216.73.217.22

T1533: Data from Local System

View on MITRE ATT&CK The MITRE Corporation · Published 17/12/2025 22:48 · Modified 27/03/2026 01:41

Essential information

MITRE technique ID
T1533
Confidence
100/100
Revoked
No
Published
17/12/2025 22:48
Modified
27/03/2026 01:41
Author / Source
The MITRE Corporation

Aliases

T1533

Platforms

android iOS

Description

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. Access to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions.

Kill chain phases

Kill chainPhase
mitre-mobile-attack collection

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (7)

  • Windshift uses Bahamut
    The MITRE Corporation Confidence 100

    [Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • Kamran uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 01:34 · Modified 21/12/2025 01:34
  • Bitter uses T-APT-17
    The MITRE Corporation Confidence 100

    [BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 09/04/2026 20:05
  • Patchwork uses Hangover GroupChinastrats
    The MITRE Corporation Confidence 100

    [Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Sandworm uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 23:15 · Modified 20/12/2025 23:15
  • Virtual Invaders uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 03:41 · Modified 21/12/2025 03:41
  • Ke3chang uses APT15Mirage
    The MITRE Corporation Confidence 100

    [Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13

Malware (25 / 70)

  • Escobar
  • Uyghur Telegram uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 01:20 · Modified 21/12/2025 01:20
  • Anubis uses
    Family
    Published 27/01/2025 14:18 · Modified 27/01/2025 14:18
  • Tangelo
  • VajraSpy
  • TangleBot uses
    Family
    Published 26/06/2024 08:23 · Modified 26/06/2024 08:23
  • AbstractEmu
  • GREF
  • Bahamut
  • HenBox
  • SpyNote RAT
  • FrozenCell
  • SpyC23
  • Via Phishing
  • Tiktok Pro
  • INSOMNIA
  • RCSAndroid
  • ViperRAT
  • GolfSpy
  • WolfRAT
  • BOULDSPY
  • Bahamut Android
  • AhRat
  • SpaceCobra
  • Monokle uses
    Family
    Published 05/12/2024 17:33 · Modified 05/12/2024 17:33

Reports (1)

Campaign (2)

  • Operation Dust Storm uses
  • Operation Triangulation uses

Tool (1)

  • FlexiSpy uses
    The MITRE Corporation Confidence 100

    [FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy) [FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control …

    Published 04/09/2019 17:38 · Modified 27/03/2026 01:41