{"leaked-credentials":[{"id":"lkc-001","source":"Combo list — `KS_2025_Q1_breach.txt` (LAB)","discovered_at":"2026-04-22T08:14:00Z","confidence_score":92,"severity":"high","affected_asset":"vpn.user@keensafeglobalbank.com","evidence":"vpn.user@keensafeglobalbank.com:Summer2025!","recommended_action":"Force password reset; revoke all active sessions; check VPN auth logs.","mitre_mapping":["T1078.004","T1110.004"],"compliance_mapping":["NIST 800-53 IA-5","PCI-DSS 8.3","ISO 27001 A.9.2.4"]},{"id":"lkc-002","source":"Telegram channel @combolist_eu (LAB)","discovered_at":"2026-04-21T19:02:00Z","confidence_score":88,"severity":"high","affected_asset":"devops@keensafeglobalbank.com","evidence":"devops@keensafeglobalbank.com:DevOps123!","recommended_action":"Reset, enforce FIDO2, audit Jenkins / Gitea last-90-day actions.","mitre_mapping":["T1078.004"],"compliance_mapping":["NIST CSF PR.AC-1","ISO 27001 A.9.2.4"]},{"id":"lkc-003","source":"BreachForums dump 'EUcorp_2026' (LAB)","discovered_at":"2026-04-20T11:42:00Z","confidence_score":84,"severity":"medium","affected_asset":"employee1@keensafeglobalbank.com","evidence":"employee1@keensafeglobalbank.com:Password123!","recommended_action":"Reset; require new MFA enrolment; check for credential reuse.","mitre_mapping":["T1110.001"],"compliance_mapping":["GDPR Art.32","PCI-DSS 8.6"]},{"id":"lkc-004","source":"DarkWeb scraper — RaidForums alt (LAB)","discovered_at":"2026-04-19T03:11:00Z","confidence_score":76,"severity":"medium","affected_asset":"support.user@keensafeglobalbank.com","evidence":"support.user@keensafeglobalbank.com:Support123!","recommended_action":"Reset; revoke admin-panel sessions; review impersonation logs.","mitre_mapping":["T1078"],"compliance_mapping":["NIST 800-53 AC-2"]},{"id":"lkc-005","source":"Combo list 'EUbanks_2025' 
(LAB)","discovered_at":"2026-04-18T22:55:00Z","confidence_score":70,"severity":"medium","affected_asset":"customer1@keensafeglobalbank.com","evidence":"customer1@keensafeglobalbank.com:Customer123!","recommended_action":"Notify customer; force password reset on next login.","mitre_mapping":["T1110.004"],"compliance_mapping":["GDPR Art.34"]},{"id":"lkc-006","source":"Pastebin paste 'KS_logins_q1' (LAB)","discovered_at":"2026-04-15T07:00:00Z","confidence_score":65,"severity":"low","affected_asset":"marketing@keensafeglobalbank.com","evidence":"marketing@keensafeglobalbank.com:Marketing2024","recommended_action":"Reset; remove orphaned account if not active.","mitre_mapping":["T1078"],"compliance_mapping":["ISO 27001 A.9.2.6"]},{"id":"lkc-007","source":"Stealer log dump 'redline_KS_18' (LAB)","discovered_at":"2026-04-12T14:23:00Z","confidence_score":95,"severity":"critical","affected_asset":"admin@keensafeglobalbank.com","evidence":"admin@keensafeglobalbank.com:Admin123! (browser-stored)","recommended_action":"IMMEDIATE: rotate, force re-MFA, hunt for unauthorised admin actions in last 30 days.","mitre_mapping":["T1555.003","T1078.004"],"compliance_mapping":["NIST 800-53 IA-5(7)","PCI-DSS 8.2.3","DORA Art.10"]},{"id":"lkc-008","source":"GitHub Gist (deleted, cached) (LAB)","discovered_at":"2026-04-08T11:30:00Z","confidence_score":80,"severity":"high","affected_asset":"ci-runner@keensafeglobalbank.com","evidence":"ci-runner@keensafeglobalbank.com:CI_DeployBot_2025!","recommended_action":"Reset; rotate all CI tokens; inspect Jenkins build history.","mitre_mapping":["T1552.001"],"compliance_mapping":["NIST CSF PR.DS-1","PCI-DSS 6.3"]}],"typosquatting":[{"id":"tsq-001","source":"Passive DNS aggregator (LAB)","discovered_at":"2026-05-02T08:00:00Z","confidence_score":91,"severity":"high","affected_asset":"keensafeglobalbank.com","evidence":"keensaffeglobalbank.com (registered 2026-04-30, NS=ns1.suspicious-host.tld)","recommended_action":"File takedown via registrar; add to 
phishing blocklist; alert customers.","mitre_mapping":["T1583.001"],"compliance_mapping":["ISO 27001 A.5.7"]},{"id":"tsq-002","source":"WHOIS monitor (LAB)","discovered_at":"2026-05-01T15:30:00Z","confidence_score":88,"severity":"high","affected_asset":"keensafeglobalbank.com","evidence":"keensafe-globabank.com (registered 2026-04-29, hosted on known phishing IP 198.51.100.42)","recommended_action":"Open takedown ticket; add to email gateway blocklist.","mitre_mapping":["T1583.001","T1566.002"],"compliance_mapping":["NIST CSF DE.CM-1"]},{"id":"tsq-003","source":"Brand monitoring service (LAB)","discovered_at":"2026-04-29T10:14:00Z","confidence_score":84,"severity":"medium","affected_asset":"keensafeglobalbank.com","evidence":"keensafe-globalbnk.com — landing page mimics login flow.","recommended_action":"Capture screenshot, enrich with WHOIS, file at registrar.","mitre_mapping":["T1583.001","T1566.002"],"compliance_mapping":["GDPR Art.32"]},{"id":"tsq-004","source":"TLD permutation engine (LAB)","discovered_at":"2026-04-28T09:00:00Z","confidence_score":78,"severity":"medium","affected_asset":"keensafeglobalbank.com","evidence":"kensafeglobalbank.com — letter omission squat","recommended_action":"Defensive registration if available; otherwise blocklist.","mitre_mapping":["T1583.001"],"compliance_mapping":["ISO 27001 A.5.7"]},{"id":"tsq-005","source":"Phishing-page indexer (LAB)","discovered_at":"2026-04-27T18:45:00Z","confidence_score":95,"severity":"critical","affected_asset":"online.keensafeglobalbank.com","evidence":"keensafe-secure-login.com — pixel-perfect clone of login page; harvests credentials over HTTPS.","recommended_action":"Emergency takedown; notify customers; rotate session secret.","mitre_mapping":["T1566.002","T1056.003"],"compliance_mapping":["GDPR Art.34","DORA Art.19"]},{"id":"tsq-006","source":"Brand monitoring service 
(LAB)","discovered_at":"2026-04-25T07:20:00Z","confidence_score":70,"severity":"low","affected_asset":"keensafeglobalbank.com","evidence":"keensafeglobalbank.co (parked, no content yet)","recommended_action":"Watchlist for content changes.","mitre_mapping":["T1583.001"],"compliance_mapping":[]}],"github-leaks":[{"id":"ghs-001","source":"GitHub public push-event scanner (LAB)","discovered_at":"2026-04-30T22:11:00Z","confidence_score":96,"severity":"critical","affected_asset":"git.keensafeglobalbank.com / partner SDK","evidence":"https://github.com/ext-partner/keensafe-payouts/blob/c0ffee/src/.env — AKIAFAKEKEYONLY12345 / FAKEsecret/Lab+OnlyDoNotUseInProductionAA","recommended_action":"Rotate AWS keys; file GitHub takedown; revoke key in IAM.","mitre_mapping":["T1552.001"],"compliance_mapping":["NIST 800-53 IA-5","PCI-DSS 6.3.1"]},{"id":"ghs-002","source":"TruffleHog scan (LAB)","discovered_at":"2026-04-29T13:42:00Z","confidence_score":90,"severity":"high","affected_asset":"internal-jenkins-job","evidence":"JWT_SECRET=keensafe-lab-jwt-supersecret-2025 in `infra-pipelines/jenkins/Jenkinsfile`","recommended_action":"Rotate JWT secret; force re-authentication; review token issuance window.","mitre_mapping":["T1552.001","T1606.001"],"compliance_mapping":["NIST CSF PR.DS-1"]},{"id":"ghs-003","source":"GitGuardian webhook (LAB)","discovered_at":"2026-04-27T05:08:00Z","confidence_score":88,"severity":"high","affected_asset":"ext-partner repo / Slack webhook","evidence":"Slack webhook https://hooks.slack.com/services/T0FAKE/B0FAKE/fakeWebhookOnlyForLab","recommended_action":"Revoke webhook; notify Slack workspace owner.","mitre_mapping":["T1552.001"],"compliance_mapping":["ISO 27001 A.8.24"]},{"id":"ghs-004","source":"GitHub gist scanner (LAB)","discovered_at":"2026-04-26T19:01:00Z","confidence_score":70,"severity":"medium","affected_asset":"developer-portal repo","evidence":"Hardcoded API key ks-pub-FAKE-7d2c0a3b1e8f9c2d3f4a5b6c7d8e9f0a in /samples 
docs","recommended_action":"Rotate the partner key; replace docs sample with placeholder.","mitre_mapping":["T1552.001"],"compliance_mapping":["PCI-DSS 6.3.1"]}],"pastes":[{"id":"pst-001","source":"Pastebin (LAB scrape)","discovered_at":"2026-05-01T10:30:00Z","confidence_score":82,"severity":"high","affected_asset":"internal hosts list","evidence":"https://pastebin.com/abcd1234 — internal_hosts.txt: jenkins.internal.keensafeglobalbank.com, vault.internal.keensafeglobalbank.com, kafka01.internal.keensafeglobalbank.com","recommended_action":"File pastebin removal; review what else may have leaked from same source.","mitre_mapping":["T1593.003"],"compliance_mapping":["ISO 27001 A.5.7"]},{"id":"pst-002","source":"ghostbin alt (LAB)","discovered_at":"2026-04-28T08:55:00Z","confidence_score":76,"severity":"medium","affected_asset":"DB schema","evidence":"Public paste with full schema dump of `keensafebank` (users, accounts, cards, transactions).","recommended_action":"File takedown; review DB exposure surface; rotate read-only DB credentials.","mitre_mapping":["T1213"],"compliance_mapping":["GDPR Art.32"]},{"id":"pst-003","source":"0bin clone (LAB)","discovered_at":"2026-04-26T20:11:00Z","confidence_score":60,"severity":"medium","affected_asset":"PCI scope notes","evidence":"Excerpt from pci_scope_notes.pdf (2024 version) including KMS aliases.","recommended_action":"Confirm authenticity; rotate KMS aliases; investigate insider risk.","mitre_mapping":["T1213.002"],"compliance_mapping":["PCI-DSS 3.5"]}],"darkweb-mentions":[{"id":"dwm-001","source":"DarkOwl (LAB feed)","discovered_at":"2026-05-02T01:10:00Z","confidence_score":87,"severity":"high","affected_asset":"Keensafe Global Bank","evidence":"Forum 'CryptBB' — actor 'silent_finch' offering 'EU bank initial-access broker, Keensafe target' for 1.4 BTC.","recommended_action":"Engage threat-intel reseller for actor profile; tighten admin-panel allowlist.","mitre_mapping":["T1593.001","T1078"],"compliance_mapping":["DORA 
Art.10","NIST CSF DE.CM-1"]},{"id":"dwm-002","source":"Telegram monitor (LAB)","discovered_at":"2026-04-30T16:42:00Z","confidence_score":78,"severity":"medium","affected_asset":"keensafeglobalbank.com","evidence":"Channel @phishpros — preview of phishing kit referencing 'keensafe-secure-login.com'.","recommended_action":"Cross-correlate with typosquat tsq-005; expedite takedown.","mitre_mapping":["T1566.002"],"compliance_mapping":["GDPR Art.34"]},{"id":"dwm-003","source":"Russian-language forum (LAB)","discovered_at":"2026-04-26T13:02:00Z","confidence_score":68,"severity":"medium","affected_asset":"Keensafe customers","evidence":"Stealer log advert mentions 'EU online banking, keensafe' as one of N targets.","recommended_action":"Treat as broad campaign; raise customer awareness.","mitre_mapping":["T1555"],"compliance_mapping":["DORA Art.19"]}],"iocs":[{"id":"ioc-001","source":"Open-source feed (LAB)","discovered_at":"2026-05-02T07:18:00Z","confidence_score":90,"severity":"high","affected_asset":"perimeter / SOC","type":"domain","evidence":"keensafe-secure-login.com (phishing landing)","recommended_action":"Block in proxy + DNS sinkhole; alert mail gateway.","mitre_mapping":["T1566.002"],"compliance_mapping":[]},{"id":"ioc-002","source":"AbuseIPDB-like (LAB)","discovered_at":"2026-05-02T07:05:00Z","confidence_score":88,"severity":"high","affected_asset":"perimeter","type":"ipv4","evidence":"198.51.100.42 — phishing kit C2","recommended_action":"Block at edge; add to deny list.","mitre_mapping":["T1071.001"],"compliance_mapping":[]},{"id":"ioc-003","source":"VirusTotal-like (LAB)","discovered_at":"2026-04-29T22:00:00Z","confidence_score":92,"severity":"high","affected_asset":"endpoint","type":"sha256","evidence":"f1e2d3c4b5a6978899aabbccddeeff00112233445566778899aabbccddeeff00 (FAKE) — banker payload","recommended_action":"EDR detection rule; block hash.","mitre_mapping":["T1204.002"],"compliance_mapping":[]},{"id":"ioc-004","source":"MISP-like 
(LAB)","discovered_at":"2026-04-28T14:50:00Z","confidence_score":80,"severity":"medium","affected_asset":"perimeter","type":"domain","evidence":"keensaffeglobalbank.com","recommended_action":"DNS sinkhole.","mitre_mapping":["T1583.001"],"compliance_mapping":[]},{"id":"ioc-005","source":"Open-source feed (LAB)","discovered_at":"2026-04-25T09:14:00Z","confidence_score":70,"severity":"medium","affected_asset":"perimeter","type":"ipv4","evidence":"203.0.113.66 — scanner / brute-force source","recommended_action":"Rate-limit at edge; add to fail2ban-equivalent.","mitre_mapping":["T1110.001"],"compliance_mapping":[]}],"brand-impersonation":[{"id":"bri-001","source":"Social-media monitor (LAB)","discovered_at":"2026-05-01T19:00:00Z","confidence_score":86,"severity":"high","affected_asset":"Keensafe Global Bank brand","evidence":"X / Twitter handle @KeensafeGlobalSupport (created 2026-04-28) impersonating customer support, asking customers to DM seed phrases.","recommended_action":"Report to platform; publish warning on /security.html.","mitre_mapping":["T1585.001"],"compliance_mapping":["GDPR Art.34"]},{"id":"bri-002","source":"App store monitor (LAB)","discovered_at":"2026-04-28T08:11:00Z","confidence_score":80,"severity":"high","affected_asset":"Keensafe mobile","evidence":"Android side-load APK 'KeensafePro.apk' on 3rd-party store mimicking the Keensafe banking app.","recommended_action":"DMCA + brand takedown; alert customers.","mitre_mapping":["T1583.001"],"compliance_mapping":["DORA Art.19"]},{"id":"bri-003","source":"LinkedIn monitor (LAB)","discovered_at":"2026-04-27T11:20:00Z","confidence_score":65,"severity":"medium","affected_asset":"Keensafe staff","evidence":"Fake recruiter profile 'Keensafe Talent Team' contacting staff with malicious 'job spec' Word doc.","recommended_action":"Submit to LinkedIn; warn employees through internal newsletter.","mitre_mapping":["T1566.001","T1583.001"],"compliance_mapping":["NIST CSF PR.AT-1"]}]}