216.73.217.22

T1568.002: T1568.002

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:37 · Modified 27/04/2026 16:36

Essential information

MITRE technique ID
T1568.002
Confidence
100/100
Revoked
No
Published
16/12/2025 19:37
Modified
27/04/2026 16:36
Author / Source
The MITRE Corporation

Aliases

Domain Generation Algorithms

Platforms

windows macos linux ESXi

Description

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019) DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation) Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)

Kill chain phases

Kill chainPhase
mitre-attack command-and-control

Marking (TLP)

TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (11)

  • Storm-0249 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 13:18 · Modified 21/12/2025 13:18
  • play uses
    The MITRE Corporation Confidence 100

    Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Grandoreiro uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 03:03 · Modified 21/12/2025 03:03
  • OP-512 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 08/06/2026 10:23 · Modified 08/06/2026 10:23
  • MirrorFace uses
    AlienVault Confidence 100

    [MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 04:36 · Modified 04/05/2026 16:33
  • medusa uses
    Ransomware.Live Confidence 100

    No description available

    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 08:55 · Modified 21/12/2025 07:18
  • TA551 uses GOLD CABINShathak
    The MITRE Corporation Confidence 100

    [TA551](https://attack.mitre.org/groups/G0127) is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • Danabot uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 04:14 · Modified 21/12/2025 14:25
  • ITG05 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 03:42 · Modified 21/12/2025 03:43
  • APT28 uses IRON TWILIGHTSNAKEMACKEREL
    The MITRE Corporation Confidence 100

    [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 08/04/2026 13:02
  • APT41 uses Wicked PandaBrass Typhoon
    The MITRE Corporation Confidence 100

    [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14

Malware (62)

  • BadIIS uses
    Family
    Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
  • Grandoreiro - S0531 uses
    Family
    Published 19/05/2026 22:26 · Modified 19/05/2026 22:26
  • DarkWatchman
  • POSHSPY
  • Grandoreiro
  • PhantomCore uses
    Family
    Published 23/01/2026 10:12 · Modified 23/01/2026 10:12
  • Mekotio uses
    Family
    Published 19/05/2026 22:26 · Modified 19/05/2026 22:26
  • RMMProject uses
    Family
    Published 16/06/2026 14:27 · Modified 16/06/2026 14:27
  • perfcc uses
    Family
    Published 17/09/2024 11:14 · Modified 17/09/2024 11:14
  • PLUSINJECT uses
    Family
    Published 10/06/2025 10:52 · Modified 10/06/2025 10:52
  • Ebury uses
    Family
    Published 15/05/2024 16:00 · Modified 15/05/2024 16:00
  • GhostKit uses
    Family
    Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
  • Aria-body
  • ToughProgress uses
    Family
    Published 10/06/2025 10:52 · Modified 10/06/2025 10:52
  • BadPotato uses
    Family
    Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
  • Conficker
  • PlugX - S0013 uses
    Family
    Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
  • DanaBot uses
    Family
    Published 03/11/2025 14:28 · Modified 03/11/2025 14:28
  • CHOPSTICK
  • SilentCryptoMiner uses
    Family
    Published 28/05/2026 10:56 · Modified 28/05/2026 10:56
  • MiniDuke
  • gsocket uses
    Family
    Published 14/05/2026 20:10 · Modified 14/05/2026 20:10
  • Brute Ratel uses
    Family
    Published 27/05/2025 10:35 · Modified 27/05/2025 10:35
  • Potemkin uses
    Family
    Published 16/06/2026 14:27 · Modified 16/06/2026 14:27
  • Rungan uses
    Family
    Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
  • OCEANMAP
  • Meterpreter uses
    Family
    Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
  • Milan
  • hero.dll uses
    Family
    Published 12/02/2026 09:29 · Modified 12/02/2026 09:29
  • Shark
  • Korplug uses
    The MITRE Corporation Confidence 100

    [PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation: …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 31/05/2017 23:32 · Modified 08/06/2026 10:23
  • MASEPIE
  • hero.exe uses
    Family
    Published 12/02/2026 09:29 · Modified 12/02/2026 09:29
  • Bazar
  • BONDUPDATER
  • NOOPDOOR uses
    Family
    Published 27/11/2024 18:31 · Modified 27/11/2024 18:31
  • COROXY uses
    Family
    Published 01/11/2025 10:24 · Modified 01/11/2025 10:24
  • STEELHOOK
  • EfsPotato uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 08/06/2026 10:23 · Modified 08/06/2026 10:23
  • Gamshen uses
    Family
    Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
  • Bedep uses
    Family
    Published 22/04/2026 22:57 · Modified 22/04/2026 22:57
  • Havoc uses
    Family
    Published 08/06/2026 10:30 · Modified 08/06/2026 10:30
  • Angler uses
    Family
    Published 22/04/2026 22:57 · Modified 22/04/2026 22:57
  • SweetPotato uses
    Family
    Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
  • Cobalt Strike - S0154 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 27/05/2026 21:40
  • PE_URSNIF uses
    Family
    Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
  • HiddenFace uses
    Family
    Published 18/03/2025 20:59 · Modified 18/03/2025 20:59
  • LODEINFO uses
    Family
    Published 19/11/2024 09:19 · Modified 19/11/2024 09:19
  • Medusa uses
    Family
    Published 06/04/2026 20:26 · Modified 06/04/2026 20:26
  • Guildma uses
    Family
    Published 19/05/2026 22:26 · Modified 19/05/2026 22:26
  • SombRAT
  • Chisel uses
    Family
    Published 16/06/2026 14:27 · Modified 16/06/2026 14:27
  • QakBot uses
    Family
    Published 30/05/2024 14:20 · Modified 30/05/2024 14:20
  • CCBkdr
  • Doki
  • TangleBot uses
    Family
    Published 26/06/2024 08:23 · Modified 26/06/2024 08:23
  • Uphero.exe uses
    Family
    Published 12/02/2026 09:29 · Modified 12/02/2026 09:29
  • Vadokrist
  • EtherRAT uses
    Family
    Published 16/06/2026 14:27 · Modified 16/06/2026 14:27
  • POISONPLUG.SHADOW uses
    Family
    Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
  • PLUSDROP uses
    Family
    Published 10/06/2025 10:52 · Modified 10/06/2025 10:52
  • XMRig uses
    Family
    Published 28/05/2026 10:56 · Modified 28/05/2026 10:56

Reports (13)

Vulnerabilities (CVE) (8)

CVE-2023-35636
6.5 Medium

Microsoft Outlook Information Disclosure Vulnerability

Attack vector
NETWORK
Published
12/12/2023
Modified
21/12/2025
CVE-2022-1388 KEV

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …

Published
10/05/2022
Modified
20/12/2025
CVE-2023-23397 KEV
9.8 Critical

Microsoft Office Outlook contains a privilege escalation vulnerability that allows for a NTLM Relay attack against another service to authenticate as the …

Attack vector
Network
Published
14/03/2023
Modified
21/12/2025
CVE-2023-20078
9.8 Critical

Multiple vulnerabilities in the web-based management interface of certain Cisco IP Phones could allow an unauthenticated, remote attacker to execute arbitrary code …

Attack vector
NETWORK
Published
03/03/2023
Modified
21/12/2025
CVE-2024-21413 KEV
9.8 Critical

Microsoft Outlook contains an improper input validation vulnerability that allows for remote code execution. Successful exploitation of this vulnerability would allow an …

Attack vector
Network
Published
06/02/2025
Modified
21/12/2025
CVE-2024-21410 KEV
9.8 Critical

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Attack vector
Network
Published
15/02/2024
Modified
21/12/2025

Attack patterns (MITRE) (1)

  • T1568 subtechnique-of
    Dynamic Resolution

Tool (2)

  • ngrok uses
    The MITRE Corporation Confidence 100

    [ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public …

    Published 14/09/2023 20:56 · Modified 27/03/2026 01:07
  • AsyncRAT uses
    The MITRE Corporation Confidence 100

    [AsyncRAT](https://attack.mitre.org/software/S1087) is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover …

    Published 16/12/2025 19:37 · Modified 27/03/2026 01:07

Course Of Action (2)

  • Network Intrusion Prevention mitigates
  • Restrict Web-Based Content mitigates