T1132.002: T1132.002
Essential information
- MITRE technique ID
- T1132.002
- Confidence
- 100/100
- Revoked
- No
- Published
- 16/12/2025 19:38
- Modified
- 30/03/2026 12:12
- Author / Source
- The MITRE Corporation
Aliases
Non-Standard Encoding
Platforms
windows macos linux ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | command-and-control |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (12)
- Winnti · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 20/12/2025 22:07 · Modified 20/12/2025 22:07
- The MITRE Corporation · Confidence 100
  [APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
- GhostSocks · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 18:01 · Modified 21/12/2025 18:01
- The MITRE Corporation · Confidence 100
  [ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 29/03/2026 07:37
- TeamPCP · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 20/03/2026 22:18 · Modified 20/03/2026 22:18
- The MITRE Corporation · Confidence 100
  [Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
- Grandoreiro · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 03:03 · Modified 21/12/2025 03:03
- The MITRE Corporation · Confidence 100
  [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
- Silent Werewolf · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 13:54 · Modified 21/12/2025 13:54
- Banana Squad · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 14:19 · Modified 21/12/2025 14:19
- RastaFarEye · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 05:13 · Modified 21/12/2025 05:13
- OP-512 · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 08/06/2026 10:23 · Modified 08/06/2026 10:23
Malware (48)
- Mélofée
- BadPotato · uses · Family · Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
- SweetPotato · uses · Family · Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
- BadIIS · uses · Family · Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
- PlugX - S0013 · uses · Family · Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
- AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 20/12/2025 19:39 · Modified 27/05/2026 21:40
- Neo-reGeorg · uses · Family · Published 12/05/2026 08:51 · Modified 12/05/2026 08:51
- Winnti
- AlienReverse
- ThiefQuest
- HelloBot
- SANDWORM_MODE · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 23/02/2026 11:19 · Modified 23/02/2026 11:19
- Lizar
- RDAT · uses · Family · The MITRE Corporation · Confidence 100
  [RDAT](https://attack.mitre.org/software/S0495) is a backdoor used by the suspected Iranian threat group [OilRig](https://attack.mitre.org/groups/G0049). [RDAT](https://attack.mitre.org/software/S0495) was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:36 · Modified 27/03/2026 01:03
- SparkCat · uses · Family · Published 23/06/2025 09:21 · Modified 23/06/2025 09:21
- NightClub · uses · Family · The MITRE Corporation · Confidence 100
  [NightClub](https://attack.mitre.org/software/S1090) is a modular implant written in C++ that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2014.(Citation: MoustachedBouncer ESET August 2023)
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 27/09/2023 21:32 · Modified 27/03/2026 01:05
- YaRAT
- Mekotio · uses · Family · Published 19/05/2026 22:26 · Modified 19/05/2026 22:26
- Bankshot
- httpTroy · uses · Family · Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
- Small Sieve
- Grandoreiro - S0531 · uses · Family · Published 19/05/2026 22:26 · Modified 19/05/2026 22:26
- FileCoder
- CHIMNEYSWEEP
- GhostSocks · uses · Family · Published 08/06/2026 19:36 · Modified 08/06/2026 19:36
- DarkGate · uses · Family · Published 21/08/2025 21:03 · Modified 21/08/2025 21:03
- Korplug · uses · The MITRE Corporation · Confidence 100
  [PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation: …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 31/05/2017 23:32 · Modified 08/06/2026 10:23
- InvisiMole
- Meterpreter · uses · Family · Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
- PowGoop
- XDigo · uses · Family · Published 26/06/2025 21:26 · Modified 26/06/2025 21:26
- ToneShell · uses · Family · Published 17/04/2026 18:56 · Modified 17/04/2026 18:56
- Lumma Stealer · uses · Family · Published 08/06/2026 19:36 · Modified 08/06/2026 19:36
- PureHVNC · uses · Family · Published 31/10/2025 09:32 · Modified 31/10/2025 09:32
- MacRansom
- POISONPLUG.SHADOW · uses · Family · Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
- Ninja
- EfsPotato · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 08/06/2026 10:23 · Modified 08/06/2026 10:23
- Vadokrist
- KeRanger
- Gamshen · uses · Family · Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
- OceanSalt
- Cyclops Blink
- Uroburos
- BACKSPACE
- Rungan · uses · Family · Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
- GhostKit · uses · Family · Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
- Pikabot · uses · Family · Published 21/10/2024 10:59 · Modified 21/10/2024 10:59
Reports (6)
- AlienVault · Confidence 100 · 19 MITREs 11 Malwares 7 IOCs 7 Observables 1 APT · Published 05/06/2026 20:07 · Modified 08/06/2026 08:23 · threat-report
- 13 MITREs 3 Observables 1 APT · Published 28/03/2026 07:39 · Modified 30/03/2026 10:12
- 12 MITREs 1 Malware 2 Observables · Published 23/02/2026 10:04 · Modified 23/02/2026 10:19
- 14 MITREs 1 Malware 9 Observables · Published 06/02/2025 17:06 · Modified 06/02/2025 22:54
- 19 MITREs 5 Observables 1 APT · Published 27/09/2024 17:23 · Modified 27/09/2024 17:47
- DarkGate again but... Improved? · related · 37 MITREs 2 Malwares 200 Observables 1 APT · Published 06/06/2024 08:16 · Modified 06/06/2024 09:06
Attack patterns (MITRE) (1)
- T1132 · subtechnique-of · Data Encoding
Course Of Action (1)
- Network Intrusion Prevention mitigates