T1102.002: T1102.002

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 14/03/2020 23:34 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1102.002
Confidence: 100/100
Revoked: No
Published: 14/03/2020 23:34
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Bidirectional Communication

Platforms

windows macos linux ESXi

Description

Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

mitre-attack (T1102.002)
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (59)

CozyDuke related IRON RITUALIRON HEMLOCK

The MITRE Corporation Confidence 100

[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CyberAv3ngers related Soldiers of Soloman

The MITRE Corporation Confidence 100

The [CyberAv3ngers](https://attack.mitre.org/groups/G1027) are a suspected Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated APT group. The [CyberAv3ngers](https://attack.mitre.org/groups/G1027) have been known to be active since at least 2020, with disputed…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK (North Korea) related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK-aligned related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Desert Dexter related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Baxia related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Estries related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FAMOUS CHOLLIMA related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 related GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FreeDrain related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Funnull related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gamaredon related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

37–48 of 59

Nymeria uses

Family
Bluetrait uses

Family
BAT.DownLoader.1138 uses

Family
Quasar uses

Family
NetSupport RAT uses

Family
BADNEWS uses
softwareupdate.app uses

Family
BoxCaon uses
EfsPotato uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DOGCALL uses

Family The MITRE Corporation Confidence 100

[DOGCALL](https://attack.mitre.org/software/S0213) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MoonPeak uses

Family
GhostLoader uses

Family

← Previous

Page / 7

1–12 of 81

KimJongRAT Continues to Evolve by Leveraging LOTS related

AlienVault Confidence 100 20 MITREs 2 Malwares 11 IOCs 7 Observables 1 APT
PHISH ALERT: Press Play for Compromise — Voicemail … related

20 MITREs 19 Observables
Agentic AI Uncovers New China-Linked Cluster OP-512 related

AlienVault Confidence 100 19 MITREs 11 Malwares 7 IOCs 7 Observables 1 APT
VerdantBamboo: Just Another BRICKSTORM in the Firewall related

19 MITREs 3 Malwares 32 Observables 1 APT
From Token Bingo to MAX Takeover: Kali365 Operator … related

AlienVault Confidence 100 20 MITREs 1 Malware 7 IOCs 7 Observables
FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps … related

2 CVEs 19 MITREs 6 Malwares 4 Observables 1 APT
Nimbus RAT: How Threat Actors Are Abusing Microsoft … related

30 MITREs 1 Malware 3 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
The Worm That Keeps on Digging: Latest Wave related

17 MITREs 1 Observable 1 APT
OceanLotus suspected of distributing ZiChatBot malware via wheel … related

AlienVault Confidence 100 16 MITREs 1 Malware 10 IOCs 10 Observables 1 APT
Harvester: APT Group Expands Toolset With New GoGra … related

AlienVault Confidence 100 15 MITREs 2 Malwares 5 IOCs 5 Observables 1 APT
Hold the Phone! International Revenue Share Fraud Driven … related

AlienVault Confidence 100 20 MITREs 23 IOCs 23 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (44)

CVE-2025-20337 KEV targets

10.0 Critical

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code …

Attack vector: Network
Published: 28/07/2025
Modified: 21/12/2025

Analyzed

CVE-2025-27920 KEV targets

7.2 High

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, …

Attack vector: Network
Published: 19/05/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-67779 targets

7.5 High

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service …

Attack vector: NETWORK
Published: 12/12/2025
Modified: 21/12/2025

Modified

CVE-2021-41773 KEV targets

9.8 Critical

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …

Attack vector: Network
Published: 03/11/2021
Modified: 18/02/2026

CVE-2025-66478 targets

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published: 20/12/2025
Modified: 21/12/2025

Rejected

CVE-2025-59287 KEV targets

9.8 Critical

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 24/10/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2023-34960 targets

9.8 Critical

A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a …

Attack vector: NETWORK
Published: 01/08/2023
Modified: 21/12/2025

CVE-2024-42009 KEV targets

9.3 Critical

RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim …

Attack vector: Network
Published: 09/06/2025
Modified: 21/12/2025

Received

CVE-2023-20118 KEV targets

6.5 Medium

Multiple Cisco Small Business RV Series Routers contains a command injection vulnerability in the web-based management interface. Successful exploitation could allow an …

Attack vector: Network
Published: 03/03/2025
Modified: 21/12/2025

CVE-2015-1548 targets

5.0 Medium

mini_httpd 1.21 and earlier allows remote attackers to obtain sensitive information from process memory via an HTTP request with a long protocol …

Published: 10/02/2015
Modified: 07/05/2026

CWE-119

CVE-2025-55183 targets

5.3 Medium

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including …

Attack vector: NETWORK
Published: 11/12/2025
Modified: 21/12/2025

Analyzed

← Previous

Page / 4

1–12 of 44

T1102 subtechnique-of

Web Service MITRE

Contact About Legal notice Privacy policy Terms of use