{
  "name": "The Good, the Bad and the Ugly in Cybersecurity \u2013 Week 20",
  "slug": "the-good-the-bad-and-the-ugly-in-cybersecurity-week-20",
  "description": "This intelligence update covers recent cybersecurity events. In positive developments, global authorities disrupted a major botnet, arrested a ransomware actor, and dismantled a dark web marketplace. On the negative side, a malicious NPM package was discovered hiding multi-stage malware using Unicode and Google Calendar. The most concerning development involves cyberspies exploiting a zero-day vulnerability in Output Messenger to target Kurdish military users in Iraq, showcasing increased capabilities of the Marbled Dust threat group.",
  "published": "2025-05-16T14:33:03+00:00",
  "created_at": "2025-05-16T14:33:03+00:00",
  "modified_at": "2025-05-21T18:49:08+00:00",
  "created_at_opencti": "2025-05-16T14:33:03+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-05-16",
    "CVE-2025-27920",
    "botnet",
    "dark web",
    "dns hijacking",
    "doppelpaymer",
    "kurdish military",
    "npm",
    "omclientservice.exe",
    "omserverservice.exe",
    "output messenger",
    "ransomware",
    "zero-day"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "api.wordinfos.com"
      }
    ],
    "malware": [
      {
        "id": "7c60408b-2226-411e-bdd5-4418aa3f254c",
        "name": "DoppelPaymer",
        "slug": "doppelpaymer"
      }
    ],
    "intrusion_sets": [
      {
        "id": "legacy:intrusion:af109c3d22222c51",
        "name": "Marbled Dust",
        "slug": "marbled-dust"
      }
    ],
    "attack_patterns": [
      {
        "id": "4bbdf41c-817c-448a-9513-aaea6bfbe8b4",
        "name": "T1568"
      },
      {
        "id": "2ccc4626-0e86-4148-a5a8-2aa270e22dbd",
        "name": "T1588.001"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "6a146066-5a78-493c-a26a-133b62c1149e",
        "name": "T1588.002"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-27920"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Kosovo"
      },
      {
        "id": "",
        "name": "Iraq"
      },
      {
        "id": "",
        "name": "Moldova, Republic of"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-20-6",
    "https://otx.alienvault.com/pulse/682768bfc09a2c586edd469a"
  ]
}