T1588.002: T1588.002

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 01/10/2020 04:08 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1588.002
Confidence: 100/100
Revoked: No
Published: 01/10/2020 04:08
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Tool

Platforms

PRE

Description

Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. Tools may also be leveraged for testing – for example, evaluating malware against commercial antivirus or endpoint detection and response (EDR) applications.(Citation: Forescout Conti Leaks 2022)(Citation: Sentinel Labs Top Tier Target 2025) Tool acquisition may involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries). Threat actors may also crack trial versions of software.(Citation: Recorded Future Beacon 2019)

Kill chain phases

Kill chain	Phase
mitre-attack	resource-development

Marking (TLP)

External references

mitre-attack (T1588.002)
Forescout Conti Leaks 2022
Sentinel Labs Top Tier Target 2025
Analyzing CS Dec 2020
Recorded Future Beacon 2019

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (70)

Thrip uses DRAGONFISHSpring Dragon

The MITRE Corporation Confidence 100

[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silent Librarian uses TA407COBALT DICKENS

The MITRE Corporation Confidence 100

[Silent Librarian](https://attack.mitre.org/groups/G0122) is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of [Silent…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CopyKittens uses

The MITRE Corporation Confidence 100

[CopyKittens](https://attack.mitre.org/groups/G0052) is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK (North Korea) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sandworm Team uses ELECTRUMTelebots

The MITRE Corporation Confidence 100

[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6032 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT28 uses IRON TWILIGHTSNAKEMACKEREL

The MITRE Corporation Confidence 100

[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Salt Typhoon uses

The MITRE Corporation Confidence 100

[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
AISURU related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
AMOS threat group related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT1 related Comment CrewComment Group

The MITRE Corporation Confidence 100

[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

25–36 of 70

Xeno RAT uses

Family
GOSHELL uses

Family
ShadowV2 uses

Family
MuddyViper uses

Family
NetSupport uses

Family
SYS01 uses

Family
Track2NFC uses

Family
AllaKore RAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mélofée uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
NGate uses

Family
PURESTEALER uses

Family
Neo-reGeorg - S1189 uses

Family

← Previous

Page / 5

1–12 of 57

Affidavit in Support of Application for Criminal Complaint related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Cybercriminal VPN Dismantled in Crackdown related

10 MITREs
Fresh mischief and digital shenanigans related

AlienVault Confidence 100 14 MITREs 2 Malwares 21 IOCs 21 Observables 1 APT
Lorem Ipsum Malware: Trojanized MS Teams Installers related

AlienVault Confidence 100 20 MITREs 1 Malware 13 IOCs 13 Observables
Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT … related

3 CVEs 22 MITREs 5 Malwares 16 Observables 1 APT
Unmasking DPRK Cyber Threat Actors: Fake IT Worker … related

AlienVault Confidence 100 16 MITREs 3 IOCs 3 Observables 1 APT
Mach-O Man Malware: What CISOs Need to Know related

20 MITREs 2 Malwares 15 Observables 1 APT
New Malware Targets Users of Cobra DocGuard Software related

20 MITREs 3 Malwares 7 Observables 1 APT
Contagious Trader campaign - Coordinated weaponisation of cryptocurrency … related

20 MITREs 7 Malwares 5 Observables 1 APT
RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities related

12 CVEs 16 MITREs 2 Malwares 29 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (81)

CVE-2025-52089 targets

8.8 High

A hidden remote support feature protected by a static secret in TOTOLINK N300RB firmware version 8.54 allows an authenticated attacker to execute …

Attack vector: ADJACENT_NETWORK
Published: 11/07/2025
Modified: 16/03/2026

CVE-2025-4609 targets

9.6 Critical

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 136.0.7103.113 allowed a remote attacker to potentially …

Attack vector: NETWORK
Published: 22/08/2025
Modified: 21/12/2025

CVE-2023-33538 KEV targets

8.8 High

TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be …

Attack vector: Network
Published: 16/06/2025
Modified: 21/12/2025

CVE-2020-25079 KEV targets

D-Link DCS-2530L and DCS-2670L devices contains a command injection vulnerability in the cgi-bin/ddns_enc.cgi. The impacted products could be end-of-life (EoL) and/or end-of-service …

Published: 05/08/2025
Modified: 27/05/2026

CVE-2025-20281 KEV targets

10.0 Critical

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code …

Attack vector: Network
Published: 28/07/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2020-25078 KEV targets

D-Link DCS-2530L and DCS-2670L devices contains an unspecified vulnerability that could allow for remote administrator password disclosure. The impacted products could be …

Published: 05/08/2025
Modified: 27/05/2026

CVE-2021-22005 KEV targets

VMware vCenter Server contains a file upload vulnerability in the Analytics service that allows a user with network access to port 443 …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2024-8963 KEV targets

9.4 Critical

Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If …

Attack vector: Network
Published: 19/09/2024
Modified: 21/12/2025

Analyzed

CVE-2025-57819 KEV targets

9.8 Critical

Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary …

Attack vector: NETWORK
Complexity: Low
Published: 28/08/2025
Modified: 18/06/2026

CWE-89

CVE-2022-35733 targets

9.8 Critical

Missing authentication for critical function vulnerability in UNIMO Technology digital video recorders (UDR-JA1004/JA1008/JA1016 firmware versions v1.0.20.13 and earlier, and UDR-JA1016 firmware versions …

Attack vector: NETWORK
Published: 23/08/2022
Modified: 21/12/2025

CVE-2024-3721 targets

6.3 Medium

A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …

Attack vector: NETWORK
Published: 13/04/2024
Modified: 21/12/2025

CVE-2022-44149 targets

8.8 High

The web service on Nexxt Amp300 ARN02304U8 42.103.1.5095 and 80.103.2.5045 devices allows remote OS command execution by placing &telnetd in the JSON …

Attack vector: NETWORK
Published: 06/01/2023
Modified: 21/12/2025

← Previous

Page / 7

37–48 of 81

T1588 subtechnique-of

Obtain Capabilities MITRE

Campaign (10)

Night Dragon uses
C0017 uses
ShadowRay uses
C0015 uses
Operation Spalax uses
C0010 uses
Operation Wocao uses
Cutting Edge uses
Operation CuckooBees uses
Triton Safety Instrumented System Attack uses

Contact About Legal notice Privacy policy Terms of use