T1102.001: T1102.001

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 14/03/2020 23:24 · Modified 15/04/2026 12:25

Essential information

MITRE technique ID: T1102.001
Confidence: 100/100
Revoked: No
Published: 14/03/2020 23:24
Modified: 15/04/2026 12:25
Author / Source: The MITRE Corporation

Aliases

Dead Drop Resolver

Platforms

windows macos linux ESXi

Description

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

mitre-attack (T1102.001)
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (25)

Crazy Evil uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA455 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Rocke uses

The MITRE Corporation Confidence 100

[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT41 uses Wicked PandaBrass Typhoon

The MITRE Corporation Confidence 100

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-STA-1087 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gamaredon uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gootloader uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FreeDrain uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LummaC2 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlueDelta uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA829 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

1–12 of 25

D3F@ck Loader uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Amadey - S1025 uses

Family
Rescoms uses

Family
Brute Ratel uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BADNEWS uses
Morpheus uses

Family
Shai-Hulud uses

AlienVault Confidence 100

[Shai-Hulud](https://attack.mitre.org/software/S9008) is a supply chain worm, first reported in September 2025, that spreads through code repositories, including GitHub and NPM packages. It exploits CI/CD pipeline dependencies to propagate…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RTM uses

Family The MITRE Corporation Confidence 100

[RTM](https://attack.mitre.org/software/S0148) is custom malware written in Delphi. It is used by the group of the same name ([RTM](https://attack.mitre.org/groups/G0048)). Newer versions of the malware have been reported publicly as…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gootloader uses

The MITRE Corporation Confidence 100

[Gootloader](https://attack.mitre.org/software/S1138) is a Javascript-based infection framework that has been used since at least 2020 as a delivery method for the Gootkit banking trojan, [Cobalt Strike](https://attack.mitre.org/software/S0154), [REvil](https://attack.mitre.org/software/S0496), and others.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Grandoreiro uses
SlipScreen uses

Family
LummaC2 uses

Family

← Previous

Page / 7

13–24 of 75

Not Just Annoying Ads: Adware Bundles Delivering Gh0st … related

1 CVE 19 MITREs 3 Malwares 2 Observables
Silent Crypto Wallet Takeover Unlimited USDT Approval Exploitation … related

21 MITREs 3 Observables
EtherRAT Targeting Windows Disguised as a Game Mod … related

14 MITREs 3 Malwares 12 Observables
10 Things I Hate About Attribution: RomCom vs. … related

19 MITREs 9 Malwares 103 Observables 1 APT
Unmasking the FreeDrain Network related

14 MITREs 1 APT
Gootloader Returns: Malware Hidden in Google Ads for … related

6 MITREs 1 Malware 1 APT
Amateur Hacker Leverages Bulletproof Hosting Server to Spread … related

13 MITREs 6 Malwares 6 Observables 1 APT
Fake Zoom Ends in BlackSuit Ransomware related

32 MITREs 6 Malwares
Fake Cloudflare Verification Results in LummaStealer Trojan Infections related

10 MITREs 2 Malwares 4 Observables
VHDs Used to Distribute VenomRAT and Other Malware related

11 MITREs 1 Malware
Unmasking GrassCall Campaign: The Hackers Behind Job Recruitment … related

11 MITREs 3 Malwares 1 APT
Unmasking GrassCall Campaign: The APT Behind Job Recruitment … related

11 MITREs 3 Malwares 14 Observables 1 APT

← Previous

Page / 3

13–24 of 36

Vulnerabilities (CVE) (7)

CVE-2023-27350 KEV targets

9.8 Critical

PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context …

Attack vector: Network
Published: 21/04/2023
Modified: 21/12/2025

CVE-2025-20265 targets

10.0 Critical

A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to …

Attack vector: Network
Published: 14/08/2025
Modified: 27/05/2026

Awaiting Analysis

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2026-0628 targets

8.8 High

Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a …

Attack vector: NETWORK
Published: 07/01/2026
Modified: 09/03/2026

Undergoing Analysis

CVE-2018-20250 KEV targets

WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution

Published: 15/02/2022
Modified: 02/06/2026

CVE-2025-7775 KEV targets

9.2 Critical

Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured …

Attack vector: Network
Published: 26/08/2025
Modified: 27/05/2026

Analyzed

CVE-2024-7593 KEV targets

9.8 Critical

Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass …

Attack vector: Network
Complexity: LOW
Published: 13/08/2024
Modified: 06/06/2026

CWE-287 Received

Attack patterns (MITRE) (1)

T1102 subtechnique-of

Web Service MITRE

Campaign (2)

C0017 uses
3CX Supply Chain Attack uses

Course Of Action (1)

Restrict Web-Based Content mitigates

Contact About Legal notice Privacy policy Terms of use