{
  "type": "bundle",
  "id": "bundle--9029625f-eef7-433d-af8d-09022d6a4f03",
  "spec_version": "2.1",
  "created": "2026-06-11T23:57:51.531Z",
  "modified": "2026-06-11T23:57:51.531Z",
  "objects": [
    {
      "type": "extension-definition",
      "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "name": "Attack Flow",
      "description": "Extends STIX 2.1 with features to create Attack Flows.",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json",
      "version": "2.0.0",
      "extension_types": [
        "new-sdo"
      ],
      "external_references": [
        {
          "source_name": "Documentation",
          "description": "Documentation for Attack Flow",
          "url": "https://center-for-threat-informed-defense.github.io/attack-flow"
        },
        {
          "source_name": "GitHub",
          "description": "Source code repository for Attack Flow",
          "url": "https://github.com/center-for-threat-informed-defense/attack-flow"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "name": "MITRE Center for Threat-Informed Defense",
      "identity_class": "organization"
    },
    {
      "type": "attack-flow",
      "id": "attack-flow--676c8c5c-1b96-4043-89a0-aab775bc0f92",
      "spec_version": "2.1",
      "created": "2022-10-27T02:44:54.520Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "created_by_ref": "identity--165bbc75-45f9-4458-854f-62c29893a0d3",
      "start_refs": [
        "attack-action--55bbc7ec-ffb7-4185-b180-eb5f35bc61dc"
      ],
      "name": "Mac Malware Steals Crypto",
      "description": "Analysis of a malware family, OSX.DarthMiner, that targets macOS.",
      "scope": "malware",
      "external_references": [
        {
          "source_name": "Palo Alto",
          "description": "Blog",
          "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--165bbc75-45f9-4458-854f-62c29893a0d3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "name": "Eric Kannampuzha",
      "contact_information": "ekannampuzha@mitre.org"
    },
    {
      "type": "attack-action",
      "id": "attack-action--85e081c4-ab67-472b-b3a2-ff359bc464e2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Unix Shell",
      "description": "Webshell copies the Safari browser's cookies to a folder",
      "asset_refs": [
        "attack-asset--fea3da59-f16c-4fca-b0d0-a437ff8272b0"
      ],
      "effect_refs": [
        "attack-action--6de07b72-bae0-4bed-a641-002b74461961"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--6de07b72-bae0-4bed-a641-002b74461961",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exfiltration",
      "tactic_id": "TA0010",
      "tactic_ref": "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462",
      "description": "Uploads browser cookies to a remote server",
      "effect_refs": [
        "attack-operator--763cc208-162e-439b-84df-c4e9ea32a9e2"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--fea3da59-f16c-4fca-b0d0-a437ff8272b0",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Safari browser cookies",
      "description": "Targets cookies associated with cryptocurrency exchanges and any website having \"blockchain\" in its domain name"
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--9aced747-538e-4e99-9738-60fbb466b957",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "name": "46.226.108.171:8000",
      "description": "Remote Server",
      "infrastructure_types": [
        "exfiltration"
      ]
    },
    {
      "type": "tool",
      "id": "tool--d2a5c2be-74d2-4eca-bd36-16a3058868a6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "name": "curldrop",
      "description": "Hosted on the remote server; allows users to upload files with curl",
      "tool_types": [
        "unknown"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--9e267c9d-ab5c-446f-b1e1-b57fe510ce86",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Python",
      "description": "Python script extracts saved login credentials and credit card information from Chrome's local data storage",
      "effect_refs": [
        "attack-action--77409eed-e668-4a19-bd85-9c55b48bc59d"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--55bbc7ec-ffb7-4185-b180-eb5f35bc61dc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Initial Access",
      "tactic_id": "TA0001",
      "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
      "description": "CookieMiner targets different web browsers",
      "effect_refs": [
        "attack-action--85e081c4-ab67-472b-b3a2-ff359bc464e2",
        "attack-action--9e267c9d-ab5c-446f-b1e1-b57fe510ce86"
      ]
    },
    {
      "type": "tool",
      "id": "tool--cf4f914f-ea4d-43a8-bccd-471468562dcc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "name": "harmlesslittlecode.py",
      "description": "Python script",
      "tool_types": [
        "information-gathering",
        "credential-exploitation"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--77409eed-e668-4a19-bd85-9c55b48bc59d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exploitation for Defense Evasion",
      "tactic_id": "TA0005",
      "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
      "technique_id": "T1211",
      "technique_ref": "attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b",
      "description": "Abuses Google Chromium's techniques for decryption and extraction to steal credit card information and saved login credentials",
      "effect_refs": [
        "attack-action--9083cb76-8b62-472b-9ae2-56c90258ce69"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--9083cb76-8b62-472b-9ae2-56c90258ce69",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exfiltration",
      "tactic_id": "TA0010",
      "tactic_ref": "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462",
      "description": "Uploads stolen information to a remote server, including wallet-related file paths and private keys for the wallets",
      "effect_refs": [
        "attack-operator--763cc208-162e-439b-84df-c4e9ea32a9e2"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--763cc208-162e-439b-84df-c4e9ea32a9e2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-action--5be1aafd-dc2a-4a68-aab0-745bd70b7427"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--5be1aafd-dc2a-4a68-aab0-745bd70b7427",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Ingress Tool Transfer",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "technique_id": "T1105",
      "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
      "description": "Mach-O executable used for mining cryptocurrency (Koto) on the listed mining address",
      "asset_refs": [
        "attack-asset--f46b3cad-aad1-4256-9487-5f1e060e76a7"
      ],
      "effect_refs": [
        "attack-action--f07bd6fe-b4cb-4d42-89f2-8235297b880a"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--f07bd6fe-b4cb-4d42-89f2-8235297b880a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Python",
      "description": "Establishes remote control over the victim's machine",
      "effect_refs": [
        "attack-action--afbd6c13-5d78-4812-aeb5-523ae08c3053"
      ]
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--609da3e1-e06b-4014-bb01-5836972cf8c6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "name": "hxxps://ptpb[.]pw/OAZG",
      "description": "Location of the Python script",
      "infrastructure_types": [
        "hosting-malware"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--afbd6c13-5d78-4812-aeb5-523ae08c3053",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Security Software Discovery",
      "description": "Checks whether the Little Snitch application firewall is running and terminates if it is",
      "asset_refs": [
        "attack-asset--90108ce3-8b52-4b4e-89b7-e4d0a6869e04"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--90108ce3-8b52-4b4e-89b7-e4d0a6869e04",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Little Snitch"
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--5c516cf9-609d-4c30-bf40-fbe9292abc51",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "name": "Remote Server",
      "infrastructure_types": [
        "exfiltration"
      ]
    },
    {
      "type": "note",
      "id": "note--b65eea35-480d-4d94-8ca1-559f39577e13",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "content": "If iTunes is used to back up files, then attackers can collect text messages (SMSFILE) from the victim",
      "object_refs": [
        "attack-action--85e081c4-ab67-472b-b3a2-ff359bc464e2"
      ]
    },
    {
      "type": "malware",
      "id": "malware--fc9b2357-e209-45f4-80f2-2fb4d101be1f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "name": "xmrig",
      "description": "Mach-O executable for mining cryptocurrency",
      "malware_types": [
        "resource-exploitation"
      ],
      "is_family": true
    },
    {
      "type": "artifact",
      "id": "artifact--d7cdf078-5fce-4a15-85b7-5dedaf775b2c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "payload_bin": "k1GqvkK7QYEfMj3JPHieBo1m7FUkTowdq6H="
    },
    {
      "type": "url",
      "id": "url--64b32701-235c-4f48-8c0e-1c8b750adcfe",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "value": "hxxps://ptpb[.]pw/OAZG"
    },
    {
      "type": "malware",
      "id": "malware--86b9c251-4f43-4166-9163-ac356a1e13b3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "name": "EmPyre",
      "description": "Python post-exploitation agent; used by the attacker to send commands remotely to the victim's machine",
      "malware_types": [
        "remote-access-trojan"
      ],
      "is_family": true,
      "capabilities": [
        "communicates-with-c2"
      ]
    },
    {
      "type": "attack-asset",
      "id": "attack-asset--f46b3cad-aad1-4256-9487-5f1e060e76a7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Cryptocurrency Wallet",
      "object_ref": "artifact--d7cdf078-5fce-4a15-85b7-5dedaf775b2c"
    },
    {
      "type": "relationship",
      "id": "relationship--6b0c3848-17f1-40c0-a5ec-86650702e3fa",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--6de07b72-bae0-4bed-a641-002b74461961",
      "target_ref": "infrastructure--9aced747-538e-4e99-9738-60fbb466b957"
    },
    {
      "type": "relationship",
      "id": "relationship--283e7fe5-aa6c-4929-a17e-ec9000133789",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--6de07b72-bae0-4bed-a641-002b74461961",
      "target_ref": "tool--d2a5c2be-74d2-4eca-bd36-16a3058868a6"
    },
    {
      "type": "relationship",
      "id": "relationship--945286cb-5427-449b-ab66-931a01f5d525",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--9e267c9d-ab5c-446f-b1e1-b57fe510ce86",
      "target_ref": "tool--cf4f914f-ea4d-43a8-bccd-471468562dcc"
    },
    {
      "type": "relationship",
      "id": "relationship--9d2b3707-96f6-49e3-b908-c0c50c91c3e7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--9083cb76-8b62-472b-9ae2-56c90258ce69",
      "target_ref": "infrastructure--5c516cf9-609d-4c30-bf40-fbe9292abc51"
    },
    {
      "type": "relationship",
      "id": "relationship--0c729d7f-db91-4a4a-9b97-c6df573aedfd",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--5be1aafd-dc2a-4a68-aab0-745bd70b7427",
      "target_ref": "malware--fc9b2357-e209-45f4-80f2-2fb4d101be1f"
    },
    {
      "type": "relationship",
      "id": "relationship--4008afc7-2cf6-4b96-802d-053aa80a6a85",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--f07bd6fe-b4cb-4d42-89f2-8235297b880a",
      "target_ref": "infrastructure--609da3e1-e06b-4014-bb01-5836972cf8c6"
    },
    {
      "type": "relationship",
      "id": "relationship--82338b4c-be22-452f-b845-449cf3a55663",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--f07bd6fe-b4cb-4d42-89f2-8235297b880a",
      "target_ref": "malware--86b9c251-4f43-4166-9163-ac356a1e13b3"
    },
    {
      "type": "relationship",
      "id": "relationship--60dd92bc-2647-4f54-957a-2b9989bcf398",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.531Z",
      "modified": "2026-06-11T23:57:51.531Z",
      "relationship_type": "related-to",
      "source_ref": "infrastructure--609da3e1-e06b-4014-bb01-5836972cf8c6",
      "target_ref": "url--64b32701-235c-4f48-8c0e-1c8b750adcfe"
    }
  ]
}