{"generated_at": "2026-07-01T04:27:37.420788+00:00", "mode": "live", "parameters": {"days": 3, "limit": 100, "source_ids": ["openphish", "cisa_kev", "threatfox", "urlhaus_recent", "malwarebazaar_recent", "fortiguard_outbreak", "fortiguard_psirt", "ransomware_live_victims", "first_epss_top", "otx_pulses", "misp_rest_search", "local_intel_drop", "nvd_recent_cves", "cisa_cybersecurity_advisories", "cisa_news_alerts", "microsoft_msrc_rss", "paloalto_unit42_rss", "cisco_talos_rss", "thehackernews_rss", "bleepingcomputer_security_rss", "telegram_breachsense_public"]}, "source_statuses": [{"source_id": "openphish", "name": "OpenPhish Public Feed", "docs_url": "https://openphish.com/", "feed_url": "https://openphish.com/feed.txt", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 100, "error": "", "description": "Public phishing URL feed."}, {"source_id": "cisa_kev", "name": "CISA Known Exploited Vulnerabilities", "docs_url": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json", "feed_url": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 100, "error": "", "description": "Catalog of vulnerabilities known to be exploited in the wild."}, {"source_id": "threatfox", "name": "ThreatFox Community API", "docs_url": "https://threatfox.abuse.ch/api/", "feed_url": "https://threatfox-api.abuse.ch/api/v1/", "requires_auth": true, "auth_configured": true, "status": "ok", "record_count": 100, "error": "", "description": "Free IOC feed with malware family and threat-type context."}, {"source_id": "urlhaus_recent", "name": "URLhaus Recent URLs", "docs_url": "https://urlhaus-api.abuse.ch/", "feed_url": "https://urlhaus-api.abuse.ch/v1/urls/recent/", "requires_auth": true, "auth_configured": true, "status": "ok", "record_count": 100, "error": "", "description": "Recent malware and phishing delivery URLs from URLhaus."}, {"source_id": "malwarebazaar_recent", "name": "MalwareBazaar Recent Samples", "docs_url": "https://bazaar.abuse.ch/api/", "feed_url": "https://mb-api.abuse.ch/api/v1/", "requires_auth": true, "auth_configured": true, "status": "ok", "record_count": 2, "error": "", "description": "Recent malware sample metadata from MalwareBazaar."}, {"source_id": "fortiguard_outbreak", "name": "FortiGuard Outbreak Alerts RSS", "docs_url": "https://www.fortiguard.com/rss-feeds", "feed_url": "https://filestore.fortinet.com/fortiguard/rss/outbreakalert.xml", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 20, "error": "", "description": "Official FortiGuard outbreak alerts feed."}, {"source_id": "fortiguard_psirt", "name": "FortiGuard PSIRT Advisories RSS", "docs_url": "https://www.fortiguard.com/rss-feeds", "feed_url": "https://filestore.fortinet.com/fortiguard/rss/ir.xml", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 50, "error": "", "description": "Official FortiGuard PSIRT advisories feed."}, {"source_id": "ransomware_live_victims", "name": "Ransomware.live Victims", "docs_url": "https://www.ransomware.live/", "feed_url": "https://api.ransomware.live/v2/searchvictims/mongolia", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 6, "error": "", "description": "Ransomware victim and group tracking for Mongolia mentions via ransomware.live search."}, {"source_id": "first_epss_top", "name": "FIRST EPSS Top Exploitation Probability", "docs_url": "https://www.first.org/epss/api", "feed_url": "https://api.first.org/data/v1/epss?order=!epss", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 100, "error": "", "description": "Public EPSS vulnerability exploitation probability feed for CVE risk enrichment."}, {"source_id": "otx_pulses", "name": "AlienVault OTX Pulses", "docs_url": "https://otx.alienvault.com/api", "feed_url": "https://otx.alienvault.com/api/v1/pulses/subscribed", "requires_auth": true, "auth_configured": true, "status": "auth_error", "record_count": 0, "error": "Authentication failed or source access was denied.", "description": "OTX subscribed pulses and indicators from AlienVault Open Threat Exchange."}, {"source_id": "misp_rest_search", "name": "MISP RestSearch", "docs_url": "https://www.misp-project.org/openapi/", "feed_url": "", "requires_auth": true, "auth_configured": false, "status": "skipped_auth_missing", "record_count": 0, "error": "", "description": "Trusted-sharing MISP events and attributes via /events/restSearch."}, {"source_id": "local_intel_drop", "name": "Local Intel Drop Folder", "docs_url": "local", "feed_url": "data/incoming_intel", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 0, "error": "", "description": "Reads JSON exports dropped into data/incoming_intel for CERT, Shadowserver, MISP, or commercial reports."}, {"source_id": "nvd_recent_cves", "name": "NVD Recent CVEs", "docs_url": "https://nvd.nist.gov/developers/vulnerabilities", "feed_url": "https://services.nvd.nist.gov/rest/json/cves/2.0/", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 100, "error": "", "description": "Rolling NVD CVE metadata for vulnerability enrichment, using the collector --days lookback."}, {"source_id": "cisa_cybersecurity_advisories", "name": "CISA Cybersecurity Advisories RSS", "docs_url": "https://www.cisa.gov/cybersecurity-advisories", "feed_url": "https://www.cisa.gov/cybersecurity-advisories/all.xml", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 30, "error": "", "description": "CISA advisories for active exploitation and defensive guidance."}, {"source_id": "cisa_news_alerts", "name": "CISA News and Alerts RSS", "docs_url": "https://www.cisa.gov/news-events", "feed_url": "https://www.cisa.gov/news.xml", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 10, "error": "", "description": "CISA news and alerts for operational cyber context."}, {"source_id": "microsoft_msrc_rss", "name": "Microsoft MSRC RSS", "docs_url": "https://msrc.microsoft.com/update-guide", "feed_url": "https://api.msrc.microsoft.com/update-guide/rss", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 100, "error": "", "description": "Microsoft vulnerability and patch intelligence from MSRC."}, {"source_id": "paloalto_unit42_rss", "name": "Palo Alto Unit 42 RSS", "docs_url": "https://unit42.paloaltonetworks.com/", "feed_url": "https://unit42.paloaltonetworks.com/feed/", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 15, "error": "", "description": "Threat actor, malware, ransomware, and campaign reporting from Unit 42."}, {"source_id": "cisco_talos_rss", "name": "Cisco Talos RSS", "docs_url": "https://blog.talosintelligence.com/", "feed_url": "https://blog.talosintelligence.com/rss/", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 15, "error": "", "description": "Cisco Talos threat research, malware, and vulnerability reporting."}, {"source_id": "thehackernews_rss", "name": "The Hacker News RSS", "docs_url": "https://thehackernews.com/", "feed_url": "https://feeds.feedburner.com/TheHackersNews", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 50, "error": "", "description": "Broad cyber threat and vulnerability news feed for contextual enrichment."}, {"source_id": "bleepingcomputer_security_rss", "name": "BleepingComputer Security RSS", "docs_url": "https://www.bleepingcomputer.com/", "feed_url": "https://www.bleepingcomputer.com/feed/", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 15, "error": "", "description": "Security news, ransomware, malware, and vulnerability reporting."}, {"source_id": "telegram_breachsense_public", "name": "Telegram Threat Actor Channels", "docs_url": "https://www.breachsense.com/threat-actor-channels/", "feed_url": "data/telegram_channels.json", "requires_auth": false, "auth_configured": true, "status": "ok", "record_count": 47, "error": "", "description": "Public Telegram web-preview posts from VALID/ONLINE threat actor channels listed by Breachsense; private/invite channels are cataloged but not fetched."}], "source_catalog": [{"id": "sample_file", "name": "Local Sample Intel", "kind": "sample_file", "feed_url": "data/sample_intel.json", "docs_url": "local", "requires_auth": false, "auth_env": "", "default_modes": ["sample", "hybrid"], "description": "Offline sample dataset for safe local testing.", "auth_configured": true, "enabled_for_mode": false}, {"id": "openphish", "name": "OpenPhish Public Feed", "kind": "openphish", "feed_url": "https://openphish.com/feed.txt", "docs_url": "https://openphish.com/", "requires_auth": false, "auth_env": "", "default_modes": ["live", "hybrid"], "description": "Public phishing URL feed.", "auth_configured": true, "enabled_for_mode": true}, {"id": "cisa_kev", "name": "CISA Known Exploited Vulnerabilities", "kind": "cisa_kev", "feed_url": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json", "docs_url": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json", "requires_auth": false, "auth_env": "", "default_modes": ["live", "hybrid"], "description": "Catalog of vulnerabilities known to be exploited in the wild.", "auth_configured": true, "enabled_for_mode": true}, {"id": "threatfox", "name": "ThreatFox Community API", "kind": "threatfox", "feed_url": "https://threatfox-api.abuse.ch/api/v1/", "docs_url": "https://threatfox.abuse.ch/api/", "requires_auth": true, "auth_env": "THREATFOX_API_KEY", "default_modes": ["live", "hybrid"], "description": "Free IOC feed with malware family and threat-type context.", "auth_configured": true, "enabled_for_mode": true}, {"id": "urlhaus_recent", "name": "URLhaus Recent URLs", "kind": "urlhaus_recent", "feed_url": "https://urlhaus-api.abuse.ch/v1/urls/recent/", "docs_url": "https://urlhaus-api.abuse.ch/", "requires_auth": true, "auth_env": "URLHAUS_API_KEY", "default_modes": ["live", "hybrid"], "description": "Recent malware and phishing delivery URLs from URLhaus.", "auth_configured": true, "enabled_for_mode": true}, {"id": "malwarebazaar_recent", "name": "MalwareBazaar Recent Samples", "kind": "malwarebazaar_recent", "feed_url": "https://mb-api.abuse.ch/api/v1/", "docs_url": "https://bazaar.abuse.ch/api/", "requires_auth": true, "auth_env": "MALWAREBAZAAR_API_KEY", "default_modes": ["live", "hybrid"], "description": "Recent malware sample metadata from MalwareBazaar.", "auth_configured": true, "enabled_for_mode": true}, {"id": "fortiguard_outbreak", "name": "FortiGuard Outbreak Alerts RSS", "kind": "rss_generic", "feed_url": "https://filestore.fortinet.com/fortiguard/rss/outbreakalert.xml", "docs_url": "https://www.fortiguard.com/rss-feeds", "requires_auth": false, "auth_env": "", "default_modes": ["live", "hybrid"], "description": "Official FortiGuard outbreak alerts feed.", "confidence": 0.7, "tags": ["vendor_rss", "fortiguard", "outbreak_alert"], "targeted_sectors": ["critical_infrastructure"], "auth_configured": true, "enabled_for_mode": true}, {"id": "fortiguard_psirt", "name": "FortiGuard PSIRT Advisories RSS", "kind": "rss_generic", "feed_url": "https://filestore.fortinet.com/fortiguard/rss/ir.xml", "docs_url": "https://www.fortiguard.com/rss-feeds", "requires_auth": false, "auth_env": "", "default_modes": ["live", "hybrid"], "description": "Official FortiGuard PSIRT advisories feed.", "confidence": 0.75, "tags": ["vendor_rss", "fortiguard", "psirt", "active_exploitation"], "targeted_sectors": ["critical_infrastructure", "telecommunications"], "auth_configured": true, "enabled_for_mode": true}, {"id": "ransomware_live_victims", "name": "Ransomware.live Victims", "kind": "ransomware_live_victims", "feed_url": "https://api.ransomware.live/v2/searchvictims/mongolia", "docs_url": "https://www.ransomware.live/", "requires_auth": false, "auth_env": "", "default_modes": ["live", "hybrid"], "description": "Ransomware victim and group tracking for Mongolia mentions via ransomware.live search.", "tags": ["ransomware", "victimology"], "auth_configured": true, "enabled_for_mode": true}, {"id": "first_epss_top", "name": "FIRST EPSS Top Exploitation Probability", "kind": "epss", "feed_url": "https://api.first.org/data/v1/epss?order=!epss", "docs_url": "https://www.first.org/epss/api", "requires_auth": false, "auth_env": "", "default_modes": ["live", "hybrid"], "description": "Public EPSS vulnerability exploitation probability feed for CVE risk enrichment.", "tags": ["epss", "vulnerability", "enrichment"], "auth_configured": true, "enabled_for_mode": true}, {"id": "otx_pulses", "name": "AlienVault OTX Pulses", "kind": "otx_pulses", "feed_url": "https://otx.alienvault.com/api/v1/pulses/subscribed", "docs_url": "https://otx.alienvault.com/api", "requires_auth": true, "auth_env": "OTX_API_KEY", "default_modes": ["live", "hybrid"], "description": "OTX subscribed pulses and indicators from AlienVault Open Threat Exchange.", "tags": ["otx", "pulse"], "auth_configured": true, "enabled_for_mode": true}, {"id": "misp_rest_search", "name": "MISP RestSearch", "kind": "misp_rest_search", "feed_url": "${MISP_URL}", "feed_url_env": "MISP_URL", "docs_url": "https://www.misp-project.org/openapi/", "requires_auth": true, "auth_env": "MISP_API_KEY", "required_env": ["MISP_URL", "MISP_API_KEY"], "default_modes": ["live", "hybrid"], "description": "Trusted-sharing MISP events and attributes via /events/restSearch.", "tags": ["misp", "trusted_sharing"], "auth_configured": false, "enabled_for_mode": true}, {"id": "local_intel_drop", "name": "Local Intel Drop Folder", "kind": "local_intel_folder", "feed_url": "data/incoming_intel", "docs_url": "local", "requires_auth": false, "auth_env": "", "default_modes": ["live", "hybrid"], "description": "Reads JSON exports dropped into data/incoming_intel for CERT, Shadowserver, MISP, or commercial reports.", "tags": ["local_intel", "partner_feed"], "auth_configured": true, "enabled_for_mode": true}, {"id": "nvd_recent_cves", "name": "NVD Recent CVEs", "kind": "nvd_cve", "feed_url": "https://services.nvd.nist.gov/rest/json/cves/2.0/", "docs_url": "https://nvd.nist.gov/developers/vulnerabilities", "requires_auth": false, "auth_env": "NVD_API_KEY", "default_modes": ["live", "hybrid"], "description": "Rolling NVD CVE metadata for vulnerability enrichment, using the collector --days lookback.", "tags": ["nvd", "cve", "enrichment"], "auth_configured": true, "enabled_for_mode": true}, {"id": "cisa_cybersecurity_advisories", "name": "CISA Cybersecurity Advisories RSS", "kind": "rss_generic", "feed_url": "https://www.cisa.gov/cybersecurity-advisories/all.xml", "docs_url": "https://www.cisa.gov/cybersecurity-advisories", "requires_auth": false, "auth_env": "", "default_modes": ["live", "hybrid"], "description": "CISA advisories for active exploitation and defensive guidance.", "confidence": 0.78, "tags": ["cisa", "advisory", "active_exploitation"], "targeted_sectors": ["critical_infrastructure", "government"], "auth_configured": true, "enabled_for_mode": true}, {"id": "cisa_news_alerts", "name": "CISA News and Alerts RSS", "kind": "rss_generic", "feed_url": "https://www.cisa.gov/news.xml", "docs_url": "https://www.cisa.gov/news-events", "requires_auth": false, "auth_env": "", "default_modes": ["live", "hybrid"], "description": "CISA news and alerts for operational cyber context.", "confidence": 0.66, "tags": ["cisa", "alert", "vendor_rss"], "targeted_sectors": ["critical_infrastructure", "government"], "auth_configured": true, "enabled_for_mode": true}, {"id": "microsoft_msrc_rss", "name": "Microsoft MSRC RSS", "kind": "rss_generic", "feed_url": "https://api.msrc.microsoft.com/update-guide/rss", "docs_url": "https://msrc.microsoft.com/update-guide", "requires_auth": false, "auth_env": "", "default_modes": ["live", "hybrid"], "description": "Microsoft vulnerability and patch intelligence from MSRC.", "confidence": 0.72, "tags": ["microsoft", "msrc", "vulnerability", "vendor_rss"], "targeted_sectors": ["government", "banking", "telecommunications", "critical_infrastructure"], "auth_configured": true, "enabled_for_mode": true}, {"id": "paloalto_unit42_rss", "name": "Palo Alto Unit 42 RSS", "kind": "rss_generic", "feed_url": "https://unit42.paloaltonetworks.com/feed/", "docs_url": "https://unit42.paloaltonetworks.com/", "requires_auth": false, "auth_env": "", "default_modes": ["live", "hybrid"], "description": "Threat actor, malware, ransomware, and campaign reporting from Unit 42.", "confidence": 0.68, "tags": ["unit42", "vendor_rss", "threat_report"], "auth_configured": true, "enabled_for_mode": true}, {"id": "cisco_talos_rss", "name": "Cisco Talos RSS", "kind": "rss_generic", "feed_url": "https://blog.talosintelligence.com/rss/", "docs_url": "https://blog.talosintelligence.com/", "requires_auth": false, "auth_env": "", "default_modes": ["live", "hybrid"], "description": "Cisco Talos threat research, malware, and vulnerability reporting.", "confidence": 0.68, "tags": ["talos", "vendor_rss", "threat_report"], "auth_configured": true, "enabled_for_mode": true}, {"id": "thehackernews_rss", "name": "The Hacker News RSS", "kind": "rss_generic", "feed_url": "https://feeds.feedburner.com/TheHackersNews", "docs_url": "https://thehackernews.com/", "requires_auth": false, "auth_env": "", "default_modes": ["live", "hybrid"], "description": "Broad cyber threat and vulnerability news feed for contextual enrichment.", "confidence": 0.52, "tags": ["news", "threat_report", "enrichment"], "auth_configured": true, "enabled_for_mode": true}, {"id": "bleepingcomputer_security_rss", "name": "BleepingComputer Security RSS", "kind": "rss_generic", "feed_url": "https://www.bleepingcomputer.com/feed/", "docs_url": "https://www.bleepingcomputer.com/", "requires_auth": false, "auth_env": "", "default_modes": ["live", "hybrid"], "description": "Security news, ransomware, malware, and vulnerability reporting.", "confidence": 0.55, "tags": ["news", "ransomware", "malware", "enrichment"], "auth_configured": true, "enabled_for_mode": true}, {"id": "telegram_breachsense_public", "name": "Telegram Threat Actor Channels", "kind": "telegram_public_channels", "feed_url": "data/telegram_channels.json", "docs_url": "https://www.breachsense.com/threat-actor-channels/", "requires_auth": false, "auth_env": "", "default_modes": ["live", "hybrid"], "description": "Public Telegram web-preview posts from VALID/ONLINE threat actor channels listed by Breachsense; private/invite channels are cataloged but not fetched.", "confidence": 0.58, "channel_limit": 25, "post_limit": 3, "tags": ["telegram", "breachsense", "threat_actor_channels", "osint"], "auth_configured": true, "enabled_for_mode": true}], "raw_record_count": 960, "finding_count": 6, "ioc_total": 14, "highest_risk": 75, "merged_state_count": 10, "severity_counts": {"high": 4, "medium": 2}, "actors": {"funksec": 5, "spacebears": 1}, "sectors": {"government": 4, "critical_infrastructure": 1, "energy": 1, "healthcare": 1}, "mitre": {}, "findings": [{"timestamp": "2026-07-01T04:27:37.419541+00:00", "severity": "high", "threat_type": "ransomware", "malware_family": "", "ransomware_group": "funksec", "affected_sector": "government", "target_country": "Mongolia", "confidence_score": "0.82", "ioc_count": "2", "cves": [], "malicious_ips": [], "domains": ["barilga.gov.mn", "funknqn44slwmgwgnewne6bintbooauwkaupik4yrlgtycew3ergraid.onion"], "hashes": [], "summary": "Ransomware victim report: barilga.gov.mn MN funksec Public Sector", "recommended_actions": ["Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.", "Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.", "Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.", "Validate offline backups, test restoration paths, and review lateral movement controls.", "Escalate to national-level coordination and verify protective monitoring on critical services."], "executive_summary": "High ransomware activity relevant to Mongolia was identified across 1 corroborating observations.", "technical_summary": "Ransomware victim report: barilga.gov.mn MN funksec Public Sector", "threat_actor_attribution": ["funksec"], "risk_score": 75, "mitre_attack_mapping": [], "first_seen": "2025-01-15T15:24:20.897975+00:00", "last_seen": "2025-01-15T15:24:20.897975+00:00"}, {"timestamp": "2026-07-01T04:27:37.419541+00:00", "severity": "high", "threat_type": "ransomware", "malware_family": "", "ransomware_group": "funksec", "affected_sector": "government", "target_country": "Mongolia", "confidence_score": "0.82", "ioc_count": "3", "cves": [], "malicious_ips": [], "domains": ["7ixfdvqb4eaju5lzj4gg76kwlrxg4ugqpuog5oqkkmgfyn33h527oyyd.onion", "bayan-ulgii.cfga.gov.mn", "cfga.gov.mn"], "hashes": [], "summary": "Ransomware victim report: bayan-ulgii.cfga.gov.mn MN funksec Public Sector", "recommended_actions": ["Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.", "Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.", "Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.", "Validate offline backups, test restoration paths, and review lateral movement controls.", "Escalate to national-level coordination and verify protective monitoring on critical services."], "executive_summary": "High ransomware activity relevant to Mongolia was identified across 1 corroborating observations.", "technical_summary": "Ransomware victim report: bayan-ulgii.cfga.gov.mn MN funksec Public Sector", "threat_actor_attribution": ["funksec"], "risk_score": 75, "mitre_attack_mapping": [], "first_seen": "2025-01-05T02:28:19.840621+00:00", "last_seen": "2025-01-05T02:28:21.836484+00:00"}, {"timestamp": "2026-07-01T04:27:37.419541+00:00", "severity": "high", "threat_type": "ransomware", "malware_family": "", "ransomware_group": "funksec", "affected_sector": "critical_infrastructure, government", "target_country": "Mongolia", "confidence_score": "0.82", "ioc_count": "2", "cves": [], "malicious_ips": [], "domains": ["7ixfdvqb4eaju5lzj4gg76kwlrxg4ugqpuog5oqkkmgfyn33h527oyyd.onion", "tsag-agaar.gov.mn"], "hashes": [], "summary": "Ransomware victim report: tsag-agaar.gov.mn MN funksec Transportation/Logistics", "recommended_actions": ["Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.", "Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.", "Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.", "Validate offline backups, test restoration paths, and review lateral movement controls.", "Escalate to national-level coordination and verify protective monitoring on critical services."], "executive_summary": "High ransomware activity relevant to Mongolia was identified across 1 corroborating observations.", "technical_summary": "Ransomware victim report: tsag-agaar.gov.mn MN funksec Transportation/Logistics", "threat_actor_attribution": ["funksec"], "risk_score": 75, "mitre_attack_mapping": [], "first_seen": "2024-12-31T09:14:07.551045+00:00", "last_seen": "2024-12-31T09:14:09.806680+00:00"}, {"timestamp": "2026-07-01T04:27:37.419541+00:00", "severity": "high", "threat_type": "ransomware", "malware_family": "", "ransomware_group": "funksec", "affected_sector": "government", "target_country": "Mongolia", "confidence_score": "0.82", "ioc_count": "2", "cves": [], "malicious_ips": [], "domains": ["7ixfdvqb4eaju5lzj4gg76kwlrxg4ugqpuog5oqkkmgfyn33h527oyyd.onion", "rtdc.gov.mn"], "hashes": [], "summary": "Ransomware victim report: rtdc.gov.mn MN funksec Public Sector", "recommended_actions": ["Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.", "Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.", "Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.", "Validate offline backups, test restoration paths, and review lateral movement controls.", "Escalate to national-level coordination and verify protective monitoring on critical services."], "executive_summary": "High ransomware activity relevant to Mongolia was identified across 1 corroborating observations.", "technical_summary": "Ransomware victim report: rtdc.gov.mn MN funksec Public Sector", "threat_actor_attribution": ["funksec"], "risk_score": 75, "mitre_attack_mapping": [], "first_seen": "2024-12-17T10:24:44.336915+00:00", "last_seen": "2024-12-17T10:24:46.481246+00:00"}, {"timestamp": "2026-07-01T04:27:37.419541+00:00", "severity": "medium", "threat_type": "ransomware", "malware_family": "", "ransomware_group": "funksec", "affected_sector": "energy", "target_country": "Mongolia", "confidence_score": "0.82", "ioc_count": "2", "cves": [], "malicious_ips": [], "domains": ["7ixfdvqb4eaju5lzj4gg76kwlrxg4ugqpuog5oqkkmgfyn33h527oyyd.onion", "ndc.energy.mn"], "hashes": [], "summary": "Ransomware victim report: ndc.energy.mn MN funksec Energy", "recommended_actions": ["Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.", "Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.", "Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.", "Validate offline backups, test restoration paths, and review lateral movement controls."], "executive_summary": "Medium ransomware activity relevant to Mongolia was identified across 1 corroborating observations.", "technical_summary": "Ransomware victim report: ndc.energy.mn MN funksec Energy", "threat_actor_attribution": ["funksec"], "risk_score": 67, "mitre_attack_mapping": [], "first_seen": "2024-12-20T16:43:09.783836+00:00", "last_seen": "2024-12-20T16:43:13.204101+00:00"}, {"timestamp": "2026-07-01T04:27:37.419541+00:00", "severity": "medium", "threat_type": "ransomware", "malware_family": "", "ransomware_group": "spacebears", "affected_sector": "healthcare", "target_country": "Mongolia", "confidence_score": "0.82", "ioc_count": "3", "cves": [], "malicious_ips": [], "domains": ["5butbkrljkaorg5maepuca25oma7eiwo6a2rlhvkblb4v6mf3ki2ovid.onion", "intermed.mn", "www.intermed.mn"], "hashes": [], "summary": "Ransomware victim report: Intermed Hospital Mongolia MN spacebears Healthcare", "recommended_actions": ["Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.", "Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.", "Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.", "Validate offline backups, test restoration paths, and review lateral movement controls."], "executive_summary": "Medium ransomware activity relevant to Mongolia was identified across 1 corroborating observations.", "technical_summary": "Ransomware victim report: Intermed Hospital Mongolia MN spacebears Healthcare", "threat_actor_attribution": ["spacebears"], "risk_score": 67, "mitre_attack_mapping": [], "first_seen": "2024-10-30T00:00:00+00:00", "last_seen": "2024-11-08T05:24:13.716398+00:00"}], "text_report": "[1] HIGH | risk=75 | ransomware\nExecutive summary: High ransomware activity relevant to Mongolia was identified across 1 corroborating observations.\nTechnical summary: Ransomware victim report: barilga.gov.mn MN funksec Public Sector\nAffected sector: government\nThreat actor attribution: funksec\nMITRE ATT&CK: none\nCVEs: none\nIPs: none\nDomains: barilga.gov.mn, funknqn44slwmgwgnewne6bintbooauwkaupik4yrlgtycew3ergraid.onion\nHashes: none\nRecommended mitigations:\n- Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.\n- Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.\n- Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.\n- Validate offline backups, test restoration paths, and review lateral movement controls.\n- Escalate to national-level coordination and verify protective monitoring on critical services.\n\n[2] HIGH | risk=75 | ransomware\nExecutive summary: High ransomware activity relevant to Mongolia was identified across 1 corroborating observations.\nTechnical summary: Ransomware victim report: bayan-ulgii.cfga.gov.mn MN funksec Public Sector\nAffected sector: government\nThreat actor attribution: funksec\nMITRE ATT&CK: none\nCVEs: none\nIPs: none\nDomains: 7ixfdvqb4eaju5lzj4gg76kwlrxg4ugqpuog5oqkkmgfyn33h527oyyd.onion, bayan-ulgii.cfga.gov.mn, cfga.gov.mn\nHashes: none\nRecommended mitigations:\n- Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.\n- Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.\n- Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.\n- Validate offline backups, test restoration paths, and review lateral movement controls.\n- Escalate to national-level coordination and verify protective monitoring on critical services.\n\n[3] HIGH | risk=75 | ransomware\nExecutive summary: High ransomware activity relevant to Mongolia was identified across 1 corroborating observations.\nTechnical summary: Ransomware victim report: tsag-agaar.gov.mn MN funksec Transportation/Logistics\nAffected sector: critical_infrastructure, government\nThreat actor attribution: funksec\nMITRE ATT&CK: none\nCVEs: none\nIPs: none\nDomains: 7ixfdvqb4eaju5lzj4gg76kwlrxg4ugqpuog5oqkkmgfyn33h527oyyd.onion, tsag-agaar.gov.mn\nHashes: none\nRecommended mitigations:\n- Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.\n- Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.\n- Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.\n- Validate offline backups, test restoration paths, and review lateral movement controls.\n- Escalate to national-level coordination and verify protective monitoring on critical services.\n\n[4] HIGH | risk=75 | ransomware\nExecutive summary: High ransomware activity relevant to Mongolia was identified across 1 corroborating observations.\nTechnical summary: Ransomware victim report: rtdc.gov.mn MN funksec Public Sector\nAffected sector: government\nThreat actor attribution: funksec\nMITRE ATT&CK: none\nCVEs: none\nIPs: none\nDomains: 7ixfdvqb4eaju5lzj4gg76kwlrxg4ugqpuog5oqkkmgfyn33h527oyyd.onion, rtdc.gov.mn\nHashes: none\nRecommended mitigations:\n- Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.\n- Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.\n- Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.\n- Validate offline backups, test restoration paths, and review lateral movement controls.\n- Escalate to national-level coordination and verify protective monitoring on critical services.\n\n[5] MEDIUM | risk=67 | ransomware\nExecutive summary: Medium ransomware activity relevant to Mongolia was identified across 1 corroborating observations.\nTechnical summary: Ransomware victim report: ndc.energy.mn MN funksec Energy\nAffected sector: energy\nThreat actor attribution: funksec\nMITRE ATT&CK: none\nCVEs: none\nIPs: none\nDomains: 7ixfdvqb4eaju5lzj4gg76kwlrxg4ugqpuog5oqkkmgfyn33h527oyyd.onion, ndc.energy.mn\nHashes: none\nRecommended mitigations:\n- Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.\n- Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.\n- Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.\n- Validate offline backups, test restoration paths, and review lateral movement controls.\n\n[6] MEDIUM | risk=67 | ransomware\nExecutive summary: Medium ransomware activity relevant to Mongolia was identified across 1 corroborating observations.\nTechnical summary: Ransomware victim report: Intermed Hospital Mongolia MN spacebears Healthcare\nAffected sector: healthcare\nThreat actor attribution: spacebears\nMITRE ATT&CK: none\nCVEs: none\nIPs: none\nDomains: 5butbkrljkaorg5maepuca25oma7eiwo6a2rlhvkblb4v6mf3ki2ovid.onion, intermed.mn, www.intermed.mn\nHashes: none\nRecommended mitigations:\n- Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.\n- Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.\n- Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.\n- Validate offline backups, test restoration paths, and review lateral movement controls.", "json_report": "[\n  {\n    \"timestamp\": \"2026-07-01T04:27:37.419541+00:00\",\n    \"severity\": \"high\",\n    \"threat_type\": \"ransomware\",\n    \"malware_family\": \"\",\n    \"ransomware_group\": \"funksec\",\n    \"affected_sector\": \"government\",\n    \"target_country\": \"Mongolia\",\n    \"confidence_score\": \"0.82\",\n    \"ioc_count\": \"2\",\n    \"cves\": [],\n    \"malicious_ips\": [],\n    \"domains\": [\n      \"barilga.gov.mn\",\n      \"funknqn44slwmgwgnewne6bintbooauwkaupik4yrlgtycew3ergraid.onion\"\n    ],\n    \"hashes\": [],\n    \"summary\": \"Ransomware victim report: barilga.gov.mn MN funksec Public Sector\",\n    \"recommended_actions\": [\n      \"Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.\",\n      \"Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.\",\n      \"Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.\",\n      \"Validate offline backups, test restoration paths, and review lateral movement controls.\",\n      \"Escalate to national-level coordination and verify protective monitoring on critical services.\"\n    ],\n    \"executive_summary\": \"High ransomware activity relevant to Mongolia was identified across 1 corroborating observations.\",\n    \"technical_summary\": \"Ransomware victim report: barilga.gov.mn MN funksec Public Sector\",\n    \"threat_actor_attribution\": [\n      \"funksec\"\n    ],\n    \"risk_score\": 75,\n    \"mitre_attack_mapping\": [],\n    \"first_seen\": \"2025-01-15T15:24:20.897975+00:00\",\n    \"last_seen\": \"2025-01-15T15:24:20.897975+00:00\"\n  },\n  {\n    \"timestamp\": \"2026-07-01T04:27:37.419541+00:00\",\n    \"severity\": \"high\",\n    \"threat_type\": \"ransomware\",\n    \"malware_family\": \"\",\n    \"ransomware_group\": \"funksec\",\n    \"affected_sector\": \"government\",\n    \"target_country\": \"Mongolia\",\n    \"confidence_score\": \"0.82\",\n    \"ioc_count\": \"3\",\n    \"cves\": [],\n    \"malicious_ips\": [],\n    \"domains\": [\n      \"7ixfdvqb4eaju5lzj4gg76kwlrxg4ugqpuog5oqkkmgfyn33h527oyyd.onion\",\n      \"bayan-ulgii.cfga.gov.mn\",\n      \"cfga.gov.mn\"\n    ],\n    \"hashes\": [],\n    \"summary\": \"Ransomware victim report: bayan-ulgii.cfga.gov.mn MN funksec Public Sector\",\n    \"recommended_actions\": [\n      \"Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.\",\n      \"Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.\",\n      \"Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.\",\n      \"Validate offline backups, test restoration paths, and review lateral movement controls.\",\n      \"Escalate to national-level coordination and verify protective monitoring on critical services.\"\n    ],\n    \"executive_summary\": \"High ransomware activity relevant to Mongolia was identified across 1 corroborating observations.\",\n    \"technical_summary\": \"Ransomware victim report: bayan-ulgii.cfga.gov.mn MN funksec Public Sector\",\n    \"threat_actor_attribution\": [\n      \"funksec\"\n    ],\n    \"risk_score\": 75,\n    \"mitre_attack_mapping\": [],\n    \"first_seen\": \"2025-01-05T02:28:19.840621+00:00\",\n    \"last_seen\": \"2025-01-05T02:28:21.836484+00:00\"\n  },\n  {\n    \"timestamp\": \"2026-07-01T04:27:37.419541+00:00\",\n    \"severity\": \"high\",\n    \"threat_type\": \"ransomware\",\n    \"malware_family\": \"\",\n    \"ransomware_group\": \"funksec\",\n    \"affected_sector\": \"critical_infrastructure, government\",\n    \"target_country\": \"Mongolia\",\n    \"confidence_score\": \"0.82\",\n    \"ioc_count\": \"2\",\n    \"cves\": [],\n    \"malicious_ips\": [],\n    \"domains\": [\n      \"7ixfdvqb4eaju5lzj4gg76kwlrxg4ugqpuog5oqkkmgfyn33h527oyyd.onion\",\n      \"tsag-agaar.gov.mn\"\n    ],\n    \"hashes\": [],\n    \"summary\": \"Ransomware victim report: tsag-agaar.gov.mn MN funksec Transportation/Logistics\",\n    \"recommended_actions\": [\n      \"Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.\",\n      \"Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.\",\n      \"Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.\",\n      \"Validate offline backups, test restoration paths, and review lateral movement controls.\",\n      \"Escalate to national-level coordination and verify protective monitoring on critical services.\"\n    ],\n    \"executive_summary\": \"High ransomware activity relevant to Mongolia was identified across 1 corroborating observations.\",\n    \"technical_summary\": \"Ransomware victim report: tsag-agaar.gov.mn MN funksec Transportation/Logistics\",\n    \"threat_actor_attribution\": [\n      \"funksec\"\n    ],\n    \"risk_score\": 75,\n    \"mitre_attack_mapping\": [],\n    \"first_seen\": \"2024-12-31T09:14:07.551045+00:00\",\n    \"last_seen\": \"2024-12-31T09:14:09.806680+00:00\"\n  },\n  {\n    \"timestamp\": \"2026-07-01T04:27:37.419541+00:00\",\n    \"severity\": \"high\",\n    \"threat_type\": \"ransomware\",\n    \"malware_family\": \"\",\n    \"ransomware_group\": \"funksec\",\n    \"affected_sector\": \"government\",\n    \"target_country\": \"Mongolia\",\n    \"confidence_score\": \"0.82\",\n    \"ioc_count\": \"2\",\n    \"cves\": [],\n    \"malicious_ips\": [],\n    \"domains\": [\n      \"7ixfdvqb4eaju5lzj4gg76kwlrxg4ugqpuog5oqkkmgfyn33h527oyyd.onion\",\n      \"rtdc.gov.mn\"\n    ],\n    \"hashes\": [],\n    \"summary\": \"Ransomware victim report: rtdc.gov.mn MN funksec Public Sector\",\n    \"recommended_actions\": [\n      \"Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.\",\n      \"Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.\",\n      \"Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.\",\n      \"Validate offline backups, test restoration paths, and review lateral movement controls.\",\n      \"Escalate to national-level coordination and verify protective monitoring on critical services.\"\n    ],\n    \"executive_summary\": \"High ransomware activity relevant to Mongolia was identified across 1 corroborating observations.\",\n    \"technical_summary\": \"Ransomware victim report: rtdc.gov.mn MN funksec Public Sector\",\n    \"threat_actor_attribution\": [\n      \"funksec\"\n    ],\n    \"risk_score\": 75,\n    \"mitre_attack_mapping\": [],\n    \"first_seen\": \"2024-12-17T10:24:44.336915+00:00\",\n    \"last_seen\": \"2024-12-17T10:24:46.481246+00:00\"\n  },\n  {\n    \"timestamp\": \"2026-07-01T04:27:37.419541+00:00\",\n    \"severity\": \"medium\",\n    \"threat_type\": \"ransomware\",\n    \"malware_family\": \"\",\n    \"ransomware_group\": \"funksec\",\n    \"affected_sector\": \"energy\",\n    \"target_country\": \"Mongolia\",\n    \"confidence_score\": \"0.82\",\n    \"ioc_count\": \"2\",\n    \"cves\": [],\n    \"malicious_ips\": [],\n    \"domains\": [\n      \"7ixfdvqb4eaju5lzj4gg76kwlrxg4ugqpuog5oqkkmgfyn33h527oyyd.onion\",\n      \"ndc.energy.mn\"\n    ],\n    \"hashes\": [],\n    \"summary\": \"Ransomware victim report: ndc.energy.mn MN funksec Energy\",\n    \"recommended_actions\": [\n      \"Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.\",\n      \"Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.\",\n      \"Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.\",\n      \"Validate offline backups, test restoration paths, and review lateral movement controls.\"\n    ],\n    \"executive_summary\": \"Medium ransomware activity relevant to Mongolia was identified across 1 corroborating observations.\",\n    \"technical_summary\": \"Ransomware victim report: ndc.energy.mn MN funksec Energy\",\n    \"threat_actor_attribution\": [\n      \"funksec\"\n    ],\n    \"risk_score\": 67,\n    \"mitre_attack_mapping\": [],\n    \"first_seen\": \"2024-12-20T16:43:09.783836+00:00\",\n    \"last_seen\": \"2024-12-20T16:43:13.204101+00:00\"\n  },\n  {\n    \"timestamp\": \"2026-07-01T04:27:37.419541+00:00\",\n    \"severity\": \"medium\",\n    \"threat_type\": \"ransomware\",\n    \"malware_family\": \"\",\n    \"ransomware_group\": \"spacebears\",\n    \"affected_sector\": \"healthcare\",\n    \"target_country\": \"Mongolia\",\n    \"confidence_score\": \"0.82\",\n    \"ioc_count\": \"3\",\n    \"cves\": [],\n    \"malicious_ips\": [],\n    \"domains\": [\n      \"5butbkrljkaorg5maepuca25oma7eiwo6a2rlhvkblb4v6mf3ki2ovid.onion\",\n      \"intermed.mn\",\n      \"www.intermed.mn\"\n    ],\n    \"hashes\": [],\n    \"summary\": \"Ransomware victim report: Intermed Hospital Mongolia MN spacebears Healthcare\",\n    \"recommended_actions\": [\n      \"Block confirmed malicious indicators across firewalls, email gateways, DNS, and EDR controls.\",\n      \"Hunt for the listed IOCs across Mongolia-facing infrastructure, cloud logs, proxy logs, and endpoint telemetry.\",\n      \"Validate whether exposed internet-facing systems map to any referenced CVEs and patch or isolate immediately.\",\n      \"Validate offline backups, test restoration paths, and review lateral movement controls.\"\n    ],\n    \"executive_summary\": \"Medium ransomware activity relevant to Mongolia was identified across 1 corroborating observations.\",\n    \"technical_summary\": \"Ransomware victim report: Intermed Hospital Mongolia MN spacebears Healthcare\",\n    \"threat_actor_attribution\": [\n      \"spacebears\"\n    ],\n    \"risk_score\": 67,\n    \"mitre_attack_mapping\": [],\n    \"first_seen\": \"2024-10-30T00:00:00+00:00\",\n    \"last_seen\": \"2024-11-08T05:24:13.716398+00:00\"\n  }\n]"}