T1074: T1074

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1074
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Data Staged

Platforms

windows macos linux IaaS ESXi

Description

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017) In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

Mandiant M-Trends 2020
mitre-attack (T1074)
PWC Cloud Hopper April 2017

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (54)

Sapphire Werewolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group, Kimsuky uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Crimson Collective uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sea Turtle uses Teal KurmaCosmic Wolf

The MITRE Corporation Confidence 100

[Sea Turtle](https://attack.mitre.org/groups/G1041) is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. [Sea…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly uses BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Void Manticore uses COBALT MYSTIQUEHandala Hack

AlienVault Confidence 100

[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Stargazer Goblin uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAC-0173 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PhantomCaptcha uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
INC Ransom uses GOLD IONIC

The MITRE Corporation Confidence 100

[INC Ransom](https://attack.mitre.org/groups/G1032) is a ransomware and data extortion threat group associated with the deployment of [INC Ransomware](https://attack.mitre.org/software/S1139) that has been active since at least July 2023. [INC Ransom](https://attack.mitre.org/groups/G1032)…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 54

Mirai uses

Family
Cthulhu Stealer uses

Family
AmateraStealer uses

Family
Kevin uses
Mimilite uses
ThiefQuest - S0595 uses

Family
zOMiner uses
SectopRAT uses

Family
MgBot uses

Family
VIPKeyLogger uses

Family
Margulas uses
Proton - S0279 uses

Family

← Previous

Page / 9

1–12 of 107

Leveling Up with NightSpire Ransomware related

16 MITREs 1 Malware 2 Observables 1 APT
Supply Chain Attack: Malicious PyPI Packages related

12 MITREs 1 Observable 1 APT
CVE-2026-33017: How attackers compromised Langflow AI pipelines in … related

2 CVEs 9 MITREs 1 Observable
Punishing Owl Attacks Russia: A New Owl in … related

14 MITREs 1 Malware 7 Observables 1 APT
341 Malicious Clawed Skills Found by the Bot … related

12 MITREs 1 Malware 13 Observables 1 APT
Interlock Ransomware: New Techniques, Same Old Tricks related

1 CVE 10 MITREs 4 Malwares 8 Observables 1 APT
Weekly Threat Bulletin – January 28th, 2026 related

16 CVEs 20 MITREs 40 Malwares 37 Observables 1 APT
PurpleBravo’s Targeting of the IT Software Supply Chain related

20 MITREs 187 Observables 1 APT
Analyzing React2Shell Threat Actors related

10 CVEs 16 MITREs 2 Malwares 9 Observables
Inside DPRK Operations: New Infrastructure Uncovered Across Global … related

1 CVE 20 MITREs 6 Malwares 20 Observables 1 APT
Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities … related

16 MITREs 4 Malwares 19 Observables 1 APT
Arkanix Stealer: Newly discovered short term profit malware related

25 MITREs 2 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (63)

CVE-2023-3519 KEV targets

9.8 Critical

Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.

Attack vector: Network
Published: 19/07/2023
Modified: 27/05/2026

CVE-2025-34026 KEV targets

9.2 Critical

The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to …

Attack vector: Network
Published: 22/01/2026
Modified: 28/01/2026

Received

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2025-27921 targets

6.1 Medium

A reflected cross-site scripting (XSS) vulnerability was discovered in Output Messenger before 2.0.63, where unsanitized input could be injected into the web …

Attack vector: NETWORK
Published: 05/05/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-54313 KEV targets

7.5 High

eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js …

Attack vector: Network
Published: 19/07/2025
Modified: 28/01/2026

Received

CVE-2023-3467 targets

8.0 High

Privilege Escalation to root administrator (nsroot)

Attack vector: ADJACENT_NETWORK
Published: 19/07/2023
Modified: 21/12/2025

CVE-2025-13927 targets

7.5 High

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 …

Attack vector: NETWORK
Published: 22/01/2026
Modified: 28/01/2026

Received

CVE-2025-55183 targets

5.3 Medium

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including …

Attack vector: NETWORK
Published: 11/12/2025
Modified: 21/12/2025

Analyzed

CVE-2025-13335 targets

6.5 Medium

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 …

Attack vector: NETWORK
Published: 22/01/2026
Modified: 28/01/2026

Received

CVE-2018-0802 KEV targets

Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2023-26078

targets

CVE-2023-3732

targets

← Previous

Page / 6

1–12 of 63

T1074.001 subtechnique-of

Local Data Staging MITRE

Contact About Legal notice Privacy policy Terms of use

T1074: T1074

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (54)

Malware (107)

Reports (50)

Vulnerabilities (CVE) (63)

Attack patterns (MITRE) (1)