T1583.003: T1583.003

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 01/10/2020 02:44 · Modified 13/04/2026 17:48

Essential information

MITRE technique ID: T1583.003
Confidence: 100/100
Revoked: No
Published: 01/10/2020 02:44
Modified: 13/04/2026 17:48
Author / Source: The MITRE Corporation

Aliases

Virtual Private Server

Platforms

PRE

Description

Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure. Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)

Kill chain phases

Kill chain	Phase
mitre-attack	resource-development

Marking (TLP)

External references

Koczwara Beacon Hunting Sep 2021
mitre-attack (T1583.003)
Mandiant SCANdalous Jul 2020
ThreatConnect Infrastructure Dec 2020
TrendmicroHideoutsLease

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (46)

Moonstone Sleet uses Storm-1789

The MITRE Corporation Confidence 100

[Moonstone Sleet](https://attack.mitre.org/groups/G1036) is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, [Lazarus Group](https://attack.mitre.org/groups/G0032),…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Intellexa alliance uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TAG-124 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Squeamish Libra uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RedGolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Contagious Interview uses Gwisin GangTAG-121

The MITRE Corporation Confidence 100

[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SolarMarker uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Red Menshen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TGR-STA-1030 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-36 uses Blind Eagle

The MITRE Corporation Confidence 100

[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SweetSpecter, CyberAv3ngers, Storm-0817 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

1–12 of 46

KEYPLUG uses
SocGholish uses

Family
Shahmaran uses

Family
Pinar uses

Family
Korplug uses

The MITRE Corporation Confidence 100

[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TSPY_TRICKLOAD uses

Family
WhisperGate - S0689 uses

Family
InvisibleFerret uses

Family
QakBot - S0650 uses

Family
Pantegana uses

Family
SolarMarker uses

Family
Pikabot uses

Family

← Previous

Page / 5

1–12 of 60

Operation Endgame vs. SocGholish Fake Updates related

AlienVault Confidence 100 18 MITREs 17 Malwares 12 IOCs 12 Observables 1 APT
Active Exploitation of Check Point VPN Authentication Bypass … related

2 CVEs 11 MITREs 1 Malware 7 Observables 1 APT
PCPJack Hijacked 230 AWS, GCP, and Azure Servers … related

1 CVE 12 MITREs 2 Malwares 2 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Cybercriminal VPN Dismantled in Crackdown related

10 MITREs
Inside the Bulletproof Hosting Network Behind 16,000+ Fake … related

AlienVault Confidence 100 15 MITREs 9 IOCs 9 Observables
Unmasking DPRK Cyber Threat Actors: Fake IT Worker … related

AlienVault Confidence 100 16 MITREs 3 IOCs 3 Observables 1 APT
59 Victims, Zero Authentication: A ClickFix Campaign Force-Installs … related

20 MITREs 2 Malwares 12 Observables 1 APT
ASO RAT: Arabic-Language Android Surveillance Platform Targeting Syria related

AlienVault Confidence 100 2 CVEs 8 MITREs 1 Malware 23 IOCs 23 Observables
Inside DPRK Operations: New Infrastructure Uncovered Across Global … related

1 CVE 20 MITREs 6 Malwares 20 Observables 1 APT
Global Corporate Web related

5 MITREs 1 Malware 1 Observable 1 APT
The 'Bear' attacks: what we learned about the … related

18 MITREs 2 Malwares 38 Observables 1 APT

← Previous

Page / 3

1–12 of 29

Vulnerabilities (CVE) (23)

CVE-2024-27199 KEV targets

7.3 High

JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.

Attack vector: NETWORK
Complexity: LOW
Published: 04/03/2024
Modified: 22/04/2026

CWE-23 CWE-22

CVE-2019-11580 KEV targets

Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2023-44487 KEV targets

7.5 High

HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).

Attack vector: Network
Complexity: LOW
Published: 10/10/2023
Modified: 15/05/2026

CWE-400

CVE-2024-43451 KEV targets

6.5 Medium

Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a …

Attack vector: Network
Published: 12/11/2024
Modified: 27/05/2026

Analyzed

CVE-2021-4034 KEV targets

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2024-27198 KEV targets

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.

Attack vector: Network
Published: 07/03/2024
Modified: 21/12/2025

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2019-0859 KEV targets

Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2024-9047 targets

9.8 Critical

The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. …

Attack vector: NETWORK
Published: 12/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-22205 KEV targets

GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-20038 KEV targets

SonicWall SMA 100 devies are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution.

Published: 28/01/2022
Modified: 20/12/2025

← Previous

Page / 2

1–12 of 23

T1583 subtechnique-of

Acquire Infrastructure MITRE

Campaign (4)

KV Botnet Activity uses
SPACEHOP Activity uses
ArcaneDoor uses
J-magic Campaign uses

Course Of Action (1)

Pre-compromise mitigates

Contact About Legal notice Privacy policy Terms of use