T1583.004: T1583.004

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 11/05/2026 12:26

Essential information

MITRE technique ID: T1583.004
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 11/05/2026 12:26
Author / Source: The MITRE Corporation

Aliases

Server

Platforms

PRE

Description

Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), enabling [Phishing](https://attack.mitre.org/techniques/T1566) operations, or facilitating [Command and Control](https://attack.mitre.org/tactics/TA0011). Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused.(Citation: Free Trial PurpleUrchin)(Citation: Freejacked) Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)

Kill chain phases

Kill chain	Phase
mitre-attack	resource-development

Marking (TLP)

External references

Koczwara Beacon Hunting Sep 2021
mitre-attack (T1583.004)
Free Trial PurpleUrchin
Mandiant SCANdalous Jul 2020
ThreatConnect Infrastructure Dec 2020
Freejacked
NYTStuxnet

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (27)

CURIUM uses Crimson SandstormTA456

The MITRE Corporation Confidence 100

[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.(Citation: Symantec Tortoiseshell …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
Intellexa alliance uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 06:53 · Modified 21/12/2025 06:53
Earth Lusca uses TAG-22Charcoal Typhoon

The MITRE Corporation Confidence 100

[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
Mustard Tempest uses DEV-0206GOLD PRELUDE

The MITRE Corporation Confidence 100

[Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
Daggerfly uses BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
TAG-124 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 10:25 · Modified 21/12/2025 10:25
Coquettte uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 12:41 · Modified 21/12/2025 12:41
FamousSparrow uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 13:05 · Modified 21/12/2025 13:05
ResumeLooters uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 03:11 · Modified 21/12/2025 03:11
GALLIUM uses Granite Typhoon

The MITRE Corporation Confidence 100

[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
FishMonger uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 13:00 · Modified 21/12/2025 13:00
Sandworm Team uses ELECTRUMTelebots

The MITRE Corporation Confidence 100

[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13

← Previous

Page / 3

1–12 of 27

ShadowPad - S0596 uses

Family

Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
BeaverTail uses

Family

Published 21/04/2026 12:09 · Modified 21/04/2026 12:09
Rhysida uses

Family

Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
MintsLoader uses

Family

Published 21/08/2025 21:03 · Modified 21/08/2025 21:03
PyInstaller uses

Family

Published 31/01/2025 10:09 · Modified 31/01/2025 10:09
Rescoms uses

Family

Published 25/05/2025 17:47 · Modified 25/05/2025 17:47
Remcos - S0332 uses

Family

Published 31/01/2025 10:09 · Modified 31/01/2025 10:09
Neo-reGeorg - S1189 uses

Family

Published 05/02/2026 20:20 · Modified 05/02/2026 20:20
Behinder uses

Family

Published 14/05/2026 20:10 · Modified 14/05/2026 20:10
Karkadann
Cobalt Strike - S0154 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 27/05/2026 21:40
HemiGate uses

Family

Published 26/03/2025 20:15 · Modified 26/03/2025 20:15

← Previous

Page / 5

1–12 of 53

Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns related

14 MITREs 1 Observable

Published 08/05/2026 16:10 · Modified 11/05/2026 10:26
Global Corporate Web related

5 MITREs 1 Malware 1 Observable 1 APT

Published 04/12/2025 08:11 · Modified 21/12/2025 18:23
Amateur Hacker Leverages Bulletproof Hosting Server to Spread … related

13 MITREs 6 Malwares 6 Observables 1 APT

Published 03/04/2025 17:18 · Modified 03/04/2025 18:31
You will always remember this as the day … related

21 MITREs 3 Malwares 12 Observables 1 APT

Published 26/03/2025 20:15 · Modified 26/03/2025 20:51
Operation FishMedley targeting governments, NGOs, and think tanks related

18 MITREs 8 Malwares 12 Observables 1 APT

Published 21/03/2025 10:33 · Modified 21/03/2025 14:46
Inside the Scam: North Korea's IT Worker Threat related

15 MITREs 3 Malwares 43 Observables 1 APT

Published 13/02/2025 09:34 · Modified 13/02/2025 09:45
TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base related

6 MITREs 4 Malwares 102 Observables 1 APT

Published 31/01/2025 10:09 · Modified 31/01/2025 10:39
One Step Ahead in Cyber Hide-and-Seek: Automating Malicious … related

10 MITREs 1 Malware 103 Observables 1 APT

Published 21/01/2025 18:17 · Modified 21/01/2025 18:48
Evasive Panda scouting cloud services related

18 MITREs 3 Malwares 17 Observables 1 APT

Published 28/10/2024 20:14 · Modified 29/10/2024 13:28
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis related

14 MITREs 4 Malwares 106 Observables 1 APT

Published 10/10/2024 08:17 · Modified 10/10/2024 08:43
Predator Spyware Infrastructure Returns Following Exposure and Sanctions related

4 MITREs 1 Malware 16 Observables 1 APT

Published 05/09/2024 16:38 · Modified 05/09/2024 16:47
Analysis of two arbitrary code execution vulnerabilities affecting … related

5 CVEs 6 MITREs 1 Malware 5 Observables 1 APT

Published 30/08/2024 17:48 · Modified 30/08/2024 18:08

← Previous

Page / 2

1–12 of 14

Vulnerabilities (CVE) (8)

CVE-2021-33742 KEV

Microsoft Windows MSHTML Platform contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2024-7672

7.8 High

A maliciously crafted DWF file, when parsed in dwfcore.dll through Autodesk Autodesk Navisworks, may force an Out-of-Bounds Write vulnerability. A malicious actor …

Attack vector: LOCAL
Published: 30/09/2024
Modified: 21/12/2025

Analyzed

CVE-2021-21166 KEV

Google Chromium contains a race condition vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2024-7263

7.8 High

Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive) on Windows allows an attacker to …

Attack vector: LOCAL
Published: 15/08/2024
Modified: 21/12/2025

Undergoing Analysis

CVE-2021-30551 KEV

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2019-11580 KEV

Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2022-24934

9.8 Critical

wpsupdater.exe in Kingsoft WPS Office through 11.2.0.10382 allows remote code execution by modifying HKEY_CURRENT_USER in the registry.

Attack vector: NETWORK
Published: 23/03/2022
Modified: 21/12/2025

CVE-2024-7262 KEV

7.8 High

Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.13489 on Windows allows an attacker to load …

Attack vector: Local
Published: 03/09/2024
Modified: 21/12/2025

Undergoing Analysis

Attack patterns (MITRE) (1)

T1583 subtechnique-of

Acquire Infrastructure

Course Of Action (1)

Pre-compromise mitigates

Campaign (4)

Night Dragon uses
Operation Dream Job uses
Operation Honeybee uses
Operation Wocao uses

Contact About Legal notice Privacy policy Terms of use