T1588.002: T1588.002

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1588.002
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Tool

Platforms

PRE

Description

Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. Tools may also be leveraged for testing – for example, evaluating malware against commercial antivirus or endpoint detection and response (EDR) applications.(Citation: Forescout Conti Leaks 2022)(Citation: Sentinel Labs Top Tier Target 2025) Tool acquisition may involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries). Threat actors may also crack trial versions of software.(Citation: Recorded Future Beacon 2019)

Kill chain phases

Kill chain	Phase
mitre-attack	resource-development

Marking (TLP)

External references

mitre-attack (T1588.002)
Forescout Conti Leaks 2022
Sentinel Labs Top Tier Target 2025
Analyzing CS Dec 2020
Recorded Future Beacon 2019

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (75)

TA2541 uses

The MITRE Corporation Confidence 100

[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Trigona uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mirai uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
WIRTE uses

The MITRE Corporation Confidence 100

[WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. [WIRTE](https://attack.mitre.org/groups/G0090) has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Bitter uses T-APT-17

The MITRE Corporation Confidence 100

[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Telekopye uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT33 uses HOLMIUMElfin

The MITRE Corporation Confidence 100

[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
LAPSUS$ uses DEV-0537Strawberry Tempest

The MITRE Corporation Confidence 100

[LAPSUS$](https://attack.mitre.org/groups/G1004) is cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MUSTANG PANDA uses BRONZE PRESIDENTSTATELY TAURUS

The MITRE Corporation Confidence 100

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mallox uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cobalt Group uses GOLD KINGSWOODCobalt Gang

The MITRE Corporation Confidence 100

[Cobalt Group](https://attack.mitre.org/groups/G0080) is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 75

Xeno RAT uses

Family
GOSHELL uses

Family
ShadowV2 uses

Family
MuddyViper uses

Family
NetSupport uses

Family
SYS01 uses

Family
Track2NFC uses

Family
AllaKore RAT uses

Family
Mélofée uses
NGate uses

Family
PURESTEALER uses

Family
Neo-reGeorg - S1189 uses

Family

← Previous

Page / 6

1–12 of 66

Affidavit in Support of Application for Criminal Complaint related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Cybercriminal VPN Dismantled in Crackdown related

10 MITREs
Fresh mischief and digital shenanigans related

AlienVault Confidence 100 14 MITREs 2 Malwares 21 IOCs 21 Observables 1 APT
Lorem Ipsum Malware: Trojanized MS Teams Installers related

AlienVault Confidence 100 20 MITREs 1 Malware 13 IOCs 13 Observables
Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT … related

3 CVEs 22 MITREs 5 Malwares 16 Observables 1 APT
Unmasking DPRK Cyber Threat Actors: Fake IT Worker … related

AlienVault Confidence 100 16 MITREs 3 IOCs 3 Observables 1 APT
Mach-O Man Malware: What CISOs Need to Know related

20 MITREs 2 Malwares 15 Observables 1 APT
New Malware Targets Users of Cobra DocGuard Software related

20 MITREs 3 Malwares 7 Observables 1 APT
Contagious Trader campaign - Coordinated weaponisation of cryptocurrency … related

20 MITREs 7 Malwares 5 Observables 1 APT
RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities related

12 CVEs 16 MITREs 2 Malwares 29 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (81)

CVE-2025-27920 KEV targets

7.2 High

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, …

Attack vector: Network
Published: 19/05/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2024-6473 targets

7.8 High

Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.

Attack vector: LOCAL
Published: 03/09/2024
Modified: 21/12/2025

Analyzed

CVE-2023-50381 targets

7.2 High

Three os command injection vulnerabilities exist in the boa formWsc functionality of Realtek rtl819x Jungle SDK v3.4.11. A specially crafted series of …

Attack vector: NETWORK
Published: 08/07/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-54948 KEV targets

9.4 Critical

Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload …

Attack vector: Network
Published: 18/08/2025
Modified: 27/05/2026

Awaiting Analysis

CVE-2013-3307 targets

8.3 High

Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04 allow OS command injection via shell metacharacters in …

Attack vector: NETWORK
Published: 11/07/2025
Modified: 21/12/2025

CVE-2025-47812 KEV targets

10.0 Critical

Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code …

Attack vector: Network
Published: 14/07/2025
Modified: 16/03/2026

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2013-1599 targets

9.8 Critical

A Command Injection vulnerability exists in the /var/www/cgi-bin/rtpd.cgi script in D-Link IP Cameras DCS-3411/3430 firmware 1.02, DCS-5605/5635 1.01, DCS-1100L/1130L 1.04, DCS-1100/1130 1.03, …

Attack vector: NETWORK
Published: 28/01/2020
Modified: 21/12/2025

CVE-2024-0012 KEV targets

9.8 Critical

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to …

Attack vector: Network
Published: 18/11/2024
Modified: 21/12/2025

Undergoing Analysis

CVE-2007-0671 KEV targets

8.8 High

Microsoft Office Excel contains a remote code execution vulnerability that can be exploited when a specially crafted Excel file is opened. This …

Attack vector: Network
Complexity: Low
Published: 03/02/2007
Modified: 27/05/2026

CVE-2024-3094 targets

10.0 Critical

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma …

Attack vector: NETWORK
Published: 29/03/2024
Modified: 21/12/2025

CVE-2024-8069 KEV targets

8.0 High

Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account …

Attack vector: Adjacent
Published: 25/08/2025
Modified: 27/05/2026

Awaiting Analysis

← Previous

Page / 7

1–12 of 81

T1588 subtechnique-of

Obtain Capabilities MITRE

Campaign (11)

Night Dragon uses
C0017 uses
ShadowRay uses
C0015 uses
Operation Spalax uses
C0010 uses
Operation Wocao uses
Cutting Edge uses
Operation CuckooBees uses
Triton Safety Instrumented System Attack uses
HomeLand Justice uses

Contact About Legal notice Privacy policy Terms of use