T1074: T1074

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1074
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Data Staged

Platforms

windows macos linux IaaS ESXi

Description

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017) In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

Mandiant M-Trends 2020
mitre-attack (T1074)
PWC Cloud Hopper April 2017

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (52)

Sapphire Werewolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group, Kimsuky uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Crimson Collective uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sea Turtle uses Teal KurmaCosmic Wolf

The MITRE Corporation Confidence 100

[Sea Turtle](https://attack.mitre.org/groups/G1041) is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. [Sea…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly uses BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Void Manticore uses COBALT MYSTIQUEHandala Hack

AlienVault Confidence 100

[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Stargazer Goblin uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAC-0173 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PhantomCaptcha uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
INC Ransom uses GOLD IONIC

The MITRE Corporation Confidence 100

[INC Ransom](https://attack.mitre.org/groups/G1032) is a ransomware and data extortion threat group associated with the deployment of [INC Ransomware](https://attack.mitre.org/software/S1139) that has been active since at least July 2023. [INC Ransom](https://attack.mitre.org/groups/G1032)…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 52

TetraLoader uses

Family
Zagrebator.Stealer uses

Family
Vidar uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Interlock uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
China Chopper - S0020 uses

Family
Batavia uses

Family
LightlessCan uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
AnonDoor uses

Family
Agent Racoon uses
Rondo uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
W32.File.MalParent uses

Family
DcRAT uses

Family

← Previous

Page / 7

49–60 of 80

Leveling Up with NightSpire Ransomware related

16 MITREs 1 Malware 2 Observables 1 APT
Supply Chain Attack: Malicious PyPI Packages related

12 MITREs 1 Observable 1 APT
CVE-2026-33017: How attackers compromised Langflow AI pipelines in … related

2 CVEs 9 MITREs 1 Observable
Punishing Owl Attacks Russia: A New Owl in … related

14 MITREs 1 Malware 7 Observables 1 APT
341 Malicious Clawed Skills Found by the Bot … related

12 MITREs 1 Malware 13 Observables 1 APT
Interlock Ransomware: New Techniques, Same Old Tricks related

1 CVE 10 MITREs 4 Malwares 8 Observables 1 APT
Weekly Threat Bulletin – January 28th, 2026 related

16 CVEs 20 MITREs 40 Malwares 37 Observables 1 APT
PurpleBravo’s Targeting of the IT Software Supply Chain related

20 MITREs 187 Observables 1 APT
Analyzing React2Shell Threat Actors related

10 CVEs 16 MITREs 2 Malwares 9 Observables
Inside DPRK Operations: New Infrastructure Uncovered Across Global … related

1 CVE 20 MITREs 6 Malwares 20 Observables 1 APT
Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities … related

16 MITREs 4 Malwares 19 Observables 1 APT
Arkanix Stealer: Newly discovered short term profit malware related

25 MITREs 2 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (63)

CVE-2025-55184 targets

7.5 High

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the …

Attack vector: NETWORK
Published: 11/12/2025
Modified: 21/12/2025

Modified

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2020-1380 KEV targets

7.8 High

Microsoft Internet Explorer contains a memory corruption vulnerability which can allow for remote code execution in the context of the current user.

Attack vector: LOCAL
Published: 03/11/2021
Modified: 26/02/2026

CVE-2025-24893 KEV targets

9.8 Critical

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary …

Attack vector: Network
Published: 30/10/2025
Modified: 28/01/2026

Awaiting Analysis

CVE-2025-3248 targets

9.8 Critical

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted …

Published: 07/04/2025
Modified: 07/04/2025

Received

CVE-2025-0944 targets

6.3 Medium

A vulnerability was found in itsourcecode Tailoring Management System 1.0. It has been rated as critical. This issue affects some unknown processing …

Attack vector: NETWORK
Published: 01/02/2025
Modified: 21/12/2025

Analyzed

CVE-2018-0798 KEV targets

Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code …

Published: 03/11/2021
Modified: 27/05/2026

CVE-2021-30869 KEV targets

Apple iOS, iPadOS, and macOS contain a type confusion vulnerability in the XNU which may allow a malicious application to execute code …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-68645 KEV targets

8.8 High

A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper …

Attack vector: Network
Published: 22/12/2025
Modified: 28/01/2026

Undergoing Analysis

CVE-2022-22947 KEV targets

Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.

Published: 16/05/2022
Modified: 20/12/2025

CVE-2023-20891

targets

CVE-2026-1102 targets

5.3 Medium

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 …

Attack vector: NETWORK
Published: 22/01/2026
Modified: 28/01/2026

Received

← Previous

Page / 6

13–24 of 63

Contact About Legal notice Privacy policy Terms of use

T1074: T1074

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (52)

Malware (80)

Reports (50)

Vulnerabilities (CVE) (63)