T1059.006: T1059.006

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1059.006
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Python

Platforms

windows macos linux ESXi

Description

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the `python.exe` interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020) Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

Kill chain phases

Kill chain	Phase
mitre-attack	execution

Marking (TLP)

External references

Zscaler APT31 Covid-19 October 2020
mitre-attack (T1059.006)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (58)

ReaverBits uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hive0147 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT37 uses InkySquidGroup123

The MITRE Corporation Confidence 100

[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cinnamon Tempest uses DEV-0401Emperor Dragonfly

The MITRE Corporation Confidence 100

[Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) source code. [Cinnamon…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC5812 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CozyDuke uses IRON RITUALIRON HEMLOCK

The MITRE Corporation Confidence 100

[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Phoenix Hyena uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hydra Saiga uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ClickFix uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-9686 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Banana Squad uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Dragonfly uses TEMP.IsotopeDYMALLOY

The MITRE Corporation Confidence 100

[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 58

VenomRAT uses

Family
redux-ace uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RELOADEXT uses

Family
Pyramid C2 uses

Family
DownTroy uses

Family
UPSTYLE uses
graphflux uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SUNSPINNER uses

Family
Rhadamanthys uses

Family
Kryptina uses

Family
RustDoor uses

Family
AGENTPSD uses

Family

← Previous

Page / 10

1–12 of 120

The Worm That Keeps on Digging: Latest Wave related

17 MITREs 1 Observable 1 APT
ClickFix Evolves with PySoxy Proxying related

20 MITREs 1 Malware 2 Observables
PCPJack | Cloud Worm Evicts TeamPCP and Steals … related

AlienVault Confidence 100 5 CVEs 24 MITREs 2 Malwares 4 IOCs 4 Observables
OceanLotus suspected of distributing ZiChatBot malware via wheel … related

AlienVault Confidence 100 16 MITREs 1 Malware 10 IOCs 10 Observables 1 APT
Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT … related

3 CVEs 22 MITREs 5 Malwares 16 Observables 1 APT
Supply Chain Poisoning via PyPI Repository Compromise related

AlienVault Confidence 100 20 MITREs 4 IOCs 4 Observables
Snow Flurries: How UNC6692 Employed Social Engineering to … related

20 MITREs 4 Malwares 7 Observables 1 APT
Malicious Artifacts Found in Official KICS Docker Repository … related

AlienVault Confidence 100 19 MITREs 2 Malwares 14 IOCs 14 Observables 1 APT
npm Packages Hit with TeamPCP-Style CanisterWorm Malware related

AlienVault Confidence 100 17 MITREs 1 Malware 9 IOCs 9 Observables 1 APT
CVE-2026-39987 update: How attackers weaponized marimo to deploy … related

2 CVEs 21 MITREs 2 Malwares 12 Observables
Fake recruiter campaign targets crypto developers with RAT related

AlienVault Confidence 100 18 MITREs 29 Malwares 64 IOCs 64 Observables 1 APT
North Korea's Contagious Interview Campaign Spreads Across 5 … related

AlienVault Confidence 100 16 MITREs 4 IOCs 4 Observables 1 APT

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (49)

CVE-2024-27348 KEV targets

9.8 Critical

RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended …

Attack vector: Network
Published: 18/09/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2018-10562 KEV targets

Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10561, exploitation can allow an attacker to perform remote code execution.

Published: 31/03/2022
Modified: 20/12/2025

CVE-2026-1357 targets

9.8 Critical

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up …

Attack vector: Network
Published: 11/02/2026
Modified: 08/05/2026

Awaiting Analysis

CVE-2016-15047 targets

8.7 High

AVTECH devices that include the CloudSetup.cgi management endpoint are vulnerable to authenticated OS command injection. The `exefile` parameter in CloudSetup.cgi is passed …

EPSS: 0.0037 (P58.9%)
Published: 04/06/2026
Modified: 04/06/2026

Received

CVE-2022-30525 KEV targets

A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and …

Published: 16/05/2022
Modified: 20/12/2025

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2021-27137 targets

Published: 04/06/2026
Modified: 04/06/2026

CVE-2024-55591 KEV targets

9.8 Critical

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …

Attack vector: Network
Published: 14/01/2025
Modified: 27/05/2026

Analyzed

CVE-2022-35914 KEV targets

9.8 Critical

Teclib GLPI contains a remote code execution vulnerability in the third-party library, htmlawed.

Attack vector: Network
Published: 07/03/2023
Modified: 04/06/2026

CVE-2025-34054 targets

10.0 Critical

An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to …

EPSS: 0.0230 (P85.0%)
Published: 04/06/2026
Modified: 04/06/2026

Received

CVE-2023-45311 targets

CVE-2025-33073 KEV targets

8.8 High

Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially …

Attack vector: Network
Published: 20/10/2025
Modified: 27/05/2026

Received

← Previous

Page / 5

1–12 of 49

T1059 subtechnique-of

Command and Scripting Interpreter MITRE

Course Of Action (1)

Audit mitigates

Tool (2)

Pupy uses

The MITRE Corporation Confidence 100

[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as…
Remcos uses

The MITRE Corporation Confidence 100

[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in…

Contact About Legal notice Privacy policy Terms of use