T1102.002: T1102.002

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 14/03/2020 23:34 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1102.002
Confidence: 100/100
Revoked: No
Published: 14/03/2020 23:34
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Bidirectional Communication

Platforms

windows macos linux ESXi

Description

Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

mitre-attack (T1102.002)
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (59)

DPRK uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
AMOS uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT28 uses IRON TWILIGHTSNAKEMACKEREL

The MITRE Corporation Confidence 100

[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT32 uses SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA2723 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RolandSkimmer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-60 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT12 related IXESHEDynCalc

The MITRE Corporation Confidence 100

[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT31 related Violet TyphoonZIRCONIUM

The MITRE Corporation Confidence 100

[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT37 related InkySquidGroup123

The MITRE Corporation Confidence 100

[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT39 related ITG07Chafer

The MITRE Corporation Confidence 100

[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 59

Nymeria uses

Family
Bluetrait uses

Family
BAT.DownLoader.1138 uses

Family
Quasar uses

Family
NetSupport RAT uses

Family
BADNEWS uses
softwareupdate.app uses

Family
BoxCaon uses
EfsPotato uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DOGCALL uses
MoonPeak uses

Family
GhostLoader uses

Family

← Previous

Page / 7

1–12 of 81

KimJongRAT Continues to Evolve by Leveraging LOTS related

AlienVault Confidence 100 20 MITREs 2 Malwares 11 IOCs 7 Observables 1 APT
PHISH ALERT: Press Play for Compromise — Voicemail … related

20 MITREs 19 Observables
Agentic AI Uncovers New China-Linked Cluster OP-512 related

AlienVault Confidence 100 19 MITREs 11 Malwares 7 IOCs 7 Observables 1 APT
VerdantBamboo: Just Another BRICKSTORM in the Firewall related

19 MITREs 3 Malwares 32 Observables 1 APT
From Token Bingo to MAX Takeover: Kali365 Operator … related

AlienVault Confidence 100 20 MITREs 1 Malware 7 IOCs 7 Observables
FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps … related

2 CVEs 19 MITREs 6 Malwares 4 Observables 1 APT
Nimbus RAT: How Threat Actors Are Abusing Microsoft … related

30 MITREs 1 Malware 3 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
The Worm That Keeps on Digging: Latest Wave related

17 MITREs 1 Observable 1 APT
OceanLotus suspected of distributing ZiChatBot malware via wheel … related

AlienVault Confidence 100 16 MITREs 1 Malware 10 IOCs 10 Observables 1 APT
Harvester: APT Group Expands Toolset With New GoGra … related

AlienVault Confidence 100 15 MITREs 2 Malwares 5 IOCs 5 Observables 1 APT
Hold the Phone! International Revenue Share Fraud Driven … related

AlienVault Confidence 100 20 MITREs 23 IOCs 23 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (44)

CVE-2025-20337 KEV targets

10.0 Critical

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code …

Attack vector: Network
Published: 28/07/2025
Modified: 21/12/2025

Analyzed

CVE-2025-27920 KEV targets

7.2 High

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, …

Attack vector: Network
Published: 19/05/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-67779 targets

7.5 High

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service …

Published: 12/12/2025
Modified: 12/12/2025

Modified

CVE-2021-41773 KEV targets

9.8 Critical

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …

Attack vector: Network
Published: 03/11/2021
Modified: 18/02/2026

CVE-2025-66478 targets

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published: 20/12/2025
Modified: 21/12/2025

Rejected

CVE-2025-59287 KEV targets

9.8 Critical

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 24/10/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2023-34960 targets

9.8 Critical

A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a …

Attack vector: NETWORK
Published: 01/08/2023
Modified: 21/12/2025

CVE-2024-42009 KEV targets

9.3 Critical

RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim …

Attack vector: Network
Published: 09/06/2025
Modified: 21/12/2025

Received

CVE-2023-20118 KEV targets

6.5 Medium

Multiple Cisco Small Business RV Series Routers contains a command injection vulnerability in the web-based management interface. Successful exploitation could allow an …

Attack vector: Network
Published: 03/03/2025
Modified: 21/12/2025

CVE-2015-1548 targets

5.0 Medium

mini_httpd 1.21 and earlier allows remote attackers to obtain sensitive information from process memory via an HTTP request with a long protocol …

Published: 10/02/2015
Modified: 07/05/2026

CWE-119

CVE-2025-55183 targets

5.3 Medium

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including …

Attack vector: NETWORK
Published: 11/12/2025
Modified: 21/12/2025

Analyzed

← Previous

Page / 4

1–12 of 44

T1102 subtechnique-of

Web Service MITRE

Contact About Legal notice Privacy policy Terms of use