Get all software (malware and tools) used by a specific APT group,
identified by its STIX ID.
This uses MITRE's `get_software_used_by_group` to follow 'uses'
relationships from an intrusion set (group) to software objects.
Args:
group_stix_id: STIX ID of the group (e.g., "intrusion-set--UUID").
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include software descriptions.
Returns:
{
"group": {
"attack_id": "GXXXX" | null,
"name": "<group name or null>",
"stix_id": "<intrusion-set--UUID>",
"description": "<text or null>"
} | null,
"count": <number of software objects>,
"software": [
{
"attack_id": "SXXXX or similar" | null,
"name": "<software name>",
"stix_id": "<STIX ID>",
"type": "<malware|tool|...>",
"description": "<text or null>",
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "uses",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>",
},
...
]
},
...
],
"formatted": "<human-readable list of software>",
"message": "<status summary>"
}