SOC Incident Toolkit

Operation HookedWing

Tags: Operation HookedWing, Phishing, Credential Harvesting, Aviation, HookedWing

A persistent phishing operation active since 2022 that uses a custom kit hosted on github.io, vercel.app and on-fleek.app to harvest corporate credentials. Lures impersonate HR, Microsoft, Outlook and Google Drive notifications and send victims to static landing pages that load a PHP-served login form at runtime from a C2 running on a compromised legitimate server. Targets are aviation operators, civil aviation authorities, ground handling companies, ministries and energy infrastructure along the air corridors linking West and East Africa with the Persian Gulf, South Asia and Southeast Asia. More than 2,500 victims and 500 organizations have been identified across 22 C2 servers and 100 distribution domains.

Indicators of Compromise

Domains (9)

file-712.github.io
pdf-viewer-online.github.io
e578eb340bebd4fe6q.github.io
archived-document-file-2026.github.io
excel-file-document-2024.github.io
google-file-document.github.io
onedrive1-preview.github.io
microsoft-file.github.io
bc1qxy2kgdygjrsqtzq2n0yrf2493.github.io

Hashes (2)

557ff81c43c01b13c9743be96a19090aebec31f7104d77ea578b779b99bf4e4e
632705d808341aedb0f8ee2f1fa1e2d0a765e6373379111cb86cb9438407cb25

Notes

CONCLUSION

Operation HookedWing is one of the most persistent and least publicly documented phishing operations identified to date: it has sustained continuous activity for more than four years while remaining largely invisible to public threat intelligence sources until SOCRadar's investigation. The actor shows mature operational tradecraft in three ways. First, the distribution layer (static pages on github.io, vercel.app and on-fleek.app) is kept separate from the credential-capture layer (PHP on compromised servers), so either layer can be replaced without touching the other; the actor rotates distribution domains roughly quarterly while keeping the same backend C2 access. Second, access to a landing page is gated exclusively through the URL fragment (the #user@domain pattern): a browser never sends the fragment to the server, so the victim identifier never appears in hosting-platform logs and cannot be correlated passively from them. Third, the kit is planted on compromised legitimate web servers, which inherit their existing domain reputation and pass reputation-based filters. The kit's consistent technical fingerprint, including the stef namespace, the /genl/ path, dynamically injected PHP forms and Base64-encoded C2 references, has allowed correlation across at least four campaign variants (Campaign 1, 1.5, 2 and 3), which suggests either a centrally distributed builder shared among several operators or a single actor running parallel kits. The deliberate concentration on aviation operators, civil aviation authorities, ground handling and catering providers, ministries of foreign affairs, defense and energy infrastructure along the air corridors connecting West/East Africa, the Persian Gulf, South Asia and Southeast Asia rules out opportunistic targeting and points to an intelligence-driven operation interested in human movement, cargo manifests, passenger lists and route planning.

With more than 2,500 unique victims across 500+ organizations and over 22 distinct C2 servers identified, the operational scale demands layered defense rather than signature-based email security alone. Two properties of the kit determine where detection can actually happen. Because the victim address travels in the URL fragment, web-proxy and hosting logs record only the github.io/vercel.app/on-fleek.app host and path; the #user@domain pattern is visible only where the full URL is seen, that is at mail-gateway URL rewriting or time-of-click scanning and in browser telemetry. Because the landing page fetches its login form from the C2 at runtime and the C2 location lives in srv.js (window.stef.srv_loc), a dormant page can be re-armed by editing that one file, so hunting should key on the srv_loc reference and the Base64-encoded /genl/ path rather than on the page's visual content. For threat hunting, SOCRadar's IOC Radar can be used to identify Operation HookedWing distribution domains (github.io, vercel.app, on-fleek.app), C2 paths under /genl/, /hl/ and /zm/, and recurring kit assets across enterprise environments. Dark Web Monitoring is essential to detect aviation, government and energy sector credentials being traded on stealer marketplaces and underground forums, since the captured list.txt records are often resold to follow-on actors. Continuous Cyber Threat Intelligence updates on Operation HookedWing variants will improve detection accuracy as the actor rotates distribution infrastructure quarterly while preserving backend C2 access. Brand Protection services should monitor for typosquatting domains mimicking aviation operators, civil aviation authorities and Microsoft/Google services, while Attack Surface Management provides visibility into exposed web servers, abandoned subdomains and shared hosting accounts (HostGator, cPanel) that could be hijacked and converted into C2 nodes hosting the /genl/ directory structure characteristic of this operation.
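
The fingerprint above can be turned into a small triage routine. The following is an added example written for this page; it is not SOCRadar tooling and not code from the kit. Only the indicator names come from the write-up (the stef namespace and srv_loc variable, the preloader_container_stef identifier, the /genl/, /hl/ and /zm/ C2 paths, the static-hosting suffixes and the email-in-fragment lure URL). The C2 host compromised.example, the victim address user@airline.example and the landing-page snippet SAMPLE_PAGE are constructed for the demonstration and are assumptions, not observed artefacts.

```python
"""HookedWing fingerprint triage (added example; not SOCRadar tooling, not kit code).

Constructed for the demo: the C2 host compromised.example, the victim address
user@airline.example and the snippet SAMPLE_PAGE. Indicator names only come
from the write-up: the stef namespace / srv_loc variable, the
preloader_container_stef id, the /genl/ /hl/ /zm/ C2 paths, the static-hosting
suffixes and the #user@domain lure URL.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Static hosting platforms used for the distribution layer.
DISTRIBUTION_SUFFIXES = (".github.io", ".vercel.app", ".on-fleek.app", ".netlify.app")
# Directory names seen on the credential-capture (C2) layer.
KIT_PATHS = ("/genl/", "/hl/", "/zm/")
# Literal markers of the kit in landing-page HTML/JS.
KIT_MARKERS = ("window.stef", "srv_loc", "preloader_container_stef")

EMAIL_RE = re.compile(r"^[^@\s#/]+@[^@\s#/]+\.[^@\s#/]+$")
# Candidate Base64 blobs long enough to carry a URL (padding optional).
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def classify_lure_url(url):
    """Return (on_distribution_host, fragment_email).

    The victim identifier rides in the fragment, which the browser never sends
    to the server, so it is absent from hosting and proxy logs.  This check
    therefore belongs where the full URL is visible: mail-gateway URL
    rewriting, time-of-click scanning, or browser/EDR telemetry.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    on_host = host.endswith(DISTRIBUTION_SUFFIXES)
    email = parts.fragment if EMAIL_RE.match(parts.fragment) else None
    return on_host, email


def decoded_kit_refs(text):
    """Base64 strings in text that decode to something containing a kit path."""
    found = []
    for blob in B64_RE.findall(text):
        padded = blob + "=" * (-len(blob) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 (e.g. a long hex string or a token)
        decoded = raw.decode("ascii", errors="ignore")
        if any(p in decoded for p in KIT_PATHS):
            found.append(decoded)
    return found


def scan_content(text):
    """List the fingerprint hits in a landing-page body."""
    hits = ["marker:" + m for m in KIT_MARKERS if m in text]
    hits += ["b64_c2:" + ref for ref in decoded_kit_refs(text)]
    return hits


def is_hookedwing(url, body):
    """Verdict: distribution host plus either a fragment email or a kit hit."""
    on_host, email = classify_lure_url(url)
    return on_host and (email is not None or bool(scan_content(body)))


# Constructed sample inputs (hypothetical C2 host and victim; not real kit code).
SAMPLE_URL = "https://pdf-viewer-online.github.io/#user@airline.example"
SAMPLE_C2 = base64.b64encode(b"https://compromised.example/genl/").decode()
SAMPLE_PAGE = (
    '<div id="preloader_container_stef"></div>\n'
    "<script>window.stef = window.stef || {};"
    'window.stef.srv_loc = "' + SAMPLE_C2 + '";</script>\n'
)
BENIGN_URL = "https://someproject.github.io/docs/#install"
BENIGN_PAGE = "<h1>Docs</h1><p>Nothing to see here.</p>"

if __name__ == "__main__":
    print(classify_lure_url(SAMPLE_URL))
    print(scan_content(SAMPLE_PAGE))
    print(is_hookedwing(SAMPLE_URL, SAMPLE_PAGE), is_hookedwing(BENIGN_URL, BENIGN_PAGE))
```

The verdict deliberately requires the static-hosting host in addition to either the fragment address or a content hit, so ordinary GitHub Pages documentation with an in-page anchor is not flagged. The Base64 check decodes every candidate blob and looks for the kit path in the plaintext, which is what makes it robust to the actor changing the C2 hostname while keeping the /genl/ layout; it will not see a C2 reference that is obfuscated by something other than plain Base64.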

Mitigation

<span id="docs-internal-guid-188c7530-7fff-f51d-4b6b-b26b15aac144"><span style="font-size: 16pt; font-family: Arial, sans-serif; color: rgb(31, 56, 100); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">MITRE ATT&amp;CK Mitigation Table <span style="font-weight:normal;" id="docs-internal-guid-95035132-7fff-1d9e-66fb-0760f08173b8"><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col><col><col></colgroup><thead><tr style="height:0pt;"><th style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;background-color:#2e5496;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size: 10pt; color: rgb(255, 255, 255); background-color: transparent; font-variant: normal; vertical-align: baseline;">Technique ID</span></p></th><th style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;background-color:#2e5496;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size: 10pt; color: rgb(255, 255, 255); background-color: transparent; font-variant: normal; vertical-align: baseline;">Technique Name</span></p></th><th style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;background-color:#2e5496;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size: 10pt; color: rgb(255, 255, 255); background-color: transparent; font-variant: normal; vertical-align: 
baseline;">Tactic</span></p></th><th style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;background-color:#2e5496;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size: 10pt; color: rgb(255, 255, 255); background-color: transparent; font-variant: normal; vertical-align: baseline;">Mitigation ID</span></p></th><th style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;background-color:#2e5496;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size: 10pt; color: rgb(255, 255, 255); background-color: transparent; font-variant: normal; vertical-align: baseline;">Description</span></p></th></tr></thead><tbody><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">T1566.002</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Spearphishing Link</span></p></td><td style="border-left:solid #bfbfbf 
0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Initial Access</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">M1049</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Antivirus/Antimalware — Deploy advanced email security solutions with URL rewriting and time-of-click analysis to inspect links pointing to github.io, vercel.app, on-fleek.app, and netlify.app domains, blocking those with embedded email addresses in URL fragments (#user@domain pattern).</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 
700; font-variant: normal; vertical-align: baseline;">T1566.002</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Spearphishing Link</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Initial Access</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">M1017</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">User Training — Conduct targeted awareness training for aviation, government, and energy sector employees on lures impersonating HR, Microsoft, 
Outlook, and Google Drive notifications, emphasizing verification of sender identity before clicking "OPEN IN PDF" or "Sign in" buttons.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">T1583.001</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Acquire Infrastructure: Domains</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Resource Development</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: 
baseline;">M1056</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Pre-compromise — Subscribe to threat intelligence feeds and brand monitoring services to detect newly registered typosquatting domains mimicking legitimate aviation operators, DocuSign, OneDrive, or Microsoft services that could be used as future C2 servers.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">T1584.001</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Compromise Infrastructure: Domains</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; 
color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Resource Development</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">M1056</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Pre-compromise — Monitor for unauthorized creation of /genl/, /hl/, /zm/ directories on owned web servers and audit hosting accounts (HostGator, cPanel) for credential exposure on stealer marketplaces and dark web forums.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">T1584.006</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p 
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Compromise Infrastructure: Web Services</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Resource Development</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">M1021</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Restrict Web-Based Content — Block or proxy-inspect outbound traffic to *.github.io, *.vercel.app, and *.on-fleek.app from corporate networks where these platforms are not required for business operations, particularly for non-development users.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 
0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">T1059.007</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Command and Scripting Interpreter: JavaScript</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Execution</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">M1021</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Restrict Web-Based Content — Implement Content Security Policy (CSP) and browser isolation for high-risk users; use enterprise browsers that prevent execution of inline JavaScript loaded from untrusted static hosting platforms.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">T1546</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Event Triggered Execution</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Persistence</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p 
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">M1031</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Network Intrusion Prevention — Deploy DNS filtering and TLS inspection rules to detect repeated connections to dormant github.io repositories, since the kit reactivates landing pages by simply updating srv.js with a new C2 endpoint.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">T1027</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Obfuscated Files or Information</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 
0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Defense Evasion</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">M1049</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Antivirus/Antimalware — Deploy YARA rules and JavaScript analyzers capable of detecting Base64-encoded /genl/ paths, the window.stef.srv_loc variable, and the preloader_container_stef CSS identifier across HTML/JS responses.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">T1036</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 
0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Masquerading</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Defense Evasion</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">M1017</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">User Training — Train users to verify the URL bar carefully — landing pages hosted on github.io subdomains (e.g., microsoft-office365-*.github.io, restriction-de-compte-serveur-*.github.io) are never legitimate Microsoft, Outlook, or corporate authentication portals.</span></p></td></tr><tr 
style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">T1556</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Modify Authentication Process</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Defense Evasion</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">M1032</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 
0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Multi-factor Authentication — Enforce phishing-resistant MFA (FIDO2/WebAuthn) on all corporate, aviation operational, and webmail accounts to prevent credential reuse even when victims fall for the forced retry / fake error message social engineering.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">T1056.003</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Input Capture: Web Portal Capture</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Credential Access</span></p></td><td style="border-left:solid #bfbfbf 
0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">M1054</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Software Configuration — Configure SSO and Conditional Access policies to require device compliance and trusted network access; disable legacy authentication protocols that allow direct credential validation outside Conditional Access enforcement.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">T1598</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: 
baseline;">Phishing for Information</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Credential Access</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">M1017</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">User Training — Educate employees that legitimate authentication portals never display unsolicited "Account does not exist. 
Email is invalid" errors before login attempts and never embed user emails in URL fragments.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">T1185</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Browser Session Hijacking</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Collection</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">M1021</span></p></td><td style="border-left:solid #bfbfbf 
0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Restrict Web-Based Content — Deploy browser isolation or remote browser solutions for users in high-risk roles (government, civil aviation authorities, ground handling, ministries) that prevent client-side scripts from accessing geolocation APIs (api.ipdata.co) and submitting form data to untrusted endpoints.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">T1041</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Exfiltration Over C2 Channel</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); 
background-color: transparent; font-variant: normal; vertical-align: baseline;">Exfiltration</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">M1037</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Filter Network Traffic — Block outbound POST requests from corporate browsers to suspicious paths such as /genl/, /hl/, /zm/, /inde-s.php, /result.php, and /login.php?[token] on non-allowlisted domains; alert on any reference to list.txt retrieval.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">T1102</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p 
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Web Service</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Command and Control</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">M1031</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Network Intrusion Prevention — Block access to known malicious github.io repositories and inspect Vercel/on-fleek/Netlify subdomains; integrate IOC feeds (SOCRadar) covering Operation HookedWing distribution domains into the secure web gateway.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 
0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">T1071.001</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Application Layer Protocol: Web Protocols</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Command and Control</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;">M1037</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p 
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Filter Network Traffic — Inspect HTTPS traffic for anomalous POST patterns containing fields em-field, em-field2, pwd-field, pidt-field, ocdt-field, auth_status_, and UrlDom_main consistent with Operation HookedWing form schema.</span></p></td></tr></tbody></table></div></span></span></span>
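The two M1037 rows above (kit paths, form-field schema, list.txt retrieval) together with the email-in-URL-fragment point from the M1017 row, turned into a small proxy-log sweep. This is an added example, not SOCRadar's or the toolkit's own code; the tab-separated log format, the c2-placeholder.invalid host and the allowlist are assumptions, and the github.io host in the sample is taken from the page's IoC list.

```python
# Detection sweep for the M1037 rows above (kit paths, form fields, list.txt, email-in-fragment).
# Added example, not SOCRadar's tooling; the tab-separated log format, the
# c2-placeholder.invalid host and the allowlist are constructed assumptions.
import re
from urllib.parse import parse_qs, urlsplit

# Kit paths from the M1037 row; /login.php?[token] is matched on the path part only.
KIT_PATHS = re.compile(r"/(?:genl|hl|zm)/|/(?:inde-s|result|login)\.php$")
# Form field names from the T1071.001 / M1037 row.
KIT_FIELDS = {"em-field", "em-field2", "pwd-field", "pidt-field",
              "ocdt-field", "auth_status_", "UrlDom_main"}
# Free-hosting platforms the campaign uses for landing pages.
LANDING_SUFFIXES = (".github.io", ".vercel.app", ".on-fleek.app")
# Assumed corporate allowlist; replace with your own identity providers.
ALLOWLIST = {"login.microsoftonline.com", "accounts.google.com"}

def classify(method, url, body=""):
    """Return the indicator matches for one request (empty list = no match)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in ALLOWLIST:
        return reasons
    if method == "POST" and KIT_PATHS.search(parts.path):
        reasons.append("POST to kit path " + parts.path)
    if parts.path.endswith("/list.txt"):
        reasons.append("list.txt retrieval")
    if host.endswith(LANDING_SUFFIXES) and "@" in parts.fragment:
        reasons.append("email address in URL fragment on " + host)
    if method == "POST" and body:
        matched = KIT_FIELDS & set(parse_qs(body, keep_blank_values=True))
        if len(matched) >= 2:  # one common field name alone is too noisy
            reasons.append("kit form fields " + ", ".join(sorted(matched)))
    return reasons

def scan_log(lines):
    """Scan tab-separated lines (timestamp, src, method, url[, body]) -> [(line_no, reasons)]."""
    findings = []
    for n, line in enumerate(lines, 1):
        cols = line.rstrip("\n").split("\t")
        if len(cols) < 4:
            continue  # malformed line: skip rather than crash the sweep
        reasons = classify(cols[2].upper(), cols[3], cols[4] if len(cols) > 4 else "")
        if reasons:
            findings.append((n, reasons))
    return findings

# Constructed sample log, not captured traffic; the github.io host is from the IoC list.
SAMPLE_LOG = [
    "2024-05-02T09:14:03Z\t10.0.4.17\tGET\thttps://microsoft-file.github.io/#user@corp.example",
    "2024-05-02T09:14:05Z\t10.0.4.17\tGET\thttps://c2-placeholder.invalid/zm/list.txt",
    "2024-05-02T09:14:21Z\t10.0.4.17\tPOST\thttps://c2-placeholder.invalid/genl/inde-s.php"
    "\tem-field=user%40corp.example&pwd-field=hunter2&UrlDom_main=corp.example",
    "2024-05-02T09:15:00Z\t10.0.4.22\tPOST\thttps://login.microsoftonline.com/result.php\tlogin=x",
    "2024-05-02T09:15:30Z\t10.0.4.22\tGET\thttps://intranet.corp.example/login.php?next=/",
]

if __name__ == "__main__":
    for line_no, reasons in scan_log(SAMPLE_LOG):
        print(line_no, "; ".join(reasons))
```

The allowlist short-circuit is what keeps an internal GET to /login.php or a legitimate IdP POST out of the findings; tune KIT_FIELDS threshold and ALLOWLIST to your environment before running it over real proxy exports.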