T1588.002: T1588.002

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 01/10/2020 04:08 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1588.002
Confidence: 100/100
Revoked: No
Published: 01/10/2020 04:08
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Tool

Platforms

PRE

Description

Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. Tools may also be leveraged for testing – for example, evaluating malware against commercial antivirus or endpoint detection and response (EDR) applications.(Citation: Forescout Conti Leaks 2022)(Citation: Sentinel Labs Top Tier Target 2025) Tool acquisition may involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries). Threat actors may also crack trial versions of software.(Citation: Recorded Future Beacon 2019)

Kill chain phases

Kill chain	Phase
mitre-attack	resource-development

Marking (TLP)

External references

mitre-attack (T1588.002)
Forescout Conti Leaks 2022
Sentinel Labs Top Tier Target 2025
Analyzing CS Dec 2020
Recorded Future Beacon 2019

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (70)

DarkVishnya uses

The MITRE Corporation Confidence 100

[DarkVishnya](https://attack.mitre.org/groups/G0105) is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.(Citation: Securelist DarkVishnya Dec…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN13 uses Elephant Beetle

The MITRE Corporation Confidence 100

[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves…

First seen 01/01/1970 · Last seen 16/11/5138 ·
China-nexus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-STA-0237 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ke3chang uses APT15Mirage

The MITRE Corporation Confidence 100

[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Threat Group-3390 uses Earth SmilodonTG-3390

The MITRE Corporation Confidence 100

[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-36 uses Blind Eagle

The MITRE Corporation Confidence 100

[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cleaver uses Threat Group 2889TG-2889

The MITRE Corporation Confidence 100

[Cleaver](https://attack.mitre.org/groups/G0003) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests…

First seen 01/01/1970 · Last seen 16/11/5138 ·
menuPass uses CicadaPOTASSIUM

The MITRE Corporation Confidence 100

[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Leafminer uses Raspite

The MITRE Corporation Confidence 100

[Leafminer](https://attack.mitre.org/groups/G0077) is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. (Citation: Symantec Leafminer July 2018)

First seen 01/01/1970 · Last seen 16/11/5138 ·
Medusa Group uses

The MITRE Corporation Confidence 100

[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA829 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

13–24 of 70

Aisuru uses

Family
ScreenConnect uses

Family
Agent Tesla - S0331 uses

Family
CE-Notes uses

Family
BADCALL - S0245 uses

Family
Penguish uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CrowDoor uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Shai-Hulud uses

AlienVault Confidence 100

[Shai-Hulud](https://attack.mitre.org/software/S9008) is a supply chain worm, first reported in September 2025, that spreads through code repositories, including GitHub and NPM packages. It exploits CI/CD pipeline dependencies to propagate…

First seen 01/01/1970 · Last seen 16/11/5138 ·
N-able uses

Family
FraudGPT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Rescoms uses

Family
CraxsRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

37–48 of 57

Affidavit in Support of Application for Criminal Complaint related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Cybercriminal VPN Dismantled in Crackdown related

10 MITREs
Fresh mischief and digital shenanigans related

AlienVault Confidence 100 14 MITREs 2 Malwares 21 IOCs 21 Observables 1 APT
Lorem Ipsum Malware: Trojanized MS Teams Installers related

AlienVault Confidence 100 20 MITREs 1 Malware 13 IOCs 13 Observables
Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT … related

3 CVEs 22 MITREs 5 Malwares 16 Observables 1 APT
Unmasking DPRK Cyber Threat Actors: Fake IT Worker … related

AlienVault Confidence 100 16 MITREs 3 IOCs 3 Observables 1 APT
Mach-O Man Malware: What CISOs Need to Know related

20 MITREs 2 Malwares 15 Observables 1 APT
New Malware Targets Users of Cobra DocGuard Software related

20 MITREs 3 Malwares 7 Observables 1 APT
Contagious Trader campaign - Coordinated weaponisation of cryptocurrency … related

20 MITREs 7 Malwares 5 Observables 1 APT
RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities related

12 CVEs 16 MITREs 2 Malwares 29 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (81)

CVE-2025-27920 KEV targets

7.2 High

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, …

Attack vector: Network
Published: 19/05/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2024-6473 targets

7.8 High

Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.

Attack vector: LOCAL
Published: 03/09/2024
Modified: 21/12/2025

Analyzed

CVE-2023-50381 targets

7.2 High

Three os command injection vulnerabilities exist in the boa formWsc functionality of Realtek rtl819x Jungle SDK v3.4.11. A specially crafted series of …

Attack vector: NETWORK
Published: 08/07/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-54948 KEV targets

9.4 Critical

Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload …

Attack vector: Network
Published: 18/08/2025
Modified: 27/05/2026

Awaiting Analysis

CVE-2013-3307 targets

8.3 High

Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04 allow OS command injection via shell metacharacters in …

Attack vector: NETWORK
Published: 11/07/2025
Modified: 21/12/2025

CVE-2025-47812 KEV targets

10.0 Critical

Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code …

Attack vector: Network
Published: 14/07/2025
Modified: 16/03/2026

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2013-1599 targets

9.8 Critical

A Command Injection vulnerability exists in the /var/www/cgi-bin/rtpd.cgi script in D-Link IP Cameras DCS-3411/3430 firmware 1.02, DCS-5605/5635 1.01, DCS-1100L/1130L 1.04, DCS-1100/1130 1.03, …

Attack vector: NETWORK
Published: 28/01/2020
Modified: 21/12/2025

CVE-2024-0012 KEV targets

9.8 Critical

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to …

Attack vector: Network
Published: 18/11/2024
Modified: 21/12/2025

Undergoing Analysis

CVE-2007-0671 KEV targets

8.8 High

Microsoft Office Excel contains a remote code execution vulnerability that can be exploited when a specially crafted Excel file is opened. This …

Attack vector: Network
Complexity: Low
Published: 03/02/2007
Modified: 27/05/2026

CVE-2024-3094 targets

10.0 Critical

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma …

Attack vector: NETWORK
Published: 29/03/2024
Modified: 21/12/2025

CVE-2024-8069 KEV targets

8.0 High

Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account …

Attack vector: Adjacent
Published: 25/08/2025
Modified: 27/05/2026

Awaiting Analysis

← Previous

Page / 7

1–12 of 81

T1588 subtechnique-of

Obtain Capabilities MITRE

Campaign (10)

Night Dragon uses
C0017 uses
ShadowRay uses
C0015 uses
Operation Spalax uses
C0010 uses
Operation Wocao uses
Cutting Edge uses
Operation CuckooBees uses
Triton Safety Instrumented System Attack uses

Contact About Legal notice Privacy policy Terms of use