{
    "type": "bundle",
    "id": "bundle--191433e1-aeba-400d-9969-7644aaeff9ca",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.443242Z",
            "modified": "2026-06-14T11:57:33.443242Z",
            "name": "The Hunters Ledger",
            "identity_class": "organization"
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--85585027-108d-5823-87aa-f7482165e252",
            "value": "91.215.85.22"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--57e9b5ea-6509-56d5-8a98-ba6b3f553142",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.443861Z",
            "modified": "2026-06-14T11:57:33.443861Z",
            "name": "ipv4: 91.215.85.22",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[ipv4-addr:value = '91.215.85.22']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2026-04-17T00:00:00Z",
            "confidence": 95,
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ],
            "x_opencti_detection": false,
            "x_opencti_score": 95
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--b0cc2f56-5c61-5c99-86d5-a844a89701bb",
            "value": "91.215.43.200"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--1e96dc3e-a201-586c-a57b-2d344b893ce3",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.445224Z",
            "modified": "2026-06-14T11:57:33.445224Z",
            "name": "ipv4: 91.215.43.200",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[ipv4-addr:value = '91.215.43.200']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2026-04-17T00:00:00Z",
            "confidence": 95,
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ],
            "x_opencti_detection": false,
            "x_opencti_score": 95
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--a8efc53b-5ed1-5770-ad9e-73064fb8d911",
            "value": "http://91.215.85.22/pay_or_leak/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--334aa285-19b3-5633-87ae-20cb154dec1e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.445849Z",
            "modified": "2026-06-14T11:57:33.445849Z",
            "name": "url: http://91.215.85.22/pay_or_leak/",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[url:value = 'http://91.215.85.22/pay_or_leak/']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2026-04-17T00:00:00Z",
            "confidence": 95,
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ],
            "x_opencti_detection": false,
            "x_opencti_score": 95
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--d151e72f-ae01-586f-a2c7-e796da422dba",
            "value": "http://91.215.85.22/pay_or_leak/INFORMATION.txt"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--4af72e9c-223c-502e-aefe-662a0ee3aff8",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.446466Z",
            "modified": "2026-06-14T11:57:33.446466Z",
            "name": "url: http://91.215.85.22/pay_or_leak/INFORMATION.txt",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[url:value = 'http://91.215.85.22/pay_or_leak/INFORMATION.txt']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2026-04-17T00:00:00Z",
            "confidence": 95,
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ],
            "x_opencti_detection": false,
            "x_opencti_score": 95
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--9935facd-f07c-510f-8214-3531539662f9",
            "value": "https://shinyhunte.rs/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--031c3154-8923-5ae5-ac36-a04a5793041a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.447067Z",
            "modified": "2026-06-14T11:57:33.447067Z",
            "name": "url: https://shinyhunte.rs/",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[url:value = 'https://shinyhunte.rs/']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2026-04-17T00:00:00Z",
            "confidence": 95,
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ],
            "x_opencti_detection": false,
            "x_opencti_score": 95
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--c4730001-9c33-5dbe-8320-2023146876f6",
            "value": "https://shinyhunte.rs/newpgp"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d7a63bf4-db56-5e57-b166-ab7e323698cb",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.447568Z",
            "modified": "2026-06-14T11:57:33.447568Z",
            "name": "url: https://shinyhunte.rs/newpgp",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[url:value = 'https://shinyhunte.rs/newpgp']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2026-04-17T00:00:00Z",
            "confidence": 80,
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ],
            "x_opencti_detection": false,
            "x_opencti_score": 80
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--a1fb9f46-66e0-5a22-874c-8cb621988ccd",
            "value": "https://pastebin.com/raw/sb7aB9eU"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d848fd1c-47f9-5b7a-8277-2cc71c636c4e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.448069Z",
            "modified": "2026-06-14T11:57:33.448069Z",
            "name": "url: https://pastebin.com/raw/sb7aB9eU",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[url:value = 'https://pastebin.com/raw/sb7aB9eU']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2026-04-17T00:00:00Z",
            "confidence": 80,
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ],
            "x_opencti_detection": false,
            "x_opencti_score": 80
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--f194d404-fa16-5700-bf0f-fa53f817e82d",
            "value": "shinyhunte.rs"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--31d0fe4a-98c8-5e9a-b93b-b42731d8bc14",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.448528Z",
            "modified": "2026-06-14T11:57:33.448528Z",
            "name": "domain: shinyhunte.rs",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[domain-name:value = 'shinyhunte.rs']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2026-04-17T00:00:00Z",
            "confidence": 95,
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ],
            "x_opencti_detection": false,
            "x_opencti_score": 95
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--55c8bc3b-747f-5faf-ace6-62501724eac1",
            "value": "pro-spero.ru"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--88e9262a-21c5-5858-8697-d9bd060ca835",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.449027Z",
            "modified": "2026-06-14T11:57:33.449027Z",
            "name": "domain: pro-spero.ru",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[domain-name:value = 'pro-spero.ru']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2026-04-17T00:00:00Z",
            "confidence": 95,
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ],
            "x_opencti_detection": false,
            "x_opencti_score": 95
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--db177dd3-3823-541f-ba0d-1adfaf07b99e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.449735Z",
            "modified": "2026-06-14T11:57:33.449735Z",
            "name": "MALW_ShinyHunters_RansomNote",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule MALW_ShinyHunters_RansomNote\n{\n    meta:\n        description = \"Detects ShinyHunters Data Leak Site ransom note (INFORMATION.txt) by exact opening phrase and .onion mirror references distributed in actor ransom packages; presence on an enterprise file share is a high-confidence exfiltration indicator\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-04-17\"\n        reference = \"https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/\"\n        hash_sha256 = \"N/A\"\n        family = \"ShinyHunters-DLS\"\n\n    strings:\n        $s1 = \"This file has been downloaded from the ShinyHunters Data Leak Site (DLS)\" ascii\n        $s2 = \"leaked on the ShinyHunters DLS because the victim did not pay a ransom\" ascii\n        $s3 = \"shnyhntww34phqoa6dcgnvps2yu7dlwzmy5lkvejwjdo6z7bmgshzayd.onion\" ascii\n        $s4 = \"shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion\" ascii\n        $s5 = \"toolatedhs5dtr2pv6h5kdraneak5gs3sxrecqhoufc5e45edior7mqd.onion\" ascii\n        $s6 = \"pay_or_leak\" ascii\n\n    condition:\n        filesize < 500KB and\n        ($s1 or $s2) and\n        (1 of ($s3, $s4, $s5) or $s6)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-04-17T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5797fc71-1164-5c97-83a3-35ca9881119c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.449905Z",
            "modified": "2026-06-14T11:57:33.449905Z",
            "name": "MALW_ShinyHunters_TauntFilename",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule MALW_ShinyHunters_TauntFilename\n{\n    meta:\n        description = \"Detects ShinyHunters actor-branded taunt filename patterns embedded in archive names and file-system paths; 26 of 30 DLS archives carry this naming convention as actor branding and victim-pressure mechanism\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-04-17\"\n        reference = \"https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/\"\n        hash_sha256 = \"N/A\"\n        family = \"ShinyHunters-DLS\"\n\n    strings:\n        $s1 = \"shouldve_paid_the_ransom\" nocase ascii wide\n        $s2 = \"should_have_paid_the_ransom\" nocase ascii wide\n        $s3 = \"pay_the_ransom_next_time\" nocase ascii wide\n        $s4 = \"didnt_pay_the_ransom\" nocase ascii wide\n        $s5 = \"you_shouldve_paid\" nocase ascii wide\n        $actor = \"shinyhunters\" nocase ascii wide\n\n    condition:\n        filesize < 10MB and\n        $actor and\n        1 of ($s1, $s2, $s3, $s4, $s5)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-04-17T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f4f3b9ff-cfd2-597b-afc7-670ffffbfe8d",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.45004Z",
            "modified": "2026-06-14T11:57:33.45004Z",
            "name": "MALW_ShinyHunters_PGP_Identity",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule MALW_ShinyHunters_PGP_Identity\n{\n    meta:\n        description = \"Detects ShinyHunters actor identity documents by known PGP key fingerprints published on shinyhunte.rs across three key-rotation events (2020 Empire, 2020 RaidForums, 2025-12, 2026 current); presence on an enterprise endpoint indicates direct contact with DLS actor infrastructure\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-04-17\"\n        reference = \"https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/\"\n        hash_sha256 = \"N/A\"\n        family = \"ShinyHunters-DLS\"\n\n    strings:\n        $s1 = \"F4953411767DE71BEDCDABCB76F4E26F7A20978A\" ascii\n        $s2 = \"1FC4D0B1DEE914BB05B57FABF1F1B98A51C989B3\" ascii\n        $s3 = \"828537C15F43F135A8317153CD16A1660CC7CE51\" ascii\n        $s4 = \"E80C1308A09EC1ADC418C3F02578988F69BCA3FC\" ascii\n        $s5 = \"shinyhunte.rs\" ascii\n        $s6 = \"Scattered LAPSUS$ Hunters\" ascii\n\n    condition:\n        filesize < 200KB and\n        (1 of ($s1, $s2, $s3, $s4) or ($s5 and $s6))\n}",
            "pattern_type": "yara",
            "valid_from": "2026-04-17T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5f6554f3-5bdd-505f-b876-be9d45b926c1",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.450175Z",
            "modified": "2026-06-14T11:57:33.450175Z",
            "name": "MALW_ShinyHunters_DLS_HTML",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule MALW_ShinyHunters_DLS_HTML\n{\n    meta:\n        description = \"Detects ShinyHunters clearnet identity page (shinyhunte.rs) HTML artifacts by page title, full PGP URL path, and .onion mirror references co-occurring in HTML content; intended for threat-intel collection review, proxy-cache hunting, and CASB alerting\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-04-17\"\n        reference = \"https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/\"\n        hash_sha256 = \"N/A\"\n        family = \"ShinyHunters-DLS\"\n\n    strings:\n        $s1 = \"Scattered LAPSUS$ Hunters | DLS\" ascii\n        $s2 = \"ShinyHunters Data Leak Site\" ascii\n        $s3 = \"shinyhunte.rs/newpgp\" ascii\n        $s4 = \"shnyhntww34phqoa6dcgnvps2yu7dlwzmy5lkvejwjdo6z7bmgshzayd\" ascii\n        $s5 = \"/pay_or_leak/\" ascii\n\n    condition:\n        filesize < 2MB and\n        ($s1 or $s2) and\n        1 of ($s3, $s4, $s5)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-04-17T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ce2a6ae4-e06d-584b-99b0-8530fb569089",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.450302Z",
            "modified": "2026-06-14T11:57:33.450302Z",
            "name": "ShinyHunters DLS \u2014 DNS Query for Actor-Controlled Domains",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: ShinyHunters DLS \u2014 DNS Query for Actor-Controlled Domains\nid: a1b2c3d4-e5f6-4890-abcd-ef1234567890\nstatus: experimental\ndescription: Detects DNS queries from enterprise endpoints to ShinyHunters-controlled clearnet domains (shinyhunte.rs, pro-spero.ru). A query originating from a managed endpoint indicates direct contact with extortion actor infrastructure \u2014 either a victim system retrieving ransom materials or a compromised host beacon-checking actor domains.\nreferences:\n    - https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/\nauthor: The Hunters Ledger\ndate: 2026/04/17\ntags:\n    - attack.command-and-control\n    - attack.exfiltration\nlogsource:\n    category: dns_query\n    product: windows\ndetection:\n    selection:\n        QueryName|endswith:\n            - 'shinyhunte.rs'\n            - 'pro-spero.ru'\n    condition: selection\nfalsepositives:\n    - Threat intelligence platforms performing automated domain lookups\n    - Security researchers conducting active investigation of ShinyHunters infrastructure\n    - Honeypot or sandbox environments conducting threat-intel crawling\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-04-17T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9f58167d-8319-5ed7-9f47-f13a10a191dd",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.450431Z",
            "modified": "2026-06-14T11:57:33.450431Z",
            "name": "ShinyHunters DLS \u2014 Outbound Connection to DLS IP Infrastructure",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: ShinyHunters DLS \u2014 Outbound Connection to DLS IP Infrastructure\nid: b2c3d4e5-f6a7-4901-bcde-f12345678901\nstatus: experimental\ndescription: Detects outbound network connections from managed endpoints to ShinyHunters Data Leak Site IP infrastructure. 91.215.85.22 hosts the clearnet DLS directory; 91.215.43.200 hosts the shinyhunte.rs actor-identity page. A direct connection from a managed endpoint to either IP warrants immediate investigation as a possible exfiltration indicator or ransom-material retrieval.\nreferences:\n    - https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/\nauthor: The Hunters Ledger\ndate: 2026/04/17\ntags:\n    - attack.command-and-control\n    - attack.exfiltration\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        DestinationIp:\n            - '91.215.85.22'\n            - '91.215.43.200'\n    condition: selection\nfalsepositives:\n    - Threat intelligence platforms performing automated scanning of known threat infrastructure\n    - Security researchers actively pivoting on ShinyHunters infrastructure\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-04-17T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--6bcdb391-a8e9-5830-ab57-03973c0ab8a8",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.45056Z",
            "modified": "2026-06-14T11:57:33.45056Z",
            "name": "ShinyHunters DLS \u2014 Web Proxy Hit on DLS URL Paths",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: ShinyHunters DLS \u2014 Web Proxy Hit on DLS URL Paths\nid: c3d4e5f6-a7b8-4012-cdef-123456789012\nstatus: experimental\ndescription: Detects HTTP proxy requests to ShinyHunters DLS URL paths (/pay_or_leak/ directory or INFORMATION.txt ransom note). These paths are exclusive to the ShinyHunters extortion infrastructure at 91.215.85.22 and shinyhunte.rs. The path selection is not scoped to those hosts, so a match on the generic file name INFORMATION.txt alone should be confirmed against the destination host before escalation. A hit from an internal host indicates retrieval of ransom materials following extortion contact or active exfiltration confirmation by a threat actor using a compromised endpoint.\nreferences:\n    - https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/\nauthor: The Hunters Ledger\ndate: 2026/04/17\ntags:\n    - attack.exfiltration\n    - attack.impact\nlogsource:\n    category: proxy\ndetection:\n    selection_path:\n        cs-uri-stem|contains:\n            - '/pay_or_leak/'\n            - 'INFORMATION.txt'\n    selection_host:\n        cs-host|contains:\n            - '91.215.85.22'\n            - 'shinyhunte.rs'\n    condition: selection_path or selection_host\nfalsepositives:\n    - Threat intelligence analysts or security researchers manually retrieving DLS content for analysis\n    - Automated threat-intel crawler services indexing extortion infrastructure\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-04-17T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--49c8a353-a9ec-5f12-80d0-d13836c2080b",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.450711Z",
            "modified": "2026-06-14T11:57:33.450711Z",
            "name": "ShinyHunters DLS \u2014 Salesforce Bulk Export OAuth App Authorization",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: ShinyHunters DLS \u2014 Salesforce Bulk Export OAuth App Authorization\nid: d4e5f6a7-b8c9-4123-defa-234567890123\nstatus: experimental\ndescription: Detects Salesforce OAuth connected application authorizations involving DataLoader or DataExporter family app names. The ShinyHunters 2026 campaign used vishing to convince helpdesk to authorize Salesforce bulk-export OAuth apps, enabling mass CRM data exfiltration across 28+ confirmed victims. This rule targets Salesforce Shield Event Monitoring logs (ConnectedApp event type). Note \u2014 the Salesforce native DataLoader application is filtered; alerts will fire on third-party or unrecognized DataLoader variants.\nreferences:\n    - https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/\n    - https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_endpoints.htm\nauthor: The Hunters Ledger\ndate: 2026/04/17\ntags:\n    - attack.credential-access\n    - attack.collection\nlogsource:\n    product: salesforce\n    service: event_monitoring\ndetection:\n    selection:\n        EventType: 'ConnectedApp'\n        AppName|contains:\n            - 'DataLoader'\n            - 'DataExporter'\n            - 'DataImporter'\n            - 'Bulk API'\n    filter_known_good:\n        AppName|contains:\n            - 'Salesforce DataLoader'\n    condition: selection and not filter_known_good\nfalsepositives:\n    - Legitimate use of Salesforce Data Loader by authorized administrators performing data migrations\n    - ETL pipeline integrations using Salesforce Bulk API with app names matching these patterns\nlevel: medium",
            "pattern_type": "sigma",
            "valid_from": "2026-04-17T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--19e9f2bd-5226-5e85-9207-87446ffb003d",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.450849Z",
            "modified": "2026-06-14T11:57:33.450849Z",
            "name": "ShinyHunters DLS \u2014 Okta MFA Factor Deactivation or Unexpected Enrollment",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: ShinyHunters DLS \u2014 Okta MFA Factor Deactivation or Unexpected Enrollment\nid: e5f6a7b8-c9d0-4234-efab-345678901234\nstatus: experimental\ndescription: Detects Okta MFA factor deactivation or new factor enrollment events that match the ShinyHunters vishing TTP. Threat actors impersonate employees to convince IT support to reset MFA (user.mfa.factor.deactivate), then immediately enroll an actor-controlled authenticator device (user.mfa.factor.activate). For maximum fidelity, correlate these two event types by target user ID within a 30-minute window in your SIEM \u2014 this rule fires on either event individually to ensure coverage.\nreferences:\n    - https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/\nauthor: The Hunters Ledger\ndate: 2026/04/17\ntags:\n    - attack.credential-access\n    - attack.persistence\n    - attack.initial-access\nlogsource:\n    product: okta\n    service: system_log\ndetection:\n    selection_reset:\n        eventType: 'user.mfa.factor.deactivate'\n    selection_enroll:\n        eventType: 'user.mfa.factor.activate'\n    condition: selection_reset or selection_enroll\nfalsepositives:\n    - Legitimate employee MFA resets followed by self-enrollment on a new device\n    - IT administrators assisting users with routine device replacement\n    - Bulk MFA enrollment during onboarding campaigns\nlevel: medium",
            "pattern_type": "sigma",
            "valid_from": "2026-04-17T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--55e860b7-9fa6-5d06-ad26-dc85a0ec624b",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.451002Z",
            "modified": "2026-06-14T11:57:33.451002Z",
            "name": "ShinyHunters DLS \u2014 PROSPERO Bulletproof Hosting CIDR Range Access",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: ShinyHunters DLS \u2014 PROSPERO Bulletproof Hosting CIDR Range Access\nid: f6a7b8c9-d0e1-4345-fabc-456789012345\nstatus: experimental\ndescription: Detects network connections to PROSPERO AS200593 IP prefixes associated with ShinyHunters DLS infrastructure and co-hosted extortion campaigns. These CIDR blocks are bulletproof hosting ranges and have been observed hosting multiple threat actor operations beyond ShinyHunters. This is a lower-fidelity, context-dependent indicator \u2014 enrich with destination reputation and correlate with other ShinyHunters indicators before actioning.\nreferences:\n    - https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/\nauthor: The Hunters Ledger\ndate: 2026/04/17\ntags:\n    - attack.command-and-control\n    - attack.resource-development\nlogsource:\n    product: firewall\ndetection:\n    selection:\n        DestinationIp|cidr:\n            - '91.215.85.0/24'\n            - '91.202.233.0/24'\n            - '193.24.123.0/24'\n    condition: selection\nfalsepositives:\n    - Legitimate services co-hosted on PROSPERO AS200593 \u2014 shared bulletproof hosting environment where other tenants may include unrelated or lower-risk operations\n    - Threat intelligence platform automated scanning of known malicious ranges\nlevel: low",
            "pattern_type": "sigma",
            "valid_from": "2026-04-17T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--977b0f79-d88c-58eb-aba8-2fa7054837b4",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.451204Z",
            "modified": "2026-06-14T11:57:33.451204Z",
            "name": "THL ShinyHunters DLS - HTTP Host Header shinyhunte.rs",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert http $HOME_NET any -> $EXTERNAL_NET any (\n    msg:\"THL ShinyHunters DLS - HTTP Host Header shinyhunte.rs\";\n    flow:established,to_server;\n    http.host;\n    content:\"shinyhunte.rs\";\n    endswith;\n    nocase;\n    classtype:trojan-activity;\n    sid:9001001;\n    rev:1;\n    metadata:author \"The Hunters Ledger\",\n              reference https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/,\n              created_at 2026-04-17,\n              attack_target Client_Endpoint,\n              mitre_tactic_id TA0011,\n              mitre_technique_id T1583.001;\n)\n\nalert tls $HOME_NET any -> $EXTERNAL_NET any (\n    msg:\"THL ShinyHunters DLS - TLS SNI shinyhunte.rs\";\n    flow:established,to_server;\n    tls.sni;\n    content:\"shinyhunte.rs\";\n    endswith;\n    nocase;\n    classtype:trojan-activity;\n    sid:9001002;\n    rev:1;\n    metadata:author \"The Hunters Ledger\",\n              reference https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/,\n              created_at 2026-04-17,\n              attack_target Client_Endpoint,\n              mitre_tactic_id TA0011,\n              mitre_technique_id T1583.001;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-04-17T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9fad0131-4bac-5e31-a92c-457a3c460c31",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.451424Z",
            "modified": "2026-06-14T11:57:33.451424Z",
            "name": "THL ShinyHunters DLS - Direct HTTP Connection to DLS Host 91.215.85.22",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert http $HOME_NET any -> 91.215.85.22 any (\n    msg:\"THL ShinyHunters DLS - Direct HTTP Connection to DLS Host 91.215.85.22\";\n    flow:established,to_server;\n    http.method;\n    content:\"GET\";\n    classtype:trojan-activity;\n    threshold:type limit, track by_src, seconds 300, count 1;\n    sid:9001003;\n    rev:1;\n    metadata:author \"The Hunters Ledger\",\n              reference https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/,\n              created_at 2026-04-17,\n              attack_target Client_Endpoint,\n              mitre_tactic_id TA0040,\n              mitre_technique_id T1657;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-04-17T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "malware",
            "spec_version": "2.1",
            "id": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.451673Z",
            "modified": "2026-06-14T11:57:33.451673Z",
            "name": "ShinyHunters",
            "is_family": true,
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "malware",
            "spec_version": "2.1",
            "id": "malware--baca93a4-3ee5-57ca-9a08-8af8d3cd445e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.451894Z",
            "modified": "2026-06-14T11:57:33.451894Z",
            "name": "Scattered LAPSUS$ Hunters 2026 cluster",
            "is_family": true,
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--8e773df3-b3cc-54bd-83db-4028fe946d79",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.452087Z",
            "modified": "2026-06-14T11:57:33.452087Z",
            "name": "Financial Theft",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1657",
                    "external_id": "T1657"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--40b34036-0c2f-5429-b133-afcd52bb880c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.452257Z",
            "modified": "2026-06-14T11:57:33.452257Z",
            "name": "Phishing: Spearphishing Voice (vishing)",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1566/004",
                    "external_id": "T1566.004"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--d1d66d90-5aa7-5866-9753-179f8e1fdc18",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.452446Z",
            "modified": "2026-06-14T11:57:33.452446Z",
            "name": "Supply Chain Compromise: Compromise Software Supply Chain",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1195/002",
                    "external_id": "T1195.002"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--f04532fb-150d-5d27-99b3-5392af504899",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.45271Z",
            "modified": "2026-06-14T11:57:33.45271Z",
            "name": "Steal Application Access Token",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1528",
                    "external_id": "T1528"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--1076c468-8982-548b-9292-726a22f83ecb",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.452938Z",
            "modified": "2026-06-14T11:57:33.452938Z",
            "name": "Unsecured Credentials: Credentials In Files",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1552/001",
                    "external_id": "T1552.001"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--e42939d6-6332-5a6c-8dac-6195c79081bc",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.453159Z",
            "modified": "2026-06-14T11:57:33.453159Z",
            "name": "Data from Information Repositories",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1213",
                    "external_id": "T1213"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--cda30ca1-c824-539f-932b-fb0809cbd444",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.453383Z",
            "modified": "2026-06-14T11:57:33.453383Z",
            "name": "Data from Cloud Storage",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1530",
                    "external_id": "T1530"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--ed69c65f-7bc6-5a49-accd-759abe8c1c1b",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.453598Z",
            "modified": "2026-06-14T11:57:33.453598Z",
            "name": "Exfiltration Over Web Service: to Cloud Storage",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1567/002",
                    "external_id": "T1567.002"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--c4d23a10-7ecd-543e-af65-13160caed625",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.453837Z",
            "modified": "2026-06-14T11:57:33.453837Z",
            "name": "Proxy: Multi-hop Proxy (Tor mirrors)",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1090/003",
                    "external_id": "T1090.003"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--d81b46ce-ef63-5c04-a945-180b77ff6da7",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.45407Z",
            "modified": "2026-06-14T11:57:33.45407Z",
            "name": "Acquire Infrastructure: Domains",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1583/001",
                    "external_id": "T1583.001"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--5b7a06ed-32c6-5260-95a8-8e82d3f41f1f",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.45425Z",
            "modified": "2026-06-14T11:57:33.45425Z",
            "name": "Acquire Infrastructure: VPS (bulletproof hosting)",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1583/003",
                    "external_id": "T1583.003"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--2897b2f1-408a-5653-857f-ba8d519a3780",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.45438Z",
            "modified": "2026-06-14T11:57:33.45438Z",
            "name": "Data Destruction (adversary-side leak as punitive impact)",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1485",
                    "external_id": "T1485"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "infrastructure",
            "spec_version": "2.1",
            "id": "infrastructure--ea0cf03e-e0b2-5f37-abfe-bbecb74785e3",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.454513Z",
            "modified": "2026-06-14T11:57:33.454513Z",
            "name": "shinyhunters-dls-91-215-85-22-20260417 infrastructure",
            "infrastructure_types": [
                "command-and-control",
                "hosting"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a2959639-d316-5c96-8824-efbde5eaa252",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.455219Z",
            "modified": "2026-06-14T11:57:33.455219Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--57e9b5ea-6509-56d5-8a98-ba6b3f553142",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e7681a84-6ac0-5a11-90f1-3c839314b5b8",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.455376Z",
            "modified": "2026-06-14T11:57:33.455376Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--1e96dc3e-a201-586c-a57b-2d344b893ce3",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e54b527d-ed26-5850-ac5e-805a79d43aa5",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.455497Z",
            "modified": "2026-06-14T11:57:33.455497Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--334aa285-19b3-5633-87ae-20cb154dec1e",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--95cfe951-edd8-57ed-ab82-2e39823a2896",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.455609Z",
            "modified": "2026-06-14T11:57:33.455609Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--4af72e9c-223c-502e-aefe-662a0ee3aff8",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--249711a0-9086-53b7-a114-e49afc7600e3",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.455719Z",
            "modified": "2026-06-14T11:57:33.455719Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--031c3154-8923-5ae5-ac36-a04a5793041a",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1bdc4413-00f3-56b2-b394-ef851dc2d7d8",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.455828Z",
            "modified": "2026-06-14T11:57:33.455828Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--d7a63bf4-db56-5e57-b166-ab7e323698cb",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--cfe24c43-f9e2-553b-95bf-a7fad8a7e69f",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.455933Z",
            "modified": "2026-06-14T11:57:33.455933Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--d848fd1c-47f9-5b7a-8277-2cc71c636c4e",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--53d9d52d-29e5-5e0b-98e6-02ddb8cfe12d",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.456038Z",
            "modified": "2026-06-14T11:57:33.456038Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--31d0fe4a-98c8-5e9a-b93b-b42731d8bc14",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8971e1a1-8594-5b72-a9b1-008000205160",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.456157Z",
            "modified": "2026-06-14T11:57:33.456157Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--88e9262a-21c5-5858-8697-d9bd060ca835",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ce4954a5-8243-5318-bb63-ac636ba09cc0",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.456272Z",
            "modified": "2026-06-14T11:57:33.456272Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--db177dd3-3823-541f-ba0d-1adfaf07b99e",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--29e8aa6a-6ec5-54de-9e52-0e0e7d0daf44",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.456387Z",
            "modified": "2026-06-14T11:57:33.456387Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--5797fc71-1164-5c97-83a3-35ca9881119c",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--22cade48-536f-514f-983f-92d24de507bd",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.456507Z",
            "modified": "2026-06-14T11:57:33.456507Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--f4f3b9ff-cfd2-597b-afc7-670ffffbfe8d",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--f5098a94-8961-58d3-b6e6-5bde54dd551f",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.456635Z",
            "modified": "2026-06-14T11:57:33.456635Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--5f6554f3-5bdd-505f-b876-be9d45b926c1",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--4cf730b7-275b-53ad-9508-c4cf46e77b5d",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.456766Z",
            "modified": "2026-06-14T11:57:33.456766Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--ce2a6ae4-e06d-584b-99b0-8530fb569089",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--966cf0d0-7b8b-56f9-a8f5-e76735b644cd",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.456894Z",
            "modified": "2026-06-14T11:57:33.456894Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--9f58167d-8319-5ed7-9f47-f13a10a191dd",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--566fa847-06ea-5889-837c-4c0efd2a26d6",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.457022Z",
            "modified": "2026-06-14T11:57:33.457022Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--6bcdb391-a8e9-5830-ab57-03973c0ab8a8",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--54f0431d-f132-5bd2-b584-ab9f16a6de87",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.45715Z",
            "modified": "2026-06-14T11:57:33.45715Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--49c8a353-a9ec-5f12-80d0-d13836c2080b",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--62dd3c1c-4806-5b91-9289-4a9c8f93723f",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.457265Z",
            "modified": "2026-06-14T11:57:33.457265Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--19e9f2bd-5226-5e85-9207-87446ffb003d",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b2dde0b4-4304-5027-8622-5ffab28945b1",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.457388Z",
            "modified": "2026-06-14T11:57:33.457388Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--55e860b7-9fa6-5d06-ad26-dc85a0ec624b",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2f316de0-6d1b-5b88-a305-f5c68e53aadb",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.457503Z",
            "modified": "2026-06-14T11:57:33.457503Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--977b0f79-d88c-58eb-aba8-2fa7054837b4",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b3ee3787-0029-5974-95ff-0eba85941633",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.457622Z",
            "modified": "2026-06-14T11:57:33.457622Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--9fad0131-4bac-5e31-a92c-457a3c460c31",
            "target_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--27b51760-2c35-5a7f-8362-52f56a195571",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.457741Z",
            "modified": "2026-06-14T11:57:33.457741Z",
            "relationship_type": "uses",
            "source_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "target_ref": "attack-pattern--8e773df3-b3cc-54bd-83db-4028fe946d79",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5352c2f4-8a1b-5c40-824a-ef22ac4ee753",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.457855Z",
            "modified": "2026-06-14T11:57:33.457855Z",
            "relationship_type": "uses",
            "source_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "target_ref": "attack-pattern--40b34036-0c2f-5429-b133-afcd52bb880c",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--594f2b8e-ee39-579d-b877-38f32f4f4541",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.45797Z",
            "modified": "2026-06-14T11:57:33.45797Z",
            "relationship_type": "uses",
            "source_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "target_ref": "attack-pattern--d1d66d90-5aa7-5866-9753-179f8e1fdc18",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--da0e2159-c0d0-5838-9c6b-e57de250f097",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.458081Z",
            "modified": "2026-06-14T11:57:33.458081Z",
            "relationship_type": "uses",
            "source_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "target_ref": "attack-pattern--f04532fb-150d-5d27-99b3-5392af504899",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1ab3144a-bf20-5a46-a3c6-5be731aca57d",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.458188Z",
            "modified": "2026-06-14T11:57:33.458188Z",
            "relationship_type": "uses",
            "source_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "target_ref": "attack-pattern--1076c468-8982-548b-9292-726a22f83ecb",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--20a4d845-eea7-5452-be86-ec5956840ff3",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.458297Z",
            "modified": "2026-06-14T11:57:33.458297Z",
            "relationship_type": "uses",
            "source_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "target_ref": "attack-pattern--e42939d6-6332-5a6c-8dac-6195c79081bc",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--58059be1-7984-5c90-b1e1-20c4b805bc96",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.458432Z",
            "modified": "2026-06-14T11:57:33.458432Z",
            "relationship_type": "uses",
            "source_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "target_ref": "attack-pattern--cda30ca1-c824-539f-932b-fb0809cbd444",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e03f5773-f720-5ae4-8786-d1488cfcbcfe",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.458581Z",
            "modified": "2026-06-14T11:57:33.458581Z",
            "relationship_type": "uses",
            "source_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "target_ref": "attack-pattern--ed69c65f-7bc6-5a49-accd-759abe8c1c1b",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--189e2eea-cf34-5294-9af9-999c7e19de6b",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.458734Z",
            "modified": "2026-06-14T11:57:33.458734Z",
            "relationship_type": "uses",
            "source_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "target_ref": "attack-pattern--c4d23a10-7ecd-543e-af65-13160caed625",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--59da7c4e-7e2c-5f17-91ff-584b0dbe282b",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.458875Z",
            "modified": "2026-06-14T11:57:33.458875Z",
            "relationship_type": "uses",
            "source_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "target_ref": "attack-pattern--d81b46ce-ef63-5c04-a945-180b77ff6da7",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--63aa7746-121b-5a65-979a-cc45d17014cb",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.459099Z",
            "modified": "2026-06-14T11:57:33.459099Z",
            "relationship_type": "uses",
            "source_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "target_ref": "attack-pattern--5b7a06ed-32c6-5260-95a8-8e82d3f41f1f",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c464e416-d77a-57ea-8215-ea2b4972da5c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.459326Z",
            "modified": "2026-06-14T11:57:33.459326Z",
            "relationship_type": "uses",
            "source_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "target_ref": "attack-pattern--2897b2f1-408a-5653-857f-ba8d519a3780",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--75364517-aa52-5031-a9f3-4219efd2a560",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.459539Z",
            "modified": "2026-06-14T11:57:33.459539Z",
            "relationship_type": "communicates-with",
            "source_ref": "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
            "target_ref": "infrastructure--ea0cf03e-e0b2-5f37-abfe-bbecb74785e3",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--f28125e3-5d46-5299-8422-4ef0848fd15e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.459742Z",
            "modified": "2026-06-14T11:57:33.459742Z",
            "relationship_type": "uses",
            "source_ref": "malware--baca93a4-3ee5-57ca-9a08-8af8d3cd445e",
            "target_ref": "attack-pattern--8e773df3-b3cc-54bd-83db-4028fe946d79",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5a2aac12-2470-5cc5-9b0d-9f56ea56c26b",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.45994Z",
            "modified": "2026-06-14T11:57:33.45994Z",
            "relationship_type": "uses",
            "source_ref": "malware--baca93a4-3ee5-57ca-9a08-8af8d3cd445e",
            "target_ref": "attack-pattern--40b34036-0c2f-5429-b133-afcd52bb880c",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--7449024c-67de-5a34-a66d-f7c2404dc2a9",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.460139Z",
            "modified": "2026-06-14T11:57:33.460139Z",
            "relationship_type": "uses",
            "source_ref": "malware--baca93a4-3ee5-57ca-9a08-8af8d3cd445e",
            "target_ref": "attack-pattern--d1d66d90-5aa7-5866-9753-179f8e1fdc18",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ef3b6e3e-3225-5f25-b7b7-6d393a7e9eae",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.460339Z",
            "modified": "2026-06-14T11:57:33.460339Z",
            "relationship_type": "uses",
            "source_ref": "malware--baca93a4-3ee5-57ca-9a08-8af8d3cd445e",
            "target_ref": "attack-pattern--f04532fb-150d-5d27-99b3-5392af504899",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--3d1fa1ca-c6b2-5e76-a95a-6be0803c7348",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.460529Z",
            "modified": "2026-06-14T11:57:33.460529Z",
            "relationship_type": "uses",
            "source_ref": "malware--baca93a4-3ee5-57ca-9a08-8af8d3cd445e",
            "target_ref": "attack-pattern--1076c468-8982-548b-9292-726a22f83ecb",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--4ed35bff-3c5c-5acc-9293-d382020bd1bf",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.460684Z",
            "modified": "2026-06-14T11:57:33.460684Z",
            "relationship_type": "uses",
            "source_ref": "malware--baca93a4-3ee5-57ca-9a08-8af8d3cd445e",
            "target_ref": "attack-pattern--e42939d6-6332-5a6c-8dac-6195c79081bc",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--fc014b6c-1d93-5750-9af2-1813a5986d2a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.460791Z",
            "modified": "2026-06-14T11:57:33.460791Z",
            "relationship_type": "uses",
            "source_ref": "malware--baca93a4-3ee5-57ca-9a08-8af8d3cd445e",
            "target_ref": "attack-pattern--cda30ca1-c824-539f-932b-fb0809cbd444",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--465a65c3-b69d-5d80-b6a5-6919f7f182ff",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.460894Z",
            "modified": "2026-06-14T11:57:33.460894Z",
            "relationship_type": "uses",
            "source_ref": "malware--baca93a4-3ee5-57ca-9a08-8af8d3cd445e",
            "target_ref": "attack-pattern--ed69c65f-7bc6-5a49-accd-759abe8c1c1b",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b54d3d0d-62e4-57a7-b991-000df7aa31e5",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.460996Z",
            "modified": "2026-06-14T11:57:33.460996Z",
            "relationship_type": "uses",
            "source_ref": "malware--baca93a4-3ee5-57ca-9a08-8af8d3cd445e",
            "target_ref": "attack-pattern--c4d23a10-7ecd-543e-af65-13160caed625",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0f3e5117-d669-5659-b9c9-e7f761349c43",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.461116Z",
            "modified": "2026-06-14T11:57:33.461116Z",
            "relationship_type": "uses",
            "source_ref": "malware--baca93a4-3ee5-57ca-9a08-8af8d3cd445e",
            "target_ref": "attack-pattern--d81b46ce-ef63-5c04-a945-180b77ff6da7",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1ec65e27-538e-5076-909a-8f3ae9cdf18a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.46123Z",
            "modified": "2026-06-14T11:57:33.46123Z",
            "relationship_type": "uses",
            "source_ref": "malware--baca93a4-3ee5-57ca-9a08-8af8d3cd445e",
            "target_ref": "attack-pattern--5b7a06ed-32c6-5260-95a8-8e82d3f41f1f",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c8142fcf-c61b-5ff4-b9a1-a3287f91d78d",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.461351Z",
            "modified": "2026-06-14T11:57:33.461351Z",
            "relationship_type": "uses",
            "source_ref": "malware--baca93a4-3ee5-57ca-9a08-8af8d3cd445e",
            "target_ref": "attack-pattern--2897b2f1-408a-5653-857f-ba8d519a3780",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8f2891b1-e8f5-5215-8b97-e8cbe25c18a6",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.461468Z",
            "modified": "2026-06-14T11:57:33.461468Z",
            "relationship_type": "communicates-with",
            "source_ref": "malware--baca93a4-3ee5-57ca-9a08-8af8d3cd445e",
            "target_ref": "infrastructure--ea0cf03e-e0b2-5f37-abfe-bbecb74785e3",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--5ff1b5a0-5d02-5631-a253-1a04ccb6db3a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:57:33.461715Z",
            "modified": "2026-06-14T11:57:33.461715Z",
            "name": "ShinyHunters Data Leak Site at 91.215.85.22 \u2014 Infrastructure, Victims, and Attribution",
            "report_types": [
                "threat-report"
            ],
            "published": "2026-04-17T00:00:00Z",
            "object_refs": [
                "ipv4-addr--85585027-108d-5823-87aa-f7482165e252",
                "indicator--57e9b5ea-6509-56d5-8a98-ba6b3f553142",
                "ipv4-addr--b0cc2f56-5c61-5c99-86d5-a844a89701bb",
                "indicator--1e96dc3e-a201-586c-a57b-2d344b893ce3",
                "url--a8efc53b-5ed1-5770-ad9e-73064fb8d911",
                "indicator--334aa285-19b3-5633-87ae-20cb154dec1e",
                "url--d151e72f-ae01-586f-a2c7-e796da422dba",
                "indicator--4af72e9c-223c-502e-aefe-662a0ee3aff8",
                "url--9935facd-f07c-510f-8214-3531539662f9",
                "indicator--031c3154-8923-5ae5-ac36-a04a5793041a",
                "url--c4730001-9c33-5dbe-8320-2023146876f6",
                "indicator--d7a63bf4-db56-5e57-b166-ab7e323698cb",
                "url--a1fb9f46-66e0-5a22-874c-8cb621988ccd",
                "indicator--d848fd1c-47f9-5b7a-8277-2cc71c636c4e",
                "domain-name--f194d404-fa16-5700-bf0f-fa53f817e82d",
                "indicator--31d0fe4a-98c8-5e9a-b93b-b42731d8bc14",
                "domain-name--55c8bc3b-747f-5faf-ace6-62501724eac1",
                "indicator--88e9262a-21c5-5858-8697-d9bd060ca835",
                "indicator--db177dd3-3823-541f-ba0d-1adfaf07b99e",
                "indicator--5797fc71-1164-5c97-83a3-35ca9881119c",
                "indicator--f4f3b9ff-cfd2-597b-afc7-670ffffbfe8d",
                "indicator--5f6554f3-5bdd-505f-b876-be9d45b926c1",
                "indicator--ce2a6ae4-e06d-584b-99b0-8530fb569089",
                "indicator--9f58167d-8319-5ed7-9f47-f13a10a191dd",
                "indicator--6bcdb391-a8e9-5830-ab57-03973c0ab8a8",
                "indicator--49c8a353-a9ec-5f12-80d0-d13836c2080b",
                "indicator--19e9f2bd-5226-5e85-9207-87446ffb003d",
                "indicator--55e860b7-9fa6-5d06-ad26-dc85a0ec624b",
                "indicator--977b0f79-d88c-58eb-aba8-2fa7054837b4",
                "indicator--9fad0131-4bac-5e31-a92c-457a3c460c31",
                "malware--9f4260d7-9f11-52f2-ad26-814dac3b4afa",
                "malware--baca93a4-3ee5-57ca-9a08-8af8d3cd445e",
                "attack-pattern--8e773df3-b3cc-54bd-83db-4028fe946d79",
                "attack-pattern--40b34036-0c2f-5429-b133-afcd52bb880c",
                "attack-pattern--d1d66d90-5aa7-5866-9753-179f8e1fdc18",
                "attack-pattern--f04532fb-150d-5d27-99b3-5392af504899",
                "attack-pattern--1076c468-8982-548b-9292-726a22f83ecb",
                "attack-pattern--e42939d6-6332-5a6c-8dac-6195c79081bc",
                "attack-pattern--cda30ca1-c824-539f-932b-fb0809cbd444",
                "attack-pattern--ed69c65f-7bc6-5a49-accd-759abe8c1c1b",
                "attack-pattern--c4d23a10-7ecd-543e-af65-13160caed625",
                "attack-pattern--d81b46ce-ef63-5c04-a945-180b77ff6da7",
                "attack-pattern--5b7a06ed-32c6-5260-95a8-8e82d3f41f1f",
                "attack-pattern--2897b2f1-408a-5653-857f-ba8d519a3780",
                "infrastructure--ea0cf03e-e0b2-5f37-abfe-bbecb74785e3",
                "relationship--a2959639-d316-5c96-8824-efbde5eaa252",
                "relationship--e7681a84-6ac0-5a11-90f1-3c839314b5b8",
                "relationship--e54b527d-ed26-5850-ac5e-805a79d43aa5",
                "relationship--95cfe951-edd8-57ed-ab82-2e39823a2896",
                "relationship--249711a0-9086-53b7-a114-e49afc7600e3",
                "relationship--1bdc4413-00f3-56b2-b394-ef851dc2d7d8",
                "relationship--cfe24c43-f9e2-553b-95bf-a7fad8a7e69f",
                "relationship--53d9d52d-29e5-5e0b-98e6-02ddb8cfe12d",
                "relationship--8971e1a1-8594-5b72-a9b1-008000205160",
                "relationship--ce4954a5-8243-5318-bb63-ac636ba09cc0",
                "relationship--29e8aa6a-6ec5-54de-9e52-0e0e7d0daf44",
                "relationship--22cade48-536f-514f-983f-92d24de507bd",
                "relationship--f5098a94-8961-58d3-b6e6-5bde54dd551f",
                "relationship--4cf730b7-275b-53ad-9508-c4cf46e77b5d",
                "relationship--966cf0d0-7b8b-56f9-a8f5-e76735b644cd",
                "relationship--566fa847-06ea-5889-837c-4c0efd2a26d6",
                "relationship--54f0431d-f132-5bd2-b584-ab9f16a6de87",
                "relationship--62dd3c1c-4806-5b91-9289-4a9c8f93723f",
                "relationship--b2dde0b4-4304-5027-8622-5ffab28945b1",
                "relationship--2f316de0-6d1b-5b88-a305-f5c68e53aadb",
                "relationship--b3ee3787-0029-5974-95ff-0eba85941633",
                "relationship--27b51760-2c35-5a7f-8362-52f56a195571",
                "relationship--5352c2f4-8a1b-5c40-824a-ef22ac4ee753",
                "relationship--594f2b8e-ee39-579d-b877-38f32f4f4541",
                "relationship--da0e2159-c0d0-5838-9c6b-e57de250f097",
                "relationship--1ab3144a-bf20-5a46-a3c6-5be731aca57d",
                "relationship--20a4d845-eea7-5452-be86-ec5956840ff3",
                "relationship--58059be1-7984-5c90-b1e1-20c4b805bc96",
                "relationship--e03f5773-f720-5ae4-8786-d1488cfcbcfe",
                "relationship--189e2eea-cf34-5294-9af9-999c7e19de6b",
                "relationship--59da7c4e-7e2c-5f17-91ff-584b0dbe282b",
                "relationship--63aa7746-121b-5a65-979a-cc45d17014cb",
                "relationship--c464e416-d77a-57ea-8215-ea2b4972da5c",
                "relationship--75364517-aa52-5031-a9f3-4219efd2a560",
                "relationship--f28125e3-5d46-5299-8422-4ef0848fd15e",
                "relationship--5a2aac12-2470-5cc5-9b0d-9f56ea56c26b",
                "relationship--7449024c-67de-5a34-a66d-f7c2404dc2a9",
                "relationship--ef3b6e3e-3225-5f25-b7b7-6d393a7e9eae",
                "relationship--3d1fa1ca-c6b2-5e76-a95a-6be0803c7348",
                "relationship--4ed35bff-3c5c-5acc-9293-d382020bd1bf",
                "relationship--fc014b6c-1d93-5750-9af2-1813a5986d2a",
                "relationship--465a65c3-b69d-5d80-b6a5-6919f7f182ff",
                "relationship--b54d3d0d-62e4-57a7-b991-000df7aa31e5",
                "relationship--0f3e5117-d669-5659-b9c9-e7f761349c43",
                "relationship--1ec65e27-538e-5076-909a-8f3ae9cdf18a",
                "relationship--c8142fcf-c61b-5ff4-b9a1-a3287f91d78d",
                "relationship--8f2891b1-e8f5-5215-8b97-e8cbe25c18a6"
            ],
            "labels": [
                "Exfil",
                "Cred Theft",
                "Open Dir",
                "Threat"
            ],
            "external_references": [
                {
                    "source_name": "The Hunters Ledger",
                    "url": "https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        }
    ]
}