T1583.003: T1583.003

Search IOCs, vulnerabilities, APT…

216.73.216.36

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 01/10/2020 02:44 · Modified 13/04/2026 17:48

Essential information

MITRE technique ID: T1583.003
Confidence: 100/100
Revoked: No
Published: 01/10/2020 02:44
Modified: 13/04/2026 17:48
Author / Source: The MITRE Corporation

Aliases

Virtual Private Server

Platforms

PRE

Description

Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure. Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)

Kill chain phases

Kill chain	Phase
mitre-attack	resource-development

Marking (TLP)

External references

Koczwara Beacon Hunting Sep 2021
mitre-attack (T1583.003)
Mandiant SCANdalous Jul 2020
ThreatConnect Infrastructure Dec 2020
TrendmicroHideoutsLease

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (46)

Earth Lamia related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gamaredon Group related IRON TILDENPrimitive Bear

The MITRE Corporation Confidence 100

[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name…

First seen 01/01/1970 · Last seen 16/11/5138 ·
HAFNIUM related Operation Exchange MarauderSilk Typhoon

The MITRE Corporation Confidence 100

[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Intellexa related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Muddling Meerkat related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
NetMedved related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Qilin related

Ransomware.Live Confidence 100

Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Saint Bear related UNC2589Bleeding Bear

The MITRE Corporation Confidence 100

[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Void Manticore related COBALT MYSTIQUEHandala Hack

AlienVault Confidence 100

[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Winter Vivern related UAC-0114TA473

The MITRE Corporation Confidence 100

Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

37–46 of 46

KEYPLUG uses
SocGholish uses

The MITRE Corporation Confidence 100

[SocGholish](https://attack.mitre.org/software/S1124) is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Shahmaran uses

Family
Pinar uses

Family
Korplug uses

The MITRE Corporation Confidence 100

[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TSPY_TRICKLOAD uses

The MITRE Corporation Confidence 100

[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) was developed and initially used by…

First seen 01/01/1970 · Last seen 16/11/5138 ·
WhisperGate - S0689 uses

Family
InvisibleFerret uses

Family
QakBot - S0650 uses

Family
Pantegana uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SolarMarker uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Pikabot uses

Family

← Previous

Page / 5

1–12 of 60

Operation Endgame vs. SocGholish Fake Updates related

AlienVault Confidence 100 18 MITREs 17 Malwares 12 IOCs 12 Observables 1 APT
Active Exploitation of Check Point VPN Authentication Bypass … related

2 CVEs 11 MITREs 1 Malware 7 Observables 1 APT
PCPJack Hijacked 230 AWS, GCP, and Azure Servers … related

1 CVE 12 MITREs 2 Malwares 2 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Cybercriminal VPN Dismantled in Crackdown related

10 MITREs
Inside the Bulletproof Hosting Network Behind 16,000+ Fake … related

AlienVault Confidence 100 15 MITREs 9 IOCs 9 Observables
Unmasking DPRK Cyber Threat Actors: Fake IT Worker … related

AlienVault Confidence 100 16 MITREs 3 IOCs 3 Observables 1 APT
59 Victims, Zero Authentication: A ClickFix Campaign Force-Installs … related

20 MITREs 2 Malwares 12 Observables 1 APT
ASO RAT: Arabic-Language Android Surveillance Platform Targeting Syria related

AlienVault Confidence 100 2 CVEs 8 MITREs 1 Malware 23 IOCs 23 Observables
Inside DPRK Operations: New Infrastructure Uncovered Across Global … related

1 CVE 20 MITREs 6 Malwares 20 Observables 1 APT
Global Corporate Web related

5 MITREs 1 Malware 1 Observable 1 APT
The 'Bear' attacks: what we learned about the … related

18 MITREs 2 Malwares 38 Observables 1 APT

← Previous

Page / 3

1–12 of 29

Vulnerabilities (CVE) (23)

CVE-2024-27199 KEV targets

7.3 High

JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.

Attack vector: NETWORK
Complexity: LOW
Published: 04/03/2024
Modified: 22/04/2026

CWE-23 CWE-22

CVE-2019-11580 KEV targets

Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2023-44487 KEV targets

7.5 High

HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).

Attack vector: Network
Complexity: LOW
Published: 10/10/2023
Modified: 15/05/2026

CWE-400

CVE-2024-43451 KEV targets

6.5 Medium

Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a …

Attack vector: Network
Published: 12/11/2024
Modified: 27/05/2026

Analyzed

CVE-2021-4034 KEV targets

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2024-27198 KEV targets

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.

Attack vector: Network
Published: 07/03/2024
Modified: 21/12/2025

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2019-0859 KEV targets

Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2024-9047 targets

9.8 Critical

The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. …

Attack vector: NETWORK
Published: 12/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-22205 KEV targets

GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-20038 KEV targets

SonicWall SMA 100 devies are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution.

Published: 28/01/2022
Modified: 20/12/2025

← Previous

Page / 2

1–12 of 23

T1583 subtechnique-of

Acquire Infrastructure MITRE

Campaign (4)

KV Botnet Activity uses
SPACEHOP Activity uses
ArcaneDoor uses
J-magic Campaign uses

Course Of Action (1)

Pre-compromise mitigates

Contact About Legal notice Privacy policy Terms of use