9-fd053eb88011","tag":"fe28cf32-a15c-44cf-892c-faa0360d6109"},{"id":"1a997ee3-56d2-488a-9a11-faf317996ea4","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"ffbef326-3656-4435-b4f4-7cb18fb11ee0","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"f2504c4c-3595-500a-bb0e-a073f68270aa"},{"id":"cc15b834-60ec-5140-8368-c60e3dac5692","name":"RedPenguin","description":"The [RedPenguin](https://app.tidalcyber.com/campaigns/cc15b834-60ec-5140-8368-c60e3dac5692) project was launched by Juniper in July 2024 to investigate reported malware infections of Juniper MX Series routers. 
[RedPenguin](https://app.tidalcyber.com/campaigns/cc15b834-60ec-5140-8368-c60e3dac5692) activity was separately attributed to [UNC3886](https://app.tidalcyber.com/groups/037aba85-f1a1-53d0-9631-992a2295d198) and included the deployment of multiple custom versions of the publicly-available TINYSHELL backdoor on Juniper routers.<sup>[[Juniper RedPenguin MAR 2025](https://app.tidalcyber.com/references/62d5e493-5931-5f6d-8e93-4876e30ab1e0)]</sup><sup>[[Mandiant UNC3886 Juniper Routers MAR 2025](https://app.tidalcyber.com/references/cb0342dd-755f-581d-b2ad-424ac6175306)]</sup>","first_seen":"2024-07-01T04:00:00Z","last_seen":"2025-03-01T05:00:00Z","created":"2025-10-29T21:08:48.054374Z","modified":"2025-10-29T21:08:48.054382Z","campaign_attack_id":"C0056","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"cc15b834-60ec-5140-8368-c60e3dac5692"},{"id":"f8a1f170-fa15-4030-9464-e9b4274c6be9","name":"Rhysida Malvertising Campaign (2024)","description":"A campaign by the Rhysida ransomware gang using malvertising to deliver OysterLoader malware, primarily impersonating Microsoft Teams download pages. 
The campaign involved the use of code-signing certificates to evade detection.<sup>[[Expel October 31 2025](/references/ce92580a-66f0-431c-9ee8-7efec2bd4585)]</sup>","first_seen":"2024-05-01T00:00:00Z","last_seen":"2024-09-30T00:00:00Z","created":"2025-11-19T17:45:56.404734Z","modified":"2025-11-19T17:45:56.404738Z","campaign_attack_id":"C3161","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"ba143bca-c4f6-4467-88da-4d74fb43ed54","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"68924a0e-ab34-4ec9-ae3a-0a1f95925d7a","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"d13493f3-2b60-51cc-9a10-1a43d262e487"},{"id":"afbae08c-d6a0-4867-baea-f60b4dfced4a","name":"Rhysida Malvertising Campaign (2025)","description":"An ongoing campaign by the Rhysida ransomware gang, starting in June 2025, using malvertising to deliver OysterLoader and Latrodectus malware. The campaign shows increased operational tempo and resource investment, with over 40 code-signing certificates used.<sup>[[Expel October 31 2025](/references/ce92580a-66f0-431c-9ee8-7efec2bd4585)]</sup>","first_seen":"2025-06-01T00:00:00Z","last_seen":"2025-10-31T00:00:00Z","created":"2025-11-19T17:45:56.559880Z","modified":"2025-11-19T17:45:56.559883Z","campaign_attack_id":"C3162","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"3b1285da-e9fd-4eb4-b1d3-30258077b2a5","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"1acc9125-201d-4eee-8a5f-faf79330052f","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"e0557dd1-b845-568e-863a-3518cd88079c"},{"id":"ea851f71-0392-4c1e-822a-98a620888ae6","name":"Rogue ScreenConnect Social Engineering Campaigns 2025","description":"A series of phishing and social engineering campaigns throughout 2025 where threat actors used lures such as Social Security statements, invitations, and invoices to trick users into installing rogue ScreenConnect clients, enabling remote access and further malicious activity.<sup>[[Huntress December 31 
2025](/references/a07eaeca-f826-42da-aee3-86c96875c600)]</sup>","first_seen":"2025-01-13T00:00:00Z","last_seen":"2025-09-30T00:00:00Z","created":"2026-01-06T18:05:33.365566Z","modified":"2026-01-06T18:05:33.365570Z","campaign_attack_id":"C3253","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"f3976dae-200c-480b-a0b3-e2fcb1d4a3c8","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"a2e1dbde-7c19-4ed9-abe7-ccc1077126d2","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"0eb4fd83-83f2-53b3-9383-5e0754cd054f"},{"id":"783903b6-df11-46bc-b422-856208769e63","name":"RomCom via SocGholish targeting U.S. companies supporting Ukraine","description":"A campaign in September 2025 where RomCom, via SocGholish operated by TA569, targeted a U.S.-based engineering firm with ties to Ukraine, delivering the RomCom Mythic loader for espionage and disruption.<sup>[[Arctic Wolf November 25 2025](/references/24a1832e-ffc5-4504-8e47-32ba0be97b0c)]</sup>","first_seen":"2025-09-01T00:00:00Z","last_seen":"2025-09-30T00:00:00Z","created":"2025-12-10T14:15:25.731171Z","modified":"2025-12-10T14:15:25.731176Z","campaign_attack_id":"C3189","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"ee3e5e27-af31-40c6-acc3-ddeee7931b9b","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"21b9379e-7ea9-4fb2-bc0a-52afd1a8b3b9","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"b2f9471c-d8fe-591e-9ed7-8b30f5a43520"},{"id":"c91bdb0c-e7ed-44ec-8826-d9983d72c171","name":"RomCom WinRAR Zero-Day Vulnerability Exploit (CVE-2025-8088)","description":"Void Rabisu (aka RomCom) actors sent spearphishing emails containing malicious archive attachments to victims in the financial, manufacturing, defense, and logistics sectors in Europe and Canada. The attachments enabled exploitation of a zero-day vulnerability in the WinRAR file archiving utility, tracked as CVE-2025-8088. 
Researchers assessed that the aim of the attacks was cyberespionage.<sup>[[ESET CVE-2025-8088 August 11 2025](/references/0b9a2bad-46e0-4bc9-acd6-1223c1b4f6bf)]</sup>","first_seen":"2025-07-18T00:00:00Z","last_seen":"2025-07-21T00:00:00Z","created":"2025-08-14T15:16:43.482650Z","modified":"2025-08-14T15:16:43.482655Z","campaign_attack_id":"C3119","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"33ecaeb8-a9ae-4131-ac35-a158c77ab101","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"c899e0c7-3594-415b-b996-b170c17774fd","tag":"1dc2830c-99a9-4615-91f2-12c278077959"},{"id":"4da4ba28-7b04-4ed8-b311-e96d52aa11a7","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"01fb00ee-fa0c-4ab3-b842-e679160e9eb5","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"c2b7fcef-45a2-5ec4-9e5f-5c41d48b3479"},{"id":"a2ce2e5a-f496-4865-996f-6b60d3ca810c","name":"RondoDoX Botnet Campaign","description":"A persistent nine-month campaign involving the RondoDoX botnet, targeting IoT devices and web applications, exploiting vulnerabilities including Next.js RCE, and deploying botnet, cryptominer, and persistence payloads.<sup>[[Www.cloudsek.com December 29 2025](/references/4c94a4d9-242c-4b15-8fa0-0d7f7273d43f)]</sup>","first_seen":"2025-03-28T00:00:00Z","last_seen":"2025-12-29T00:00:00Z","created":"2026-01-06T18:05:32.738272Z","modified":"2026-01-06T18:05:32.738277Z","campaign_attack_id":"C3249","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"1b64f306-0a4f-4a73-bbd3-f7229accad70","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"20a6597b-8895-4270-86a6-fa5e5792866b","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"551e6023-6e9f-57d2-b51b-7c598037ba78"},{"id":"246d56a6-141c-4d60-a346-538e44fac1c9","name":"Russian SVR Cyber Operations and Vulnerability Exploitation Activity","description":"On October 10, 2024, U.S. 
cybersecurity authorities and international partners released a joint Cybersecurity Advisory (JCSA-20241010-001), which detailed TTPs used by Russian Foreign Intelligence Service (SVR) actors (aka APT29, Midnight Blizzard, et al.) during \"recent\" cyber operations. The advisory highlighted the variety of initial access and post-exploitation TTPs leveraged by SVR actors in both targeted and broad-based campaigns, and it also spotlighted that these actors have the \"capability and interest\" to exploit a relatively long list of publicly disclosed vulnerabilities, which are tagged to this object.<sup>[[FBI SVR Update October 10 2024](/references/63a76e88-2cd1-4cfa-bd96-4c1c3eebb39b)]</sup>","first_seen":"2021-01-01T00:00:00Z","last_seen":"2024-10-10T00:00:00Z","created":"2024-10-14T19:20:51.048330Z","modified":"2024-10-14T19:20:51.048333Z","campaign_attack_id":"C3062","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"9f85f157-685f-42ba-9ab1-2109f39adb80","tag":"af5e9be5-b86e-47af-91dd-966a5e34a186"},{"id":"d9c60b6a-a284-4a94-9738-e0e3fbb42904","tag":"61cdbb28-cbfd-498b-9ab1-1f14337f9524"},{"id":"09cfb567-9399-42ba-b6dd-9e3384a2acd5","tag":"e551ae97-d1b4-484e-9267-89f33829ec2c"},{"id":"e4404d11-232f-40ae-8cfb-be78377addce","tag":"154bd6f0-9276-4ea5-946c-d35769d3ae4b"},{"id":"1a80309e-c205-45df-9afe-7f2db6397b54","tag":"1ee3e55f-8f28-43c4-9f01-8a1bad68bd56"},{"id":"afdbc082-c8a1-42cd-bfc1-e41a0c67e5bb","tag":"082b6886-9f4a-4237-82e4-827f6bab704e"},{"id":"ff55f812-6158-43a6-9638-2940106699e1","tag":"7d158419-2d50-4688-aa4f-3b68a4d30870"},{"id":"a4a2c932-25d4-41f5-8629-de9f8478d683","tag":"5c7a911d-9f28-4f13-a6aa-c7a2e2b3ca55"},{"id":"6ccac239-9c01-4184-bef7-534f836018c0","tag":"46404b24-e38a-4fea-981b-cac3d3020c8b"},{"id":"9daff838-8d8e-499c-980f-9378d557110b","tag":"9a0df3c4-2bbf-4192-a08a-ec27d9a4c5f1"},{"id":"c9b9b5ae-1978-4036-b41c-f46a1fd27ef6","tag":"e676e31d-d1d4-4a83-afa9-acf58be4f92a"},{"id":"5389ebed-f0a6-4563-8bcd-d867bdbe1ca6","tag":"49478e42-3
8e9-417c-9cf9-7f2c5d41bfa8"},{"id":"a560478a-ed1c-46cf-9ff6-dad353a7858c","tag":"b7ad8591-fbff-46ec-8f4a-33f569cce2f9"},{"id":"a5b1137b-2101-44ea-9264-cf52f1c03a1d","tag":"5ef89937-dd06-4407-91d2-61db30c75934"},{"id":"2f7867e2-3f5c-41d5-a1dc-f2a61c1c20c6","tag":"72d3fa15-265b-4f4c-ba77-635d8531fe69"},{"id":"afa9da38-d816-439e-9416-ddd3ffcc422d","tag":"5bd6e9f7-78e3-4a8b-8734-c8c45b61a76d"},{"id":"221c3812-782d-4be4-89fb-0e7df4494caa","tag":"b3665c87-5cb3-414e-8910-d4ffe53371c2"},{"id":"12afe719-3b11-4e68-a3ce-7228ffa694a3","tag":"d1596bb2-b947-419a-b1f0-8f38e28eae09"},{"id":"bf5f0a97-620f-44d7-ac84-8059c6930b3b","tag":"49a674f7-c117-422e-8057-67bdfab2de9c"},{"id":"9c3871d0-d9ed-40aa-a422-ea3adac00cb3","tag":"a4240ea5-b7d4-40a0-afbd-76fcf2e4ebbc"},{"id":"2b1c84d0-54c3-4675-b1b4-ee768e14ac7d","tag":"f97e406e-0d4b-4927-af03-8113a720417f"},{"id":"05a1c150-7959-4b65-9f22-aed65297f711","tag":"1b0321d7-4d9a-4977-bd2a-092c2693b328"},{"id":"97f85279-5a1f-4934-88b5-9a51021e68c2","tag":"cccb02c5-9791-4cb4-8fe8-0c5a6aea7dcf"},{"id":"2d7ffc90-56bd-4d21-bf49-edfabd794354","tag":"15b77e5c-2285-434d-9719-73c14beba8bd"},{"id":"ae3e7772-b461-435d-9c3f-855afb22b868","tag":"08809fa0-61b6-4394-b103-1c4d19a5be16"},{"id":"cdc7e4e4-41cb-44fc-bcb6-a9f71e758291","tag":"7551097a-dfdd-426f-aaa2-a2916dd9b873"},{"id":"66fffc3f-6e06-4215-92eb-68395ee023fa","tag":"a32a757a-9d6b-43ca-ac4b-5f695dd0f110"},{"id":"8fe6108c-1d42-491a-91b0-e14621a4067a","tag":"1b98f09a-7d93-4abb-8f3e-1eacdb9f9871"}],"tidal_id":"21187354-4d68-5104-8501-f7359a8b70ab"},{"id":"06ea1fe8-ff94-4197-8fbe-764abaf99d90","name":"Salary Bonus + Employer Benefits Reports 25","description":"A phishing campaign using OAuth device code phishing, where users received a shared document alert and were tricked into entering a device code on Microsoft's legitimate device authorization page, resulting in account compromise.<sup>[[Proofpoint December 16 
2025](/references/1f13a583-dbb1-462e-9a88-31fc8ef184c9)]</sup>","first_seen":"2025-12-08T00:00:00Z","last_seen":"2025-12-08T00:00:00Z","created":"2025-12-29T17:41:31.605599Z","modified":"2025-12-29T17:41:31.605603Z","campaign_attack_id":"C3237","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"0d5504c5-49e1-48cc-849f-73ee01f29328","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"8e62adbe-5b28-4299-9775-fe95c6d281f3","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"51547090-8229-55ab-aeb6-84eefe5b579d"},{"id":"ab99d168-f97f-53e1-83d2-578de7d137fd","name":"Salesforce Data Exfiltration","description":"The [Salesforce Data Exfiltration](https://app.tidalcyber.com/campaigns/ab99d168-f97f-53e1-83d2-578de7d137fd) campaign began in October 2024 with financially-motivated threat actor UNC6040 using [Spearphishing Voice](https://app.tidalcyber.com/technique/113b8750-d166-5cac-bd26-2c82c90b9d88) (vishing) to compromise corporate Salesforce instances for large-scale data theft and extortion. Following the initial data theft, victim organizations received extortion demands from a separate threat actor, UNC6240, who claimed to be the “ShinyHunters” group. 
The observed infrastructure and TTPs used during the [Salesforce Data Exfiltration](https://app.tidalcyber.com/campaigns/ab99d168-f97f-53e1-83d2-578de7d137fd) campaign overlap with those used by threat groups with suspected ties to the broader collective known as \"The Com.” These overlaps could plausibly be the result of associated actors operating within the same communities and are not necessarily an indication of a direct operational relationship.<sup>[[FBI Salesforce Data Theft SEP 2025](https://app.tidalcyber.com/references/519603b4-3520-5879-9e16-7380915b87c3)]</sup><sup>[[Google Salesforce JUN 2025](https://app.tidalcyber.com/references/4f9aec3c-28be-5b81-b78b-0fda0d3b214d)]</sup>","first_seen":"2004-10-01T04:00:00Z","last_seen":"2025-09-01T04:00:00Z","created":"2025-10-29T21:08:48.054416Z","modified":"2025-10-29T21:08:48.054417Z","campaign_attack_id":"C0059","source":"MITRE","owner_name":null,"tags":[{"id":"3e024106-727c-4d22-a801-341be143e624","tag":"e90b243c-99e2-46fe-8f04-eca9c7939250"}],"tidal_id":"ab99d168-f97f-53e1-83d2-578de7d137fd"},{"id":"edd0f27c-5d6c-4ecc-ba99-56e00fd3da6c","name":"Salt Typhoon July 2025 European Telecommunications Intrusion","description":"A targeted intrusion against a European telecommunications organization in July 2025, involving exploitation of Citrix NetScaler Gateway, lateral movement to Citrix VDA hosts, and deployment of SNAPPYBEE (Deed RAT) via DLL sideloading.<sup>[[Darktrace Salt Typhoon October 20 2025](/references/10b7ccf8-9d41-489a-ad8e-e5bb61c95f4a)]</sup>","first_seen":"2025-07-01T00:00:00Z","last_seen":"2025-07-31T00:00:00Z","created":"2025-10-24T16:14:03.491234Z","modified":"2025-10-24T16:14:03.491237Z","campaign_attack_id":"C3157","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"bc4f47e9-51b8-479d-afa3-29d77d271eff","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"c20e15a2-e4ff-4605-b019-ce5cc9d10081","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"740eddc9-c5b4-5058-9521-742ceafefddd"},{"id":"9cfb9bc8-dad9-4a49-bbdd-7273d8ccbc06","name":"Sandworm 2021-2025 Western Critical Infrastructure Campaign","description":"A years-long Russian state-sponsored campaign targeting Western critical infrastructure, especially the energy sector, by compromising misconfigured network edge devices for credential harvesting and lateral movement.<sup>[[Amazon Web Services December 15 2025](/references/cb9ff075-d033-4990-b389-4760d089e255)]</sup>","first_seen":"2021-01-01T00:00:00Z","last_seen":"2025-12-31T00:00:00Z","created":"2025-12-24T14:57:51.379157Z","modified":"2025-12-24T14:57:51.379160Z","campaign_attack_id":"C3224","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"0a7f7377-03b6-4f9d-864f-186f9242394e","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"e808d793-4f61-493a-b701-93b06bf03a6a","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"0dc87cec-7063-5a28-b75c-d133219095cb"},{"id":"7206531c-74b6-4a97-a598-700bc88c7c87","name":"Scattered Spider CFO Targeting and Compromise","description":"Techniques and other details from an incident response engagement in late May 2025, reported by ReliaQuest in late June 2025 and attributed to Scattered Spider. 
Actors performed in-depth reconnaissance around a high-level employee (CFO) to gain initial access and battled against responders over four days before finally being evicted from the network for good.<sup>[[ReliaQuest Scattered Spider June 27 2025](/references/9a051c1d-94f3-49e7-a226-acbd749407b6)]</sup>","first_seen":"2025-05-28T00:00:00Z","last_seen":"2025-05-31T00:00:00Z","created":"2025-07-21T18:43:35.556028Z","modified":"2025-07-21T18:43:35.556031Z","campaign_attack_id":"C3116","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"e106cc30-de5d-4372-b15e-bdd2311bae2e","tag":"e90b243c-99e2-46fe-8f04-eca9c7939250"},{"id":"dd3b02b7-d572-4942-be86-7823cd647cf4","tag":"b802443a-37b2-4c38-addd-75e4efb1defd"},{"id":"75de2c18-7fe5-4d94-9db0-ef54a8537e57","tag":"c9c73000-30a5-4a16-8c8b-79169f9c24aa"},{"id":"c173f15b-cc55-47c6-b41a-65b49d445f92","tag":"15f2277a-a17e-4d85-8acd-480bf84f16b4"},{"id":"158f185d-d51e-494c-b588-947bc3197fdb","tag":"d92fd4ee-09aa-4a32-9058-cd23f0c6238a"},{"id":"bb1e7a70-3d83-4013-809d-e82c6d781cdc","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"42f56819-da17-4a58-9c11-2fa7159929b9","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"8d9cc9de-de81-500d-8560-ce93a3a4ae31"},{"id":"43f29c00-437f-43f3-8d69-052a06f1a2eb","name":"Scattered Spider TTP Evolution - SaaS Targeting","description":"Researchers have observed an evolution in Scattered Spider's/UNC3944's TTPs since the second half of 2023, with actors especially focusing on gaining wide access to victim SaaS environments for reconnaissance, data theft, and subsequent extortion purposes. 
This object reflects the MITRE ATT&CK® Techniques associated with this activity.<sup>[[Google Cloud June 13 2024](/references/161423a2-165d-448f-90e9-0c53e319a125)]</sup>\n\nNotable Techniques newly associated with Scattered Spider via this Campaign object include Forge Web Credentials: SAML Tokens (T1606.002), Impair Defenses: Disable or Modify Tools (T1562.001), Indicator Removal: Clear Windows Event Logs (T1070.001), Software Discovery: Security Software Discovery (T1518.001), and Pre-OS Boot: System Firmware (T1542.001).","first_seen":"2023-08-13T00:00:00Z","last_seen":"2024-06-13T00:00:00Z","created":"2024-06-24T15:00:29.798861Z","modified":"2024-06-24T15:00:29.798866Z","campaign_attack_id":"C3041","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"58db5be4-bf49-483c-8bc2-866e8ee55082","tag":"e90b243c-99e2-46fe-8f04-eca9c7939250"},{"id":"e58d6e13-5094-412b-8e9e-89c88892038d","tag":"fe28cf32-a15c-44cf-892c-faa0360d6109"},{"id":"c7e29dc6-d6cc-4dc6-9437-1a04dd773343","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"23ec1337-b5b9-4e43-a248-244587fbbb69","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"eed0fb2a-070e-5ec0-9d98-2a2d6551f487"},{"id":"365150b8-94ed-4d43-895e-fb07d0a8a7cd","name":"ScreenConnect Vulnerability Exploit Attacks","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to recently reported attacks that featured exploits of recently disclosed vulnerabilities in the ConnectWise ScreenConnect utility (CVE-2024-1709 and CVE-2024-1708, aka \"SlashAndGrab\"). 
Several of the observed attacks saw the ingress of various malicious tools, including suspected ransomware.\n\nFurther background & contextual details can be found in the References tab below.","first_seen":"2024-02-19T00:00:00Z","last_seen":"2024-02-23T00:00:00Z","created":"2024-06-13T20:12:38.384815Z","modified":"2024-06-13T20:12:38.384819Z","campaign_attack_id":"C3024","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"a1965501-61d3-4360-b7dd-d5b414991538","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"47cc928e-adf0-4cb2-8665-25de3af8a945","tag":"fdd53e62-5bf1-41f1-8bd6-b970a866c39d"},{"id":"a07afb38-0d38-46a9-b15d-0ceb59f7461a","tag":"d431939f-2dc0-410b-83f7-86c458125444"},{"id":"3c6bc59f-f254-4117-9575-33eee3590617","tag":"7e7b0c67-bb85-4996-a289-da0e792d7172"},{"id":"8127ce0d-b061-43bc-922e-36028ecae2bf","tag":"e727eaa6-ef41-4965-b93a-8ad0c51d0236"},{"id":"382a952a-cd4a-44a1-9104-89f483432917","tag":"509a90c7-9ca9-4b23-bca2-cd38ef6a6207"},{"id":"ecc81a1b-57cf-4fc5-a7e5-9c7e4c67a889","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"7f272fbc-cad1-52ce-8963-9452ec7281dd"},{"id":"fe148f24-92bf-4bc3-b010-20ff2aea43e6","name":"SesameOp campaign","description":"A sophisticated, long-term intrusion campaign discovered in July 2025, where the threat actor maintained persistence in the target environment for several months using the SesameOp backdoor and internal web shells, with the objective of espionage.<sup>[[Microsoft Security Blog November 03 2025](/references/4fc98ad2-fabe-46a7-8546-db22dd737177)]</sup>","first_seen":"2025-07-01T00:00:00Z","last_seen":"2025-07-31T00:00:00Z","created":"2025-11-19T17:45:56.848417Z","modified":"2025-11-19T17:45:56.848421Z","campaign_attack_id":"C3164","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"d18af4d5-b9b9-4d1b-a762-7858b6690a1f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"4044a367-2698-4f38-be1a-0d1b788db52d","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"661f3717-4ff7-555c-8806-f526d70f1c12"},{"id":"644f4e81-7f53-4bc4-9eaf-b533fb739541","name":"ShadowPad Distribution via WSUS CVE-2025-59287","description":"A campaign in which attackers exploited the WSUS remote code execution vulnerability (CVE-2025-59287) to distribute ShadowPad malware to Windows servers, leveraging PowerCat for initial access and using LOLBins for malware installation.<sup>[[ASEC November 18 2025](/references/3058206c-6817-4b53-b232-2b7a87f572cd)]</sup>","first_seen":"2025-10-22T00:00:00Z","last_seen":"2025-11-06T00:00:00Z","created":"2025-12-10T14:15:25.525853Z","modified":"2025-12-10T14:15:25.525859Z","campaign_attack_id":"C3188","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"91d8e923-2d28-4fdb-9c27-6956219ac96c","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"b504e371-4879-4c0a-b991-7cb915bcc259","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"477752dd-7302-5b79-a898-e6f750898ebc"},{"id":"7920b2d4-1d80-5d74-b79b-80fdd51db06a","name":"ShadowRay","description":"[ShadowRay](https://app.tidalcyber.com/campaigns/7920b2d4-1d80-5d74-b79b-80fdd51db06a) was a campaign that began in late 2023 targeting the education, cryptocurrency, biopharma, and other sectors through a vulnerability (CVE-2023-48022) in the Ray AI framework named ShadowRay. According to security researchers [ShadowRay](https://app.tidalcyber.com/campaigns/7920b2d4-1d80-5d74-b79b-80fdd51db06a) was the first known instance of AI workloads being actively exploited in the wild through vulnerabilities in AI infrastructure. 
CVE-2023-48022, which allows access to compute resources and sensitive data for exposed instances, remains unpatched and has been disputed by the vendor as they maintain that Ray is not intended for use outside of a strictly controlled network environment.<sup>[[Oligo ShadowRay Campaign MAR 2024](https://app.tidalcyber.com/references/84201679-1855-588d-aee0-b2518f563c9f)]</sup>","first_seen":"2023-09-01T04:00:00Z","last_seen":"2024-03-01T05:00:00Z","created":"2025-04-22T20:47:03.099062Z","modified":"2025-04-22T20:47:03.099067Z","campaign_attack_id":"C0045","source":"MITRE","owner_name":null,"tags":[{"id":"c417b89b-a0d8-4634-a0ea-93b7045c7bc8","tag":"803e2b2e-2321-4bd2-b0f3-13ecd2e905c3"}],"tidal_id":"7920b2d4-1d80-5d74-b79b-80fdd51db06a"},{"id":"56b304b2-6ad1-490d-823b-20049eaad34c","name":"ShadowRay 2.0","description":"A global, multi-stage campaign exploiting exposed Ray AI clusters via CVE-2023-48022 to build a self-propagating botnet for cryptojacking, DDoS, data exfiltration, and lateral propagation. The campaign evolved from GitLab-based to GitHub-based infrastructure and leverages AI-generated payloads.<sup>[[Oligo ShadowRay November 18 2025](/references/760d0a0d-620b-45a5-9e8d-06903555a118)]</sup>","first_seen":"2024-09-01T00:00:00Z","last_seen":"2025-11-17T00:00:00Z","created":"2025-12-10T14:15:24.895683Z","modified":"2025-12-10T14:15:24.895689Z","campaign_attack_id":"C3185","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"0a55e3af-65c7-4c17-8250-16d3e8dae441","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"f9aef0f2-aca1-4eba-ad67-5f8ff11a8576","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"bc44e87e-4848-5e63-b3ab-2773b5450991"},{"id":"bae71508-8454-482e-acc0-a3611f3e5a00","name":"ShadowV2 IoT DDoS Test Campaign","description":"A campaign observed at the end of October 2025, where the ShadowV2 Mirai variant was spread via IoT vulnerabilities during a global AWS outage, likely as a test run for future attacks. 
The campaign targeted multiple countries and industries worldwide.<sup>[[Fortinet Blog November 26 2025](/references/b75763ef-f03a-48a6-929d-231181be61ab)]</sup>","first_seen":"2025-10-25T00:00:00Z","last_seen":"2025-10-31T00:00:00Z","created":"2025-12-10T14:15:26.141188Z","modified":"2025-12-10T14:15:26.141193Z","campaign_attack_id":"C3191","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"c66ea24c-95d8-4fcc-8111-a1891920aedf","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"5e352ced-f4fb-42d9-8994-b216d974b93f","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"f207af1b-2ddf-5594-b675-07c43f6923c8"},{"id":"99cb11cf-cb9a-41ae-835e-c9aee98f7c8b","name":"SHADOW-VOID-042 November 2025 Trend Micro-Themed Campaign","description":"A spear-phishing campaign in November 2025 using Trend Micro-themed lures targeting multiple industries, including defense, energy, chemical, cybersecurity, and ICT, with a decoy website and multi-stage payload delivery.<sup>[[Trend Micro December 11 2025](/references/245f6529-20de-4849-8aa3-ba35b79f3a49)]</sup>","first_seen":"2025-11-01T00:00:00Z","last_seen":"2025-11-30T00:00:00Z","created":"2025-12-17T14:19:15.275785Z","modified":"2025-12-17T14:19:15.275789Z","campaign_attack_id":"C3216","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"fe7fdd69-addf-4b5a-a366-71dfe5072445","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"bad259f6-642a-4589-b3a9-278ad4b5e7a8","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"9cd18968-4f69-5230-9d3b-eca7037f0968"},{"id":"f0270ef7-e447-4a84-adf9-52bf61a0241d","name":"SHADOW-VOID-042 October 2025 HR/Research Lure Campaign","description":"A spear-phishing campaign in October 2025 targeting executives and HR employees in various industries using HR complaints and research participation as lures, with tailored decoy documents.<sup>[[Trend Micro December 11 
2025](/references/245f6529-20de-4849-8aa3-ba35b79f3a49)]</sup>","first_seen":"2025-10-01T00:00:00Z","last_seen":"2025-10-31T00:00:00Z","created":"2025-12-17T14:19:15.446715Z","modified":"2025-12-17T14:19:15.446719Z","campaign_attack_id":"C3217","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"52d8b5df-d65e-4e51-b550-541c6439066f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"9a5dbd70-f787-4a02-a36a-548e9e70026d","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"17f90d16-8cd9-52b4-987b-84cc93b4dd8c"},{"id":"b9c5165c-96af-4749-903e-b98b369a558e","name":"ShadyPanda","description":"A 7+ year campaign involving over 100 browser extensions for mass surveillance, affiliate fraud, and spyware, infecting at least 5.6 million users across Chrome, Edge, and Firefox.<sup>[[Www.koi.ai January 05 2026](/references/5da3facd-7bd9-4a02-843a-ad4b3fa273d7)]</sup>","first_seen":"2018-01-01T00:00:00Z","last_seen":"2025-12-30T00:00:00Z","created":"2026-01-06T18:05:33.676272Z","modified":"2026-01-06T18:05:33.676276Z","campaign_attack_id":"C3255","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"bfce618c-34c7-4489-aced-10f5b11b89a5","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"9cd472e0-6e55-4ef4-b766-39dbbee709ee","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"6daba355-e998-5545-964d-0ca3316ee42b"},{"id":"6d9068cf-20d6-4048-b192-2ab5d10e33e5","name":"Shai-hulud 2.0 Campaign","description":"A supply chain attack campaign targeting cloud and developer ecosystems by compromising NPM package maintainers, stealing cloud and developer credentials, and automating the backdooring and republishing of NPM packages with malware.<sup>[[Trend Micro Shai-hulud 2.0 November 27 2025](/references/8ef2673c-0d9a-4b8d-b529-154ad16d7ce7)]</sup>","first_seen":"2024-09-15T00:00:00Z","last_seen":"2025-11-24T00:00:00Z","created":"2025-12-10T14:15:26.341155Z","modified":"2025-12-10T14:15:26.341161Z","campaign_attack_id":"C3192","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"21fbfa04-81ef-4d1c-bb5a-85a1fcb88ab7","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"80aea5c3-9c38-4f21-9dec-9a9f8335cf47","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"10658c6e-933d-5120-9e0e-21bf1eab2dbc"},{"id":"0b5746af-645a-42b0-9c0d-469b163791b2","name":"Shai-Hulud npm Supply Chain Attack","description":"A mid-September 2025 supply chain attack campaign that featured a worm-style malware dubbed \"Shai‑Hulud\", which compromised developer accounts in the npm ecosystem. The attack injected malicious `postinstall` scripts (bundle.js) into dozens of packages; once victims installed a compromised package, the malicious script steals secrets (such as GitHub, npm, AWS, or GCP tokens), creates or abuses GitHub Actions workflows to exfiltrate data, and - with stolen npm tokens - republishes itself across all packages the maintainer controls, effectively self‑propagating across the ecosystem.<sup>[[Unit 42 September 17 2025](/references/7a6dddcf-f746-4daa-8c22-2b26ec2d58d1)]</sup><sup>[[Socket Tinycolor npm Compromise September 15 2025](/references/197b6774-25e5-4c02-bf45-20e0c1dfca6c)]</sup><sup>[[Socket CrowdStrike npm Compromise September 16 2025](/references/1f0bceb3-0709-48eb-8d39-98d04b1ceb42)]</sup>","first_seen":"2025-09-14T00:00:00Z","last_seen":"2025-09-17T00:00:00Z","created":"2025-09-19T19:48:27.842512Z","modified":"2025-09-19T19:48:27.842516Z","campaign_attack_id":"C3129","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"4f2af695-0378-48e1-b9f6-2f99369e7b6f","tag":"4a457eb3-e404-47e5-b349-8b1f743dc657"},{"id":"dae0d2c8-3f7b-4361-82a4-b6bf257eb4ef","tag":"3b73c532-ccfc-4d66-9830-ab76ef1bc47a"},{"id":"86666de2-04d6-419b-9d28-3a90309e5f31","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"bae1f5e1-3856-424e-aaff-b84ff381f2f7","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"7e55b88c-93c7-55b1-91c4-35b9d951d8dd"},{"id":"60ce336a-62ff-541d-a751-11fe51da7bef","name":"SharePoint ToolShell Exploitation","description":"The [SharePoint ToolShell Exploitation](https://app.tidalcyber.com/campaigns/60ce336a-62ff-541d-a751-11fe51da7bef) campaign was conducted in July 2025 and encompassed the first waves of exploitation against incompletely patched spoofing (CVE-2025-49706) and remote code execution (CVE-2025-49704) vulnerabilities affecting on-premises Microsoft SharePoint servers. Later patched and updated as CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabilities were widely exploited, including by China-based ransomware actor Storm-2603 and espionage actors [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) and [ZIRCONIUM](https://app.tidalcyber.com/groups/5e34409e-2f55-4384-b519-80747d02394c). 
[SharePoint ToolShell Exploitation](https://app.tidalcyber.com/campaigns/60ce336a-62ff-541d-a751-11fe51da7bef) targeted multiple regions and industries including finance, education, energy, and healthcare across Asia, Europe, and the United States.<sup>[[Microsoft SharePoint Exploit JUL 2025](https://app.tidalcyber.com/references/e6b03e68-453d-570a-8910-74401d0ffdca)]</sup><sup>[[Palo Alto SharePoint Vulnerabilities JUL 2025](https://app.tidalcyber.com/references/5249d609-2eed-5910-858a-3a5355049fee)]</sup><sup>[[Eye Research ToolShell JUL 2025](https://app.tidalcyber.com/references/9db6a350-e61e-51d0-b94c-e2fa8bcb5c3a)]</sup><sup>[[ESET ToolShell JUL 2025](https://app.tidalcyber.com/references/5adee7b6-feba-5954-98d8-62d7c756a591)]</sup><sup>[[Trend Micro SharePoint Attacks JUL 2025](https://app.tidalcyber.com/references/659a720d-108f-5eac-9e8f-ea9de749d22b)]</sup>\n","first_seen":"2025-07-01T04:00:00Z","last_seen":"2025-07-01T04:00:00Z","created":"2025-10-29T21:08:48.054428Z","modified":"2025-10-29T21:08:48.054429Z","campaign_attack_id":"C0058","source":"MITRE","owner_name":null,"tags":[{"id":"40b9979f-4855-4b5a-9292-04a4464d5169","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"81c38aaf-fa6d-4740-9cc9-62bb6bdf8418","tag":"27821e4d-7d67-4f7c-bb48-1c42b98998eb"},{"id":"afb88f63-28b3-4838-8158-5df370169332","tag":"63a47b84-917d-41ca-8461-93a4fef8c68b"},{"id":"4f73dc76-f002-4b73-bc13-bdd7647dc688","tag":"8490bce5-3ac4-4285-8ec5-bd79a4670492"},{"id":"d87f154b-bdcb-4a71-b5bc-ea2d6242ebbd","tag":"c8ee7c0d-8a65-4c86-b0fa-8d5430788cff"}],"tidal_id":"60ce336a-62ff-541d-a751-11fe51da7bef"},{"id":"18f9141f-beab-4dbc-86d3-365a805cb472","name":"SharePoint Vulnerabilities (ToolShell) Mass Exploit Campaign (Deprecated)","description":"*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"SharePoint ToolShell Exploitation\" (Campaign). All relevant Tidal content extensions (e.g. 
additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\nToolShell refers to a critical weakness in on-premises Microsoft SharePoint, which enables attackers to gain control of servers without authentication. Security researchers identified CVE-2025-49704 and CVE-2025-49706 in May 2025 and labeled the attack chain involving both vulnerabilities as \"ToolShell\". In July 2025, incident responders identified suspected zero-day, mass exploitation activity on SharePoint servers, where attackers were able to perform remote code execution by extracting cryptographic keys from SharePoint servers.<sup>[[research.eye.security July 19 2025](/references/b3080101-3946-4dfd-9438-30f7d7346c13)]</sup> This activity was linked to a distinct vulnerability, CVE-2025-53770 (which U.S. CISA described as a \"variant\" of CVE-2025-49706), and Microsoft subsequently published another related SharePoint vulnerability, CVE-2025-53771.<sup>[[research.eye.security July 19 2025](/references/b3080101-3946-4dfd-9438-30f7d7346c13)]</sup><sup>[[Microsoft CVE-2025-53770 Guidance](/references/2257b29b-02f7-4e08-b43a-ae54c5ed1521)]</sup><sup>[[U.S. 
CISA CVE-2025-53770 Advisory](/references/32a94452-510e-4e22-bcf4-8cbe93031d3a)]</sup> Microsoft confirmed these latter vulnerabilities are \"related\" to the two identified in May and indicated their patches provide \"more robust\" protections than the fixes for the two earlier weaknesses.<sup>[[Microsoft CVE-2025-53770 Guidance](/references/2257b29b-02f7-4e08-b43a-ae54c5ed1521)]</sup>","first_seen":"2025-07-18T00:00:00Z","last_seen":"2025-07-19T00:00:00Z","created":"2025-07-21T18:43:35.196047Z","modified":"2025-07-21T18:43:35.196050Z","campaign_attack_id":"C3115","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"92e0612f-c30c-4c00-a441-b0bb93954922","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"8fc200df-a4d1-4e87-a13e-2eb8341aed08","tag":"27821e4d-7d67-4f7c-bb48-1c42b98998eb"},{"id":"2e80c221-6504-46f0-b90b-b66a6fada987","tag":"63a47b84-917d-41ca-8461-93a4fef8c68b"},{"id":"34b3def4-63fe-4a80-97a6-7ef403c046e2","tag":"8490bce5-3ac4-4285-8ec5-bd79a4670492"},{"id":"92484d08-1f49-47e9-bd7e-93f2ffa28924","tag":"c8ee7c0d-8a65-4c86-b0fa-8d5430788cff"},{"id":"55bf530b-fc08-4b07-b979-c0d51260add8","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"af01f060-e46c-486e-a551-433ffe131fbf","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"b82a7d4a-c4fd-5766-bf25-924a48d728a5"},{"id":"e6452c73-c19d-4577-962f-291eaa7880bd","name":"ShinyHunters Salesforce Phishing and Credential Harvesting Campaign","description":"A coordinated campaign by ShinyHunters (with possible Scattered Spider collaboration) targeting Salesforce users at major organizations using ticket-themed and Salesforce-themed phishing domains to harvest credentials and exfiltrate data.<sup>[[ReliaQuest September 15 2025](/references/8693bfa8-2b15-4697-b519-24833e2e8822)]</sup>","first_seen":"2025-06-20T00:00:00Z","last_seen":"2025-08-12T00:00:00Z","created":"2025-11-19T17:45:57.292350Z","modified":"2025-11-19T17:45:57.292355Z","campaign_attack_id":"C3167","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"51f266b2-5848-4a69-9557-a28733d755c6","tag":"e90b243c-99e2-46fe-8f04-eca9c7939250"},{"id":"2083eb1c-10ae-4d82-a1f8-f10203b3a5ed","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"47d05bff-c50c-453b-bb99-747565608e78","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"3a599a10-3d32-5ff6-8b14-7c6ac3cb4bb9"},{"id":"0fbbc01b-489c-44b9-87ef-f3015ef37a78","name":"SideWinder 2025 South Asia Public Sector Campaign","description":"A targeted spear phishing and credential theft campaign by SideWinder APT against government, military, and financial institutions in Sri Lanka, Bangladesh, and Pakistan, leveraging legacy Microsoft Office exploits and geofenced payload delivery.<sup>[[Acronis May 20 2025](/references/2a673731-bb40-4981-acb9-f27077e2e844)]</sup>","first_seen":"2025-01-01T00:00:00Z","last_seen":"2025-05-20T00:00:00Z","created":"2026-01-23T20:31:39.088810Z","modified":"2026-01-23T20:31:39.088813Z","campaign_attack_id":"C3281","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"5e309e68-d6a9-4848-9869-dc7e5f09c3e3","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"33b09e7b-28c7-4985-980c-aa606cda7d6e","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"8bad9d87-fdcb-5a06-a668-4a08867b55a0"},{"id":"0bd87b91-e017-4f2a-a040-e5997f5c7e2e","name":"SideWinder's 2025 South Asia Diplomatic Espionage Campaign","description":"A multi-wave phishing and espionage campaign in 2025 by SideWinder targeting government and diplomatic entities in Sri Lanka, Pakistan, Bangladesh, and embassies in India, using spearphishing with PDF and Word lures to deliver custom malware.<sup>[[www.trellix.com October 22 2025](/references/a14fa007-b9de-4bc5-9431-d416bdc7b24d)]</sup>","first_seen":"2025-03-01T00:00:00Z","last_seen":"2025-09-30T00:00:00Z","created":"2026-01-23T20:31:38.456722Z","modified":"2026-01-23T20:31:38.456728Z","campaign_attack_id":"C3277","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"3847910e-021e-474c-8b50-498508943866","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"a9cfed7e-9468-40c0-b9d9-e78a44aa2f78","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"608b6822-3a11-592d-9470-897ac350e97a"},{"id":"23a0f142-4287-4ffd-bc44-b03f095e23d4","name":"Silver Fox Income Tax Phishing Campaign","description":"A targeted cyber espionage campaign by the Chinese Silver Fox APT group against Indian organizations, using income tax-themed phishing lures, DLL hijacking, and Valley RAT for persistent access and data theft.<sup>[[Www.cloudsek.com December 26 2025](/references/0d6e9bfe-9c6c-40ba-9d12-30273b559d13)]</sup>","first_seen":"2025-09-30T00:00:00Z","last_seen":"2025-12-24T00:00:00Z","created":"2026-01-14T13:32:07.883219Z","modified":"2026-01-14T13:32:07.883224Z","campaign_attack_id":"C3260","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"8952ca78-9e5a-47ef-bab4-1a9b1941bd77","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"7805603f-88b2-4b5a-a079-cb73ce7afd42","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"2dc02838-e82f-5f7c-a625-744cf693b112"},{"id":"9d339ef7-5671-45bf-8636-7890be48f655","name":"Silver Fox Microsoft Teams SEO Poisoning Campaign","description":"A campaign by Silver Fox using SEO poisoning and a fake Microsoft Teams website to deliver ValleyRAT malware to Chinese-speaking users and organizations in China, employing false flags to mislead attribution.<sup>[[ReliaQuest December 04 2025](/references/3eea040e-75fb-4e52-b9b6-9e1476f0ddcb)]</sup>","first_seen":"2025-11-01T00:00:00Z","last_seen":"2025-12-04T00:00:00Z","created":"2025-12-29T17:41:33.301449Z","modified":"2025-12-29T17:41:33.301452Z","campaign_attack_id":"C3248","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"eca839ba-21af-4ad2-9bf2-c1be30aeecfb","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"9f6f95a2-9929-449f-9b33-d0371dae538f","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"58ba2f9c-a4d7-571c-9d8b-68f953859360"},{"id":"8bde8146-0656-5800-82e6-e24e008e4f4a","name":"SolarWinds Compromise","description":"The [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) was a sophisticated supply chain cyber operation conducted by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) that was discovered in mid-December 2020. [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. 
This activity has been labeled the StellarParticle campaign in industry reporting.<sup>[[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]</sup> Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.<sup>[[SolarWinds Advisory Dec 2020](https://app.tidalcyber.com/references/4e8b908a-bdc5-441b-bc51-98dfa87f6b7a)]</sup><sup>[[SolarWinds Sunburst Sunspot Update January 2021](https://app.tidalcyber.com/references/1be1b6e0-1b42-4d07-856b-b6321c17bb88)]</sup><sup>[[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)]</sup><sup>[[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)]</sup><sup>[[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]</sup><sup>[[Unit 42 SolarStorm December 2020](https://app.tidalcyber.com/references/ecbb602a-2427-5eba-8c2b-25d90c95f166)]</sup><sup>[[Microsoft Analyzing Solorigate Dec 2020](https://app.tidalcyber.com/references/8ad72d46-ba2c-426f-bb0d-eb47723c8e11)]</sup><sup>[[Microsoft Internal Solorigate Investigation Blog](https://app.tidalcyber.com/references/66cade99-0040-464c-98a6-bba57719f0a4)]</sup> \n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447), Cozy Bear, and The Dukes.<sup>[[NSA Joint Advisory SVR SolarWinds April 2021](https://app.tidalcyber.com/references/43d9c469-1d54-454b-ba67-74e7f1de9c10)]</sup><sup>[[UK NSCS Russia SolarWinds April 2021](https://app.tidalcyber.com/references/f49e6780-8caa-4c3c-8d68-47a2cc4319a1)]</sup><sup>[[Mandiant 
UNC2452 APT29 April 2022](https://app.tidalcyber.com/references/5276508c-6792-56be-b757-e4b495ef6c37)]</sup> The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number were compromised by follow-on [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) activity on their systems.<sup>[[USG Joint Statement SolarWinds January 2021](https://app.tidalcyber.com/references/336a6549-a95d-5763-bbaf-5ef0d3141800)]</sup> ","first_seen":"2019-08-01T05:00:00Z","last_seen":"2021-01-01T06:00:00Z","created":"2023-05-26T01:20:56.184427Z","modified":"2023-05-26T01:20:56.184430Z","campaign_attack_id":"C0024","source":"MITRE","owner_name":null,"tags":[{"id":"ee8e0458-3b91-4664-9508-bdd4f293b130","tag":"fe28cf32-a15c-44cf-892c-faa0360d6109"},{"id":"50768cba-b2ef-4260-b02d-a92add47df6b","tag":"f2ae2283-f94d-4f8f-bbde-43f2bed66c55"}],"tidal_id":"3609278a-8d50-5866-90a1-2ade8b5f40d4"},{"id":"69992595-2ad3-419f-a033-596662a339b4","name":"SonicWall VPN exploitation and Akira ransomware deployment","description":"A campaign involving the exploitation of SonicWall VPN devices to gain initial access, followed by lateral movement, credential and certificate theft, and rapid deployment of Akira ransomware. 
The attackers also abused recovery codes to disable security controls.<sup>[[Huntress September 15 2025](/references/14473272-5941-4ebb-8ea7-5521f6a9a283)]</sup>","first_seen":"2025-09-01T00:00:00Z","last_seen":"2025-09-15T00:00:00Z","created":"2025-12-17T14:19:13.975631Z","modified":"2025-12-17T14:19:13.975635Z","campaign_attack_id":"C3208","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"244f0aab-0df2-496b-97fc-40256bdc2ef5","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"7d151ca2-d3a6-4bfe-9a84-396a1b11ab80","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"6bbc301c-7283-51d3-9651-5e8247ef9b65"},{"id":"611b48f7-66ac-59db-8b68-87b55f67eede","name":"SPACEHOP Activity","description":"[SPACEHOP Activity](https://app.tidalcyber.com/campaigns/611b48f7-66ac-59db-8b68-87b55f67eede) is conducted through commercially leased Virtual Private Servers (VPS), otherwise known as provisioned Operational Relay Box (ORB) networks. The network leveraged for SPACEHOP Activity enabled China-nexus cyber threat actors – such as [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) and [Ke3chang](https://app.tidalcyber.com/groups/26c0925f-1a3c-4df6-b27a-62b9731299b8) – to perform network reconnaissance scanning and vulnerability exploitation. 
SPACEHOP Activity has historically targeted entities in North America, Europe, and the Middle East.<sup>[[ORB Mandiant](https://app.tidalcyber.com/references/3852fe26-53ad-504f-9328-7e249d121ebd)]</sup> ","first_seen":"2019-01-01T05:00:00Z","last_seen":"2024-05-01T04:00:00Z","created":"2025-04-22T20:47:03.202554Z","modified":"2025-04-22T20:47:03.202557Z","campaign_attack_id":"C0052","source":"MITRE","owner_name":null,"tags":[{"id":"e8bca636-35f6-4666-bb34-38a605ad9d9b","tag":"77de8096-7e36-481a-9a35-149fada04c57"}],"tidal_id":"611b48f7-66ac-59db-8b68-87b55f67eede"},{"id":"ca02171c-29fd-4fad-b8bb-db083b75156f","name":"SpearSpecter","description":"A sophisticated, ongoing cyber espionage campaign attributed to Iranian IRGC-IO-aligned actors (APT42), targeting high-profile government and defense officials using advanced social engineering, fileless malware, and multi-channel C2 infrastructure.<sup>[[National-Digital-Agency November 14 2025](/references/16bfc78d-3c16-4eb9-997d-1ada2e9d9aee)]</sup>","first_seen":"2025-08-17T00:00:00Z","last_seen":"2025-11-30T00:00:00Z","created":"2025-11-26T19:38:34.700597Z","modified":"2025-11-26T19:38:34.700600Z","campaign_attack_id":"C3176","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"7e3ce4e4-4ffd-4333-b002-2303b329b27a","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"b2eda2ba-2ceb-4ccd-9235-b120525f29ea","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"5673cb93-f581-5d11-b7d2-48e07e437aad"},{"id":"90820932-dc57-4437-a1cd-0a8c0f729a02","name":"Spoofed Phishing and Financial Scam Campaigns via Complex Routing","description":"A series of opportunistic phishing campaigns since May 2025 exploiting complex email routing and misconfigured spoof protections to deliver credential phishing and financial scam emails, often using Tycoon2FA PhaaS infrastructure.<sup>[[Microsoft Security Blog January 06 
2026](/references/eefa02e0-af27-49df-af14-16c4d4f867d3)]</sup>","first_seen":"2025-05-01T00:00:00Z","last_seen":"2025-11-30T00:00:00Z","created":"2026-01-14T13:32:08.220289Z","modified":"2026-01-14T13:32:08.220294Z","campaign_attack_id":"C3262","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"5c3229bf-8acf-4477-8477-5066d76639d9","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"2778658c-1ead-4509-88b6-689832c07169","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"6075a99b-cf8a-5f8d-a58e-8a4e1db3f263"},{"id":"687b3df0-31f4-4812-aa49-b0fb1c82bed6","name":"Sri Lankan Prime Minister’s Office Website Defacement","description":"A hacktivist campaign by Dr.MwNs defacing the official website of the Sri Lankan Prime Minister’s Office, leaving a political message and music.<sup>[[hackread.com August 05 2015](/references/8019da01-3ec1-48e3-9f7f-27499e4ca35b)]</sup>","first_seen":"2015-08-05T00:00:00Z","last_seen":"2015-08-05T00:00:00Z","created":"2026-01-23T20:31:38.620292Z","modified":"2026-01-23T20:31:38.620296Z","campaign_attack_id":"C3278","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"1cfc2849-b482-4d08-bb75-397b0f6848ee","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"aa43e6aa-00dc-47b2-8f84-c07d4b4a9363","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"0a57f4b9-4465-5cc5-ad20-a8942b710df9"},{"id":"6899e057-4159-4f38-9770-990dbab6334d","name":"STAC6565","description":"A campaign attributed to GOLD BLADE, running from February 2024 to August 2025, involving nearly 40 intrusions primarily targeting Canadian organizations with a blend of data theft and selective ransomware deployment.<sup>[[Sophos News December 05 2025](/references/30f373ed-0d2e-474a-b17f-29de7beec0c8)]</sup>","first_seen":"2024-02-01T00:00:00Z","last_seen":"2025-08-31T00:00:00Z","created":"2025-12-17T14:19:14.300626Z","modified":"2025-12-17T14:19:14.300630Z","campaign_attack_id":"C3210","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"3bfd4796-f4ef-4dc4-affb-eb3652f78717","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"13e36b31-72c5-447b-91e9-7f77a5786e5b","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"7c5185c3-8035-5a2b-ab6f-7b8ebae6d72d"},{"id":"9e5b017c-e386-47c2-8de3-5f069cdaccb1","name":"STARK#VORTEX","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2023-09-01T00:00:00Z","last_seen":"2023-09-25T00:00:00Z","created":"2025-03-25T13:16:35.069600Z","modified":"2025-03-25T13:16:35.069602Z","campaign_attack_id":"C3095","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"81b02e5a-2f86-4d46-91e1-f784f05dc2c4","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"1a713a83-e9fe-471a-9108-c5f882a89f71","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"efb6ab51-83c8-5535-894e-b96d1b4f0b11"},{"id":"24b21463-c435-4d59-9828-18cc6b1a4a45","name":"Static Tundra Network Device Compromises (CVE-2018-0171)","description":"Cisco Talos researchers and FBI officials released details of an \"ongoing\" campaign attributed to Static Tundra, which the researchers described as a likely \"sub-cluster\" of Russian cyber espionage group Energetic Bear (aka BERSERK BEAR, Dragonfly, et al), where actors exploited a seven-year-old vulnerability (CVE-2018-0171) in unpatched Cisco network devices to conduct large-scale device configuration discovery, likely for use in later targeting.<sup>[[FBI Alert Russian Government Network Device Targeting August 20 2025](/references/f9337ded-5379-451f-8bf7-84a5b23ba486)]</sup><sup>[[Cisco Talos Static Tundra August 20 
2025](/references/8b207fa6-039b-4ff8-9126-928f3f31f65c)]</sup>","first_seen":"2024-08-20T00:00:00Z","last_seen":"2025-08-20T00:00:00Z","created":"2025-08-28T19:35:58.754212Z","modified":"2025-08-28T19:35:58.754215Z","campaign_attack_id":"C3120","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"f58922cc-afdd-433c-9133-ffa091ab54f7","tag":"9ed63cc4-ed9d-4e8f-8297-4a5b6bd66858"},{"id":"d6e9ff09-44f1-49ae-a744-05f8ea69d68d","tag":"b20e7912-6a8d-46e3-8e13-9a3fc4813852"},{"id":"53255e64-2e2c-4656-a9d2-a681874f9908","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"e43c6fa1-fb48-4044-b6a2-819e56271bbc","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"708d761c-de37-5d59-b613-143e7870d0cf"},{"id":"a091bd7f-41b6-4c18-9497-6dc442d6bb41","name":"Stealth in Layers Loader Campaign","description":"A sophisticated, multi-stage campaign leveraging a commodity loader to deliver RATs and infostealers via targeted phishing emails, primarily against manufacturing and government organizations in Italy, Finland, and Saudi Arabia. 
The campaign features advanced evasion, steganography, and process injection techniques.<sup>[[Cyble December 19 2025](/references/0632aa3b-2687-4ca8-9d3a-b109f624f21e)]</sup>","first_seen":"2025-12-19T00:00:00Z","last_seen":"2025-12-19T00:00:00Z","created":"2026-01-14T13:32:08.397954Z","modified":"2026-01-14T13:32:08.397959Z","campaign_attack_id":"C3263","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"8d3c8092-7f76-4894-9918-e2e573146b00","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"486fd939-fffc-4f2d-9ef8-f3ae2fd55434","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"bc0ee935-c792-5b1b-8fdb-e3b4b7d59f80"},{"id":"718cb1fb-82c9-4f52-857b-5dec2df829b9","name":"Storm-0249 Precision EDR Exploitation Campaign","description":"A campaign in which Storm-0249 shifted from mass phishing to precision exploitation of EDR processes, notably abusing SentinelOne's SentinelAgentWorker.exe via DLL sideloading, fileless execution, and domain spoofing to enable ransomware affiliates.<sup>[[ReliaQuest December 09 2025](/references/d01a6573-49f4-415b-a778-778d08255afd)]</sup>","first_seen":"2025-12-09T00:00:00Z","last_seen":"2025-12-09T00:00:00Z","created":"2025-12-17T14:19:15.107622Z","modified":"2025-12-17T14:19:15.107626Z","campaign_attack_id":"C3215","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"6560c550-7106-48ca-9a60-a95b43697608","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"decb985b-ab5c-433f-b4f0-7a6c278ba757","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"55e96041-fb91-532a-b977-f01d06f2f618"},{"id":"22bffe62-3e15-4904-b993-90d1f577b3fc","name":"Storm-0501 Cloud-Based Ransomware Attack (2025)","description":"Microsoft Threat Intelligence researchers reported how Storm-0501 continued to evolve its behaviors while sharpening its focus on cloud environments. 
The researchers described a recent attack where the actor pivoted from on-premises to cloud environments achieving cloud privilege escalation before deploying cloud-based ransomware.<sup>[[Microsoft Security Blog August 27 2025](/references/acee642f-25de-48d7-a566-5bdfe804b8b3)]</sup>","first_seen":"2025-08-01T00:00:00Z","last_seen":"2025-08-08T00:00:00Z","created":"2025-09-04T13:58:31.652288Z","modified":"2025-09-04T13:58:31.652291Z","campaign_attack_id":"C3124","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"aecba06c-0392-4b87-a636-69e78f2d20e2","tag":"15f2277a-a17e-4d85-8acd-480bf84f16b4"},{"id":"1454f9d9-da89-4def-9071-62868ed196ac","tag":"c9c73000-30a5-4a16-8c8b-79169f9c24aa"},{"id":"baa3a54e-a803-4b14-b3c0-291519029c5b","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"d60ef513-cb7f-4735-94ae-ecc0d7f3de2a","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"525f2904-2d83-5d35-af50-7bdbe19a09f3"},{"id":"96a04dd1-c6e6-4edd-ada4-03171fd15b2d","name":"Storm-0501 Hybrid Cloud Compromise","description":"Microsoft researchers observed Storm-0501 actors abusing hybrid user identities and their associated privileges in order to pivot from on-premises to cloud environments in Q3 2024. 
Storm-0501 is a financially motivated actor that has been known to deploy multiple distinct ransomware families and exfiltrate data for extortion purposes, leveraging the relatively new, Rust-based Embargo ransomware (along with a number of supporting commodity and open-source tools) during the hybrid compromise attack.<sup>[[Microsoft Security Blog September 26 2024](/references/bf05138b-f690-4b0f-ba10-9af71f7d9bfc)]</sup> Mandiant researchers linked Storm-0501 with an actor group they track as UNC2190, which was observed carrying out ransomware attacks while branded as \"54BB47h\" (Sabbath) in 2021.<sup>[[Mandiant Sabbath Ransomware November 29 2021](/references/ab3a20a5-2df1-4f8e-989d-baa96ffaca74)]</sup><sup>[[Tyler McLellan UNC2190 September 26 2024](/references/32298444-284a-4991-ba3b-a80bd62be903)]</sup>","first_seen":"2024-07-17T00:00:00Z","last_seen":"2024-09-17T00:00:00Z","created":"2024-10-04T20:33:27.640055Z","modified":"2024-10-04T20:33:27.640062Z","campaign_attack_id":"C3057","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"a217c803-91a9-46ff-8edb-227382cd592a","tag":"ecfc9a06-e970-4310-ac3f-0af98163563b"},{"id":"dae20bd1-11de-4769-84f5-32db5a954eaf","tag":"1c1a335a-dc30-470d-9539-b09aa87e2f8c"},{"id":"2ba56de5-46cc-4fee-9fb7-0f995b1bf4cd","tag":"15b77e5c-2285-434d-9719-73c14beba8bd"},{"id":"e524f221-ac59-4cc0-8ad4-e46399fa4eef","tag":"532b7819-d407-41e9-9733-0d716b69eb17"},{"id":"c204ced0-75a2-467f-aa38-301d205fabb5","tag":"c9c73000-30a5-4a16-8c8b-79169f9c24aa"},{"id":"7d96eb76-4a0d-4358-86ac-d7779abfb0fe","tag":"5e7433ad-a894-4489-93bc-41e90da90019"},{"id":"2a35d986-bc50-46ff-9b5b-b928e068c084","tag":"7e7b0c67-bb85-4996-a289-da0e792d7172"},{"id":"a0024e48-c95a-41ad-bf60-475e4849230d","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"2231b9ac-dd1a-4368-845d-65a37824b921","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"57742f76-8b11-5b14-a066-5de917ac7717"},{"id":"816e7fae-49de-4f9a-9cf7-1ba454bac4aa","name":"Storm-0558 
Unauthorized Email Access Activity","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2023-05-15T00:00:00Z","last_seen":"2023-07-11T00:00:00Z","created":"2024-11-15T17:29:26.092585Z","modified":"2024-11-15T17:29:26.092589Z","campaign_attack_id":"C3073","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"fc14d22c-ff33-465e-9c52-77afbcae5d95","tag":"e7ea1f6d-59f2-40c1-bbfe-835dedf033ee"},{"id":"9e5f6344-f378-4dd1-b090-8db405e76548","tag":"15f2277a-a17e-4d85-8acd-480bf84f16b4"},{"id":"b0d9ce96-910f-4f51-8470-310e3cc34c6b","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"0c137634-6377-4249-acf0-d6e36e9c3d29","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"9d544b9c-9d29-5899-844f-5dc91bbe93aa"},{"id":"12b14ee4-de0b-4af7-85b4-ab8c5e41d9e4","name":"Storm-1175 GoAnywhere MFT Exploitation Campaign","description":"A campaign in which Storm-1175 exploited CVE-2025-10035, a deserialization vulnerability in GoAnywhere MFT, to gain initial access, establish persistence, perform discovery, exfiltrate data, and deploy Medusa ransomware.<sup>[[Microsoft Security Blog October 06 2025](/references/242bd97d-dad0-49af-9ed6-f150542b8ded)]</sup>","first_seen":"2025-09-11T00:00:00Z","last_seen":"2025-09-18T00:00:00Z","created":"2025-10-13T17:29:36.661249Z","modified":"2025-10-13T17:29:36.661253Z","campaign_attack_id":"C3139","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"ee0e98aa-2b02-4ae8-9310-9c2edb7440f5","tag":"99916272-acf8-4201-8cfb-6ba16a3d5fbe"},{"id":"db00c1e7-9282-4e2e-88c2-bc0dd2546959","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"e36bd622-ed1d-4118-82be-b11fcc945d70","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"f93796ab-5475-5b43-8a03-0252a0de7889"},{"id":"ebab01fe-7ae3-44f6-90d3-8c248e4d6861","name":"Storm-2603 August 2025 Ransomware Campaign","description":"A ransomware campaign in August 2025 attributed to Storm-2603, involving the deployment of Warlock, LockBit, and Babuk ransomware, abuse of Velociraptor for persistence, and exploitation of ToolShell vulnerabilities for initial access and lateral movement.<sup>[[Cisco Talos Blog October 09 2025](/references/06bee483-26fb-4cfc-a6a5-c8282a997946)]</sup>","first_seen":"2025-08-01T00:00:00Z","last_seen":"2025-08-31T00:00:00Z","created":"2025-10-13T17:29:36.939800Z","modified":"2025-10-13T17:29:36.939803Z","campaign_attack_id":"C3141","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"9e5409d1-2691-41e9-83e7-5b79792ed672","tag":"b802443a-37b2-4c38-addd-75e4efb1defd"},{"id":"59210467-11b4-4c7c-b38b-ee0beef6e5be","tag":"64a4d34f-1be5-4f53-a8af-1505d8584e93"},{"id":"8a64c518-2362-4abe-9714-8ea8f91430d3","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"a6fe28d2-37ca-4bcc-8c4a-6aa6e409b551","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"013bebae-2820-5fc3-8089-f001767e0ccb"},{"id":"aae909cd-d24a-4367-8973-af0227ebb105","name":"TA2723 OAuth Device Code Phishing (October 2025)","description":"A campaign by TA2723 in October 2025 using OAuth device code phishing, spoofing Microsoft OneDrive and sending emails with links that led to device code authorization pages, resulting in account takeover.<sup>[[Proofpoint December 16 
2025](/references/1f13a583-dbb1-462e-9a88-31fc8ef184c9)]</sup>","first_seen":"2025-10-06T00:00:00Z","last_seen":"2025-10-10T00:00:00Z","created":"2025-12-29T17:41:31.792104Z","modified":"2025-12-29T17:41:31.792107Z","campaign_attack_id":"C3238","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"fbc75251-680c-4d0a-a37b-68b6181b3861","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"638b6541-d02f-4946-8154-3473c9786e24","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"adba1b04-9f0f-5ced-8516-c21ed1ea3434"},{"id":"3c5d0cab-7974-4413-9d00-1aa769bb67db","name":"TA455 Iranian Dream Job Campaign","description":"Security researchers observed a campaign in which threat actors contacted workers in the aerospace, aviation, and defense industries, offering them fake job opportunities in an attempt to trick them into downloading malicious software. The researchers attributed the campaign to TA455, which they described as a subgroup of the Iranian threat actor Charming Kitten. 
Considering that North Korean actors have been observed using similar attack methods, the researchers concluded that the Iranian actors were either impersonating the Lazarus Group, or that North Korean actors had shared tools and TTPs with TA455.<sup>[[ClearSky Dream Job November 12 2024](/references/e53ea724-6783-4616-a6ca-30316aeca03e)]</sup>","first_seen":"2023-12-01T00:00:00Z","last_seen":"2024-11-12T00:00:00Z","created":"2024-11-15T17:29:25.241549Z","modified":"2024-11-15T17:29:25.241553Z","campaign_attack_id":"C3070","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"741733aa-739e-491a-812c-3a6d7a18e6a3","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"89e8b30c-2685-417e-8bc7-e7be9c2a46d7","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"b99343d7-e146-5064-8cca-97e3df85e727"},{"id":"55fe6e08-96df-41a0-bfa9-555c6b4ce623","name":"TA577 NTLM Credential Theft Attacks","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. 
Further background & contextual details can be found in the References tab below.","first_seen":"2024-02-26T00:00:00Z","last_seen":"2024-02-27T00:00:00Z","created":"2024-06-13T20:12:38.877583Z","modified":"2024-06-13T20:12:38.877586Z","campaign_attack_id":"C3029","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"a43d805b-b6b9-4560-a3c1-543671e97a5f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"7f2ac775-6d22-4d07-ab3f-83b41d0fe9dd","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"21068e7c-d853-5751-b3e5-63b9e6fee75f"},{"id":"6240a4e9-cc7c-4744-95b7-da5636f028d4","name":"TAG-160 Logistics Sector Campaign","description":"A campaign by TAG-160 targeting the logistics sector using phishing lures, spoofed emails, and freight-matching platforms to deliver CastleLoader and other malware.<sup>[[None December 09 2025](/references/ea47bb34-cf65-4abe-ae24-a51fad15154e)]</sup>","first_seen":"2025-03-01T00:00:00Z","last_seen":"2025-11-10T00:00:00Z","created":"2025-12-17T14:19:14.778472Z","modified":"2025-12-17T14:19:14.778476Z","campaign_attack_id":"C3213","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"5b07f0d8-7f73-4e5f-bcdd-890cfd5bcbab","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"7f79fc2c-657a-43a7-85dc-7a62d34cf6d4","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"ef2aee00-3ffe-57db-894b-bed1f4decf99"},{"id":"88e61b64-23c8-4a5c-8a26-034464512c84","name":"TAG-161 Booking.com-Themed Campaign","description":"A campaign by TAG-161 using Booking.com-themed phishing lures and custom phishing email management tools to deliver CastleLoader and Matanbuchus.<sup>[[None December 09 2025](/references/ea47bb34-cf65-4abe-ae24-a51fad15154e)]</sup>","first_seen":"2025-06-01T00:00:00Z","last_seen":"2025-11-10T00:00:00Z","created":"2025-12-17T14:19:14.944859Z","modified":"2025-12-17T14:19:14.944863Z","campaign_attack_id":"C3214","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"1ec14cbf-5521-4824-8a57-858ab47a8e3e","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"62cab18b-e587-487b-adeb-0b32beee1a98","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"d758b779-a6e9-53bd-8370-0b488ff03114"},{"id":"8b68bbc7-39a6-4002-baae-4d87e7b56bc9","name":"The Gentlemen Ransomware Campaign","description":"A campaign launched by The Gentlemen ransomware group in August 2025, targeting multiple industries and regions with advanced, adaptive tools to bypass enterprise endpoint protections, exfiltrate data, and deploy ransomware for double extortion.<sup>[[Trend Micro September 09 2025](/references/b49a1225-233f-47e8-95e5-db092e790cd0)]</sup>","first_seen":"2025-08-01T00:00:00Z","last_seen":"2025-08-31T00:00:00Z","created":"2025-10-17T17:10:08.394981Z","modified":"2025-10-17T17:10:08.394986Z","campaign_attack_id":"C3143","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"dcef1688-03f2-46f5-bb0a-dadab7d1b649","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"d7dc5f12-d4c0-40d5-b0de-04421bba7927","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"0c1a9250-cf65-537e-b3f2-032a97e81d6a"},{"id":"834c7795-ed51-4ff6-b495-e8e94e102fd7","name":"The Gentlemen Ransomware Campaign (July 2025)","description":"A campaign by The Gentlemen ransomware group, beginning around July 2025, involving dual-extortion attacks, rapid victim publication, and targeting organizations worldwide with advanced ransomware techniques.<sup>[[Cybereason The Gentlemen November 18 2025](/references/bc7807fd-020a-42b4-a311-1a1673a8f90a)]</sup>","first_seen":"2025-07-01T00:00:00Z","last_seen":"2025-10-31T00:00:00Z","created":"2025-12-17T14:19:11.016869Z","modified":"2025-12-17T14:19:11.016873Z","campaign_attack_id":"C3181","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"b09295c7-2ddf-4882-ac0f-8f9732585c27","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"f3e48c08-c5b1-4943-bd4c-e6614fa57a5b","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"65fe1267-877c-568f-82fd-50d4eaf055fb"},{"id":"b18886ca-d5fc-4938-bcf2-77ef5fe67aaa","name":"The Great VM Escape: ESXi Exploitation in the Wild","description":"A sophisticated intrusion observed in December 2025 involving the deployment of a VMware ESXi VM escape exploit toolkit, likely developed as a zero-day, with the goal of compromising the ESXi hypervisor from a guest VM.<sup>[[Huntress January 07 2026](/references/f4a98641-d76c-4f39-9cc2-4daf30cc1a56)]</sup>","first_seen":"2025-12-01T00:00:00Z","last_seen":"2025-12-31T00:00:00Z","created":"2026-01-14T13:32:08.940941Z","modified":"2026-01-14T13:32:08.940945Z","campaign_attack_id":"C3266","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"171a82fb-1dee-4d46-825d-d93d81642234","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"aee62396-9bb3-4bd2-a91a-adb6eb30a990","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"4a6a9541-774d-5f49-86a0-e89991b5994b"},{"id":"b47f4e37-c122-4a49-bab1-ee00b912933d","name":"The Zoom Stealer","description":"A campaign using browser extensions disguised as productivity tools to harvest corporate meeting intelligence from 28+ video conferencing platforms, infecting 2.2 million users.<sup>[[Www.koi.ai January 05 2026](/references/5da3facd-7bd9-4a02-843a-ad4b3fa273d7)]</sup>","first_seen":"2024-01-01T00:00:00Z","last_seen":"2025-12-30T00:00:00Z","created":"2026-01-06T18:05:33.829343Z","modified":"2026-01-06T18:05:33.829347Z","campaign_attack_id":"C3256","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"7c201f19-eec1-4f99-9b21-5e74039e985f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"39018919-c77c-4714-a37a-1e4931aa291d","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"381c9e1b-2cfe-5c1d-8690-38dfbe0df51a"},{"id":"83239f13-9d75-4bb3-a3ab-fa5beb27ee47","name":"ToddyCat APT attacks targeting corporate email (2024-2025)","description":"A series of attacks by the ToddyCat APT group in the second half of 2024 and early 2025, focusing on stealing business correspondence and credentials from both on-premises and cloud-based email systems.<sup>[[SecureList ToddyCat November 21 2025](/references/889c7685-43ce-4156-a142-4b4605d8fec9)]</sup>","first_seen":"2024-07-01T00:00:00Z","last_seen":"2025-01-31T00:00:00Z","created":"2025-12-10T14:15:24.493432Z","modified":"2025-12-10T14:15:24.493437Z","campaign_attack_id":"C3183","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"4f360679-019f-4224-b628-3f6fcc4cd8a8","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"2ae645a7-ec58-4a90-86dc-53e611fbc1e5","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"6626d66a-962f-5dd4-9254-addb857dfa30"},{"id":"2ba55dab-36ef-4075-bb93-7ab2c8896a4b","name":"TOUGHPROGRESS Campaign","description":"Google Threat Intelligence Group researchers identified an \"innovative\" campaign, dubbed \"TOUGHPROGRESS\" after its namesake malware and attributed to the China-affiliated APT41 group, where attackers leveraged Google Calendar for command and control activities.<sup>[[Google Cloud May 28 2025](/references/def3e3dd-8136-4714-a58f-ffbd00066dc0)]</sup>","first_seen":"2024-10-21T00:00:00Z","last_seen":"2024-10-31T00:00:00Z","created":"2025-06-03T14:14:56.896849Z","modified":"2025-06-03T14:14:56.896852Z","campaign_attack_id":"C3110","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"cbf89c0b-08f4-4fdd-85f4-61a40f0692d0","tag":"82009876-294a-4e06-8cfc-3236a429bda4"},{"id":"2f6822ac-b97f-4f98-aac7-5a16e5037ce7","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"4f83f216-9e8f-469d-86d6-45d786d911eb","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"dbf34d45-e6eb-5b9b-a09a-340f341fa8e8"},{"id":"a5f5cc8e-2e2a-406e-815f-568e636ff2aa","name":"Triofox CVE-2025-12480 Exploitation Campaign","description":"A campaign in which UNC6485 exploited an unauthenticated access vulnerability in Gladinet’s Triofox platform to gain remote access, create admin accounts, and deploy remote access tools for further compromise.<sup>[[Google Cloud Blog November 10 2025](/references/343dab24-9d2e-4269-ab54-3dba4d684a9c)]</sup>","first_seen":"2025-08-24T00:00:00Z","last_seen":"2025-11-10T00:00:00Z","created":"2025-11-19T17:45:56.705401Z","modified":"2025-11-19T17:45:56.705404Z","campaign_attack_id":"C3163","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"0f0ccb30-5128-490a-a826-f3dd47d65b9e","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"c84896d9-bbe1-4d37-abc2-3941e9d9535e","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"613dcdfe-10c1-5278-b939-3f6868b8bb15"},{"id":"6c7185e1-bd46-5a80-9a76-a376b16fbc7b","name":"Triton Safety Instrumented System Attack","description":"[Triton Safety Instrumented System Attack](https://app.tidalcyber.com/campaigns/6c7185e1-bd46-5a80-9a76-a376b16fbc7b) was a campaign employed by [TEMP.Veles](https://app.tidalcyber.com/groups/3a54b8dc-a231-4db8-96da-1c0c1aa396f6) which leveraged the [Triton](https://app.tidalcyber.com/software/) malware framework against a petrochemical organization.<sup>[[Triton-EENews-2017](https://app.tidalcyber.com/references/5cc54d85-ee53-579d-a8fb-9b54b3540dc0)]</sup> The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the 
environment.<sup>[[FireEye TRITON 2018](https://app.tidalcyber.com/references/bfa5886a-a7f4-40d1-98d0-c3358abcf265)]</sup> The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.<sup>[[FireEye TRITON 2017](https://app.tidalcyber.com/references/597a4d8b-ffb2-4551-86db-b319f5a5b707)]</sup>\n","first_seen":"2017-06-01T04:00:00Z","last_seen":"2017-08-01T04:00:00Z","created":"2024-04-25T13:28:23.341436Z","modified":"2024-04-25T13:28:23.341440Z","campaign_attack_id":"C0030","source":"MITRE","owner_name":null,"tags":[{"id":"4c69bc72-6b6a-4533-8517-f436c10a1936","tag":"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"}],"tidal_id":"88ee2be3-3293-5b3b-ba13-e1969799b2a1"},{"id":"a8c25965-ce45-490e-a25f-01e75db57491","name":"Trust Wallet Browser Extension v2.68 Supply Chain Attack","description":"A supply chain attack in which a malicious version of the Trust Wallet Browser Extension was published to the Chrome Web Store using a leaked API key, resulting in the theft of user wallet data and cryptocurrency.<sup>[[Trust Blog December 30 2025](/references/962eb2df-3c54-461c-a40c-123dec2e457e)]</sup>","first_seen":"2025-12-24T00:00:00Z","last_seen":"2025-12-26T00:00:00Z","created":"2026-01-06T18:05:33.217950Z","modified":"2026-01-06T18:05:33.217953Z","campaign_attack_id":"C3252","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"fff30f96-6f30-4ed1-bba7-17c84c97e7c5","tag":"cce5f564-f7f0-4aa6-a908-b857cb2cbfe4"},{"id":"dd09ea04-49d2-4b5e-970f-21fae6aa3dba","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"6bd7c48c-8e82-49a6-a366-f1b0504019d5","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"0bcab9e8-d1b8-5a41-9925-e3bdb901d6c2"},{"id":"0ba3793e-7cdc-44d4-ba3e-b2b8dd2bd8b6","name":"UAC-0218 2025 Campaign","description":"A phishing campaign by UAC-0218 delivering password-protected Office documents and VBE scripts to deploy HOMESTEEL stealer.<sup>[[CERT-UA New cyber threats October 08 
2025](/references/35467d53-626d-4c81-9f8e-ff9c24b7666b)]</sup>","first_seen":"2024-01-01T00:00:00Z","last_seen":"2025-06-30T00:00:00Z","created":"2025-10-17T17:10:08.566876Z","modified":"2025-10-17T17:10:08.566879Z","campaign_attack_id":"C3144","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"10e4ad9a-7ef9-4080-9720-58c8835f73d9","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"d4ef54c2-1ee7-4483-ad82-ace02a27e4e9","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"b98687a9-4ba2-5fca-a6f2-19793802b2f4"},{"id":"238bd823-be15-4bbb-b07d-d69b8fbd0eaa","name":"UAC-0219 2025 Campaign","description":"A campaign by UAC-0219 using WRECKSTEEL malware and AI-generated PowerShell scripts to steal data and screenshots from Ukrainian targets.<sup>[[CERT-UA New cyber threats October 08 2025](/references/35467d53-626d-4c81-9f8e-ff9c24b7666b)]</sup>","first_seen":"2024-01-01T00:00:00Z","last_seen":"2025-06-30T00:00:00Z","created":"2025-10-17T17:10:08.737134Z","modified":"2025-10-17T17:10:08.737136Z","campaign_attack_id":"C3145","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"7f87c01b-f516-4f2d-b2a2-a2b69abd14e8","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"f88a682f-3aa7-4dfc-81aa-d6d620ed8eb8","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"1148b1d4-11ee-550f-befd-8e88645e5c14"},{"id":"c4d70d6f-c56f-4135-ae3f-63c0ce4d12b2","name":"UAC-0226 2025 Campaign","description":"A phishing campaign by UAC-0226 targeting defense, local government, and law enforcement sectors in Ukraine with Reverse-shell and GIFTEDCROOK malware.<sup>[[CERT-UA New cyber threats October 08 2025](/references/35467d53-626d-4c81-9f8e-ff9c24b7666b)]</sup>","first_seen":"2025-02-01T00:00:00Z","last_seen":"2025-06-30T00:00:00Z","created":"2025-10-17T17:10:08.906803Z","modified":"2025-10-17T17:10:08.906806Z","campaign_attack_id":"C3146","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"ec8ab2a2-8295-414d-8fa7-8069f160cb02","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"5bd0b462-d8db-4089-80c9-c50723bdc99b","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"6e7f5bc2-1e20-5f3b-95ae-52d410277cbc"},{"id":"05f902cf-bdea-48af-a426-d048f608c9e1","name":"UAC-0227 2025 Campaign","description":"A campaign by UAC-0227 targeting local government, critical infrastructure, and military organizations in Ukraine and the EU using SVG file-based phishing.<sup>[[CERT-UA New cyber threats October 08 2025](/references/35467d53-626d-4c81-9f8e-ff9c24b7666b)]</sup>","first_seen":"2025-03-01T00:00:00Z","last_seen":"2025-06-30T00:00:00Z","created":"2025-10-17T17:10:09.084380Z","modified":"2025-10-17T17:10:09.084382Z","campaign_attack_id":"C3147","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"35e6668d-47c6-4065-896b-1e96dc3a61df","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"129682d3-c97c-49e5-bb73-e64a7e9861c5","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"853e1ebd-1cdd-502f-b959-917aae91dca2"},{"id":"2f28d479-301a-4275-8d01-1a95f38c68a9","name":"UAC-0245 CABINETRAT Campaign (CERT-UA#17479)","description":"A targeted campaign by UAC-0245 in September 2025 using XLL-based malware and the CABINETRAT backdoor to attack Ukrainian government organizations, leveraging spear-phishing and malicious archives.<sup>[[cert.gov.ua 09 30 2025](/references/bc4a5dc2-fc7c-451f-a69f-b153a8279e0b)]</sup>","first_seen":"2025-09-01T00:00:00Z","last_seen":"2025-09-30T00:00:00Z","created":"2025-10-13T17:29:36.259641Z","modified":"2025-10-13T17:29:36.259645Z","campaign_attack_id":"C3136","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"4d6642cb-4b02-4724-a6b2-afebe1ea2fd4","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"440f6c5a-08a4-40fe-8a40-0702cda43c92","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"d8e4b189-0209-53dc-a84c-a446c2ae5fe9"},{"id":"e8d737d6-265b-4477-9c8f-71e06c0aa90d","name":"UAT-7290 targeting South Asian telecommunications infrastructure","description":"A campaign by UAT-7290 since at least 2022 targeting high-value telecommunications and critical infrastructure in South Asia and, more recently, Southeastern Europe, using custom and open-source malware to gain access and conduct espionage.<sup>[[Cisco Talos Blog January 08 2026](/references/74959041-08ca-41fc-8ceb-675f1fefd765)]</sup>","first_seen":"2022-01-01T00:00:00Z","last_seen":"2026-01-08T00:00:00Z","created":"2026-01-14T13:32:09.928270Z","modified":"2026-01-14T13:32:09.928274Z","campaign_attack_id":"C3272","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"e3ab1c89-5fc3-4ee7-94f4-10ae4ce632ef","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"9f0e1310-77b3-4c4b-8bc4-bcf1558a595f","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"c8c516b2-8d72-5051-998d-7bc6b49d4c66"},{"id":"02064708-c4ea-4023-a689-4777b239f0cb","name":"UAT-8099 IIS SEO Fraud Campaign (2025)","description":"A campaign by the UAT-8099 group targeting high-value IIS servers in India, Thailand, Vietnam, Canada, and Brazil for SEO fraud, credential theft, and monetization via fraudulent redirects and credential resale.<sup>[[Cisco Talos Blog October 02 2025 10 02 2025](/references/d2d2ef04-150e-445d-811e-e0174dfc3d10)]</sup>","first_seen":"2025-04-01T00:00:00Z","last_seen":"2025-10-02T00:00:00Z","created":"2025-10-13T17:29:36.398776Z","modified":"2025-10-13T17:29:36.398780Z","campaign_attack_id":"C3137","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"9e47a9b5-87df-4958-b550-eae522057847","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"fdfe3c14-13a9-43fc-aaa0-2d3a46a1d602","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"449c193b-a006-5e12-af21-2ef6cb41a55b"},{"id":"6d143f21-22f1-47fe-a262-00e09b3f3d28","name":"UAT-9686 campaign targeting Cisco Secure Email Gateway and Secure Email and Web Manager","description":"A campaign attributed to UAT-9686 targeting Cisco AsyncOS Software for Cisco Secure Email Gateway and Secure Email and Web Manager, deploying custom backdoors and tunneling tools to gain persistent access and evade detection.<sup>[[Cisco Talos Blog December 17 2025](/references/1ef07f79-df28-441c-b4f6-b4e396a01353)]</sup>","first_seen":"2025-11-20T00:00:00Z","last_seen":"2025-12-17T00:00:00Z","created":"2025-12-24T14:57:51.820744Z","modified":"2025-12-24T14:57:51.820749Z","campaign_attack_id":"C3227","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"f519afe5-3af5-4262-8054-2618487d7b6f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"f7346e96-f7da-4ad1-8103-013946b26803","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"0c23d499-20c7-5f5c-89df-bf0e53d5536a"},{"id":"0227d531-f8e6-4006-934c-6a94ba2cf7d9","name":"UDPGangster Campaigns Target Multiple Countries","description":"A series of phishing and macro-based malware campaigns delivering the UDPGangster backdoor to targets in Turkey, Israel, and Azerbaijan, using malicious Word documents and advanced anti-analysis techniques.<sup>[[Fortinet Blog December 04 2025](/references/f7eeed3f-485b-4130-a10b-e19045e97a2d)]</sup>","first_seen":"2025-08-01T00:00:00Z","last_seen":"2025-11-30T00:00:00Z","created":"2025-12-10T14:15:29.778452Z","modified":"2025-12-10T14:15:29.778456Z","campaign_attack_id":"C3205","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"a3a1e1c8-4fd9-4667-8c70-528068c62eb0","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"e0909982-7b8d-4800-b3b4-a1e18c64f1a4","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"274013f1-1372-5e54-a560-2064a4aa47b2"},{"id":"b1449b0e-2afb-4382-8a57-b0493aca75a6","name":"UNC1549 Aerospace and Defense Espionage Campaign","description":"A multi-year campaign by UNC1549 targeting the aerospace, aviation, and defense industries in the Middle East and beyond, using phishing, supply chain attacks, and custom malware for espionage.<sup>[[Google Cloud Blog November 17 2025](/references/7bfcbc55-2aae-4643-942f-6db8ee8aa398)]</sup>","first_seen":"2023-07-01T00:00:00Z","last_seen":"2025-11-17T00:00:00Z","created":"2025-11-19T17:45:57.859243Z","modified":"2025-11-19T17:45:57.859247Z","campaign_attack_id":"C3171","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"159c3c95-196d-4b14-a29c-a2199af782b7","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"ded09810-7117-4d3a-8632-4012c392e930","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"9860be47-4519-5068-a9a9-4aa45918f07f"},{"id":"1a9e2500-a1aa-4001-8bb4-9d7ebca60d47","name":"UNC2190 2021 Ransomware Activity","description":"Mandiant researchers observed UNC2190, an actor group now linked to Storm-0501, deploying evasive, in-memory-only ransomware in 2021 while branded as the \"54BB47h\" (Sabbath) ransomware gang. The group had previously branded its operations as Eruption and Arcane. 
UNC2190 was seen targeting organizations in the education, health, and natural resources sectors in the United States and Canada from June through at least October 2021.<sup>[[Mandiant Sabbath Ransomware November 29 2021](/references/ab3a20a5-2df1-4f8e-989d-baa96ffaca74)]</sup>","first_seen":"2021-06-01T00:00:00Z","last_seen":"2021-10-26T00:00:00Z","created":"2024-10-04T20:33:27.829409Z","modified":"2024-10-04T20:33:27.829413Z","campaign_attack_id":"C3058","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"6d4b54d0-7010-4ea9-8fb4-c6d3918db53f","tag":"5e7433ad-a894-4489-93bc-41e90da90019"},{"id":"90be3576-ad3f-4cd0-a41d-e42999236adf","tag":"7e7b0c67-bb85-4996-a289-da0e792d7172"},{"id":"f88ab6e1-d928-4001-97b9-4f2c4aea3ce6","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"61818d22-6440-4cf8-8a46-522c58d33111","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"0e844f24-d344-534a-ab46-046c9b278ad5"},{"id":"319c232c-4bbb-41eb-a610-2254dc20cf09","name":"UNC4841 Barracuda ESG Espionage Campaign (CVE-2023-2868)","description":"UNC4841 exploited a zero-day vulnerability (CVE-2023-2868) in Barracuda email security gateway (ESG) appliances to gain access and maintain persistence on compromised systems, and they showed sophistication and adaptability in response to remediation efforts, deploying new and novel malware to maintain presence at high priority targets. 
UNC4841 is a suspected China-nexus actor believed to be motivated by global espionage purposes.<sup>[[Mandiant UNC4841 August 29 2023](/references/f990745d-06c1-4b0a-8394-66c7a3cf0818)]</sup><sup>[[Google Cloud June 15 2023](/references/beb7f804-f6b7-4b9c-996b-61136b97a546)]</sup>","first_seen":"2022-10-10T00:00:00Z","last_seen":"2023-06-15T00:00:00Z","created":"2025-08-28T19:35:58.899319Z","modified":"2025-08-28T19:35:58.899324Z","campaign_attack_id":"C3121","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"580b90a9-f7ef-4202-bc00-131575692405","tag":"12b074b9-6748-4ad7-880f-836cb80587e1"},{"id":"27ba78ed-f901-4cec-ba31-46d6e77f949f","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"6d1507f9-ddfe-4e55-9422-71c6f9f20bd0","tag":"a159c91c-5258-49ea-af7d-e803008d97d3"},{"id":"8c51aa2f-2842-4baf-97da-170a04d8ae47","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"2a0dcfe3-0740-464d-af88-7db5808e6d70","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"294c6648-a0df-5a48-a31d-e518e4296cda"},{"id":"7e0e25b2-1a68-4adc-a230-3b3cd8e3a198","name":"UNC5174 Access Operations Targeting F5 BIG-IP and ScreenConnect","description":"A campaign by UNC5174 exploiting F5 BIG-IP (CVE-2023-46747) and ConnectWise ScreenConnect (CVE-2024-1709) vulnerabilities to gain access to government, defense, education, NGO, and commercial targets in the US, UK, Canada, Southeast Asia, Hong Kong, and Taiwan.<sup>[[Google Cloud Blog March 21 2024](/references/efba67c7-a481-44de-84bd-cf74bc946f6e)]</sup>","first_seen":"2023-10-25T00:00:00Z","last_seen":"2024-02-29T00:00:00Z","created":"2025-12-17T14:19:13.821976Z","modified":"2025-12-17T14:19:13.821980Z","campaign_attack_id":"C3207","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"456786b6-3ca5-4e7c-b052-5d7306f86aeb","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"d3d0aafd-6932-41b2-9dfc-e84a6b512746","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"5d344622-ab58-56dd-90af-1c91bc4042da"},{"id":"393ff99b-4d77-402b-8c6e-f8fc9a747dee","name":"UNC6395 Salesloft Drift/Salesforce Data Theft Activity","description":"A widespread data theft campaign, attributed to an actor tracked as UNC6395, targeting Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift application. The group systematically exported large volumes of data and searched for sensitive credentials such as AWS access keys, passwords, and Snowflake-related access tokens.<sup>[[Google Cloud August 26 2025](/references/9d98f4ff-a358-45d0-89d4-541786abc36a)]</sup>","first_seen":"2025-08-08T00:00:00Z","last_seen":"2025-08-18T00:00:00Z","created":"2025-08-28T19:35:59.042953Z","modified":"2025-08-28T19:35:59.042956Z","campaign_attack_id":"C3122","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"c9856fd5-0e57-4bbd-bd34-024964c32839","tag":"e7ea1f6d-59f2-40c1-bbfe-835dedf033ee"},{"id":"935232bd-3c45-4d7e-9df0-537c71daf491","tag":"fe28cf32-a15c-44cf-892c-faa0360d6109"},{"id":"c83d307b-b9bb-4da8-99ae-913795ccfebd","tag":"2e5f6e4a-4579-46f7-9997-6923180815dd"},{"id":"7e1db052-f968-4e06-a09e-466033e30bba","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"9528aef4-a1ce-4107-963a-556ef2b28f16","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"6ba70783-1bcd-5f52-a0ee-ced672141aa6"},{"id":"76201059-8ebc-43a1-a677-bca05b244489","name":"Unit 26165 Russian Military Cyber Activity","description":"In May 2025, U.S. 
cybersecurity authorities, along with more than 20 domestic and international partner agencies, released joint cybersecurity advisory AA25-141A, which detailed a long-running espionage campaign tied to Russian state-sponsored actors targeting \"Western\" logistics entities and technology companies associated with the supply of foreign assistance to Ukraine. The actors, attributed to Unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) military organization, used a range of behaviors to surveil and harvest data from entities \"across virtually all transportation modes\" and even targeted Internet-exposed cameras on Ukraine's border to monitor and track aid shipments.<sup>[[U.S. CISA Russian GRU Targeting May 21 2025](/references/fb2f8efe-1e54-42c3-90eb-b1acba8f55b3)]</sup>","first_seen":"2022-02-23T00:00:00Z","last_seen":"2024-08-31T00:00:00Z","created":"2025-05-23T14:42:11.774322Z","modified":"2025-05-23T14:42:11.774328Z","campaign_attack_id":"C3105","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"5c5511ae-7310-48d3-9a66-d13809b030d9","tag":"e90b243c-99e2-46fe-8f04-eca9c7939250"},{"id":"91594be4-e57b-4422-b224-9219f89dffd9","tag":"98dc51bc-b8e1-4e77-8cda-72698b2768be"},{"id":"29ff22e1-c35d-4b41-a9d7-cfa0b9137018","tag":"904ad11a-20ca-479c-ad72-74bd5d9dc7e4"},{"id":"bc031f8f-6942-4686-aaa7-c653cdba4037","tag":"1dc8fd1e-0737-405a-98a1-111dd557f1b5"},{"id":"a558ddaa-f1db-41cb-8743-032507d2758a","tag":"35e694ec-5133-46e3-b7e1-5831867c3b55"},{"id":"69cf36be-5bd8-4325-bc9e-6bfea05bef3c","tag":"2185ed93-7e1c-4553-9452-c8411b5dca93"},{"id":"eb4036c5-a844-4fb9-89a6-b5379e8d267b","tag":"d8f7e071-fbfd-46f8-b431-e241bb1513ac"},{"id":"8d00131b-c2fd-439f-9583-baf9d8ffd06b","tag":"af5e9be5-b86e-47af-91dd-966a5e34a186"},{"id":"cea8767e-07bd-4d8d-ac14-70b6beed2834","tag":"61cdbb28-cbfd-498b-9ab1-1f14337f9524"},{"id":"6b735570-5807-42e7-bf5e-afa2befc2a23","tag":"e551ae97-d1b4-484e-9267-89f33829ec2c"},{"id":"d7e18f0e-3f8f-40e0-8d8b-a23f44d14007","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"f45873b1-4165-4446-8e5b-f6421d58de72","tag":"c146ec54-a59e-4e2c-87d9-bef2181c896a"},{"id":"801c1d8a-1d41-426d-b9c5-e9c601b2ecff","tag":"62996ab2-7293-4d4b-a699-30e5bbd137df"},{"id":"ae9001d5-c2cc-4ce9-a2dc-1d2e54500ded","tag":"77c45e5f-7ac2-4ec2-8962-cdb843b9087c"},{"id":"d8390d3e-5538-495e-bf3d-b4c21b77c9b0","tag":"b62ad173-2fd9-49e7-8d4c-b8e3579ce46c"},{"id":"9163843d-9b3f-47e5-b7aa-0451172e1100","tag":"916ea1e8-d117-45a4-8564-0597a02b06e4"},{"id":"40828791-d2b0-4372-b93c-0eb5522344eb","tag":"a159c91c-5258-49ea-af7d-e803008d97d3"},{"id":"40f03845-c772-446e-812c-b72c48eb5342","tag":"b20e7912-6a8d-46e3-8e13-9a3fc4813852"},{"id":"17cfcaf4-bde2-4761-b508-5319d5c05e00","tag":"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"},{"id":"d3d65b25-0321-4c90-9d30-2ef13210ef61","tag":"33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a"}],"tidal_id":"fd11eda4-1318-5cd2-bc93-a7e43102e1e9"},{"id":"5e1bc9d2-1f2e-4ba3-b6b8-8d4e1f635762","name":"Unit 29155 Russian Military 
Cyber Activity","description":"On September 5, 2024, international authorities published joint Cybersecurity Advisory AA24-249A, which detailed recent activity linked to cyber actors affiliated with the 161st Specialist Training Center (aka Unit 29155) of the Russian General Staff Main Intelligence Directorate (GRU), the foreign military intelligence agency of Russia's armed forces. The advisory highlighted Unit 29155 espionage, sabotage, and reputational cyber attacks carried out against targets around the world since 2020.\n\nWhile Unit 29155 had been previously linked to influence, interference, and physical sabotage operations, the advisory noted how the group has expanded its tradecraft to now include offensive cyber operations. The advisory indicated that several groups tracked by the cybersecurity community relate to Unit 29155 cyber actors but may not be directly synonymous with all parts of the Unit (or each other), including: Cadet Blizzard, DEV-0586, Ember Bear, Bleeding Bear, Frozenvista, UNC2589, and UAC-0056.<sup>[[U.S. 
CISA Unit 29155 September 5 2024](/references/9631a46d-3e0a-4f25-962b-0b2501c47926)]</sup>","first_seen":"2020-08-03T00:00:00Z","last_seen":"2024-09-05T00:00:00Z","created":"2024-09-09T19:59:14.572796Z","modified":"2024-09-09T19:59:14.572800Z","campaign_attack_id":"C3053","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"66f8358a-1b1b-46c4-84f8-0bfacffa84d5","tag":"af5e9be5-b86e-47af-91dd-966a5e34a186"},{"id":"e31931e3-077c-4525-a053-ca51926b31e9","tag":"35e694ec-5133-46e3-b7e1-5831867c3b55"},{"id":"3895d121-6f9e-4279-8c02-92dc01831b59","tag":"d8f7e071-fbfd-46f8-b431-e241bb1513ac"},{"id":"e6e93b0d-85b9-48a9-a0b4-0b8b19a565ba","tag":"61cdbb28-cbfd-498b-9ab1-1f14337f9524"},{"id":"8f60ff2f-6f50-4bb7-ba78-5cd30c66b373","tag":"e551ae97-d1b4-484e-9267-89f33829ec2c"},{"id":"f7741308-0ff5-4e20-936d-7bcf2de2cf1f","tag":"15787198-6c8b-4f79-bf50-258d55072fee"},{"id":"c4a6239a-8946-45a8-9d27-fbb9fd2407df","tag":"5b8371c5-1173-4496-82c7-5f0433987e77"},{"id":"a75de99b-10f1-4b3e-924f-a6b765c14f11","tag":"f18e6c1d-d2ee-4eda-8172-67dcbc4e59ed"},{"id":"f68c8a67-23ea-4219-a2c1-89a183747d44","tag":"9e4936f0-e3b7-4721-a638-58b2d093b2f2"},{"id":"1bb762f2-6f8e-48bc-bb6b-3faf6731f941","tag":"1281067e-4a7e-4003-acf8-e436105bf395"},{"id":"68128c3e-f8c6-4819-b86f-e87fad855c21","tag":"7c67d99a-fc8a-4463-8f46-45e9a39fe6b0"},{"id":"92566170-5b1e-4605-99fc-dad5e80fee62","tag":"fe28cf32-a15c-44cf-892c-faa0360d6109"},{"id":"55946581-94d1-474a-b980-ff5962823a15","tag":"15f2277a-a17e-4d85-8acd-480bf84f16b4"}],"tidal_id":"c5f2bfda-3d43-5a57-91b3-d70a102cde26"},{"id":"8a63fa77-3337-5329-b8cd-acacfac9cadf","name":"Unitronics Defacement Campaign","description":"The [Unitronics Defacement Campaign](https://app.tidalcyber.com/campaigns/8a63fa77-3337-5329-b8cd-acacfac9cadf) was a collection of intrusions across multiple sectors by the [CyberAv3ngers](https://app.tidalcyber.com/groups/488fe989-6223-5562-9f4f-58459b0d9e23), where threat actors engaged in a seemingly opportunistic and global 
targeting and defacement of Unitronics Vision Series [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) with [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). The sectors that these PLCs can be commonly found in are water and wastewater, energy, food and beverage manufacturing, and healthcare. The most notable feature of this attack was the defacement of the PLCs' HMIs.<sup>[[CISA AA23-335A IRGC-Affiliated December 2023](https://app.tidalcyber.com/references/d4e229ab-daa5-56cf-a752-b26f67c7f866)]</sup><sup>[[Frank Bajak and Marc Levy December 2023](https://app.tidalcyber.com/references/3a9d3273-2eb7-5585-b33c-ffcdd7546be5)]</sup>","first_seen":"2023-11-01T04:00:00Z","last_seen":"2023-11-01T04:00:00Z","created":"2026-01-28T13:08:18.104085Z","modified":"2026-01-28T13:08:18.104086Z","campaign_attack_id":"C0031","source":"ICS","owner_name":null,"tags":[],"tidal_id":"8a63fa77-3337-5329-b8cd-acacfac9cadf"},{"id":"0851e891-c22a-49c4-aed2-9700cd616ddc","name":"UNK_AcademicFlare Device Code Phishing (September–December 2025)","description":"A series of campaigns by UNK_AcademicFlare since September 2025, using rapport-building and benign outreach from compromised government and military email addresses to target US and European government, think tank, higher education, and transportation sectors with device code phishing.<sup>[[Proofpoint December 16 2025](/references/1f13a583-dbb1-462e-9a88-31fc8ef184c9)]</sup>","first_seen":"2025-09-01T00:00:00Z","last_seen":"2025-12-31T00:00:00Z","created":"2025-12-29T17:41:31.939995Z","modified":"2025-12-29T17:41:31.939999Z","campaign_attack_id":"C3239","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"4a5cdc81-3f36-4287-9fdc-f9770d4a0d8c","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"8f623621-4e1f-4db6-8756-f879f83d939c","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"99a6fc21-fee3-53fe-ad05-1a74b833d81c"},{"id":"054c01bf-4d51-425d-89c3-8d4f6fe658b5","name":"UNK_SneakyStrike","description":"UNK_SneakyStrike is an account takeover campaign targeting Microsoft Entra ID accounts using the TeamFiltration pentesting framework. It involves unauthorized activities such as user enumeration and password spraying attempts, affecting over 80,000 user accounts across hundreds of organizations.<sup>[[Proofpoint June 9 2025](/references/0346a943-4e49-4984-8fc9-90b27ebbcd26)]</sup>","first_seen":"2024-12-01T00:00:00Z","last_seen":"2025-03-31T00:00:00Z","created":"2025-06-17T14:41:34.384657Z","modified":"2025-06-17T14:41:34.384662Z","campaign_attack_id":"C3111","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"aa964ed4-bb42-4ab2-968e-dc5fd72ee2b1","tag":"15f2277a-a17e-4d85-8acd-480bf84f16b4"},{"id":"a478a876-f01a-4687-a391-193b28127870","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"8225d037-7246-4129-a108-4fcb5f88c417","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"70ea07b8-9d20-5395-9bd8-7fd0e56ed4a7"},{"id":"e2f4f987-10e6-4e7f-b396-4c1fca8dd1c0","name":"ValleyRAT Job Seeker Campaign","description":"A campaign targeting job seekers via email lures, using weaponized Foxit PDF Reader and DLL side-loading to deploy ValleyRAT. 
The campaign leverages social engineering, obfuscated archive structures, and multi-stage payload delivery.<sup>[[Trend Micro December 03 2025](/references/9ef527df-db8d-421e-82b4-2f50c8ab50f8)]</sup>","first_seen":"2024-10-31T00:00:00Z","last_seen":"2025-12-03T00:00:00Z","created":"2025-12-10T14:15:29.602666Z","modified":"2025-12-10T14:15:29.602669Z","campaign_attack_id":"C3204","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"e858048e-e90e-4444-8cb1-da8b79f9414f","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"d92ea4de-7621-496f-a469-28b03048d0bb","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"2e4c5f7e-c667-5c1c-8e9d-6920de703847"},{"id":"b6cfa057-a574-472a-89fe-48f98f752d4c","name":"ValleyRAT_S2 Chinese campaign","description":"A campaign involving the deployment of the ValleyRAT S2 payload via fake software installers, DLL side-loading, phishing emails, and supply chain compromise, targeting Chinese-speaking regions for espionage and financial gain.<sup>[[Medium January 11 2026](/references/6cb12d3f-0296-47f7-9131-fc21ea806383)]</sup>","first_seen":"2025-01-02T00:00:00Z","last_seen":"2025-01-03T00:00:00Z","created":"2026-01-14T13:32:08.555863Z","modified":"2026-01-14T13:32:08.555868Z","campaign_attack_id":"C3264","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"a2a02d4b-c146-478e-8032-876c0a918088","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"4aa647b2-0669-4cb2-af08-08bd06ed4ab9","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"e05135b6-641e-58ff-b64b-08c3f7dacce8"},{"id":"75a7eccf-dd32-4cce-a0af-06589b4a041a","name":"VEILDrive","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2024-07-01T00:00:00Z","last_seen":"2024-11-04T00:00:00Z","created":"2024-11-08T20:32:59.256602Z","modified":"2024-11-08T20:32:59.256607Z","campaign_attack_id":"C3068","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"9d849bda-05e8-4a5d-a173-6f2b4e3baf5c","tag":"15f2277a-a17e-4d85-8acd-480bf84f16b4"},{"id":"3f9a0146-4a16-4c39-a252-bbdd4e1d9614","tag":"fe28cf32-a15c-44cf-892c-faa0360d6109"},{"id":"87d35f90-1fb4-4fe8-9dc5-5f33467b5234","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"24db7f95-3bd2-4f8d-9459-08cb47ea9525","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"5d67b277-2649-5db8-8ac1-ea5f1f8de2bd"},{"id":"bcf6bb5b-443f-4adb-ab6b-f864ea27614d","name":"Velvet Ant Cisco Network Switches Exploit Activity (CVE-2024-20399)","description":"Researchers observed suspected \"China-nexus\" actor Velvet Ant exploiting CVE-2024-20399 in Cisco Nexus network switch devices in order to upload and execute \"previously unknown custom malware\" on the devices' operating systems. Researchers first observed \"zero-day\" exploit activity in the wild at an undisclosed point \"during the past year\", and after they shared the findings, Cisco acknowledged the vulnerability in an advisory published on July 1, 2024.\n\nThe vulnerability's overall risk is mitigated by the fact that it requires valid administrator-level credentials and network access to the target switch for successful exploitation. However, researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as a means of network access and persistence, since those appliances \"are often not sufficiently protected and monitored\". 
This exploit campaign was discovered as part of a larger investigation into Velvet Ant, which was previously observed targeting F5 load balancer devices for persistence.<sup>[[The Hacker News Velvet Ant Cisco July 2 2024](/references/e3949201-c949-4126-9e02-34bfad4713c0)]</sup><sup>[[Sygnia Velvet Ant July 1 2024](/references/a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b)]</sup>","first_seen":"2023-07-01T00:00:00Z","last_seen":"2024-07-01T00:00:00Z","created":"2024-07-03T15:44:05.979750Z","modified":"2024-07-03T15:44:05.979754Z","campaign_attack_id":"C3046","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"4b68003b-4512-4639-aff7-3274fafff9b4","tag":"72bc70fa-3979-4d3b-a0e9-b9ebebcf2a38"},{"id":"858f4955-c97a-40b5-a4b2-f2da2af3ba98","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"52df1d8f-3680-4d77-8a22-0125238dabcf","tag":"a159c91c-5258-49ea-af7d-e803008d97d3"},{"id":"cb321ec9-e4d8-4c5e-a26d-74adbb928b1d","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"460bf713-a472-465d-a8db-ce57213fa6b1","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"1625d53e-9b63-5ef6-9c29-dd89b3c18f7f"},{"id":"b78565ce-8eec-49ad-b762-8d2107fa9ce7","name":"Velvet Ant F5 BIG-IP Espionage Activity","description":"This object reflects the tools & TTPs associated with a campaign attributed to Velvet Ant, a suspected \"China-nexus\" state-sponsored threat group. Researchers believe the actor managed to maintain extremely prolonged access to a victim network – residing and remaining active there for around three years – notably by abusing a legacy, internet-exposed F5 BIG-IP load balancer appliance as an internal command and control mechanism. 
Researchers assess the intrusion was carried out for espionage purposes.<sup>[[Sygnia Velvet Ant June 17 2024](/references/5c313af4-61a8-449d-a6c7-f7ead6c72e19)]</sup><sup>[[BleepingComputer Velvet Ant June 17 2024](/references/70235e47-f8bb-4d16-9933-9f4923f08f5d)]</sup>","first_seen":"2020-12-01T00:00:00Z","last_seen":"2023-12-01T00:00:00Z","created":"2024-07-03T15:44:05.560701Z","modified":"2024-07-03T15:44:05.560706Z","campaign_attack_id":"C3044","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"d78a1cc3-ff45-49bd-8635-b687c823f53e","tag":"a159c91c-5258-49ea-af7d-e803008d97d3"},{"id":"aff19a14-d0fc-40cb-a978-504d5f250f58","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"4024d5c8-6f60-4cfc-bd2f-eb921f330972","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"f090e0f1-977a-58ba-b822-e93f89703df8"},{"id":"e28a09b7-885f-5556-b56e-7ad3e0581ac0","name":"Versa Director Zero Day Exploitation","description":"[Versa Director Zero Day Exploitation](https://app.tidalcyber.com/campaigns/e28a09b7-885f-5556-b56e-7ad3e0581ac0) was conducted by [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) from early June through August 2024 as zero-day exploitation of Versa Director servers controlling software-defined wide area network (SD-WAN) applications. Since tracked as CVE-2024-39717, exploitation focused on credential capture from compromised Versa Director servers at managed service providers (MSPs) and internet service providers (ISPs) to enable follow-on access to service provider clients. 
[Versa Director Zero Day Exploitation](https://app.tidalcyber.com/campaigns/e28a09b7-885f-5556-b56e-7ad3e0581ac0) was followed by the delivery of the [VersaMem](https://app.tidalcyber.com/software/ea857bb3-408e-566f-a693-96d9dc4f3c90) web shell for both credential theft and follow-on code execution.<sup>[[Lumen Versa 2024](https://app.tidalcyber.com/references/1d7f40f7-76e6-5ba2-8561-17f3646cf407)]</sup>","first_seen":"2024-06-01T06:00:00Z","last_seen":"2024-08-01T06:00:00Z","created":"2024-10-31T16:28:09.882952Z","modified":"2024-10-31T16:28:09.882957Z","campaign_attack_id":"C0039","source":"MITRE","owner_name":null,"tags":[{"id":"40301cf1-722d-4eda-9590-1f5c425e905c","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"69b2e38f-648a-437b-bf0c-9aeffa671d64","tag":"712d4124-8860-488a-a780-2938f9df6313"}],"tidal_id":"e28a09b7-885f-5556-b56e-7ad3e0581ac0"},{"id":"a62d81f8-d721-44d0-bea3-30d3ba42d314","name":"VMConnect Lazarus Group Campaign","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2023-08-01T00:00:00Z","last_seen":"2024-09-10T00:00:00Z","created":"2025-02-03T21:09:24.751807Z","modified":"2025-02-03T21:09:24.751811Z","campaign_attack_id":"C3084","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"51378304-02ea-4b23-9879-b38dba70b7e2","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"ace9e744-3048-4e17-87a1-98ec4047214c","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"d278ba1b-68b6-565a-9e8d-8a1b54934ef4"},{"id":"e7ecfe3d-a366-409f-9dd6-ccf82250dafb","name":"Void Arachne campaign targeting Chinese-speaking users with Winos 4.0","description":"A campaign by the Void Arachne group distributing malicious MSI installers via SEO poisoning and Telegram, targeting Chinese-speaking users with bundled AI, VPN, and language pack software containing the Winos 4.0 backdoor.<sup>[[Trend Micro June 19 2024](/references/ca3f8c94-6b26-4361-abaa-0e678aec8651)]</sup>","first_seen":"2024-04-01T00:00:00Z","last_seen":"2024-06-19T00:00:00Z","created":"2026-01-14T13:32:07.694181Z","modified":"2026-01-14T13:32:07.694192Z","campaign_attack_id":"C3259","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"bb85a450-0dc1-4356-99fd-904ee984a180","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"cf306fe7-dc9b-4aa7-bc1e-d487e0f597a9","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"f635e383-c697-5e16-b273-068706a1aaad"},{"id":"dbe34d5d-91b0-4a50-98c7-4e36ba0bcda6","name":"Void Banshee Zero-Day Exploit Activity","description":"Void Banshee is an advanced persistent threat (APT) group identified by Trend Micro researchers, which is known to target victims in North America, Europe, and Southeast Asia for information theft and financial gain. 
In May 2024, researchers observed Void Banshee actors exploiting CVE-2024-38112, a remote code execution vulnerability in the \"MSHTML\" web browser software component. The vulnerability had not been previously disclosed, so the campaign was characterized as \"zero-day\" exploit activity. Actors delivered the Atlantida infostealer malware during the observed attacks.<sup>[[Trend Micro Void Banshee July 15 2024](/references/02c4dda2-3aae-43ec-9b14-df282b200def)]</sup>\n\nLater, researchers noted that Void Banshee also exploited a separate MSHTML-related vulnerability, CVE-2024-43461, as a zero-day during attacks culminating in Atlantida infostealer deployments.<sup>[[BleepingComputer Void Banshee September 16 2024](/references/2c9a2355-02c5-4718-ad6e-b2fac9ad4096)]</sup>","first_seen":"2024-05-15T00:00:00Z","last_seen":"2024-07-15T00:00:00Z","created":"2024-09-20T15:10:58.994245Z","modified":"2024-09-20T15:10:58.994249Z","campaign_attack_id":"C3054","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"92cd2cd8-9710-4b57-b044-c3866f647618","tag":"0281a78d-1eb1-4e10-9327-2032928e37d9"},{"id":"69eefdff-89da-4d16-bfa1-8df35e171a40","tag":"ff8a2e10-4bf7-45f0-954c-8847fdcb9612"},{"id":"a33007a8-77d8-4d07-baa2-96ac5ab131f1","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"0bfb55c2-4a2d-482c-8788-9e56d211b391","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"21cf1fca-b984-44f2-b826-4526e157d849","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"8e4a4a37-08a6-5b1a-99d0-b694432535d2"},{"id":"e740e392-98cb-428a-ab92-b0a4d1d546b7","name":"Voldemort Malware Delivery Campaign","description":"This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.","first_seen":"2024-08-05T00:00:00Z","last_seen":"2024-08-29T00:00:00Z","created":"2024-09-06T15:14:38.850878Z","modified":"2024-09-06T15:14:38.850882Z","campaign_attack_id":"C3050","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"7465c988-8f98-465c-a941-bcd8b6794004","tag":"fe28cf32-a15c-44cf-892c-faa0360d6109"},{"id":"912497c1-e7e9-4862-8e7b-4d7fd14c1ae8","tag":"82009876-294a-4e06-8cfc-3236a429bda4"},{"id":"4bbebbd5-ba64-4285-b706-c6805b080e23","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"4001f029-f20f-40df-ad92-b88265938bb2","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"e7618329-b39b-5a0d-8a90-030ca697f2ef"},{"id":"92f2bb7e-e08b-476e-a3a2-f94ff1182e72","name":"Wagemole","description":"Wagemole refers to a series of campaigns associated with North Korean IT workers who aim to infiltrate Western companies by gaining employment under false identities, with the ultimate goal of stealing intellectual property and in some cases, demanding ransoms. 
Their activities are financially motivated and seek to advance North Korea's strategic and financial interests.<sup>[[Unit 42 November 21 2023](/references/930228c3-a93b-4664-ab7d-65af212211fc)]</sup><sup>[[The Hacker News Nickel Tapestry October 20 2024](/references/43a8823e-e213-49a2-a3a3-80a9cc534706)]</sup><sup>[[Secureworks North Korea IT Workers October 16 2024](/references/0eff6062-2b77-414b-a26e-fb0c2958d80d)]</sup>","first_seen":"2022-08-01T00:00:00Z","last_seen":"2024-07-01T00:00:00Z","created":"2025-06-03T14:14:56.294681Z","modified":"2025-06-03T14:14:56.294686Z","campaign_attack_id":"C3107","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"517f2565-0c30-41ee-82dc-3b4df8f2a92e","tag":"dae3e667-b5db-4063-aaae-8e8e0b8127a0"},{"id":"f8735e5f-de8b-49d5-86ef-b8e45f37abd0","tag":"c16092ee-468a-4935-8ee1-18bd423ecc52"},{"id":"163ec43d-b821-47a3-871e-84c6e6686700","tag":"5e7433ad-a894-4489-93bc-41e90da90019"},{"id":"3aedc872-6052-404a-842b-4c47a6881a6e","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"9567a8bc-4806-4442-b2be-f420afcd54c2","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"9fdf9acc-0f4d-529b-ab2f-7cb6b1d03ac1"},{"id":"681b23ff-b297-4178-a819-4dbc2206a1fc","name":"WARP PANDA VMware and Cloud Intrusion Campaign (2023-2025)","description":"A campaign by WARP PANDA targeting VMware vCenter and ESXi environments, as well as Microsoft Azure and Office 365 cloud services, at U.S.-based legal, technology, and manufacturing entities for long-term covert access and intelligence collection.<sup>[[CrowdStrike.com December 04 2025](/references/24d4a6ac-2f5a-4155-bb14-7fb68a977fce)]</sup>","first_seen":"2023-12-01T00:00:00Z","last_seen":"2025-12-04T00:00:00Z","created":"2025-12-10T14:15:27.298550Z","modified":"2025-12-10T14:15:27.298554Z","campaign_attack_id":"C3197","source":"Tidal 
Cyber","owner_name":"TidalCyberIan","tags":[{"id":"e9f1e528-1847-43ae-82a9-ee715e74f554","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"adb0e76d-77f4-4596-802d-56d29495c245","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"db257621-264e-51c6-8c9c-d41de0e80620"},{"id":"5b6d5717-676d-5e8b-a2a3-2717c62f6450","name":"Water Curupira Pikabot Distribution","description":"[Pikabot](https://app.tidalcyber.com/software/fb1b0624-3290-5977-abbc-bc9609b51f8d) was distributed in [Water Curupira Pikabot Distribution](https://app.tidalcyber.com/campaigns/5b6d5717-676d-5e8b-a2a3-2717c62f6450) throughout 2023 by an entity linked to BlackBasta ransomware deployment via email attachments. This activity followed the take-down of [QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea), with several technical overlaps and similarities with [QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea), indicating a possible connection. The identified activity led to the deployment of tools such as [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), while coinciding with campaigns delivering [DarkGate](https://app.tidalcyber.com/software/39d81c48-8f7c-54cb-8fac-485598e31a55) and [IcedID](https://app.tidalcyber.com/software/7f59bb7c-5fa9-497d-9d8e-ba9349fd9433) en route to ransomware deployment.<sup>[[TrendMicro Pikabot 2024](https://app.tidalcyber.com/references/a2a22246-d49e-5847-9d20-dac64f1df3ea)]</sup>","first_seen":"2023-01-01T05:00:00Z","last_seen":"2023-12-01T05:00:00Z","created":"2024-10-31T16:28:09.732933Z","modified":"2024-10-31T16:28:09.732936Z","campaign_attack_id":"C0037","source":"MITRE","owner_name":null,"tags":[],"tidal_id":"5b6d5717-676d-5e8b-a2a3-2717c62f6450"},{"id":"3d84d2c7-ce1c-4f32-87d1-a0d818d72571","name":"Water Gamayun MSC EvilTwin Campaign","description":"A campaign by Water Gamayun exploiting the MSC EvilTwin zero-day (CVE-2025-26633) to deliver custom 
payloads, steal data, and maintain persistence using a variety of malware and LOLBins.<sup>[[Trend Micro Water Gamayun March 28 2025](/references/feaae1f3-fccc-491a-bd07-7ecaea2cb813)]</sup>","first_seen":"2024-07-26T00:00:00Z","last_seen":"2025-03-28T00:00:00Z","created":"2025-12-10T14:15:26.535066Z","modified":"2025-12-10T14:15:26.535072Z","campaign_attack_id":"C3193","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"51922a96-ecdc-482d-a0be-2ad83433320a","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"093517f4-d172-4838-ba66-852b4248555f","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"6ef27feb-0f05-5baa-a0f0-8c7dd0ec50cd"},{"id":"de46f467-8390-4ef0-b10e-101061ef40d4","name":"Water Saci WhatsApp Banking Trojan Campaign","description":"A multi-stage, self-propagating malware campaign in Brazil leveraging WhatsApp to deliver banking trojans via layered infection chains, including HTA, ZIP, PDF, and MSI files, with automation and AI-enhanced code conversion for propagation.<sup>[[Trend Micro December 02 2025](/references/329e7423-e145-4390-96df-fe0744b51b19)]</sup>","first_seen":"2025-01-01T00:00:00Z","last_seen":"2025-12-02T00:00:00Z","created":"2025-12-10T14:15:28.945721Z","modified":"2025-12-10T14:15:28.945725Z","campaign_attack_id":"C3200","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"6b1576f5-4339-425d-955a-3c7b40c07d69","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"4f7b3249-97bd-4a4d-a62e-66b329ca6a8e","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"f06d82dc-3203-5315-9562-5715ddb950fa"},{"id":"635edcc0-f8af-4b61-85ba-2589df9f3c58","name":"WebDAV Malware Delivery Activity","description":"Security researchers observed adversaries using Web Distributed Authoring and Versioning (WebDAV) remote file management technology - hosted via free, development/testing-focused Cloudflare servers - to deliver various malware payloads, including AsyncRAT, XWorm, VenomRAT, and the PureLogs infostealer. 
One infection involved an unspecified organization in the government sector.<sup>[[Esentire July 31 2024](/references/18185ffd-8a66-4531-86de-4ba4dd9f675b)]</sup>","first_seen":"2024-07-01T00:00:00Z","last_seen":"2024-07-31T00:00:00Z","created":"2024-10-14T19:20:50.517099Z","modified":"2024-10-14T19:20:50.517104Z","campaign_attack_id":"C3059","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"46df411d-769a-41be-9946-a5b4054cf98e","tag":"61085b71-eb19-46d8-a9e6-1ab9d2f3c08d"},{"id":"d0d6d286-98c9-496a-8fec-037cee8d7dd3","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"0545bada-f839-4c53-b5af-e172719afcf6","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"0563fd46-e971-5776-ae81-9e2cbfb41afc"},{"id":"22265193-4c7d-4edb-8e4e-727dcefd0a09","name":"Windows SmartScreen Bypass (CVE-2024-21412) DarkGate Campaign","description":"Researchers observed a campaign that used phishing communications to trick victims into clicking links that would redirect them to compromised websites hosting a zero-day vulnerability exploit to bypass Microsoft Windows SmartScreen security technology (CVE-2024-21412). The exploit activity involved additional redirect activity, including via internet shortcut files hosted on an adversary WebDAV server. 
The attacks culminated in delivery of the DarkGate loader/remote access trojan.<sup>[[Trend Micro March 13 2024](/references/0574a0a7-694b-4858-b053-8f7911c8ce54)]</sup>","first_seen":"2024-01-15T00:00:00Z","last_seen":"2024-02-13T00:00:00Z","created":"2024-10-14T19:20:50.865075Z","modified":"2024-10-14T19:20:50.865079Z","campaign_attack_id":"C3061","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"a4665bef-f84d-4364-8f29-169828370d2d","tag":"5187cea7-601f-4829-8b41-306044200b64"},{"id":"712ef62c-d810-475a-81b2-9e0cfb7c5167","tag":"a98d7a43-f227-478e-81de-e7299639a355"},{"id":"94dcbbfe-506e-42b1-ad81-a3b981f874ed","tag":"61085b71-eb19-46d8-a9e6-1ab9d2f3c08d"},{"id":"962fa3fa-7ad4-4ad3-bd3b-04ec18576d75","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"cca54a5e-56e9-40b9-9640-3da254ab2da4","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"0df4bae6-ad00-5faa-bb6b-397eeb24b604"},{"id":"5b556f49-70df-45b0-9f68-335c4cd2b561","name":"Winnti campaign targeting Sri Lankan government entities (August 2022)","description":"A targeted campaign by the Winnti group against Sri Lankan government entities, leveraging the country's economic crisis and using Dropbox as C2, with a multi-stage malware chain culminating in the deployment of the KEYPLUG backdoor.<sup>[[web.archive.org October 18 2022](/references/da8f4fd8-aaa1-4ba9-97e3-13bee02c97f5)]</sup>","first_seen":"2022-08-04T00:00:00Z","last_seen":"2022-08-15T00:00:00Z","created":"2026-01-23T20:31:39.887043Z","modified":"2026-01-23T20:31:39.887046Z","campaign_attack_id":"C3286","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"7b614bfd-2d61-4391-b459-07d859509be6","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"e16b0e87-2d6a-4102-aca1-e64da13fb44e","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"84181deb-1225-536d-a520-d724dbfd1a98"},{"id":"1de1e712-c154-4def-b8b2-46e4e26a5ab6","name":"World Nuclear Exhibition Infrastructure Masquerading","description":"Suspected 
campaign infrastructure setup by UTA0355 in 2025, involving domains impersonating the World Nuclear Exhibition, possibly for future or prior phishing operations.<sup>[[Volexity December 04 2025](/references/766e12b5-5336-49c8-9466-997cce7c47fe)]</sup>","first_seen":"2025-11-04T00:00:00Z","last_seen":"2025-11-06T00:00:00Z","created":"2025-12-10T14:15:29.436423Z","modified":"2025-12-10T14:15:29.436427Z","campaign_attack_id":"C3203","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"e63c49d9-c381-4227-8e9f-655bf521d212","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"525fa89e-28ad-4d3d-bd13-047ba5e7686a","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"11c0a1f4-859b-54e8-bac5-dd4ec9e9d14e"},{"id":"ee09b8e2-395d-4f56-b44b-57556ce2037d","name":"XWorm RAT Multi-Stage Phishing Campaign (2025)","description":"A phishing campaign delivering XWorm RAT via a multi-stage process involving malicious Office documents, shellcode, .NET loaders, and reflective DLL injection, ultimately exfiltrating data to XWorm C2 infrastructure.<sup>[[Forcepoint September 26 2025 09 26 2025](/references/3a396064-d3a4-4923-a8b7-8b4395d0a5ef)]</sup>","first_seen":"2025-09-26T00:00:00Z","last_seen":"2025-09-26T00:00:00Z","created":"2025-10-13T17:29:36.530830Z","modified":"2025-10-13T17:29:36.530846Z","campaign_attack_id":"C3138","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"cbcac5ef-5400-4cd1-8720-146f3a2dfcf5","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"d8abd481-cd97-42d4-bc81-d867b6cbfe97","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"ca010a2a-512f-50c5-853c-5f6296aa9c08"},{"id":"9a266576-3942-47e9-bbbc-b07af93f13ca","name":"YouTube Ghost Network Game Cheats and Cracked Software Campaign","description":"A campaign using compromised YouTube accounts to distribute malware via videos advertising game cheats and cracked software, leading to the deployment of GachiLoader and ultimately the Rhadamanthys infostealer.<sup>[[Check 
Point Research December 17 2025](/references/bbf7695b-4eee-412c-b080-6abaefa14ef3)]</sup>","first_seen":"2024-12-22T00:00:00Z","last_seen":"2025-09-17T00:00:00Z","created":"2025-12-29T17:41:32.833193Z","modified":"2025-12-29T17:41:32.833198Z","campaign_attack_id":"C3245","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"1c16e4d0-e4a4-48c2-918d-0a9b0d6320a5","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"2636b943-8030-4b7a-98cb-ab57c0ccfc62","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"b4e1e94d-f114-525e-bf0d-4554452ed481"},{"id":"396e073e-76d7-4fcf-97b4-9343d0a0b819","name":"Zloader & Ursnif Affiliate Campaign 2020-22","description":"A suspected affiliate of the Zloader operation carried out attacks mainly affecting financial institutions. Intrusions typically came via drive-by compromise and initially saw the installation of the Atera software, which was then used to load Zloader, and in some cases, Ursnif.<sup>[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]</sup>","first_seen":"2020-10-01T00:00:00Z","last_seen":"2022-04-13T00:00:00Z","created":"2024-06-13T20:12:36.299678Z","modified":"2024-06-13T20:12:36.299683Z","campaign_attack_id":"C3001","source":"Tidal Cyber","owner_name":"TidalCyberIan","tags":[{"id":"c9c2d75e-65ab-415d-8c3b-156479f7ab4d","tag":"c6e1f516-1a18-4ff9-b563-e6ac8103b104"},{"id":"58a1b656-2850-4352-ba3e-b674415f4fab","tag":"ebec1bf0-e06c-48b2-adeb-fc0669306bc8"},{"id":"d3e5f3cd-684c-4cc6-b9ec-cdb810ac1127","tag":"39357cc1-dbb1-49e4-9fe0-ff24032b94d5"},{"id":"91e466e4-c24b-4349-bbb0-9918de050e79","tag":"e7681e16-9106-4d0a-a915-9958989161a3"},{"id":"3e837c8d-16e0-473d-ac42-1ede8d8a2c4d","tag":"2feda37d-5579-4102-a073-aa02e82cb49f"}],"tidal_id":"cc0a216d-b095-5e60-9b8a-470ee070a8d6"}]}