T1539: T1539
Essential information
- MITRE technique ID
T1539- Confidence
- 100/100
- Revoked
- No
- Published
- 08/10/2019 22:04
- Modified
- 27/03/2026 01:08
- Author / Source
- The MITRE Corporation
Aliases
Steal Web Session Cookie
Platforms
windows macos linux Office Suite SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | credential-access |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (52)
-
The MITRE Corporation Confidence 100
[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
DarkGate relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Earth Minotaur relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GHOST STADIUM relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Gamaredon relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GlassWorm relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GoldenJackal relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Ice Breaker relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…
First seen 01/01/1970 · Last seen 16/11/5138 · -
LofyGang relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LuminousMoth relatedThe MITRE Corporation Confidence 100
[LuminousMoth](https://attack.mitre.org/groups/G1014) is a Chinese-speaking cyber espionage group that has been active since at least October 2020. [LuminousMoth](https://attack.mitre.org/groups/G1014) has targeted high-profile organizations, including government entities, in Myanmar, the Philippines,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Lumma Stealer relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (86)
-
FormBook usesThe MITRE Corporation Confidence 100
[XLoader](https://attack.mitre.org/software/S1207) is an infostealer malware in use since at least 2016. Previously known and sometimes still referred to as Formbook, [XLoader](https://attack.mitre.org/software/S1207) is a Malware as a Service (MaaS)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Tycoon 2FA usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ACRStealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LofyStealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AuraStealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PteroTemplate usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SparkKitty usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RenEngine usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PteroBleed usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Raccoon Stealer usesFamily The MITRE Corporation Confidence 100
[Raccoon Stealer](https://attack.mitre.org/software/S1148) is an information stealer malware family active since at least 2019 as a malware-as-a-service offering sold in underground forums. [Raccoon Stealer](https://attack.mitre.org/software/S1148) has experienced two periods of…
First seen 01/01/1970 · Last seen 16/11/5138 · -
softwareupdate.app usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DarkCloud usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
AlienVault Confidence 100 20 MITREs 3 Malwares 17 IOCs 14 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 14 IOCs 14 Observables
-
AlienVault Confidence 100 20 MITREs 2 Malwares 9 IOCs 2 Observables
-
AlienVault Confidence 100 18 MITREs 1 Malware 4 IOCs 4 Observables
-
AlienVault Confidence 100 20 MITREs 5 Malwares 27 IOCs 27 Observables
-
AlienVault Confidence 100 3 CVEs 20 MITREs 2 Malwares 2 IOCs 2 Observables
-
AlienVault Confidence 100 19 MITREs 2 Malwares 1 IOC 1 Observable 1 APT
-
AlienVault Confidence 100 1 CVE 18 MITREs 1 Malware 140 IOCs 127 Observables
-
AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
-
AlienVault Confidence 100 16 MITREs 108 IOCs 108 Observables
-
AlienVault Confidence 100 20 MITREs 49 IOCs 49 Observables
-
AlienVault Confidence 100 21 MITREs 5 Malwares 60 IOCs 21 Observables 1 APT
Vulnerabilities (CVE) (39)
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to execute code inside a sandbox via a …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 27/10/2017
- Modified
- 22/04/2026
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …
- Attack vector
- LOCAL
- Complexity
- LOW
- EPSS
- 0.0001 (P0.6%)
- Published
- 22/04/2026
- Modified
- 23/05/2026
Google Chromium V8 Engine contains a memory corruption vulnerability that allows a remote attacker to execute code via a crafted HTML page. …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 25/04/2017
- Modified
- 22/04/2026
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 20/12/2025
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 04/04/2026
- Modified
- 09/04/2026
RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.
- Published
- 09/12/2025
- Modified
- 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 21/12/2025
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative …
- Attack vector
- NETWORK
- Published
- 07/03/2025
- Modified
- 10/04/2026
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue …
- Attack vector
- NETWORK
- Published
- 19/12/2025
- Modified
- 26/01/2026
Google Chromium V8 Engine contains an out-of-bounds memory access vulnerability that allows a remote attacker to perform read/write operations, leading to code …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 19/01/2017
- Modified
- 22/04/2026
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …
- Attack vector
- Network
- Published
- 29/04/2025
- Modified
- 21/12/2025
Course Of Action (2)
-
Audit mitigates
-
User Training mitigates
Campaign (1)
-
SolarWinds Compromise uses