T1588.002: T1588.002

Search IOCs, vulnerabilities, APT…

216.73.217.98

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 01/10/2020 04:08 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1588.002
Confidence: 100/100
Revoked: No
Published: 01/10/2020 04:08
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Tool

Platforms

PRE

Description

Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. Tools may also be leveraged for testing – for example, evaluating malware against commercial antivirus or endpoint detection and response (EDR) applications.(Citation: Forescout Conti Leaks 2022)(Citation: Sentinel Labs Top Tier Target 2025) Tool acquisition may involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries). Threat actors may also crack trial versions of software.(Citation: Recorded Future Beacon 2019)

Kill chain phases

Kill chain	Phase
mitre-attack	resource-development

Marking (TLP)

External references

mitre-attack (T1588.002)
Forescout Conti Leaks 2022
Sentinel Labs Top Tier Target 2025
Analyzing CS Dec 2020
Recorded Future Beacon 2019

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (70)

Thrip uses DRAGONFISHSpring Dragon

The MITRE Corporation Confidence 100

[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silent Librarian uses TA407COBALT DICKENS

The MITRE Corporation Confidence 100

[Silent Librarian](https://attack.mitre.org/groups/G0122) is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of [Silent…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CopyKittens uses

The MITRE Corporation Confidence 100

[CopyKittens](https://attack.mitre.org/groups/G0052) is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK (North Korea) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sandworm Team uses ELECTRUMTelebots

The MITRE Corporation Confidence 100

[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6032 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT28 uses IRON TWILIGHTSNAKEMACKEREL

The MITRE Corporation Confidence 100

[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Salt Typhoon uses

The MITRE Corporation Confidence 100

[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
AISURU related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
AMOS threat group related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT1 related Comment CrewComment Group

The MITRE Corporation Confidence 100

[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

25–36 of 70

Xeno RAT uses

Family
GOSHELL uses

Family
ShadowV2 uses

Family
MuddyViper uses

Family
NetSupport uses

Family
SYS01 uses

Family
Track2NFC uses

Family
AllaKore RAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mélofée uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
NGate uses

Family
PURESTEALER uses

Family
Neo-reGeorg - S1189 uses

Family

← Previous

Page / 5

1–12 of 57

Affidavit in Support of Application for Criminal Complaint related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Cybercriminal VPN Dismantled in Crackdown related

10 MITREs
Fresh mischief and digital shenanigans related

AlienVault Confidence 100 14 MITREs 2 Malwares 21 IOCs 21 Observables 1 APT
Lorem Ipsum Malware: Trojanized MS Teams Installers related

AlienVault Confidence 100 20 MITREs 1 Malware 13 IOCs 13 Observables
Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT … related

3 CVEs 22 MITREs 5 Malwares 16 Observables 1 APT
Unmasking DPRK Cyber Threat Actors: Fake IT Worker … related

AlienVault Confidence 100 16 MITREs 3 IOCs 3 Observables 1 APT
Mach-O Man Malware: What CISOs Need to Know related

20 MITREs 2 Malwares 15 Observables 1 APT
New Malware Targets Users of Cobra DocGuard Software related

20 MITREs 3 Malwares 7 Observables 1 APT
Contagious Trader campaign - Coordinated weaponisation of cryptocurrency … related

20 MITREs 7 Malwares 5 Observables 1 APT
RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities related

12 CVEs 16 MITREs 2 Malwares 29 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (81)

CVE-2025-24893 KEV targets

9.8 Critical

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary …

Attack vector: Network
Published: 30/10/2025
Modified: 28/01/2026

Awaiting Analysis

CVE-2024-1709 KEV targets

10.0 Critical

ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, …

Attack vector: Network
Published: 22/02/2024
Modified: 28/02/2026

CVE-2019-9082 KEV targets

ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-2611 targets

9.3 Critical

The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie …

Published: 20/12/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-50358 targets

CVE-2025-62593 targets

9.4 Critical

Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via …

Published: 16/03/2026
Modified: 16/03/2026

Awaiting Analysis

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2017-5638 KEV targets

9.8 Critical

Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 11/03/2017
Modified: 22/04/2026

CWE-755

CVE-2025-43300 KEV targets

10.0 Critical

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Sonoma 14.7.8, macOS Ventura 13.7.8, iPadOS …

Attack vector: Network
Complexity: Low
Published: 21/08/2025
Modified: 27/05/2026

CWE-787 Received

CVE-2024-26009 targets

8.1 High

An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS 6.4.0 through 6.4.15, FortiOS 6.2.0 through 6.2.16, FortiOS …

Attack vector: Network
Complexity: High
Published: 12/08/2025
Modified: 27/05/2026

CWE-288 Received

CVE-2019-13956 targets

Published: 20/12/2025
Modified: 21/12/2025

CVE-2025-2783 KEV targets

8.3 High

Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being …

Attack vector: Network
Published: 27/03/2025
Modified: 21/12/2025

Analyzed

← Previous

Page / 7

49–60 of 81

T1588 subtechnique-of

Obtain Capabilities MITRE

Campaign (10)

Night Dragon uses
C0017 uses
ShadowRay uses
C0015 uses
Operation Spalax uses
C0010 uses
Operation Wocao uses
Cutting Edge uses
Operation CuckooBees uses
Triton Safety Instrumented System Attack uses

Contact About Legal notice Privacy policy Terms of use