Get all APT groups (intrusion sets) that use a specific software/malware.
This is a reverse lookup: Software → Groups.
It follows 'uses' relationships from a software STIX ID (tool/malware)
to intrusion sets.
Args:
software_stix_id: STIX ID of the software object
(e.g., "malware--UUID", "tool--UUID").
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include group descriptions.
Returns:
{
"software": {
"attack_id": "SXXXX or similar" | null,
"name": "<software name or null>",
"stix_id": "<software STIX ID>",
"type": "<tool|malware|...> or null",
"description": "<text or null>",
} | null,
"count": <number of groups>,
"groups": [
{
"attack_id": "GXXXX" | null,
"name": "<group name>",
"aliases": [...],
"stix_id": "<intrusion-set--UUID>",
"description": "<text or null>",
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "uses",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>",
},
...
]
},
...
],
"formatted": "<human-readable list of groups>",
"message": "<status summary>"
}