T1539: T1539
Essential information
- MITRE technique ID
T1539- Confidence
- 100/100
- Revoked
- No
- Published
- 08/10/2019 22:04
- Modified
- 27/03/2026 01:08
- Author / Source
- The MITRE Corporation
Aliases
Steal Web Session Cookie
Platforms
windows macos linux Office Suite SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | credential-access |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (52)
-
The MITRE Corporation Confidence 100
[Star Blizzard](https://attack.mitre.org/groups/G1033) is a cyber espionage and influence group originating in Russia that has been active since at least 2019. [Star Blizzard](https://attack.mitre.org/groups/G1033) campaigns align closely with Russian state…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RastaFarEye usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
MioLab usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Evilnum usesThe MITRE Corporation Confidence 100
[Evilnum](https://attack.mitre.org/groups/G0120) is a financially motivated threat group that has been active since at least 2018.(Citation: ESET EvilNum July 2020)
First seen 01/01/1970 · Last seen 16/11/5138 · -
MRxC0DER usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Y2K Operators usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Russia usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ToddyCat usesThe MITRE Corporation Confidence 100
[ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets…
First seen 01/01/1970 · Last seen 16/11/5138 · -
TA4903 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ANTONIO EDUARDO FREDERICO relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (86)
-
LummaC2 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AMOS usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Dolphin usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DUCKTAIL usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Atomic Stealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FileEase usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Grandoreiro usesFamily The MITRE Corporation Confidence 100
[Grandoreiro](https://attack.mitre.org/software/S0531) is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. [Grandoreiro](https://attack.mitre.org/software/S0531) has confirmed victims in Brazil, Mexico,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
PteroGram usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ClickFix usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GlassWorm usesAlienVault Confidence 100
[GlassWorm](https://attack.mitre.org/software/S9010) is a worm that propagated through supply chain attacks by compromising repository credentials from victim environments and having malicious payloads added to those compromised accounts for distribution…
First seen 01/01/1970 · Last seen 16/11/5138 · -
TRANSLATEXT usesFamily The MITRE Corporation Confidence 100
[TRANSLATEXT](https://attack.mitre.org/software/S1201) is malware that is believed to be used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Zscaler Kimsuky TRANSLATEXT) [TRANSLATEXT](https://attack.mitre.org/software/S1201) masqueraded as a Google Translate extension for Google Chrome, but is actually a…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Amadey - S1025 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
15 MITREs 1 Malware 4 Observables
-
16 MITREs
-
AlienVault Confidence 100 20 MITREs 1 IOC 1 Observable
-
AlienVault Confidence 100 28 MITREs 5 IOCs 5 Observables
-
20 MITREs 39 Observables
-
20 MITREs 1 Malware
-
20 MITREs 19 Observables
-
20 MITREs 5 Malwares 9 Observables 1 APT
-
AlienVault Confidence 100 3 CVEs 16 MITREs 2 Malwares 53 IOCs 53 Observables 1 APT
-
20 MITREs 4 Malwares 18 Observables 1 APT
-
20 MITREs 3 Observables
-
AlienVault Confidence 100 20 MITREs 3 Malwares 64 IOCs 64 Observables
Vulnerabilities (CVE) (39)
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to execute code inside a sandbox via a …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 27/10/2017
- Modified
- 22/04/2026
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …
- Attack vector
- LOCAL
- Complexity
- LOW
- EPSS
- 0.0001 (P0.6%)
- Published
- 22/04/2026
- Modified
- 23/05/2026
Google Chromium V8 Engine contains a memory corruption vulnerability that allows a remote attacker to execute code via a crafted HTML page. …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 25/04/2017
- Modified
- 22/04/2026
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 20/12/2025
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 04/04/2026
- Modified
- 09/04/2026
RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.
- Published
- 09/12/2025
- Modified
- 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 21/12/2025
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative …
- Attack vector
- NETWORK
- Published
- 07/03/2025
- Modified
- 10/04/2026
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue …
- Attack vector
- NETWORK
- Published
- 19/12/2025
- Modified
- 26/01/2026
Google Chromium V8 Engine contains an out-of-bounds memory access vulnerability that allows a remote attacker to perform read/write operations, leading to code …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 19/01/2017
- Modified
- 22/04/2026
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …
- Attack vector
- Network
- Published
- 29/04/2025
- Modified
- 21/12/2025
Course Of Action (2)
-
Audit mitigates
-
User Training mitigates
Campaign (1)
-
SolarWinds Compromise uses