T1566.003
Essential information
- MITRE technique ID: T1566.003
- Confidence: 100/100
- Revoked: No
- Published: 16/12/2025 19:38
- Modified: 27/03/2026 01:12
- Author / Source: The MITRE Corporation
Aliases
Spearphishing via Service
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | initial-access |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (25)
- DragonForce uses · Ransomware.Live · Confidence 100
  No description available
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 20/12/2025 08:53 · Modified 16/06/2026 19:48
- SmartApeSG uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 19:49 · Modified 21/12/2025 19:49
- EXOTIC LILY uses · The MITRE Corporation · Confidence 100
  [EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- Dark Caracal uses · The MITRE Corporation · Confidence 100
  [Dark Caracal](https://attack.mitre.org/groups/G0070) is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. (Citation: Lookout Dark …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
- IMP-1G uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 07:49 · Modified 21/12/2025 07:49
- The MITRE Corporation · Confidence 100
  [Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
- The MITRE Corporation · Confidence 100
  [Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- The MITRE Corporation · Confidence 100
  [Ajax Security Team](https://attack.mitre.org/groups/G0130) is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 [Ajax Security Team](https://attack.mitre.org/groups/G0130) transitioned …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- The MITRE Corporation · Confidence 100
  [FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- Storm-1811 uses · The MITRE Corporation · Confidence 100
  [Storm-1811](https://attack.mitre.org/groups/G1046) is a financially-motivated entity linked to [Black Basta](https://attack.mitre.org/software/S1070) ransomware deployment. [Storm-1811](https://attack.mitre.org/groups/G1046) is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- The MITRE Corporation · Confidence 100
  [Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- Core Werewolf uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 00:42 · Modified 21/12/2025 00:42
- Storm-3075 uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 09/06/2026 10:57 · Modified 09/06/2026 10:57
- The MITRE Corporation · Confidence 100
  [APT29](https://attack.mitre.org/groups/G0016) is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
- ToddyCat uses · The MITRE Corporation · Confidence 100
  [ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- BlackBasta uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 03:14 · Modified 21/12/2025 03:14
- TA4903 uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 03:09 · Modified 21/12/2025 03:09
- The MITRE Corporation · Confidence 100
  [Moonstone Sleet](https://attack.mitre.org/groups/G1036) is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, [Lazarus Group](https://attack.mitre.org/groups/G0032), …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
- The MITRE Corporation · Confidence 100
  [Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
- TA4922 uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 04/06/2026 10:38 · Modified 04/06/2026 10:38
- AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 04:30 · Modified 21/12/2025 04:30
- Bifrost uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 03:31 · Modified 21/12/2025 03:31
- The MITRE Corporation · Confidence 100
  [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- The MITRE Corporation · Confidence 100
  [CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.(Citation: Symantec Tortoiseshell …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
- UNC4034 uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 20/12/2025 22:19 · Modified 20/12/2025 22:19
Malware (43)
- Devman uses · Family · Published 30/04/2026 23:40 · Modified 30/04/2026 23:40
- GhostSocks uses · Family · Published 08/06/2026 19:36 · Modified 08/06/2026 19:36
- InvisibleFerret uses · Family · Published 21/04/2026 12:09 · Modified 21/04/2026 12:09
- Winos4.0 uses · Family · Published 03/06/2026 12:55 · Modified 03/06/2026 12:55
- Family · Published 19/12/2024 23:43 · Modified 19/12/2024 23:43
- Tycoon 2FA uses · Family · Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
- SyncFuture uses · Family · Published 03/06/2026 12:55 · Modified 03/06/2026 12:55
- Vynlence uses · Family · Published 15/01/2026 15:25 · Modified 15/01/2026 15:25
- Hijack Loader uses · Family · Published 08/06/2026 19:36 · Modified 08/06/2026 19:36
- ValleyRAT uses · Family · Published 08/06/2026 10:30 · Modified 08/06/2026 10:30
- Global uses · Family · Published 05/11/2025 09:36 · Modified 05/11/2025 09:36
- AnyDesk uses · Family · Published 10/06/2026 11:58 · Modified 10/06/2026 11:58
- NetSupport RAT uses · Family · Published 22/05/2026 13:08 · Modified 22/05/2026 13:08
- ARTokens uses · Family · Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
- Conti - S0575 uses · Family · Published 05/11/2025 09:36 · Modified 05/11/2025 09:36
- Family · Published 19/12/2024 23:43 · Modified 19/12/2024 23:43
- TinyZBot - S0004 uses · Family · Published 09/12/2024 22:32 · Modified 09/12/2024 22:32
- RomulusLoader uses · Family · Published 03/06/2026 12:55 · Modified 03/06/2026 12:55
- ODx uses · Family · Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
- OtterCookie uses · Family · Published 08/06/2026 10:05 · Modified 08/06/2026 10:05
- Ninja
- Tsunami uses · Family · Published 14/04/2026 08:54 · Modified 14/04/2026 08:54
- EKZ Infostealer uses · Family · Published 02/06/2026 19:07 · Modified 02/06/2026 19:07
- Vidar uses · Family · Published 16/06/2026 09:50 · Modified 16/06/2026 09:50
- ClickFix uses · Family · Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
- Black Basta - S1070 uses · Family · Published 05/02/2026 20:21 · Modified 05/02/2026 20:21
- DragonForce uses · Family · Published 16/06/2026 14:44 · Modified 16/06/2026 14:44
- HoldingHands uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 20/12/2025 20:01 · Modified 21/12/2025 18:48
- Oyster uses · Family · Published 08/06/2026 19:36 · Modified 08/06/2026 19:36
- Atlas RAT uses · Family · Published 03/06/2026 12:55 · Modified 03/06/2026 12:55
- jRAT - S0283 uses · Family · Published 15/04/2026 15:04 · Modified 15/04/2026 15:04
- Lumma Stealer uses · Family · Published 08/06/2026 19:36 · Modified 08/06/2026 19:36
- Family · Published 19/12/2024 23:43 · Modified 19/12/2024 23:43
- Family · Published 28/03/2025 00:35 · Modified 28/03/2025 00:35
- EvilTokens uses · Family · Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
- Kali365 uses · Family · Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
- BeaverTail uses · Family · Published 21/04/2026 12:09 · Modified 21/04/2026 12:09
- Mamona uses · Family · Published 05/11/2025 09:36 · Modified 05/11/2025 09:36
- jFrutas uses · Family · Published 15/04/2026 15:04 · Modified 15/04/2026 15:04
- BADBOX uses · Family · Published 17/02/2026 12:39 · Modified 17/02/2026 12:39
- DarkGate - S1111 uses · Family · Published 09/12/2024 22:32 · Modified 09/12/2024 22:32
- W32.File.MalParent uses · Family · Published 28/03/2025 00:35 · Modified 28/03/2025 00:35
- SilentRunLoader uses · Family · Published 03/06/2026 12:55 · Modified 03/06/2026 12:55
Reports (23)
- AlienVault · Confidence 100 · 28 MITREs · 5 IOCs · 5 Observables · Published 11/06/2026 23:09 · Modified 15/06/2026 19:16 · threat-report
- 20 MITREs · 5 Malwares · 9 Observables · 1 APT · Published 08/06/2026 19:36 · Modified 09/06/2026 08:57
- AlienVault · Confidence 100 · 23 MITREs · 8 Malwares · 23 IOCs · 23 Observables · 1 APT · Published 03/06/2026 14:55 · Modified 04/06/2026 08:40 · threat-report
- AlienVault · Confidence 100 · 20 MITREs · 1 Malware · 7 IOCs · 7 Observables · Published 02/06/2026 21:07 · Modified 03/06/2026 09:34 · threat-report
- Threat landscape — insurance related · Confidence 100 · 199 MITREs · 11 APTs · Published 27/05/2026 15:46 · threat-report
- AlienVault · Confidence 100 · 19 MITREs · 6 Malwares · 35 IOCs · 35 Observables · 1 APT · Published 14/05/2026 13:16 · Modified 14/05/2026 18:11 · threat-report
- AlienVault · Confidence 100 · 15 MITREs · 9 IOCs · 9 Observables · Published 27/04/2026 18:16 · Modified 27/04/2026 16:31 · threat-report
- 7 MITREs · 1 Malware · 3 Observables · 1 APT · Published 08/12/2025 17:41 · Modified 21/12/2025 18:49
- 10 MITREs · 71 Observables · Published 27/11/2025 19:04 · Modified 21/12/2025 18:17
- 15 MITREs · 5 Malwares · 1 APT · Published 05/11/2025 09:36 · Modified 07/11/2025 10:20
- 8 MITREs · 77 Observables · Published 16/05/2025 16:33 · Modified 21/05/2025 20:56
- 9 MITREs · 36 Observables · Published 13/03/2025 14:58 · Modified 13/03/2025 19:00
- 20 MITREs · 4 Observables · Published 24/02/2025 15:43 · Modified 24/02/2025 16:52
- 20 MITREs · 2 Malwares · 1 APT · Published 21/02/2025 05:58 · Modified 21/02/2025 15:29
- 15 MITREs · 3 Malwares · 43 Observables · 1 APT · Published 13/02/2025 09:34 · Modified 13/02/2025 09:45
- Welcome to the party, pal! related · 14 MITREs · 6 Malwares · 5 Observables · Published 19/12/2024 23:43 · Modified 20/12/2024 11:43
- 16 MITREs · 1 Malware · Published 18/12/2024 18:13 · Modified 18/12/2024 19:37
- 14 MITREs · 3 Malwares · 72 Observables · 1 APT · Published 09/12/2024 22:32 · Modified 11/12/2024 17:09
- 12 MITREs · 2 Malwares · 56 Observables · 1 APT · Published 06/11/2024 11:06 · Modified 06/11/2024 11:34
- 9 MITREs · 84 Observables · 1 APT · Published 11/10/2024 07:58 · Modified 11/10/2024 08:13
- 20 MITREs · 25 Observables · 1 APT · Published 11/10/2024 06:02 · Modified 11/10/2024 08:10
- 8 MITREs · 6 Observables · Published 20/09/2024 11:42 · Modified 20/09/2024 12:18
- Romance Scams Urging Investment related · 9 MITREs · 3 Observables · Published 13/05/2024 09:38 · Modified 13/05/2024 10:00
Attack patterns (MITRE) (1)
- T1566 subtechnique-of · Phishing
Course Of Action (5)
- Antivirus/Antimalware mitigates
- User Account Management mitigates
- Audit mitigates
- User Training mitigates
- Restrict Web-Based Content mitigates
Campaign (1)
- Operation Dream Job uses