T1055.002: Portable Executable Injection
Essential information
- MITRE technique ID: T1055.002
- Confidence: 100/100
- Revoked: No
- Published: 16/12/2025 19:38
- Modified: 08/04/2026 13:00
- Author / Source: The MITRE Corporation
Aliases
- Portable Executable Injection
Platforms
- Windows
Description
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses and possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process: the adversary copies a PE image, often one that never touches disk, into the virtual address space of the target process and then triggers its execution with additional code, for example a remote thread. On Windows the copy is typically performed with VirtualAllocEx and WriteProcessMemory and the execution started with CreateRemoteThread or similar. Because the image lands at whatever address the remote allocation returned rather than at the base the linker assumed, the injected image must also have its absolute memory references remapped (its PE base relocations processed) before it can run correctly. Running under another process may give access to that process's memory, system and network resources, and possibly elevated privileges, and can evade detection because execution is masked under a legitimate process.
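The relocation requirement is the part of PE injection most often glossed over, so the following C program is added here as an illustration; it is not MITRE's text nor code from any of the groups or malware families listed on this page. It implements the base-relocation fixup an injector (or any manual mapper) must perform once the image sits at a base other than its preferred one. Everything it operates on is constructed inline: the toy image, its two absolute pointers, the `.reloc` block that names them, and the preferred and actual base addresses. The relocation directory RVA and size, which a real loader reads from `OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]`, are hard-coded for the demo, so the program builds and runs on any platform since it only manipulates bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Mirrors IMAGE_BASE_RELOCATION from winnt.h: 8-byte header, then 16-bit
 * entries whose high 4 bits are the type and low 12 bits the page offset. */
typedef struct { uint32_t VirtualAddress; uint32_t SizeOfBlock; } BaseRelocBlock;
enum { REL_ABSOLUTE = 0, REL_HIGHLOW = 3, REL_DIR64 = 10 };

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/* Add (actual_base - preferred_base) to every absolute address named in the
 * .reloc directory of an image already laid out section-by-section in `image`.
 * Returns the number of fixups applied, or -1 if the table is malformed or
 * uses a relocation type this routine does not handle. */
long apply_relocations(uint8_t *image, size_t image_size,
                       uint32_t reloc_rva, uint32_t reloc_size,
                       uint64_t preferred_base, uint64_t actual_base)
{
    uint64_t delta = actual_base - preferred_base;  /* modular: downward moves work too */
    long fixed = 0;
    if (delta == 0) return 0;                        /* landed at preferred base: nothing to do */
    if ((uint64_t)reloc_rva + reloc_size > image_size) return -1;
    size_t off = reloc_rva, end = (size_t)reloc_rva + reloc_size;
    while (off + sizeof(BaseRelocBlock) <= end) {
        uint32_t page = rd32(image + off);
        uint32_t size = rd32(image + off + 4);
        if (size < sizeof(BaseRelocBlock) || off + size > end) return -1;
        const uint8_t *ent = image + off + sizeof(BaseRelocBlock);
        size_t n = (size - sizeof(BaseRelocBlock)) / 2;
        for (size_t i = 0; i < n; i++) {
            uint16_t e = rd16(ent + 2 * i);
            size_t target = (size_t)page + (e & 0xFFF);
            switch (e >> 12) {
            case REL_ABSOLUTE:                       /* padding that keeps the block 4-byte aligned */
                break;
            case REL_HIGHLOW:                        /* 32-bit absolute address (x86 images) */
                if (target + 4 > image_size) return -1;
                wr32(image + target, rd32(image + target) + (uint32_t)delta);
                fixed++;
                break;
            case REL_DIR64:                          /* 64-bit absolute address (x64 images) */
                if (target + 8 > image_size) return -1;
                wr64(image + target, rd64(image + target) + delta);
                fixed++;
                break;
            default:
                return -1;
            }
        }
        off += size;
    }
    return fixed;
}

/* ---- Constructed toy image for the demo (not a real PE file) ---- */
#define IMG_SIZE  0x2000u
#define CODE_RVA  0x1000u
#define RELOC_RVA 0x1800u
#define RELOC_LEN 16u                    /* 8-byte header + 4 two-byte entries */
#define PREF_BASE 0x140000000ULL         /* the usual x64 linker default ImageBase */

/* Two absolute pointers in the code page plus the .reloc block that names them. */
static void build_image(uint8_t *img)
{
    memset(img, 0, IMG_SIZE);
    wr64(img + CODE_RVA + 0x10, PREF_BASE + 0x1100);  /* e.g. a function pointer */
    wr64(img + CODE_RVA + 0x20, PREF_BASE + 0x1200);  /* e.g. the address of a string */
    wr32(img + RELOC_RVA,     CODE_RVA);              /* BaseRelocBlock.VirtualAddress */
    wr32(img + RELOC_RVA + 4, RELOC_LEN);             /* BaseRelocBlock.SizeOfBlock */
    uint16_t entries[4] = { (uint16_t)((REL_DIR64 << 12) | 0x10),
                            (uint16_t)((REL_DIR64 << 12) | 0x20), REL_ABSOLUTE, REL_ABSOLUTE };
    memcpy(img + RELOC_RVA + 8, entries, sizeof entries);
}

/* Relocate the toy image as if the remote allocation had returned `actual_base`;
 * report the fixup count and the two patched pointers so they can be checked. */
long relocate_demo(uint64_t actual_base, uint64_t *ptr1, uint64_t *ptr2)
{
    uint8_t img[IMG_SIZE];
    build_image(img);
    long n = apply_relocations(img, IMG_SIZE, RELOC_RVA, RELOC_LEN, PREF_BASE, actual_base);
    *ptr1 = rd64(img + CODE_RVA + 0x10);
    *ptr2 = rd64(img + CODE_RVA + 0x20);
    return n;
}

int main(void)
{
    uint64_t actual = 0x00007FF6A0000000ULL, p1, p2;  /* made-up remote allocation address */
    long n = relocate_demo(actual, &p1, &p2);
    printf("fixups=%ld ptr1=0x%llx ptr2=0x%llx\n", n,
           (unsigned long long)p1, (unsigned long long)p2);
    return (n == 2 && p1 == actual + 0x1100 && p2 == actual + 0x1200) ? 0 : 1;
}
```

`apply_relocations` returns -1 on a malformed table instead of writing past the image, which matters when the image being mapped came from an untrusted source. From the defender's side the same step is an artefact: a PE image that has been relocated into a private, non-image-backed memory region of another process (its stored ImageBase no longer matching where it actually sits) is the footprint this technique leaves behind, and memory scanners hunt for exactly that.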
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
| mitre-attack | privilege-escalation |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (14)
- TeamPCP (uses) · AlienVault, confidence 100 · Published 20/03/2026 22:18 · Modified 20/03/2026 22:18
- RastaFarEye (uses) · AlienVault, confidence 100 · Published 21/12/2025 05:13 · Modified 21/12/2025 05:13
- Kimsuky (uses) · The MITRE Corporation, confidence 100 · Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter …
- Jewelbug (uses) · AlienVault, confidence 100 · Published 21/12/2025 18:58 · Modified 21/12/2025 18:58
- LegionLoader (uses) · AlienVault, confidence 100 · Published 21/12/2025 09:51 · Modified 21/12/2025 09:51
- FIN7 (uses) · The MITRE Corporation, confidence 100 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  [FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, …
- Water Sigbin (uses) · AlienVault, confidence 100 · Published 21/12/2025 05:03 · Modified 21/12/2025 05:03
- APT38 (uses) · The MITRE Corporation, confidence 100 · Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  [APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) …
- Gorgon Group (uses) · The MITRE Corporation, confidence 100 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  [Gorgon Group](https://attack.mitre.org/groups/G0078) is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of …
- Lumma Stealer (uses) · AlienVault, confidence 100 · Published 21/12/2025 07:16 · Modified 21/12/2025 07:16
- VasyGrek (uses) · AlienVault, confidence 100 · Published 21/12/2025 05:48 · Modified 21/12/2025 05:48
- ClickFix (uses) · AlienVault, confidence 100 · Published 21/12/2025 14:24 · Modified 21/12/2025 14:24
- China-nexus APT (uses) · AlienVault, confidence 100 · Published 21/12/2025 15:48 · Modified 21/12/2025 15:49
- Rocke (uses) · The MITRE Corporation, confidence 100 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  [Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes …
Malware (25 / 80)
- FakeBat (uses) · Family · Published 11/11/2024 09:50 · Modified 11/11/2024 09:50
- AsyncRAT (uses) · Family · Published 11/06/2026 16:31 · Modified 11/06/2026 16:31
- CastleStealer (uses) · Family · Published 30/04/2026 14:41 · Modified 30/04/2026 14:41
- Core Impact (uses) · Family · Published 17/07/2024 13:57 · Modified 17/07/2024 13:57
- Squidoor (uses) · Family · Published 24/10/2025 09:16 · Modified 24/10/2025 09:16
- Remus (uses) · Family · Published 06/05/2026 10:26 · Modified 06/05/2026 10:26
- Pikabot (uses) · Family · Published 21/10/2024 10:59 · Modified 21/10/2024 10:59
- PureCrypter (uses) · Family · Published 10/10/2025 08:25 · Modified 10/10/2025 08:25
- RemcosRAT (uses) · Family · Published 22/04/2026 07:06 · Modified 22/04/2026 07:06
- sysmon.py
- update4.exe (uses) · Family · Published 20/08/2024 08:38 · Modified 20/08/2024 08:38
- SectopRAT (uses) · Family · Published 26/05/2026 15:20 · Modified 26/05/2026 15:20
- PureHVNC (uses) · Family · Published 31/10/2025 09:32 · Modified 31/10/2025 09:32
- WarzoneRAT
- MetaStealer (uses) · Family · Published 30/08/2025 09:10 · Modified 30/08/2025 09:10
- CastleLoader (uses) · Family · Published 04/06/2026 22:52 · Modified 04/06/2026 22:52
- Gootloader (uses) · Family · Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
- InvisiMole
- XWorm (uses) · Family · Published 27/03/2026 08:45 · Modified 27/03/2026 08:45
- update7.ps1 (uses) · Family · Published 20/08/2024 08:38 · Modified 20/08/2024 08:38
- update5.dll (uses) · Family · Published 20/08/2024 08:38 · Modified 20/08/2024 08:38
- Raspberry Robin (uses) · Family · Published 08/08/2025 07:53 · Modified 08/08/2025 07:53
- TeamViewer (uses) · Family · Published 23/02/2026 09:34 · Modified 23/02/2026 09:34
- Freeze (uses) · AlienVault, confidence 100 · Published 21/12/2025 06:41 · Modified 21/12/2025 06:41
- Pathloader (uses) · Family · Published 24/10/2025 09:16 · Modified 24/10/2025 09:16
Reports (21)
- 19 MITRE entries, 2 malware, 4 observables · Published 26/05/2026 15:20 · Modified 27/05/2026 13:59
- AlienVault, confidence 100 · 18 MITRE entries, 3 malware, 23 IOCs, 23 observables, 1 APT · Published 30/04/2026 16:41 · Modified 04/05/2026 11:59 · threat-report
- AlienVault, confidence 100 · 16 MITRE entries, 1 malware, 4 IOCs, 4 observables · Published 10/04/2026 10:15 · Modified 10/04/2026 10:07 · threat-report
- AlienVault, confidence 100 · 19 MITRE entries, 6 malware, 88 IOCs, 88 observables, 1 APT · Published 08/04/2026 11:16 · Modified 08/04/2026 11:01 · threat-report
- LegionLoader exposed! (related) · 12 MITRE entries, 4 malware, 108 observables, 1 APT · Published 10/02/2025 13:54 · Modified 10/02/2025 15:29
- 7 MITRE entries, 1 malware · Published 04/12/2024 17:00 · Modified 05/12/2024 09:54
- Raspberry Robin Analysis (related) · 2 CVEs, 20 MITRE entries, 2 malware, 126 observables · Published 19/11/2024 21:59 · Modified 20/11/2024 09:29
- 7 MITRE entries, 1 malware · Published 24/10/2024 12:59 · Modified 24/10/2024 14:21
- 10 MITRE entries, 2 malware, 13 observables · Published 28/08/2024 09:27 · Modified 28/08/2024 09:35
- 1 CVE, 7 MITRE entries, 10 malware, 43 observables · Published 20/08/2024 08:38 · Modified 20/08/2024 08:59
- 10 MITRE entries, 4 malware, 18 observables · Published 09/08/2024 11:25 · Modified 09/08/2024 11:39
- 18 MITRE entries, 4 malware, 7 observables · Published 05/08/2024 08:33 · Modified 05/08/2024 09:04
- 3 CVEs, 18 MITRE entries, 4 malware, 99 observables, 1 APT · Published 17/07/2024 13:57 · Modified 17/07/2024 14:35
- 31 MITRE entries, 9 malware, 131 observables, 1 APT · Published 10/07/2024 09:49 · Modified 10/07/2024 10:18
- 10 MITRE entries, 1 malware, 5 observables · Published 25/06/2024 13:07 · Modified 25/06/2024 13:22
- DarkGate again but... Improved? (related) · 37 MITRE entries, 2 malware, 200 observables, 1 APT · Published 06/06/2024 08:16 · Modified 06/06/2024 09:06
- 20 MITRE entries, 2 malware, 61 observables · Published 31/05/2024 12:22 · Modified 31/05/2024 12:35
- 2 CVEs, 8 MITRE entries, 9 observables, 1 APT · Published 30/05/2024 07:03 · Modified 30/05/2024 07:31
- 11 MITRE entries, 2 malware, 17 observables · Published 22/05/2024 07:38 · Modified 22/05/2024 07:53
- 13 MITRE entries, 1 malware, 4 observables · Published 08/05/2024 11:03 · Modified 08/05/2024 17:22
- 8 MITRE entries, 1 malware, 6 observables · Published 29/04/2024 18:18 · Modified 01/05/2024 23:08
Vulnerabilities (CVE) (6 / 9)
- Microsoft Windows Kernel contains an exposed IOCTL with insufficient access control vulnerability within the IOCTL (input and output control) dispatcher in appid.sys …
  Attack vector: Local · Published 04/03/2024 · Modified 21/12/2025
- Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.
  Published 03/11/2021 · Modified 29/05/2026
- Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute …
  Attack vector: Network · Complexity: High · Published 24/04/2017 · Modified 22/04/2026
- Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.
  Published 03/11/2021 · Modified 20/12/2025
- Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic …
  Attack vector: Network · Published 01/05/2023 · Modified 21/12/2025
- Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.
  Published 03/11/2021 · Modified 20/12/2025
Attack patterns (MITRE) (1)
- T1055 Process Injection (parent technique; T1055.002 is a sub-technique of it)
Course Of Action (1)
- Behavior Prevention on Endpoint (mitigates)
Campaign (1)
- 3CX Supply Chain Attack (uses)
Tool (1)
- Brute Ratel C4 (uses) · The MITRE Corporation, confidence 100 · Published 07/02/2023 21:26 · Modified 27/03/2026 01:07
  [Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by …