T1543.001: T1543.001
View on MITRE ATT&CK
The MITRE Corporation
· Published 16/12/2025 19:38 · Modified 07/04/2026 13:26
Essential information
- MITRE technique ID
T1543.001- Confidence
- 100/100
- Revoked
- No
- Published
- 16/12/2025 19:38
- Modified
- 07/04/2026 13:26
- Author / Source
- The MITRE Corporation
Aliases
Launch Agent
Platforms
macos
Description
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in `/System/Library/LaunchAgents`, `/Library/LaunchAgents`, and `~/Library/LaunchAgents`.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the `Label`, `ProgramArguments `, and `RunAtLoad` keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.
Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.
Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the `RunAtLoad` or `KeepAlive` keys set to `true`.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X)
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | persistence |
| mitre-attack | privilege-escalation |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (13)
-
Lazarus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 21:17 · Modified 29/05/2026 12:20
-
TeamPCP usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 20/03/2026 22:18 · Modified 20/03/2026 22:18
-
The MITRE Corporation Confidence 100
[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at …
First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33 -
The MITRE Corporation Confidence 100
[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. …
First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14 -
DPRK usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 23:19 · Modified 20/12/2025 23:19
-
alh1mik usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 15/04/2026 17:58 · Modified 15/04/2026 17:58
-
Storm-2603 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 15:15 · Modified 21/12/2025 15:15
-
ShadowSindicate usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 03:23 · Modified 21/12/2025 03:23
-
Banshee usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 09:49 · Modified 21/12/2025 09:49
-
The MITRE Corporation Confidence 100
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber …
First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13 -
Winnti usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 22:07 · Modified 20/12/2025 22:07
-
The MITRE Corporation Confidence 100
[AppleJeus](https://attack.mitre.org/groups/G1049) is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader [Lazarus Group](https://attack.mitre.org/groups/G0032) umbrella of actors, [AppleJeus](https://attack.mitre.org/groups/G1049) has been active since …
First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:59 -
CL-CRI-1089 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 03/06/2026 11:34 · Modified 03/06/2026 11:34
Malware (75)
-
Mach-O Man usesFamilyPublished 22/04/2026 01:40 · Modified 22/04/2026 01:40
- ThiefQuest
- Bundlore
-
FruitFly usesFamily The MITRE Corporation Confidence 100
FruitFly is designed to spy on mac users (Citation: objsee mac malware 2017).
First seen 01/01/1970 · Last seen 16/11/5138 Published 17/10/2018 02:14 · Modified 27/03/2026 01:03 -
FamilyPublished 04/02/2025 08:35 · Modified 04/02/2025 08:35
-
kagent usesFamilyPublished 16/04/2026 08:36 · Modified 16/04/2026 08:36
-
PhantomPulse usesFamilyPublished 06/05/2026 19:35 · Modified 06/05/2026 19:35
- Green Lambert
-
Gafgyt usesFamilyPublished 03/06/2026 22:14 · Modified 03/06/2026 22:14
- GateDoor
-
SHub Reaper usesFamilyPublished 18/05/2026 17:52 · Modified 18/05/2026 17:52
- NETWIRE
-
plain-crypto-js usesFamilyPublished 07/04/2026 11:10 · Modified 07/04/2026 11:10
-
PondRAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:46 · Modified 29/05/2026 12:20
-
PXA Stealer usesFamilyPublished 02/02/2026 22:44 · Modified 02/02/2026 22:44
-
NimDoor usesFamilyPublished 04/07/2025 09:39 · Modified 04/07/2025 09:39
- CoinTicker
-
CivetQ usesFamilyPublished 09/09/2024 07:53 · Modified 09/09/2024 07:53
-
Calendaromatic usesFamilyPublished 02/06/2026 14:33 · Modified 02/06/2026 14:33
-
RecipeLister usesFamilyPublished 02/06/2026 14:33 · Modified 02/06/2026 14:33
-
Macsync usesFamilyPublished 06/05/2026 19:35 · Modified 06/05/2026 19:35
-
FROSTYFERRET_UI usesFamilyPublished 04/02/2025 08:35 · Modified 04/02/2025 08:35
-
InvisibleFerret usesFamilyPublished 21/04/2026 12:09 · Modified 21/04/2026 12:09
-
XMRig usesFamilyPublished 28/05/2026 10:56 · Modified 28/05/2026 10:56
-
Poseidon Stealer usesFamilyPublished 15/04/2026 14:59 · Modified 15/04/2026 14:59
-
ChromElevator usesFamilyPublished 12/05/2026 13:58 · Modified 12/05/2026 13:58
-
BeaverTail usesFamilyPublished 21/04/2026 12:09 · Modified 21/04/2026 12:09
-
Eternidade Stealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 20:09 · Modified 22/12/2025 00:08
- Komplex
-
Cuckoo Stealer usesFamilyPublished 19/02/2026 15:26 · Modified 19/02/2026 15:26
- MacMa
-
BYOB usesFamilyPublished 29/01/2026 12:49 · Modified 29/01/2026 12:49
-
DigitStealer usesFamilyPublished 02/02/2026 22:44 · Modified 02/02/2026 22:44
-
Banshee usesFamilyPublished 15/04/2026 14:59 · Modified 15/04/2026 14:59
-
wt.exe usesFamilyPublished 07/04/2026 11:10 · Modified 07/04/2026 11:10
-
LockBit Black usesFamilyPublished 21/05/2026 23:03 · Modified 21/05/2026 23:03
-
ChromeUpdate usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 09:42 · Modified 21/12/2025 09:42
- CrossRAT
-
amdc6766 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:44 · Modified 21/12/2025 04:28
-
RustDoor usesFamilyPublished 21/01/2025 22:17 · Modified 21/01/2025 22:17
-
Atomic macOS Stealer usesFamilyPublished 18/05/2026 17:52 · Modified 18/05/2026 17:52
-
Warlock usesFamilyPublished 10/02/2026 16:59 · Modified 10/02/2026 16:59
-
RansomHub usesFamilyPublished 07/08/2025 18:57 · Modified 07/08/2025 18:57
-
NKAbuse usesFamilyPublished 16/04/2026 08:36 · Modified 16/04/2026 08:36
- Dacls
-
JSCoreRunner usesFamilyPublished 02/06/2026 14:33 · Modified 02/06/2026 14:33
-
AppleJeus - S0584 usesFamilyPublished 04/05/2026 06:08 · Modified 04/05/2026 06:08
- FileCoder
- Keydnap
-
FlexibleFerret usesFamilyPublished 08/06/2026 10:05 · Modified 08/06/2026 10:05
-
GlassWorm usesFamilyPublished 26/03/2026 20:45 · Modified 26/03/2026 20:45
- CookieMiner
- Dok
-
Lumma Stealer usesFamilyPublished 08/06/2026 19:36 · Modified 08/06/2026 19:36
-
FRIENDLYFERRET_SECD usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:50 · Modified 21/12/2025 09:42
-
POOLRAT usesFamilyPublished 25/05/2026 13:00 · Modified 25/05/2026 13:00
-
easy-day-js usesFamilyPublished 17/06/2026 13:38 · Modified 17/06/2026 13:38
- MacSpy
-
com.apple.act.mond usesFamilyPublished 07/04/2026 11:10 · Modified 07/04/2026 11:10
-
SHub Stealer usesFamilyPublished 18/05/2026 17:52 · Modified 18/05/2026 17:52
-
Cthulhu usesFamilyPublished 15/04/2026 14:59 · Modified 15/04/2026 14:59
- Calisto
- macOS.OSAMiner
-
EDRKillShifter usesFamilyPublished 19/03/2026 15:28 · Modified 19/03/2026 15:28
-
ld.py usesFamilyPublished 07/04/2026 11:10 · Modified 07/04/2026 11:10
-
FlutterShell usesFamilyPublished 02/06/2026 14:33 · Modified 02/06/2026 14:33
-
FamilyPublished 29/05/2024 10:38 · Modified 29/05/2024 10:38
-
PyLangGhostRAT usesFamilyPublished 22/04/2026 01:40 · Modified 22/04/2026 01:40
- MacRansom
- Proton
- OSX_OCEANLOTUS.D
-
AMOS usesFamilyPublished 18/05/2026 17:52 · Modified 18/05/2026 17:52
-
notnullOSX usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 15/04/2026 17:58 · Modified 15/04/2026 17:58
- KeRanger
-
Banshee Stealer usesFamilyPublished 09/01/2025 15:08 · Modified 09/01/2025 15:08
Reports (18)
-
AlienVault Confidence 100 12 MITREs 1 Malware 30 IOCs 21 ObservablesPublished 19/06/2026 02:03 · threat-report
-
AlienVault Confidence 100 21 MITREs 1 Malware 6 IOCs 1 ObservablePublished 18/06/2026 07:41 · threat-report
-
AlienVault Confidence 100 20 MITREs 1 Malware 9 IOCs 9 ObservablesPublished 17/06/2026 15:38 · Modified 17/06/2026 20:24 · threat-report
-
20 MITREs 4 Malwares 9 Observables 1 APTPublished 02/06/2026 14:33 · Modified 03/06/2026 09:35
-
17 MITREs 1 Observable 1 APTPublished 19/05/2026 12:45 · Modified 21/05/2026 17:12
-
AlienVault Confidence 100 19 MITREs 4 Malwares 8 IOCs 8 ObservablesPublished 18/05/2026 19:52 · Modified 18/05/2026 18:26 · threat-report
-
AlienVault Confidence 100 24 MITREs 1 Malware 13 IOCs 13 Observables 1 APTPublished 12/05/2026 15:58 · Modified 12/05/2026 16:59 · threat-report
-
AlienVault Confidence 100 1 CVE 20 MITREs 4 Malwares 145 IOCs 145 ObservablesPublished 06/05/2026 21:35 · Modified 08/05/2026 09:19 · threat-report
-
3 CVEs 22 MITREs 5 Malwares 16 Observables 1 APTPublished 04/05/2026 06:08 · Modified 04/05/2026 14:59
-
20 MITREs 2 Malwares 15 Observables 1 APTPublished 22/04/2026 01:40 · Modified 22/04/2026 08:59
-
2 CVEs 21 MITREs 2 Malwares 12 ObservablesPublished 16/04/2026 08:36 · Modified 16/04/2026 11:03
-
AlienVault Confidence 100 20 MITREs 5 Malwares 15 IOCs 15 Observables 1 APTPublished 15/04/2026 16:59 · Modified 15/04/2026 15:58 · threat-report
-
18 MITREs 4 Malwares 9 ObservablesPublished 07/04/2026 11:10 · Modified 07/04/2026 11:26
-
11 MITREs 5 Malwares 2 Observables 1 APTPublished 04/02/2025 08:35 · Modified 04/02/2025 09:44
-
22 MITREs 2 Malwares 25 Observables 1 APTPublished 09/01/2025 15:08 · Modified 09/01/2025 15:41
-
20 MITREs 2 Malwares 85 Observables 1 APTPublished 09/09/2024 07:53 · Modified 09/09/2024 08:25
-
8 MITREs 2 Malwares 2 ObservablesPublished 16/08/2024 14:58 · Modified 16/08/2024 15:50
-
10 MITREs 3 Malwares 4 Observables 1 APTPublished 29/05/2024 10:38 · Modified 29/05/2024 11:30
Vulnerabilities (CVE) (10)
6.5
Medium
Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing …
- Attack vector
- NETWORK
- Published
- 21/07/2025
- Modified
- 21/12/2025
CVE-2026-39987
KEV
9.3
Critical
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication …
- Attack vector
- Network
- Complexity
- Low
- Published
- 09/04/2026
- Modified
- 29/04/2026
8.8
High
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without …
- Published
- 01/02/2026
- Modified
- 02/02/2026
10.0
Critical
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma …
- Attack vector
- NETWORK
- Published
- 29/03/2024
- Modified
- 21/12/2025
CVE-2026-31431
KEV
7.8
High
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …
- Attack vector
- LOCAL
- Complexity
- LOW
- EPSS
- 0.0001 (P0.6%)
- Published
- 22/04/2026
- Modified
- 23/05/2026
CVE-2025-49704
KEV
8.8
High
Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could …
- Attack vector
- Network
- Published
- 22/07/2025
- Modified
- 21/12/2025
CVE-2025-49706
KEV
6.5
Medium
Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow …
- Attack vector
- Network
- Published
- 22/07/2025
- Modified
- 21/12/2025
CVE-2025-53770
KEV
9.8
Critical
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …
- Attack vector
- Network
- Published
- 20/07/2025
- Modified
- 21/12/2025
CVE-2024-3400
KEV
10.0
Critical
Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …
- Attack vector
- Network
- Published
- 12/04/2024
- Modified
- 21/12/2025
Attack patterns (MITRE) (1)
-
T1543 subtechnique-ofCreate or Modify System Process
Course Of Action (1)
- Restrict File and Directory Permissions mitigates