T1102.003: T1102.003

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1102.003
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

One-Way Communication

Platforms

windows macos linux ESXi

Description

Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

mitre-attack (T1102.003)
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (28)

Storm-1747 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 19:19 · Modified 21/12/2025 19:19
FreeDrain uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 13:25 · Modified 21/12/2025 13:25
Storm-1575 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 08:11 · Modified 21/12/2025 08:11
TeamPCP uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 20/03/2026 22:18 · Modified 20/03/2026 22:18
Smilodon uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 07:46 · Modified 21/12/2025 07:46
APT33 uses HOLMIUMElfin

The MITRE Corporation Confidence 100

[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
Magecart uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 00:17 · Modified 21/12/2025 00:17
APT41 uses Wicked PandaBrass Typhoon

The MITRE Corporation Confidence 100

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
Chinese-Speaking Group uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 12:22 · Modified 21/12/2025 12:22
UNC5342 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 17:35 · Modified 21/12/2025 17:35
GlassWorm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 18:54 · Modified 21/12/2025 18:54
BADBOX uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 09:16 · Modified 21/12/2025 09:16
UAC-0057 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 15:45 · Modified 21/12/2025 15:45
CL-UNK-1037 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 17:43 · Modified 21/12/2025 17:43
GLOBAL GROUP uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 15:37 · Modified 21/12/2025 15:37
SHADOW-VOID-044 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 27/01/2026 08:33 · Modified 27/01/2026 08:33
Ghostwriter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 09:32 · Modified 21/12/2025 09:32
TA2723 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 20:39 · Modified 21/12/2025 20:39
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
IPIDEA uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 29/01/2026 08:34 · Modified 29/01/2026 08:34
BlueDelta uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 05:08 · Modified 21/12/2025 05:08
koneko uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 18:54 · Modified 21/12/2025 18:54
Coquettte uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 12:41 · Modified 21/12/2025 12:41
Leviathan uses MUDCARPKryptonite Panda

The MITRE Corporation Confidence 100

[Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation: …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
MimiStick uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 07:27 · Modified 21/12/2025 07:27
Wang Duo Yu uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 13:28 · Modified 21/12/2025 13:28
Gamaredon Group uses IRON TILDENPrimitive Bear

The MITRE Corporation Confidence 100

[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
Astaroth uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 02:52 · Modified 21/12/2025 02:52

Malware (77)

Dadsec uses

Family

Published 29/05/2025 16:10 · Modified 29/05/2025 16:10
Vidar uses

Family

Published 16/06/2026 09:50 · Modified 16/06/2026 09:50
ClickFix uses

Family

Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
Salty2FA uses

Family

Published 02/12/2025 21:13 · Modified 02/12/2025 21:13
BadIIS uses

Family

Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
AsyncRAT uses

Family

Published 11/06/2026 16:31 · Modified 11/06/2026 16:31
HeadLace uses

Family

Published 05/08/2024 08:30 · Modified 05/08/2024 08:30
BADBOX uses

Family

Published 17/02/2026 12:39 · Modified 17/02/2026 12:39
MetaStealer uses

Family

Published 30/08/2025 09:10 · Modified 30/08/2025 09:10
CryptBot uses

Family

Published 04/04/2025 07:07 · Modified 04/04/2025 07:07
Rust backdoor uses

Family

Published 11/03/2026 15:24 · Modified 11/03/2026 15:24
NetBird uses

Family

Published 21/08/2025 07:35 · Modified 21/08/2025 07:35
ThunderShell uses

Family

Published 03/04/2025 17:18 · Modified 03/04/2025 17:18
BeaverTail uses

Family

Published 21/04/2026 12:09 · Modified 21/04/2026 12:09
JADESNOW uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 20:00 · Modified 21/12/2025 17:35
DarkNimbus uses

Family

Published 05/02/2026 20:16 · Modified 05/02/2026 20:16
Nymeria uses

Family

Published 05/02/2025 20:51 · Modified 05/02/2025 20:51
Amadey - S1025 uses

Family

Published 29/09/2025 08:06 · Modified 29/09/2025 08:06
r.blob skimmer uses

Family

Published 07/11/2024 22:48 · Modified 07/11/2024 22:48
AteraAgent uses

Family

Published 21/08/2025 07:35 · Modified 21/08/2025 07:35
Kimwolf uses

Family

Published 29/01/2026 03:42 · Modified 29/01/2026 03:42
EVILNUM
Tycoon2FA uses

Family

Published 04/03/2026 19:42 · Modified 04/03/2026 19:42
Rescoms uses

Family

Published 25/05/2025 17:47 · Modified 25/05/2025 17:47
GlassWorm uses

Family

Published 26/03/2026 20:45 · Modified 26/03/2026 20:45
Rhadamanthys uses

Family

Published 29/04/2026 02:24 · Modified 29/04/2026 02:24
BIOPASS RAT uses

Family

Published 26/01/2026 20:30 · Modified 26/01/2026 20:30
Cobalt Strike - S0154 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 27/05/2026 21:40
Sagerunex uses

Family

Published 04/04/2025 19:54 · Modified 04/04/2025 19:54
NetSupport RAT uses

Family

Published 22/05/2026 13:08 · Modified 22/05/2026 13:08
VenomRAT uses

Family

Published 03/06/2026 13:18 · Modified 03/06/2026 13:18
jquery hex skimmer uses

Family

Published 07/11/2024 22:48 · Modified 07/11/2024 22:48
Casbaneiro uses

Family

Published 19/05/2026 22:26 · Modified 19/05/2026 22:26
zgRAT uses

Family

Published 21/08/2025 00:37 · Modified 21/08/2025 00:37
XWorm uses

Family

Published 27/03/2026 08:45 · Modified 27/03/2026 08:45
InvisibleFerret uses

Family

Published 21/04/2026 12:09 · Modified 21/04/2026 12:09
Tsundere uses

Family

Published 04/03/2026 19:42 · Modified 04/03/2026 19:42
IcedID - S0483 uses

Family

Published 25/09/2025 09:21 · Modified 25/09/2025 09:21
Coruna iOS iPhone Web Malware uses

Family

Published 16/03/2026 23:26 · Modified 16/03/2026 23:26
Tickler uses

Family

Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
Aisuru uses

Family

Published 29/01/2026 03:42 · Modified 29/01/2026 03:42
OnionDuke
TrustConnect RAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 19/02/2026 13:44 · Modified 19/02/2026 13:44
ToughProgress uses

Family

Published 10/06/2025 10:52 · Modified 10/06/2025 10:52
colortoolsv2 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 15:59 · Modified 21/12/2025 15:59
Quasar RAT uses

Family

Published 15/05/2026 15:23 · Modified 15/05/2026 15:23
DOGE Binary Loader uses

Family

Published 22/04/2025 16:40 · Modified 22/04/2025 16:40
HOLODONUT uses

Family

Published 26/01/2026 20:30 · Modified 26/01/2026 20:30
123 Stealer uses

Family

Published 21/01/2026 12:36 · Modified 21/01/2026 12:36
Tsundere Bot uses

Family

Published 28/01/2026 18:26 · Modified 28/01/2026 18:26
XFiles Stealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 30/01/2026 09:49 · Modified 30/01/2026 09:49
Lumma Stealer uses

Family

Published 08/06/2026 19:36 · Modified 08/06/2026 19:36
Rugmi uses

Family

Published 04/04/2025 19:54 · Modified 04/04/2025 19:54
TameCat uses

Family

Published 04/03/2026 19:42 · Modified 04/03/2026 19:42
HAMMERTOSS
Foudre uses

Family

Published 04/03/2026 19:42 · Modified 04/03/2026 19:42
UPSTYLE
DocConnect uses

Family

Published 19/02/2026 11:10 · Modified 19/02/2026 11:10
LUMASTEALER
GRAYRABBIT uses

Family

Published 26/01/2026 20:30 · Modified 26/01/2026 20:30
WizardNet uses

Family

Published 05/02/2026 20:16 · Modified 05/02/2026 20:16
RecordBreaker uses

Family

Published 25/05/2025 17:47 · Modified 25/05/2025 17:47
Emmenhtal Loader uses

Family

Published 30/01/2026 08:20 · Modified 30/01/2026 08:20
Guildma uses

Family

Published 19/05/2026 22:26 · Modified 19/05/2026 22:26
mimelib2 uses

Family

Published 04/09/2025 00:59 · Modified 04/09/2025 00:59
MKDOOR uses

Family

Published 26/01/2026 20:30 · Modified 26/01/2026 20:30
MageCart uses

Family

Published 13/02/2025 01:13 · Modified 13/02/2025 01:13
PLUSINJECT uses

Family

Published 10/06/2025 10:52 · Modified 10/06/2025 10:52
PLUSDROP uses

Family

Published 10/06/2025 10:52 · Modified 10/06/2025 10:52
Tonnerre uses

Family

Published 04/03/2026 19:42 · Modified 04/03/2026 19:42
Sliver uses

Family

Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
Penguish uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 07:17 · Modified 21/12/2025 13:21
FMAPP.exe uses

Family

Published 04/03/2026 19:42 · Modified 04/03/2026 19:42
BadBox2.0 uses

Family

Published 29/01/2026 03:42 · Modified 29/01/2026 03:42
WebSocket skimmer uses

Family

Published 07/11/2024 22:48 · Modified 07/11/2024 22:48
PeckBirdy uses

Family

Published 26/01/2026 20:30 · Modified 26/01/2026 20:30
Astaroth - S0373 uses

Family

Published 19/05/2026 22:26 · Modified 19/05/2026 22:26

Reports (32)

The Worm That Keeps on Digging: Latest Wave related

17 MITREs 1 Observable 1 APT

Published 19/05/2026 12:45 · Modified 21/05/2026 17:12
GlassWorm attack installs fake browser extension for surveillance related

18 MITREs 1 Malware 1 Observable 1 APT

Published 26/03/2026 20:45 · Modified 27/03/2026 00:11
IoCs (Indicators of Compromise) for the Coruna iOS … related

7 MITREs 1 Malware 160 Observables

Published 16/03/2026 23:26 · Modified 17/03/2026 01:44
Iran conflict drives heightened espionage activity against Middle … related

26 MITREs 2 Malwares 19 Observables

Published 11/03/2026 15:24 · Modified 16/03/2026 09:51
Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters … related

19 MITREs 6 Malwares 5 Observables 1 APT

Published 04/03/2026 19:42 · Modified 05/03/2026 09:48
A Versatile Script Framework for LOLBins Exploitation Used … related

1 CVE 19 MITREs 7 Malwares 21 Observables 1 APT

Published 26/01/2026 20:30 · Modified 27/01/2026 07:34
New Magecart Network Uncovered: Disrupting Online Shoppers Worldwide related

10 MITREs 2 Observables 1 APT

Published 13/01/2026 19:36 · Modified 14/01/2026 11:12
Access granted: phishing with device code authorization for … related

11 MITREs 8 Observables 1 APT

Published 18/12/2025 13:28 · Modified 21/12/2025 19:39
Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 … related

12 MITREs 1 Observable

Published 10/12/2025 18:35 · Modified 21/12/2025 18:57
Salty2FA & Tycoon2FA: Hybrid Phishing Threat related

10 MITREs 2 Malwares 1 APT

Published 02/12/2025 21:13 · Modified 21/12/2025 18:19
The Tsundere botnet uses the Ethereum blockchain to … related

20 MITREs 2 Malwares 21 Observables 1 APT

Published 20/11/2025 22:12 · Modified 21/11/2025 09:36
Pressure on Ukraine and Poland Continues related

14 MITREs 1 Malware 1 APT

Published 20/08/2025 17:38 · Modified 20/08/2025 21:20
Brand impersonation, online ads, and malicious merchants help … related

8 MITREs 71 Observables

Published 20/05/2025 21:16 · Modified 21/05/2025 22:05
Unmasking the FreeDrain Network related

14 MITREs 1 APT

Published 08/05/2025 21:45 · Modified 09/05/2025 17:25
Where to Find Aspiring Hackers related

11 MITREs 7 Malwares 1 APT

Published 04/04/2025 19:54 · Modified 07/04/2025 08:04
Proactive ClickFix Threat Hunting with Hunt.io related

19 MITREs 2 Malwares

Published 04/04/2025 07:07 · Modified 04/04/2025 17:02
Thunderstruck! Malicious ads for RVTools lead to ThunderShell … related

10 MITREs 2 Malwares

Published 03/04/2025 17:18 · Modified 03/04/2025 19:04
Snow White — Beware the Bad Apple in … related

8 MITREs

Published 27/03/2025 11:03 · Modified 27/03/2025 14:21
Highway Robbery 2.0: How Attackers Are Exploiting Toll … related

9 MITREs

Published 10/03/2025 13:04 · Modified 12/03/2025 07:54
Phishing Campaigns Targeting Higher Education Institutions related

20 MITREs 4 Observables

Published 24/02/2025 15:43 · Modified 24/02/2025 16:52
Chinese-Speaking Group Manipulates SEO with BadIIS related

9 MITREs 1 Malware 137 Observables 1 APT

Published 17/02/2025 11:17 · Modified 17/02/2025 11:29
Magento Credit Card Stealer Disguised in an <img> … related

10 MITREs 1 Malware

Published 13/02/2025 01:13 · Modified 13/02/2025 10:12
Scalable Vector Graphics files pose a novel phishing … related

13 MITREs 1 Malware

Published 05/02/2025 20:51 · Modified 06/02/2025 01:29
Unpacking the BADBOX Botnet related

8 MITREs 1 Malware 19 Observables 1 APT

Published 05/02/2025 00:14 · Modified 05/02/2025 11:17
Security Brief: Threat Actors Take Taxes Into Account related

12 MITREs 6 Malwares

Published 28/01/2025 17:19 · Modified 29/01/2025 17:32
Tracking Adversaries: Ghostwriter APT Infrastructure related

1 CVE 7 MITREs 1 Malware 25 Observables 1 APT

Published 24/01/2025 13:30 · Modified 24/01/2025 14:24
Malware Steals Account Credentials related

6 MITREs

Published 09/11/2024 01:13 · Modified 11/11/2024 09:55
2024 Credit Card Theft Season Arrives related

10 MITREs 4 Malwares 1 APT

Published 07/11/2024 22:48 · Modified 08/11/2024 10:22
Triad Nexus: FUNNULL CDN hosting DGA domains for … related

9 MITREs 70 Observables

Published 23/10/2024 13:19 · Modified 23/10/2024 13:51
MimiStick — imitators of Sticky Werewolf related

10 MITREs 2 Malwares 14 Observables 1 APT

Published 27/09/2024 17:05 · Modified 27/09/2024 17:12
Peach Sandstorm deploys new custom Tickler malware in … related

11 MITREs 1 Malware 9 Observables 1 APT

Published 30/08/2024 17:46 · Modified 30/08/2024 18:08
GRU’s BlueDelta Targets Key Networks in Europe with … related

18 MITREs 1 Malware 30 Observables 1 APT

Published 31/05/2024 14:17 · Modified 31/05/2024 14:34

Vulnerabilities (CVE) (7)

CVE-2025-8088 KEV

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2024-42009 KEV

9.3 Critical

RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim …

Attack vector: Network
Published: 09/06/2025
Modified: 21/12/2025

Received

CVE-2020-16040

6.5 Medium

Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a …

Attack vector: NETWORK
Published: 08/01/2021
Modified: 27/01/2026

CVE-2024-4577 KEV

9.8 Critical

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …

Attack vector: Network
Published: 12/06/2024
Modified: 21/12/2025

Received

CVE-2023-40680

targets

CVE-2025-55182 KEV

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2022-30190 KEV

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …

Published: 14/06/2022
Modified: 27/05/2026

Attack patterns (MITRE) (1)

T1102 subtechnique-of

Web Service

Campaign (1)

ArcaneDoor uses

Course Of Action (2)

Restrict Web-Based Content mitigates
Network Intrusion Prevention mitigates

Contact About Legal notice Privacy policy Terms of use