T1583.004: T1583.004

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 01/10/2020 02:48 · Modified 11/05/2026 12:26

Essential information

MITRE technique ID: T1583.004
Confidence: 100/100
Revoked: No
Published: 01/10/2020 02:48
Modified: 11/05/2026 12:26
Author / Source: The MITRE Corporation

Aliases

Server

Platforms

PRE

Description

Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), enabling [Phishing](https://attack.mitre.org/techniques/T1566) operations, or facilitating [Command and Control](https://attack.mitre.org/tactics/TA0011). Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused.(Citation: Free Trial PurpleUrchin)(Citation: Freejacked) Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)

Kill chain phases

Kill chain	Phase
mitre-attack	resource-development

Marking (TLP)

External references

Koczwara Beacon Hunting Sep 2021
mitre-attack (T1583.004)
Free Trial PurpleUrchin
Mandiant SCANdalous Jul 2020
ThreatConnect Infrastructure Dec 2020
Freejacked
NYTStuxnet

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (27)

CURIUM uses Crimson SandstormTA456

The MITRE Corporation Confidence 100

[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.(Citation: Symantec Tortoiseshell…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Intellexa alliance uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Lusca uses TAG-22Charcoal Typhoon

The MITRE Corporation Confidence 100

[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mustard Tempest uses DEV-0206GOLD PRELUDE

The MITRE Corporation Confidence 100

[Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly uses BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TAG-124 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Coquettte uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FamousSparrow uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ResumeLooters uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GALLIUM uses Granite Typhoon

The MITRE Corporation Confidence 100

[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FishMonger uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sandworm Team uses ELECTRUMTelebots

The MITRE Corporation Confidence 100

[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

1–12 of 27

Lumma Stealer uses

Family
MgBot uses

Family
Mario uses
SodaMaster - S0627 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
POISONPLUG.SHADOW uses

Family
CleanUpLoader uses

Family
DanaBot uses

Family
Korplug uses

The MITRE Corporation Confidence 100

[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Spyder uses

Family
SodaMaster uses
MoqHao uses
Raccoon Stealer V2 uses

Family

← Previous

Page / 5

13–24 of 55

Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns related

14 MITREs 1 Observable
Global Corporate Web related

5 MITREs 1 Malware 1 Observable 1 APT
Amateur Hacker Leverages Bulletproof Hosting Server to Spread … related

13 MITREs 6 Malwares 6 Observables 1 APT
You will always remember this as the day … related

21 MITREs 3 Malwares 12 Observables 1 APT
Operation FishMedley targeting governments, NGOs, and think tanks related

18 MITREs 8 Malwares 12 Observables 1 APT
Inside the Scam: North Korea's IT Worker Threat related

15 MITREs 3 Malwares 43 Observables 1 APT
TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base related

6 MITREs 4 Malwares 102 Observables 1 APT
One Step Ahead in Cyber Hide-and-Seek: Automating Malicious … related

10 MITREs 1 Malware 103 Observables 1 APT
Evasive Panda scouting cloud services related

18 MITREs 3 Malwares 17 Observables 1 APT
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis related

14 MITREs 4 Malwares 106 Observables 1 APT
Predator Spyware Infrastructure Returns Following Exposure and Sanctions related

4 MITREs 1 Malware 16 Observables 1 APT
Analysis of two arbitrary code execution vulnerabilities affecting … related

5 CVEs 6 MITREs 1 Malware 5 Observables 1 APT

← Previous

Page / 2

1–12 of 14

Vulnerabilities (CVE) (8)

CVE-2021-33742 KEV targets

Microsoft Windows MSHTML Platform contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2024-7672 targets

7.8 High

A maliciously crafted DWF file, when parsed in dwfcore.dll through Autodesk Autodesk Navisworks, may force an Out-of-Bounds Write vulnerability. A malicious actor …

Attack vector: LOCAL
Published: 30/09/2024
Modified: 21/12/2025

Analyzed

CVE-2021-21166 KEV targets

Google Chromium contains a race condition vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2024-7263 targets

7.8 High

Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive) on Windows allows an attacker to …

Attack vector: LOCAL
Published: 15/08/2024
Modified: 21/12/2025

Undergoing Analysis

CVE-2021-30551 KEV targets

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2019-11580 KEV targets

Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2022-24934 targets

9.8 Critical

wpsupdater.exe in Kingsoft WPS Office through 11.2.0.10382 allows remote code execution by modifying HKEY_CURRENT_USER in the registry.

Attack vector: NETWORK
Published: 23/03/2022
Modified: 21/12/2025

CVE-2024-7262 KEV targets

7.8 High

Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.13489 on Windows allows an attacker to load …

Attack vector: Local
Published: 03/09/2024
Modified: 21/12/2025

Undergoing Analysis

Attack patterns (MITRE) (1)

T1583 subtechnique-of

Acquire Infrastructure MITRE

Course Of Action (1)

Pre-compromise mitigates

Campaign (4)

Night Dragon uses
Operation Dream Job uses
Operation Honeybee uses
Operation Wocao uses

Contact About Legal notice Privacy policy Terms of use