T1583.003: T1583.003
Essential information
- MITRE technique ID
- T1583.003
- Confidence
- 100/100
- Revoked
- No
- Published
- 01/10/2020 02:44
- Modified
- 13/04/2026 17:48
- Author / Source
- The MITRE Corporation
Aliases
Virtual Private Server
Platforms
PRE
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | resource-development |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (46)
- The MITRE Corporation · Confidence 100
  [Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB…
  First seen 01/01/1970 · Last seen 16/11/5138
- RedNovember uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- BladedFeline uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- TAG-112 uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- Danabot uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- Lazarus uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- TAG-100 uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- rhysida uses · Ransomware.Live · Confidence 100
  Rhysida is a ransomware-as-a-service (RAAS) group that emerged in May 2023. The group utilizes a namesake ransomware through phishing attacks and Cobalt Strike to breach the targets' networks…
  First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…
  First seen 01/01/1970 · Last seen 16/11/5138
- APT42 uses · The MITRE Corporation · Confidence 100
  [APT42](https://attack.mitre.org/groups/G1044) is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.(Citation: Mandiant APT42-charms) The group primarily focuses on targets in the Middle East region, but has targeted…
  First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [LAPSUS$](https://attack.mitre.org/groups/G1004) is a cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the…
  First seen 01/01/1970 · Last seen 16/11/5138
Malware (60)
- KEYPLUG uses · Family · The MITRE Corporation · Confidence 100
  [KEYPLUG](https://attack.mitre.org/software/S1051) is a modular backdoor written in C++, with Windows and Linux variants, that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least June 2021.(Citation: Mandiant APT41)
  First seen 01/01/1970 · Last seen 16/11/5138
- SocGholish uses · The MITRE Corporation · Confidence 100
  [SocGholish](https://attack.mitre.org/software/S1124) is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily…
  First seen 01/01/1970 · Last seen 16/11/5138
- Shahmaran uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- Pinar uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- Korplug uses · The MITRE Corporation · Confidence 100
  [PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…
  First seen 01/01/1970 · Last seen 16/11/5138
- TSPY_TRICKLOAD uses · The MITRE Corporation · Confidence 100
  [TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) was developed and initially used by…
  First seen 01/01/1970 · Last seen 16/11/5138
- WhisperGate - S0689 uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- InvisibleFerret uses · The MITRE Corporation · Confidence 100
  [InvisibleFerret](https://attack.mitre.org/software/S1245) is a modular Python malware that is leveraged for data exfiltration and remote access capabilities.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November…
  First seen 01/01/1970 · Last seen 16/11/5138
- QakBot - S0650 uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- Pantegana uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- SolarMarker uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- Pikabot uses · The MITRE Corporation · Confidence 100
  [Pikabot](https://attack.mitre.org/software/S1145) is a backdoor used for initial access and follow-on tool deployment active since early 2023. [Pikabot](https://attack.mitre.org/software/S1145) is notable for extensive use of multiple encoding, encryption, and defense…
  First seen 01/01/1970 · Last seen 16/11/5138
Reports (29)
- 10 MITREs · 1 Malware · 13 Observables
- 8 MITREs · 17 Observables · 1 APT
- 17 MITREs · 2 Malwares · 13 Observables
- 16 MITREs · 2 Malwares · 45 Observables · 1 APT
- 14 MITREs · 10 Observables · 1 APT
Vulnerabilities (CVE) (23)
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected …
- Attack vector
- Network
- Published
- 02/06/2025
- Modified
- 21/12/2025
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …
- Attack vector
- Network
- Published
- 05/12/2025
- Modified
- 29/05/2026
Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to …
- Attack vector
- NETWORK
- Complexity
- HIGH
- Published
- 15/09/2017
- Modified
- 22/04/2026
Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an …
- Published
- 03/11/2021
- Modified
- 29/05/2026
A weakness in the certificate validation logic of the deprecated IKEv1 key exchange may allow an unauthenticated attacker positioned as a man-in-the-middle …
- Attack vector
- Network
- Complexity
- High
- Published
- 08/06/2026
- Modified
- 10/06/2026
When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass …
- Attack vector
- NETWORK
- Published
- 05/02/2025
- Modified
- 13/04/2026
TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint.
- Attack vector
- Network
- Published
- 10/02/2023
- Modified
- 20/12/2025
Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …
- Attack vector
- Network
- Published
- 12/04/2024
- Modified
- 21/12/2025
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus …
- Attack vector
- Network
- Published
- 07/11/2024
- Modified
- 21/12/2025
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands …
- Attack vector
- Network
- Published
- 04/12/2024
- Modified
- 21/12/2025
A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker …
- Attack vector
- NETWORK
- Complexity
- LOW
- EPSS
- 0.0001 (P1.2%)
- Published
- 08/06/2026
- Modified
- 10/06/2026
Campaign (4)
- KV Botnet Activity uses
- SPACEHOP Activity uses
- ArcaneDoor uses
- J-magic Campaign uses
Course Of Action (1)
- Pre-compromise mitigates