216.73.217.22

T1554: T1554

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/04/2026 16:32

Essential information

MITRE technique ID
T1554
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
27/04/2026 16:32
Author / Source
The MITRE Corporation

Aliases

Compromise Host Software Binary

Platforms

windows macos linux ESXi

Description

Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications. Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024) An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021) After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)

Kill chain phases

Kill chainPhase
mitre-attack persistence

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (9)

  • APT41 uses Wicked PandaBrass Typhoon
    The MITRE Corporation Confidence 100

    [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • Curly COMrades uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 16:03 · Modified 21/12/2025 16:03
  • TeamPCP uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/03/2026 22:18 · Modified 20/03/2026 22:18
  • GlassWorm uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 18:54 · Modified 21/12/2025 18:54
  • UNC6508 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/06/2026 13:48 · Modified 16/06/2026 13:48
  • Sukob uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/05/2026 18:46 · Modified 21/05/2026 18:46
  • Matrix uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 08:35 · Modified 21/12/2025 08:35
  • APT5 uses Mulberry TyphoonMANGANESE
    The MITRE Corporation Confidence 100

    [APT5](https://attack.mitre.org/groups/G1023) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • UNC3886 uses
    The MITRE Corporation Confidence 100

    [UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13

Malware (39)

  • Mirai uses
    Family
    Published 21/05/2026 23:03 · Modified 21/05/2026 23:03
  • MacRansom
  • crypto-javascri uses
    Family
    Published 20/05/2026 11:12 · Modified 20/05/2026 11:12
  • Shai-Hulud uses
    Family
    Published 01/06/2026 19:31 · Modified 01/06/2026 19:31
  • WARPWIRE
  • XCSSET uses
    Family
    Published 11/03/2025 17:34 · Modified 11/03/2025 17:34
  • INFINITERED uses
    Family
    Published 15/06/2026 19:33 · Modified 15/06/2026 19:33
  • Kessel
  • SLOWPULSE
  • Xorddos uses
    Family
    Published 14/04/2026 08:54 · Modified 14/04/2026 08:54
  • Bonadan
  • BOLDMOVE
  • MucorAgent uses
    Family
    Published 12/08/2025 14:57 · Modified 12/08/2025 14:57
  • Resocks uses
    Family
    Published 12/08/2025 14:57 · Modified 12/08/2025 14:57
  • WIREFIRE
  • POISONPLUG.SHADOW uses
    Family
    Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
  • PHASEJAM uses
    Family
    Published 09/01/2025 08:56 · Modified 09/01/2025 08:56
  • Kobalos
  • DanaBot uses
    Family
    Published 03/11/2025 14:28 · Modified 03/11/2025 14:28
  • ScatterBrain uses
    Family
    Published 29/01/2025 01:42 · Modified 29/01/2025 01:42
  • Ailurophile Stealer uses
    Family
    Published 09/09/2024 09:26 · Modified 09/09/2024 09:26
  • mcpAddon.js uses
    Family
    Published 22/04/2026 22:57 · Modified 22/04/2026 22:57
  • ThiefQuest
  • PYbot uses
    Family
    Published 27/11/2024 18:19 · Modified 27/11/2024 18:19
  • DiscordGo uses
    Family
    Published 27/11/2024 18:19 · Modified 27/11/2024 18:19
  • GlassWorm uses
    Family
    Published 26/03/2026 20:45 · Modified 26/03/2026 20:45
  • Arti uses
    Family
    Published 20/05/2026 11:12 · Modified 20/05/2026 11:12
  • BFG Agonizer
  • Industroyer
  • LITTLELAMB.WOOLTEA
  • BUSHWALK
  • KeRanger
  • Ebury uses
    Family
    Published 15/05/2024 16:00 · Modified 15/05/2024 16:00
  • SbaProxy
  • LIGHTWIRE
  • FileCoder
  • Canister Worm uses
    Family
    Published 22/04/2026 22:57 · Modified 22/04/2026 22:57
  • StealC uses
    Family
    Published 27/03/2026 08:46 · Modified 27/03/2026 08:46
  • FRAMESTING

Reports (13)

Vulnerabilities (CVE) (12)

CVE-2021-20090 KEV

Arcadyan Buffalo firmware contains a path traversal vulnerability that could allow unauthenticated, remote attackers to bypass authentication and access sensitive information. This …

Published
03/11/2021
Modified
21/12/2025
CVE-2025-27915
5.4 Medium

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the …

Published
12/03/2025
Modified
12/03/2025
Awaiting Analysis
CVE-2018-10562 KEV

Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10561, exploitation can allow an attacker to perform remote code execution.

Published
31/03/2022
Modified
20/12/2025
CVE-2022-30075
8.8 High

In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote code …

Attack vector
NETWORK
Published
09/06/2022
Modified
21/12/2025
CVE-2022-30525 KEV

A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and …

Published
16/05/2022
Modified
20/12/2025
CVE-2024-27348 KEV
9.8 Critical

RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended …

Attack vector
Network
Published
18/09/2024
Modified
21/12/2025
Awaiting Analysis
CVE-2017-17106
10.0 Critical

Credentials for Zivif PR115-204-P-RS V2.3.4.2103 Webcams can be obtained by an unauthenticated remote attacker using a standard web /cgi-bin/hi3510/param.cgi?cmd=getuser HTTP request. This …

Published
19/12/2017
Modified
13/05/2026
CVE-2018-10561 KEV

Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.

Published
31/03/2022
Modified
20/12/2025
CVE-2017-18368 KEV

Zyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user …

Published
07/08/2023
Modified
20/12/2025
CVE-2014-8361 KEV
9.8 Critical

Realtek SDK contains an improper input validation vulnerability in the miniigd SOAP service that allows remote attackers to execute malicious code via …

Attack vector
NETWORK
Complexity
LOW
Published
01/05/2015
Modified
22/04/2026

Campaign (3)

  • Cutting Edge uses
  • RedPenguin uses
  • 2016 Ukraine Electric Power Attack uses

Course Of Action (1)

  • Code Signing mitigates