T1584.004: T1584.004

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 01/10/2020 02:56 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1584.004
Confidence: 100/100
Revoked: No
Published: 01/10/2020 02:56
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Server

Platforms

PRE

Description

Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control.(Citation: TrendMicro EarthLusca 2022) Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.

Kill chain phases

Kill chain	Phase
mitre-attack	resource-development

Marking (TLP)

External references

TrendMicro EarthLusca 2022
Koczwara Beacon Hunting Sep 2021
Mandiant SCANdalous Jul 2020
ThreatConnect Infrastructure Dec 2020
mitre-attack (T1584.004)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (24)

TGR-STA-1030 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sandworm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Dragonfly uses TEMP.IsotopeDYMALLOY

The MITRE Corporation Confidence 100

[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Horabot uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Leviathan uses MUDCARPKryptonite Panda

The MITRE Corporation Confidence 100

[Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Lusca uses TAG-22Charcoal Typhoon

The MITRE Corporation Confidence 100

[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Squeamish Libra uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Secshow uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SolarMarker uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Volt Typhoon uses BRONZE SILHOUETTEVanguard Panda

The MITRE Corporation Confidence 100

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT16 uses

The MITRE Corporation Confidence 100

[APT16](https://attack.mitre.org/groups/G0023) is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

1–12 of 24

DynoWiper uses

Family
Sting wiper uses

Family
DNSChanger uses

Family
CaddyWiper - S0693 uses

Family
Behinder uses

Family
Qilin uses

Family
SOLOSHRED uses

Family
SwiftSlicer uses

Family
SharpNikoWiper uses

Family
Bulbature uses

Family
RansomBoggs uses

Family
Rust backdoor uses

Family

← Previous

Page / 5

1–12 of 57

The Devil, Eight Million Emails, and a Whole … related

AlienVault Confidence 100 16 MITREs 14 IOCs 14 Observables
PHISH ALERT: Press Play for Compromise — Voicemail … related

20 MITREs 19 Observables
Active Exploitation of Check Point VPN Authentication Bypass … related

2 CVEs 11 MITREs 1 Malware 7 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
A rigged game: compromises gaming platform in a … related

21 MITREs 2 Malwares 9 Observables 1 APT
Inside the Bulletproof Hosting Network Behind 16,000+ Fake … related

AlienVault Confidence 100 15 MITREs 9 IOCs 9 Observables
How to uncover a Horabot campaign and detect … related

19 MITREs 5 Malwares 22 Observables 1 APT
Iran conflict drives heightened espionage activity against Middle … related

26 MITREs 2 Malwares 19 Observables
Compromised Routers, DNS, and a TDS Hidden in … related

9 MITREs 1 Malware 10 Observables
DynoWiper update: Technical analysis related

8 MITREs 21 Malwares 7 Observables 1 APT
Suspected KEYPLUG Infrastructure: TLS Certificates and GhostWolf Links related

6 MITREs 2 Malwares 84 Observables 1 APT
One Step Ahead in Cyber Hide-and-Seek: Automating Malicious … related

10 MITREs 1 Malware 103 Observables 1 APT

← Previous

Page / 2

1–12 of 18

Vulnerabilities (CVE) (10)

CVE-2019-9082 KEV targets

ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2021-21166 KEV targets

Google Chromium contains a race condition vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2019-11580 KEV targets

Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2017-5638 targets

CVE-2026-50752 targets

7.4 High

A weakness in the certificate validation logic of the deprecated IKEv1 key exchange may allow an unauthenticated attacker positioned as a man-in-the-middle …

Attack vector: Network
Complexity: High
Published: 08/06/2026
Modified: 10/06/2026

CWE-295 Awaiting Analysis

CVE-2023-0669 KEV targets

7.2 High

Fortra (formerly, HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled …

Attack vector: Network
Published: 10/02/2023
Modified: 21/12/2025

CVE-2021-30551 KEV targets

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2021-33742 KEV targets

Microsoft Windows MSHTML Platform contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2026-50751 KEV targets

9.3 Critical

A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker …

Attack vector: NETWORK
Complexity: LOW
EPSS: 0.0001 (P1.2%)
Published: 08/06/2026
Modified: 10/06/2026

CWE-287 Analyzed

CVE-2019-13956 targets

Attack patterns (MITRE) (1)

T1584 subtechnique-of

Compromise Infrastructure MITRE

Campaign (6)

Operation Sharpshooter uses
Outer Space uses
Operation Dream Job uses
Night Dragon uses
Anthropic AI-orchestrated Campaign uses
Juicy Mix uses

Course Of Action (1)

Pre-compromise mitigates

Contact About Legal notice Privacy policy Terms of use