T1584.004: T1584.004

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 01/10/2020 02:56 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1584.004
Confidence: 100/100
Revoked: No
Published: 01/10/2020 02:56
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Server

Platforms

PRE

Description

Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control.(Citation: TrendMicro EarthLusca 2022) Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.

Kill chain phases

Kill chain	Phase
mitre-attack	resource-development

Marking (TLP)

External references

TrendMicro EarthLusca 2022
Koczwara Beacon Hunting Sep 2021
Mandiant SCANdalous Jul 2020
ThreatConnect Infrastructure Dec 2020
mitre-attack (T1584.004)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (24)

Sandworm Team uses ELECTRUMTelebots

The MITRE Corporation Confidence 100

[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT37 uses InkySquidGroup123

The MITRE Corporation Confidence 100

[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Candiru uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Indrik Spider uses Manatee TempestDEV-0243

The MITRE Corporation Confidence 100

[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Danabot uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Muddling Meerkat uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly uses BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RedGolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Qilin uses

Ransomware.Live Confidence 100

Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sharp Dragon uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

13–24 of 24

DynoWiper uses

Family
Sting wiper uses

Family
DNSChanger uses

Family
CaddyWiper - S0693 uses

Family
Behinder uses

Family
Qilin uses

Family
SOLOSHRED uses

Family
SwiftSlicer uses

Family
SharpNikoWiper uses

Family
Bulbature uses

Family
RansomBoggs uses

Family
Rust backdoor uses

Family

← Previous

Page / 5

1–12 of 57

The Devil, Eight Million Emails, and a Whole … related

AlienVault Confidence 100 16 MITREs 14 IOCs 14 Observables
PHISH ALERT: Press Play for Compromise — Voicemail … related

20 MITREs 19 Observables
Active Exploitation of Check Point VPN Authentication Bypass … related

2 CVEs 11 MITREs 1 Malware 7 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
A rigged game: compromises gaming platform in a … related

21 MITREs 2 Malwares 9 Observables 1 APT
Inside the Bulletproof Hosting Network Behind 16,000+ Fake … related

AlienVault Confidence 100 15 MITREs 9 IOCs 9 Observables
How to uncover a Horabot campaign and detect … related

19 MITREs 5 Malwares 22 Observables 1 APT
Iran conflict drives heightened espionage activity against Middle … related

26 MITREs 2 Malwares 19 Observables
Compromised Routers, DNS, and a TDS Hidden in … related

9 MITREs 1 Malware 10 Observables
DynoWiper update: Technical analysis related

8 MITREs 21 Malwares 7 Observables 1 APT
Suspected KEYPLUG Infrastructure: TLS Certificates and GhostWolf Links related

6 MITREs 2 Malwares 84 Observables 1 APT
One Step Ahead in Cyber Hide-and-Seek: Automating Malicious … related

10 MITREs 1 Malware 103 Observables 1 APT

← Previous

Page / 2

1–12 of 18

Vulnerabilities (CVE) (10)

CVE-2019-9082 KEV targets

ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2021-21166 KEV targets

Google Chromium contains a race condition vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2019-11580 KEV targets

Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2017-5638 targets

CVE-2026-50752 targets

7.4 High

A weakness in the certificate validation logic of the deprecated IKEv1 key exchange may allow an unauthenticated attacker positioned as a man-in-the-middle …

Attack vector: Network
Complexity: High
Published: 08/06/2026
Modified: 10/06/2026

CWE-295 Awaiting Analysis

CVE-2023-0669 KEV targets

7.2 High

Fortra (formerly, HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled …

Attack vector: Network
Published: 10/02/2023
Modified: 21/12/2025

CVE-2021-30551 KEV targets

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2021-33742 KEV targets

Microsoft Windows MSHTML Platform contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2026-50751 KEV targets

9.3 Critical

A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker …

Attack vector: NETWORK
Complexity: LOW
EPSS: 0.0001 (P1.2%)
Published: 08/06/2026
Modified: 10/06/2026

CWE-287 Analyzed

CVE-2019-13956 targets

Attack patterns (MITRE) (1)

T1584 subtechnique-of

Compromise Infrastructure MITRE

Campaign (6)

Operation Sharpshooter uses
Outer Space uses
Operation Dream Job uses
Night Dragon uses
Anthropic AI-orchestrated Campaign uses
Juicy Mix uses

Course Of Action (1)

Pre-compromise mitigates

Contact About Legal notice Privacy policy Terms of use