T1204.001: T1204.001

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1204.001
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Malicious Link

Platforms

windows macos linux

Description

An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).

Kill chain phases

Kill chain	Phase
mitre-attack	execution

Marking (TLP)

External references

mitre-attack (T1204.001)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (72)

Lazarus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-0408 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT37 uses InkySquidGroup123

The MITRE Corporation Confidence 100

[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA4903 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cobalt Group uses GOLD KINGSWOODCobalt Gang

The MITRE Corporation Confidence 100

[Cobalt Group](https://attack.mitre.org/groups/G0080) is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-61 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Darkhotel uses DUBNIUMZigzag Hail

The MITRE Corporation Confidence 100

[Darkhotel](https://attack.mitre.org/groups/G0012) is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FlyingYeti uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA2541 uses

The MITRE Corporation Confidence 100

[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA577 uses

The MITRE Corporation Confidence 100

[TA577](https://attack.mitre.org/groups/G1037) is an initial access broker (IAB) that has distributed [QakBot](https://attack.mitre.org/software/S0650) and [Pikabot](https://attack.mitre.org/software/S1145), and was among the first observed groups distributing [Latrodectus](https://attack.mitre.org/software/S1160) in 2023.(Citation: Latrodectus APR 2024)

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-3075 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FreeDrain uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 72

Gophish uses

Family
NotDoor uses

Family
AppleJeus uses
DESFY uses

Family
HarborWatch Agent uses

Family
Twizt uses

Family
SUBTLE-PAWS uses
BlotchyQuasar uses

Family
Hancitor uses
Emotet uses
Saint Bot uses
ShadowPad - S0596 uses

Family

← Previous

Page / 10

1–12 of 112

PHISH ALERT: From a Simple Phishing Email to … related

AlienVault Confidence 100 20 MITREs 6 IOCs 3 Observables
Okendo Reviews Supply Chain Attack related

AlienVault Confidence 100 18 MITREs 5 Malwares 3 IOCs 3 Observables 1 APT
Twitter Feed - nextronresearch - 17-06-2026 related

AlienVault Confidence 100 14 MITREs 1 Malware 4 IOCs 1 APT
World Cup 2026 Mobile Targeted Phishing: The Global … related

AlienVault Confidence 100 28 MITREs 5 IOCs 5 Observables
How Lookalike Domains Exploit Human Judgment related

AlienVault Confidence 100 20 MITREs 13 IOCs 13 Observables
PHISH ALERT: Press Play for Compromise — Voicemail … related

20 MITREs 19 Observables
From Fake Amazon Security Alert to HarborWatch Agent: … related

20 MITREs 1 Malware 6 Observables
AI brands as bait: How threat actors are … related

20 MITREs 5 Malwares 9 Observables 1 APT
Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets … related

20 MITREs 4 Malwares 18 Observables 1 APT
ClickFix Is Now Hiring: From Job Platform Impersonation … related

AlienVault Confidence 100 18 MITREs 1 Malware 58 IOCs 58 Observables
TA4922: The Suspected Chinese Crime Group is Going … related

AlienVault Confidence 100 23 MITREs 8 Malwares 23 IOCs 23 Observables 1 APT
From Token Bingo to MAX Takeover: Kali365 Operator … related

AlienVault Confidence 100 20 MITREs 1 Malware 7 IOCs 7 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (44)

CVE-2025-43520 targets

7.1 High

A memory corruption issue was addressed with improved memory handling. This issue is fixed in watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, …

Published: 12/12/2025
Modified: 16/12/2025

Analyzed

CVE-2026-25253 targets

8.8 High

OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without …

Published: 01/02/2026
Modified: 02/02/2026

Received

CVE-2025-43529 targets

8.8 High

A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS …

Published: 17/12/2025
Modified: 18/12/2025

Analyzed

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2024-4947 KEV targets

9.6 Critical

Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via …

Attack vector: Network
Published: 20/05/2024
Modified: 29/05/2026

Received

CVE-2025-24054 KEV targets

6.5 Medium

Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over …

Attack vector: Network
Published: 17/04/2025
Modified: 27/05/2026

Awaiting Analysis

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2024-43451 KEV targets

6.5 Medium

Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a …

Attack vector: Network
Published: 12/11/2024
Modified: 27/05/2026

Analyzed

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2025-14174 targets

8.8 High

Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out …

Published: 12/12/2025
Modified: 15/12/2025

Analyzed

CVE-2024-3721 targets

6.3 Medium

A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …

Attack vector: NETWORK
Published: 13/04/2024
Modified: 21/12/2025

CVE-2020-16040 targets

6.5 Medium

Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a …

Attack vector: NETWORK
Published: 08/01/2021
Modified: 27/01/2026

← Previous

Page / 4

1–12 of 44

T1204 subtechnique-of

User Execution MITRE

Campaign (2)

Water Curupira Pikabot Distribution uses
Operation Dream Job uses

Course Of Action (1)

Network Intrusion Prevention mitigates

Contact About Legal notice Privacy policy Terms of use