T1091: T1091
Essential information
- MITRE technique ID
T1091- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:31
- Modified
- 27/03/2026 10:28
- Author / Source
- The MITRE Corporation
Aliases
Replication Through Removable Media
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | initial-access |
| mitre-attack | lateral-movement |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (19)
-
STEADY#URSA usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Tangerine Turkey usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Aoqin Dragon usesThe MITRE Corporation Confidence 100
[Aoqin Dragon](https://attack.mitre.org/groups/G1007) is a suspected Chinese cyber espionage threat group that has been active since at least 2013. [Aoqin Dragon](https://attack.mitre.org/groups/G1007) has primarily targeted government, education, and telecommunication organizations…
First seen 01/01/1970 · Last seen 16/11/5138 · -
LuminousMoth usesThe MITRE Corporation Confidence 100
[LuminousMoth](https://attack.mitre.org/groups/G1014) is a Chinese-speaking cyber espionage group that has been active since at least October 2020. [LuminousMoth](https://attack.mitre.org/groups/G1014) has targeted high-profile organizations, including government entities, in Myanmar, the Philippines,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
UNC4191 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Darkhotel](https://attack.mitre.org/groups/G0012) is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage…
First seen 01/01/1970 · Last seen 16/11/5138 · -
APT-C-53 (Gamaredon) usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT-C-35 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RevengeHotels usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (82)
-
Raspberry Robin usesFamily The MITRE Corporation Confidence 100
[Raspberry Robin](https://attack.mitre.org/software/S1130) is initial access malware first identified in September 2021, and active through early 2024. The malware is notable for spreading via infected USB devices containing a…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Thoper usesThe MITRE Corporation Confidence 100
[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
CBROVER usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
njRAT - S0385 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Moudoor usesThe MITRE Corporation Confidence 100
[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb…
First seen 01/01/1970 · Last seen 16/11/5138 · -
FDMTP usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Muhstik usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Agent.btz usesFamily The MITRE Corporation Confidence 100
[Agent.btz](https://attack.mitre.org/software/S0092) is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. (Citation: Securelist Agent.btz)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Gorem usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DARKDEW usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
YoudaoGui.exe usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (17)
-
AlienVault Confidence 100 9 MITREs 2 Malwares 26 IOCs 10 Observables
-
2 CVEs 19 MITREs 6 Malwares 4 Observables 1 APT
-
Threat landscape — Belgium relatedConfidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
-
19 MITREs 1 Malware 1 Observable
-
AlienVault Confidence 100 13 MITREs 2 Malwares 5 IOCs 3 Observables
-
1 CVE 19 MITREs 10 Malwares 34 Observables
-
1 CVE 14 MITREs 11 Malwares 1 APT
-
22 MITREs 7 Observables 1 APT
-
8 MITREs 4 Malwares 6 Observables
-
12 MITREs 6 Observables 1 APT
-
12 MITREs 3 Malwares 10 Observables 1 APT
-
20 MITREs 7 Malwares 41 Observables
Vulnerabilities (CVE) (5)
Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 12/04/2017
- Modified
- 22/04/2026
RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …
- Attack vector
- Network
- Published
- 12/08/2025
- Modified
- 27/05/2026
WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution
- Published
- 15/02/2022
- Modified
- 02/06/2026
Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a …
- Attack vector
- NETWORK
- Published
- 07/01/2026
- Modified
- 09/03/2026
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
- Attack vector
- Network
- Published
- 10/12/2021
- Modified
- 27/05/2026
Course Of Action (3)
-
Limit Hardware Installation mitigates
-
Disable or Remove Feature or Program mitigates
-
Behavior Prevention on Endpoint mitigates