cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4e868dad-682d-4897-b8df-2dc98f46c68a.json

{
    "type": "bundle",
    "id": "bundle--512f7360-3e9f-41ca-878f-d813af97ea7e",
    "spec_version": "2.0",
    "objects": [
        {
            "aliases": [
                "Windigo"
            ],
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "id": "intrusion-set--4e868dad-682d-4897-b8df-2dc98f46c68a",
            "type": "intrusion-set",
            "created": "2021-02-10T19:57:38.042Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "external_references": [
                {
                    "external_id": "G0124",
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/groups/G0124"
                },
                {
                    "source_name": "ESET Windigo Mar 2014",
                    "url": "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/",
                    "description": "Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., L\u00e9veill\u00e9, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo \u2013 the vivisection of a large Linux server\u2011side credential\u2011stealing malware campaign. Retrieved February 10, 2021."
                },
                {
                    "source_name": "CERN Windigo June 2019",
                    "url": "https://security.web.cern.ch/advisories/windigo/windigo.shtml",
                    "description": "CERN. (2019, June 4). 2019/06/04 Advisory: Windigo attacks. Retrieved February 10, 2021."
                }
            ],
            "modified": "2021-04-26T22:32:57.046Z",
            "name": "Windigo",
            "description": "The [Windigo](https://attack.mitre.org/groups/G0124) group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the [Ebury](https://attack.mitre.org/software/S0377) SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, [Windigo](https://attack.mitre.org/groups/G0124) operators continued updating [Ebury](https://attack.mitre.org/software/S0377) through 2019.(Citation: ESET Windigo Mar 2014)(Citation: CERN Windigo June 2019)",
            "x_mitre_version": "1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
}