T1091: T1091
Essential information
- MITRE technique ID
T1091- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:31
- Modified
- 27/03/2026 10:28
- Author / Source
- The MITRE Corporation
Aliases
Replication Through Removable Media
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | initial-access |
| mitre-attack | lateral-movement |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (19)
-
STEADY#URSA usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Tangerine Turkey usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Aoqin Dragon usesThe MITRE Corporation Confidence 100
[Aoqin Dragon](https://attack.mitre.org/groups/G1007) is a suspected Chinese cyber espionage threat group that has been active since at least 2013. [Aoqin Dragon](https://attack.mitre.org/groups/G1007) has primarily targeted government, education, and telecommunication organizations…
First seen 01/01/1970 · Last seen 16/11/5138 · -
LuminousMoth usesThe MITRE Corporation Confidence 100
[LuminousMoth](https://attack.mitre.org/groups/G1014) is a Chinese-speaking cyber espionage group that has been active since at least October 2020. [LuminousMoth](https://attack.mitre.org/groups/G1014) has targeted high-profile organizations, including government entities, in Myanmar, the Philippines,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
UNC4191 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Darkhotel](https://attack.mitre.org/groups/G0012) is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage…
First seen 01/01/1970 · Last seen 16/11/5138 · -
APT-C-53 (Gamaredon) usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT-C-35 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RevengeHotels usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (82)
-
Dreambot usesThe MITRE Corporation Confidence 100
[Ursnif](https://attack.mitre.org/software/S0386) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)s, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
USBferry usesFamily The MITRE Corporation Confidence 100
[USBferry](https://attack.mitre.org/software/S0452) is an information stealing malware and has been used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) in targeted attacks against Taiwanese and Philippine air-gapped military environments. [USBferry](https://attack.mitre.org/software/S0452) shares an overlapping codebase…
First seen 01/01/1970 · Last seen 16/11/5138 · -
VenomRAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Hypnosis loader usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
NanoCoreRAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
EggStremeFuel usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Backdoor:Win32/Dora usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GammaPhish usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RevengeRAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ARCrypter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
MoonPeak usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GammaWorm usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (17)
-
AlienVault Confidence 100 9 MITREs 2 Malwares 26 IOCs 10 Observables
-
2 CVEs 19 MITREs 6 Malwares 4 Observables 1 APT
-
Threat landscape — Belgium relatedConfidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
-
19 MITREs 1 Malware 1 Observable
-
AlienVault Confidence 100 13 MITREs 2 Malwares 5 IOCs 3 Observables
-
1 CVE 19 MITREs 10 Malwares 34 Observables
-
1 CVE 14 MITREs 11 Malwares 1 APT
-
22 MITREs 7 Observables 1 APT
-
8 MITREs 4 Malwares 6 Observables
-
12 MITREs 6 Observables 1 APT
-
12 MITREs 3 Malwares 10 Observables 1 APT
-
20 MITREs 7 Malwares 41 Observables
Vulnerabilities (CVE) (5)
Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 12/04/2017
- Modified
- 22/04/2026
RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …
- Attack vector
- Network
- Published
- 12/08/2025
- Modified
- 27/05/2026
WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution
- Published
- 15/02/2022
- Modified
- 02/06/2026
Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a …
- Attack vector
- NETWORK
- Published
- 07/01/2026
- Modified
- 09/03/2026
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
- Attack vector
- Network
- Published
- 10/12/2021
- Modified
- 27/05/2026
Course Of Action (3)
-
Limit Hardware Installation mitigates
-
Disable or Remove Feature or Program mitigates
-
Behavior Prevention on Endpoint mitigates