T1204.001: T1204.001

Search IOCs, vulnerabilities, APT…

216.73.217.98

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 11/03/2020 15:43 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1204.001
Confidence: 100/100
Revoked: No
Published: 11/03/2020 15:43
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Malicious Link

Platforms

windows macos linux

Description

An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).

Kill chain phases

Kill chain	Phase
mitre-attack	execution

Marking (TLP)

External references

mitre-attack (T1204.001)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (62)

Magic Hound uses COBALT ILLUSIONITG18

The MITRE Corporation Confidence 100

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
GreenSpot uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LazyScripter uses

The MITRE Corporation Confidence 100

[LazyScripter](https://attack.mitre.org/groups/G0140) is threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.(Citation: MalwareBytes LazyScripter Feb 2021)

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackBasta uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sidewinder uses T-APT-04Rattlesnake

The MITRE Corporation Confidence 100

[Sidewinder](https://attack.mitre.org/groups/G0121) is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SideCopy uses

The MITRE Corporation Confidence 100

[SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CozyDuke uses IRON RITUALIRON HEMLOCK

The MITRE Corporation Confidence 100

[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FAMOUS CHOLLIMA uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-1575 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FakeBat uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN8 uses Syssphinx

The MITRE Corporation Confidence 100

[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT39 uses ITG07Chafer

The MITRE Corporation Confidence 100

[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

13–24 of 62

PeckBirdy uses

Family
TSCookie uses
PowerNet uses

Family
Dridex - S0384 uses

Family
Tropidoor uses

Family
GammaSteal uses

Family
DISGOMOJI uses

Family
Pony uses

Family The MITRE Corporation Confidence 100

[Pony](https://attack.mitre.org/software/S0453) is a credential stealing malware, though has also been used among adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 were leaked…

First seen 01/01/1970 · Last seen 16/11/5138 ·
HTTPSnoop uses

Family
Reverse RAT uses

Family
Atlas RAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ObliqueRAT uses

← Previous

Page / 7

25–36 of 74

"Ghost" Code Phishing Analysis related

AlienVault Confidence 100 20 MITREs 1 Malware
PHISH ALERT: From a Simple Phishing Email to … related

AlienVault Confidence 100 20 MITREs 6 IOCs 3 Observables
Okendo Reviews Supply Chain Attack related

AlienVault Confidence 100 18 MITREs 5 Malwares 3 IOCs 3 Observables 1 APT
Twitter Feed - nextronresearch - 17-06-2026 related

AlienVault Confidence 100 14 MITREs 1 Malware 4 IOCs 1 APT
World Cup 2026 Mobile Targeted Phishing: The Global … related

AlienVault Confidence 100 28 MITREs 5 IOCs 5 Observables
How Lookalike Domains Exploit Human Judgment related

AlienVault Confidence 100 20 MITREs 13 IOCs 13 Observables
PHISH ALERT: Press Play for Compromise — Voicemail … related

20 MITREs 19 Observables
From Fake Amazon Security Alert to HarborWatch Agent: … related

20 MITREs 1 Malware 6 Observables
AI brands as bait: How threat actors are … related

20 MITREs 5 Malwares 9 Observables 1 APT
Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets … related

20 MITREs 4 Malwares 18 Observables 1 APT
ClickFix Is Now Hiring: From Job Platform Impersonation … related

AlienVault Confidence 100 18 MITREs 1 Malware 58 IOCs 58 Observables
TA4922: The Suspected Chinese Crime Group is Going … related

AlienVault Confidence 100 23 MITREs 8 Malwares 23 IOCs 23 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (44)

CVE-2025-43520 targets

7.1 High

A memory corruption issue was addressed with improved memory handling. This issue is fixed in watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, …

Published: 12/12/2025
Modified: 16/12/2025

Analyzed

CVE-2026-25253 targets

8.8 High

OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without …

Published: 01/02/2026
Modified: 02/02/2026

Received

CVE-2025-43529 targets

8.8 High

A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS …

Published: 17/12/2025
Modified: 18/12/2025

Analyzed

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2024-4947 KEV targets

9.6 Critical

Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via …

Attack vector: Network
Published: 20/05/2024
Modified: 29/05/2026

Received

CVE-2025-24054 KEV targets

6.5 Medium

Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over …

Attack vector: Network
Published: 17/04/2025
Modified: 27/05/2026

Awaiting Analysis

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2024-43451 KEV targets

6.5 Medium

Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a …

Attack vector: Network
Published: 12/11/2024
Modified: 27/05/2026

Analyzed

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2025-14174 targets

8.8 High

Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out …

Published: 12/12/2025
Modified: 15/12/2025

Analyzed

CVE-2024-3721 targets

6.3 Medium

A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …

Attack vector: NETWORK
Published: 13/04/2024
Modified: 21/12/2025

CVE-2020-16040 targets

6.5 Medium

Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a …

Attack vector: NETWORK
Published: 08/01/2021
Modified: 27/01/2026

← Previous

Page / 4

1–12 of 44

T1204 subtechnique-of

User Execution MITRE

Campaign (1)

Water Curupira Pikabot Distribution uses

Course Of Action (1)

Network Intrusion Prevention mitigates

Contact About Legal notice Privacy policy Terms of use