T1091: T1091
Essential information
- MITRE technique ID
- T1091
- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:31
- Modified
- 27/03/2026 10:28
- Author / Source
- The MITRE Corporation
Aliases
Replication Through Removable Media
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | initial-access |
| mitre-attack | lateral-movement |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (19)
- STEADY#URSA uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…
First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare,…
First seen 01/01/1970 · Last seen 16/11/5138
- Tangerine Turkey uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Aoqin Dragon uses · The MITRE Corporation · Confidence 100
[Aoqin Dragon](https://attack.mitre.org/groups/G1007) is a suspected Chinese cyber espionage threat group that has been active since at least 2013. [Aoqin Dragon](https://attack.mitre.org/groups/G1007) has primarily targeted government, education, and telecommunication organizations…
First seen 01/01/1970 · Last seen 16/11/5138
- LuminousMoth uses · The MITRE Corporation · Confidence 100
[LuminousMoth](https://attack.mitre.org/groups/G1014) is a Chinese-speaking cyber espionage group that has been active since at least October 2020. [LuminousMoth](https://attack.mitre.org/groups/G1014) has targeted high-profile organizations, including government entities, in Myanmar, the Philippines,…
First seen 01/01/1970 · Last seen 16/11/5138
- UNC4191 uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
[Darkhotel](https://attack.mitre.org/groups/G0012) is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage…
First seen 01/01/1970 · Last seen 16/11/5138
- APT-C-53 (Gamaredon) uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- APT-C-35 uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- RevengeHotels uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…
First seen 01/01/1970 · Last seen 16/11/5138
Malware (82)
- windowsfilters.exe uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- ANDROMEDA - S1074 uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Crimson uses · Family · The MITRE Corporation · Confidence 100
[Crimson](https://attack.mitre.org/software/S0115) is a remote access Trojan that has been used by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2016. (Citation: Proofpoint Operation Transparent Tribe March 2016) (Citation: Kaspersky Transparent Tribe August 2020)
First seen 01/01/1970 · Last seen 16/11/5138
- MISTCLOAK uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- W32.Stuxnet uses · The MITRE Corporation · Confidence 100
[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple…
First seen 01/01/1970 · Last seen 16/11/5138
- qaxreporter.exe uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Cylance Ransomware uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- GammaSteel uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- CHOPSTICK uses · Family · The MITRE Corporation · Confidence 100
[CHOPSTICK](https://attack.mitre.org/software/S0023) is a malware family of modular backdoors used by [APT28](https://attack.mitre.org/groups/G0007). It has been used since at least 2012 and is usually dropped on victims as second-stage malware,…
First seen 01/01/1970 · Last seen 16/11/5138
- ANDROMEDA uses · Family · The MITRE Corporation · Confidence 100
[ANDROMEDA](https://attack.mitre.org/software/S1074) is commodity malware that was widespread in the early 2010's and continues to be observed in infections across a wide variety of industries. During the 2022 [C0026](https://attack.mitre.org/campaigns/C0026)…
First seen 01/01/1970 · Last seen 16/11/5138
- H1N1 uses · Family · The MITRE Corporation · Confidence 100
[H1N1](https://attack.mitre.org/software/S0132) is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved…
First seen 01/01/1970 · Last seen 16/11/5138
- Mongall uses · Family · The MITRE Corporation · Confidence 100
[Mongall](https://attack.mitre.org/software/S1026) is a backdoor that has been used since at least 2013, including by [Aoqin Dragon](https://attack.mitre.org/groups/G1007). (Citation: SentinelOne Aoqin Dragon June 2022)
First seen 01/01/1970 · Last seen 16/11/5138
Reports (17)
- AlienVault · Confidence 100 · 9 MITREs · 2 Malwares · 26 IOCs · 10 Observables
- 2 CVEs · 19 MITREs · 6 Malwares · 4 Observables · 1 APT
- Threat landscape — Belgium related · Confidence 100 · 18 CVEs · 200 MITREs · 200 Malwares · 20 APTs · 26 Tools
- 19 MITREs · 1 Malware · 1 Observable
- AlienVault · Confidence 100 · 13 MITREs · 2 Malwares · 5 IOCs · 3 Observables
- 1 CVE · 19 MITREs · 10 Malwares · 34 Observables
- 1 CVE · 14 MITREs · 11 Malwares · 1 APT
- 22 MITREs · 7 Observables · 1 APT
- 8 MITREs · 4 Malwares · 6 Observables
- 12 MITREs · 6 Observables · 1 APT
- 12 MITREs · 3 Malwares · 10 Observables · 1 APT
- 20 MITREs · 7 Malwares · 41 Observables
Vulnerabilities (CVE) (5)
Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 12/04/2017
- Modified
- 22/04/2026
RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …
- Attack vector
- Network
- Published
- 12/08/2025
- Modified
- 27/05/2026
WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution
- Published
- 15/02/2022
- Modified
- 02/06/2026
Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a …
- Attack vector
- NETWORK
- Published
- 07/01/2026
- Modified
- 09/03/2026
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
- Attack vector
- Network
- Published
- 10/12/2021
- Modified
- 27/05/2026
Course Of Action (3)
- Limit Hardware Installation mitigates
- Disable or Remove Feature or Program mitigates
- Behavior Prevention on Endpoint mitigates