T1588.002: T1588.002

Search IOCs, vulnerabilities, APT…

216.73.217.98

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 01/10/2020 04:08 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1588.002
Confidence: 100/100
Revoked: No
Published: 01/10/2020 04:08
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Tool

Platforms

PRE

Description

Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. Tools may also be leveraged for testing – for example, evaluating malware against commercial antivirus or endpoint detection and response (EDR) applications.(Citation: Forescout Conti Leaks 2022)(Citation: Sentinel Labs Top Tier Target 2025) Tool acquisition may involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries). Threat actors may also crack trial versions of software.(Citation: Recorded Future Beacon 2019)

Kill chain phases

Kill chain	Phase
mitre-attack	resource-development

Marking (TLP)

External references

mitre-attack (T1588.002)
Forescout Conti Leaks 2022
Sentinel Labs Top Tier Target 2025
Analyzing CS Dec 2020
Recorded Future Beacon 2019

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (70)

TA2541 uses

The MITRE Corporation Confidence 100

[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Trigona uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mirai uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
WIRTE uses

The MITRE Corporation Confidence 100

[WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. [WIRTE](https://attack.mitre.org/groups/G0090) has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Bitter uses T-APT-17

The MITRE Corporation Confidence 100

[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Telekopye uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT33 uses HOLMIUMElfin

The MITRE Corporation Confidence 100

[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
LAPSUS$ uses DEV-0537Strawberry Tempest

The MITRE Corporation Confidence 100

[LAPSUS$](https://attack.mitre.org/groups/G1004) is cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MUSTANG PANDA uses BRONZE PRESIDENTSTATELY TAURUS

The MITRE Corporation Confidence 100

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mallox uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cobalt Group uses GOLD KINGSWOODCobalt Gang

The MITRE Corporation Confidence 100

[Cobalt Group](https://attack.mitre.org/groups/G0080) is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 70

Xeno RAT uses

Family
GOSHELL uses

Family
ShadowV2 uses

Family
MuddyViper uses

Family
NetSupport uses

Family
SYS01 uses

Family
Track2NFC uses

Family
AllaKore RAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mélofée uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
NGate uses

Family
PURESTEALER uses

Family
Neo-reGeorg - S1189 uses

Family

← Previous

Page / 5

1–12 of 57

MuddyWater: Snakes by the riverbank related

7 MITREs 6 Malwares 9 Observables 1 APT
Inside DPRK Operations: New Infrastructure Uncovered Across Global … related

1 CVE 20 MITREs 6 Malwares 20 Observables 1 APT
GachiLoader: Defeating Node.js Malware with API Tracing related

10 MITREs 10 Observables
NuGet malware targets crypto wallets, OAuth tokens related

9 MITREs
Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited related

6 CVEs 11 MITREs 1 Malware
Sneeit WordPress RCE Exploited in the Wild While … related

4 CVEs 9 MITREs 2 Malwares 6 Observables
Critical React2Shell Vulnerability Under Active Exploitation by Chinese … related

1 CVE 6 MITREs 1 Malware 2 Observables 1 APT
Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems related

20 MITREs 1 Malware 6 Observables 1 APT
Shai-Hulud 2.0: Aggressive & Automated, One Of Fastest … related

17 MITREs 1 Malware 4 Observables
Build script exposes PyPI to domain takeover attacks related

1 CVE 9 MITREs
Remote access, real cargo: cybercriminals targeting trucking and … related

10 MITREs 10 Malwares 39 Observables
Suspected Nation-State Threat Actor Uses New Airstalk Malware … related

13 MITREs 1 Malware 6 Observables 1 APT

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (81)

CVE-2025-24893 KEV targets

9.8 Critical

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary …

Attack vector: Network
Published: 30/10/2025
Modified: 28/01/2026

Awaiting Analysis

CVE-2024-1709 KEV targets

10.0 Critical

ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, …

Attack vector: Network
Published: 22/02/2024
Modified: 28/02/2026

CVE-2019-9082 KEV targets

ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-2611 targets

9.3 Critical

The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie …

Published: 20/12/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-50358 targets

CVE-2025-62593 targets

9.4 Critical

Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via …

Published: 16/03/2026
Modified: 16/03/2026

Awaiting Analysis

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2017-5638 KEV targets

9.8 Critical

Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 11/03/2017
Modified: 22/04/2026

CWE-755

CVE-2025-43300 KEV targets

10.0 Critical

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Sonoma 14.7.8, macOS Ventura 13.7.8, iPadOS …

Attack vector: Network
Complexity: Low
Published: 21/08/2025
Modified: 27/05/2026

CWE-787 Received

CVE-2024-26009 targets

8.1 High

An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS 6.4.0 through 6.4.15, FortiOS 6.2.0 through 6.2.16, FortiOS …

Attack vector: Network
Complexity: High
Published: 12/08/2025
Modified: 27/05/2026

CWE-288 Received

CVE-2019-13956 targets

Published: 20/12/2025
Modified: 21/12/2025

CVE-2025-2783 KEV targets

8.3 High

Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being …

Attack vector: Network
Published: 27/03/2025
Modified: 21/12/2025

Analyzed

← Previous

Page / 7

49–60 of 81

T1588 subtechnique-of

Obtain Capabilities MITRE

Campaign (10)

Night Dragon uses
C0017 uses
ShadowRay uses
C0015 uses
Operation Spalax uses
C0010 uses
Operation Wocao uses
Cutting Edge uses
Operation CuckooBees uses
Triton Safety Instrumented System Attack uses

Contact About Legal notice Privacy policy Terms of use