T1583.003: T1583.003

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 01/10/2020 02:44 · Modified 13/04/2026 17:48

Essential information

MITRE technique ID: T1583.003
Confidence: 100/100
Revoked: No
Published: 01/10/2020 02:44
Modified: 13/04/2026 17:48
Author / Source: The MITRE Corporation

Aliases

Virtual Private Server

Platforms

PRE

Description

Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure. Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)

Kill chain phases

Kill chain	Phase
mitre-attack	resource-development

Marking (TLP)

External references

Koczwara Beacon Hunting Sep 2021
mitre-attack (T1583.003)
Mandiant SCANdalous Jul 2020
ThreatConnect Infrastructure Dec 2020
TrendmicroHideoutsLease

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (46)

Moonstone Sleet uses Storm-1789

The MITRE Corporation Confidence 100

[Moonstone Sleet](https://attack.mitre.org/groups/G1036) is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, [Lazarus Group](https://attack.mitre.org/groups/G0032),…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Intellexa alliance uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TAG-124 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Squeamish Libra uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RedGolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Contagious Interview uses Gwisin GangTAG-121

The MITRE Corporation Confidence 100

[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SolarMarker uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Red Menshen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TGR-STA-1030 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-36 uses Blind Eagle

The MITRE Corporation Confidence 100

[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SweetSpecter, CyberAv3ngers, Storm-0817 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

1–12 of 46

KEYPLUG uses
SocGholish uses

The MITRE Corporation Confidence 100

[SocGholish](https://attack.mitre.org/software/S1124) is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Shahmaran uses

Family
Pinar uses

Family
Korplug uses

The MITRE Corporation Confidence 100

[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TSPY_TRICKLOAD uses

The MITRE Corporation Confidence 100

[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) was developed and initially used by…

First seen 01/01/1970 · Last seen 16/11/5138 ·
WhisperGate - S0689 uses

Family
InvisibleFerret uses

Family
QakBot - S0650 uses

Family
Pantegana uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SolarMarker uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Pikabot uses

Family

← Previous

Page / 5

1–12 of 60

Targeting of freelance developers related

20 MITREs 2 Malwares 1 APT
TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base related

6 MITREs 4 Malwares 102 Observables 1 APT
Suspected KEYPLUG Infrastructure: TLS Certificates and GhostWolf Links related

6 MITREs 2 Malwares 84 Observables 1 APT
One Step Ahead in Cyber Hide-and-Seek: Automating Malicious … related

10 MITREs 1 Malware 103 Observables 1 APT
RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and … related

16 MITREs 1 Malware 200 Observables 1 APT
Analyzing threat actor Kimsuky email phishing campaign related

12 MITREs 24 Observables 1 APT
China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt … related

11 MITREs 1 Malware 19 Observables 1 APT
Threat actors use ChatGPT to write malware related

19 MITREs 1 Malware 1 Observable 1 APT
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis related

14 MITREs 4 Malwares 106 Observables 1 APT
Predator Spyware Infrastructure Returns Following Exposure and Sanctions related

4 MITREs 1 Malware 16 Observables 1 APT
Mid-year Doppelganger information operations in Europe and the … related

19 MITREs 200 Observables 1 APT
Suspected Cyber Espionage Campaign Targeting Global Organizations related

1 CVE 6 MITREs 2 Malwares 25 Observables 1 APT

← Previous

Page / 3

13–24 of 29

Vulnerabilities (CVE) (23)

CVE-2024-56145 KEV targets

9.8 Critical

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected …

Attack vector: Network
Published: 02/06/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2017-9805 KEV targets

8.1 High

Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to …

Attack vector: NETWORK
Complexity: HIGH
Published: 15/09/2017
Modified: 22/04/2026

CWE-502

CVE-2019-0797 KEV targets

Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2026-50752 targets

7.4 High

A weakness in the certificate validation logic of the deprecated IKEv1 key exchange may allow an unauthenticated attacker positioned as a man-in-the-middle …

Attack vector: Network
Complexity: High
Published: 08/06/2026
Modified: 10/06/2026

CWE-295 Awaiting Analysis

CVE-2025-23419 targets

4.3 Medium

When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass …

Attack vector: NETWORK
Published: 05/02/2025
Modified: 13/04/2026

Awaiting Analysis

CVE-2022-24990 KEV targets

7.5 High

TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint.

Attack vector: Network
Published: 10/02/2023
Modified: 20/12/2025

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

CVE-2024-51567 KEV targets

10.0 Critical

upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus …

Attack vector: Network
Published: 07/11/2024
Modified: 21/12/2025

Analyzed

CVE-2024-51378 KEV targets

10.0 Critical

getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands …

Attack vector: Network
Published: 04/12/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2026-50751 KEV targets

9.3 Critical

A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker …

Attack vector: NETWORK
Complexity: LOW
EPSS: 0.0001 (P1.2%)
Published: 08/06/2026
Modified: 10/06/2026

CWE-287 Analyzed

← Previous

Page / 2

13–23 of 23

T1583 subtechnique-of

Acquire Infrastructure MITRE

Campaign (4)

KV Botnet Activity uses
SPACEHOP Activity uses
ArcaneDoor uses
J-magic Campaign uses

Course Of Action (1)

Pre-compromise mitigates

Contact About Legal notice Privacy policy Terms of use