T1204.001: T1204.001
Essential information
- MITRE technique ID: T1204.001
- Confidence: 100/100
- Revoked: No
- Published: 11/03/2020 15:43
- Modified: 27/03/2026 01:12
- Author / Source: The MITRE Corporation
Aliases
Malicious Link
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | execution |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (62)
- The MITRE Corporation · Confidence 100
  [Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name…
  First seen 01/01/1970 · Last seen 16/11/5138
- GoPix · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
Malware (74)
- Gophish · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- NotDoor · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- AppleJeus · uses · Family · The MITRE Corporation · Confidence 100
  [AppleJeus](https://attack.mitre.org/software/S0584) is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. [AppleJeus](https://attack.mitre.org/software/S0584) has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032), targeting companies in the energy, finance,…
  First seen 01/01/1970 · Last seen 16/11/5138
- DESFY · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- HarborWatch Agent · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Twizt · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- SUBTLE-PAWS · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- BlotchyQuasar · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Hancitor · uses · Family · The MITRE Corporation · Confidence 100
  [Hancitor](https://attack.mitre.org/software/S0499) is a downloader that has been used by [Pony](https://attack.mitre.org/software/S0453) and other information stealing malware. (Citation: Threatpost Hancitor) (Citation: FireEye Hancitor)
  First seen 01/01/1970 · Last seen 16/11/5138
- Emotet · uses · Family · The MITRE Corporation · Confidence 100
  [Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014,…
  First seen 01/01/1970 · Last seen 16/11/5138
- Saint Bot · uses · Family · The MITRE Corporation · Confidence 100
  [Saint Bot](https://attack.mitre.org/software/S1018) is a .NET downloader that has been used by [Saint Bear](https://attack.mitre.org/groups/G1031) since at least March 2021. (Citation: Malwarebytes Saint Bot April 2021) (Citation: Palo Alto Unit 42 OutSteel…
  First seen 01/01/1970 · Last seen 16/11/5138
- ShadowPad - S0596 · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
Reports (50)
- 3 MITREs 24 Observables
- 20 MITREs 4 Malwares 7 Observables 1 APT
- 19 MITREs 2 Malwares
- 1 MITRE 2 Malwares 6 Observables
- 20 MITREs 2 Malwares 12 Observables 1 APT
- AlienVault · Confidence 100 · 8 MITREs 3 IOCs 3 Observables
- 15 MITREs 6 Malwares 84 Observables 1 APT
- 19 MITREs 18 Observables
- 14 MITREs 2 Malwares 12 Observables
- 6 CVEs 19 MITREs 3 Malwares 4 Observables
- 12 MITREs 1 Malware 28 Observables 1 APT
- 7 MITREs 1 Malware 160 Observables
Vulnerabilities (CVE) (44)
A memory corruption issue was addressed with improved memory handling. This issue is fixed in watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, …
- Attack vector: LOCAL
- Complexity: LOW
- Published: 12/12/2025
- Modified: 04/04/2026

OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without …
- Attack vector: Network
- Published: 02/02/2026
- Modified: 19/02/2026

A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS …
- Attack vector: NETWORK
- Complexity: LOW
- Published: 15/12/2025
- Modified: 04/04/2026

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …
- Attack vector: Network
- Published: 10/01/2024
- Modified: 27/05/2026

Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via …
- Attack vector: Network
- Published: 20/05/2024
- Modified: 29/05/2026

Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over …
- Attack vector: Network
- Published: 17/04/2025
- Modified: 27/05/2026

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.
- Attack vector: Local
- Complexity: Low
- Published: 15/11/2017
- Modified: 29/05/2026

Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a …
- Attack vector: Network
- Published: 12/11/2024
- Modified: 27/05/2026

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …
- Attack vector: Network
- Published: 12/08/2025
- Modified: 27/05/2026

Google Chromium contains an out of bounds memory access vulnerability in ANGLE that could allow a remote attacker to perform out of …
- Attack vector: Network
- Published: 12/12/2025
- Modified: 18/03/2026

A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …
- Attack vector: NETWORK
- Published: 13/04/2024
- Modified: 21/12/2025

Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a …
- Attack vector: NETWORK
- Published: 08/01/2021
- Modified: 27/01/2026

Campaign (1)
- Water Curupira Pikabot Distribution · uses
Course Of Action (1)
- Network Intrusion Prevention · mitigates