T1590: T1590

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1590
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Gather Victim Network Information

Platforms

PRE

Description

Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

Kill chain phases

Kill chain	Phase
mitre-attack	reconnaissance

Marking (TLP)

External references

Circl Passive DNS
mitre-attack (T1590)
WHOIS
DNS Dumpster

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (39)

UNC6040, UNC6240 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 17:00 · Modified 21/12/2025 17:00
BreachForums uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 30/03/2026 12:12 · Modified 30/03/2026 12:12
Worok uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 22:03 · Modified 20/12/2025 22:03
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
SweetSpecter, CyberAv3ngers, Storm-0817 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 07:05 · Modified 21/12/2025 07:05
Silence group uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 23:03 · Modified 20/12/2025 23:03
LuoYu uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 20:00 · Modified 20/12/2025 20:00
Cavalry Werewolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 18:09 · Modified 21/12/2025 18:09
IMPERIAL KITTEN uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 01:51 · Modified 21/12/2025 01:51
Transparent Tribe uses COPPER FIELDSTONEMythic Leopard

The MITRE Corporation Confidence 100

[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
darcula uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 10:12 · Modified 21/12/2025 10:12
HAFNIUM uses Operation Exchange MarauderSilk Typhoon

The MITRE Corporation Confidence 100

[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
APT41 uses Wicked PandaBrass Typhoon

The MITRE Corporation Confidence 100

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
Void Dokkaebi uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 13:52 · Modified 21/12/2025 13:52
Indrik Spider uses Manatee TempestDEV-0243

The MITRE Corporation Confidence 100

[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
Void Blizzard uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 13:54 · Modified 21/12/2025 13:54
Earth Lamia uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 14:26 · Modified 21/12/2025 14:26
LummaC2 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 14:49 · Modified 21/12/2025 14:49
Funnull uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 09:41 · Modified 03/03/2026 18:14
Void Manticore uses COBALT MYSTIQUEHandala Hack

AlienVault Confidence 100

[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active …

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 04:51 · Modified 04/05/2026 16:33
TA428 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 21:51 · Modified 20/12/2025 21:51
Salt Typhoon uses

The MITRE Corporation Confidence 100

[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
I-SOON uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 15:48 · Modified 21/12/2025 15:48
OilRig uses COBALT GYPSYIRN2

The MITRE Corporation Confidence 100

[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
VexTrio uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 02:40 · Modified 21/12/2025 02:54
Knownsec uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 12/01/2026 13:14 · Modified 12/01/2026 13:14
Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
ShinyHunters uses

AlienVault Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 Published 02/02/2026 12:05 · Modified 20/03/2026 09:17
Diplomatic Orbiter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 02:13 · Modified 21/12/2025 02:13
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 23:28 · Modified 21/12/2025 12:28
China-nexus threat actors uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 14:55 · Modified 21/12/2025 14:55
Androxgh0st uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 05:24 · Modified 21/12/2025 08:21
Volt Typhoon uses BRONZE SILHOUETTEVanguard Panda

The MITRE Corporation Confidence 100

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
Socks5Systemz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 08:18 · Modified 21/12/2025 08:18
Smishing Triad uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 04:45 · Modified 21/12/2025 04:45
Storm-1747 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 19:19 · Modified 21/12/2025 19:19
Multiple Iranian APT groups uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 04/03/2026 16:46 · Modified 04/03/2026 16:46
Linen Typhoon, Violet Typhoon, Storm-2603 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 15:56 · Modified 21/12/2025 15:56
Static Tundra related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 15:47 · Modified 21/12/2025 15:47

Malware (103)

Socks5Systemz uses

Family

Published 16/12/2024 23:06 · Modified 16/12/2024 23:06
mimikatz uses

Family

Published 11/05/2026 16:15 · Modified 11/05/2026 16:15
Androxgh0st uses

Family

Published 19/05/2026 17:52 · Modified 19/05/2026 17:52
nccTrojan uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:35 · Modified 20/12/2025 21:51
PULSEPACK uses

Family

Published 28/01/2026 13:31 · Modified 28/01/2026 13:31
Tycoon2FA uses

Family

Published 04/03/2026 19:42 · Modified 04/03/2026 19:42
GhostFetch uses

Family

Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
StallionRAT uses

Family

Published 02/10/2025 09:42 · Modified 02/10/2025 09:42
IMAPLoader
DodgeBox uses

Family

Published 12/07/2024 16:11 · Modified 12/07/2024 16:11
Brute Ratel uses

Family

Published 27/05/2025 10:35 · Modified 27/05/2025 10:35
Warlock ransomware uses

Family

Published 02/08/2025 10:18 · Modified 02/08/2025 10:18
DollyWay uses

Family

Published 13/06/2025 07:59 · Modified 13/06/2025 07:59
IOCONTROL uses

Family

Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
SHAPESHIFT uses

Family

Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
GhostX uses

Family

Published 10/01/2026 13:29 · Modified 10/01/2026 13:29
Tonnerre uses

Family

Published 04/03/2026 19:42 · Modified 04/03/2026 19:42
ZeroCleare uses

Family The MITRE Corporation Confidence 100

[ZeroCleare](https://attack.mitre.org/software/S1151) is a wiper malware that has been used in conjunction with the [RawDisk](https://attack.mitre.org/software/S0364) driver since at least 2019 by suspected Iran-nexus threat actors including activity targeting the …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:37 · Modified 27/03/2026 01:05
Tycoon 2FA uses

Family

Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
Truebot
MegaCortex - S0576 uses

Family

Published 12/09/2025 00:05 · Modified 12/09/2025 00:05
Ladon uses

Family

Published 24/06/2024 08:16 · Modified 24/06/2024 08:16
TraderTraitor uses

Family

Published 20/02/2025 20:48 · Modified 20/02/2025 20:48
CoGUI uses

Family

Published 06/05/2025 20:37 · Modified 06/05/2025 20:37
ShadowPad - S0596 uses

Family

Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
Tsundere uses

Family

Published 04/03/2026 19:42 · Modified 04/03/2026 19:42
WhisperGate uses

Family

Published 09/09/2024 08:02 · Modified 09/09/2024 08:02
SmokeLoader uses

Family

Published 16/09/2025 08:02 · Modified 16/09/2025 08:02
Shamoon
Araneida Scanner uses

Family

Published 20/12/2024 08:49 · Modified 20/12/2024 08:49
Cotx
Tickler uses

Family

Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
LimeRAT uses

Family

Published 26/08/2025 15:21 · Modified 26/08/2025 15:21
WinDealer
Remcos uses

Family

Published 05/05/2026 18:45 · Modified 05/05/2026 18:45
PrivateLoader uses

Family

Published 14/01/2025 15:22 · Modified 14/01/2025 15:22
GraphicalProton
Foudre uses

Family

Published 04/03/2026 19:42 · Modified 04/03/2026 19:42
LockerGoga - S0372 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:58 · Modified 21/12/2025 16:05
S.A.S
POISONPLUG.SHADOW uses

Family

Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
LockBit uses

Family

Published 06/05/2026 10:26 · Modified 06/05/2026 10:26
LummaC2 uses

Family

Published 16/01/2026 20:33 · Modified 16/01/2026 20:33
Balada uses

Family

Published 13/06/2025 07:59 · Modified 13/06/2025 07:59
FMAPP.exe uses

Family

Published 04/03/2026 19:42 · Modified 04/03/2026 19:42
CotSam
GoldKefu uses

Family

Published 20/02/2025 20:48 · Modified 20/02/2025 20:48
MoonBounce
SugarGh0st RAT uses

Family

Published 14/10/2024 10:23 · Modified 14/10/2024 10:23
Shamoon - S0140 uses

Family

Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
AsyncRAT uses

Family

Published 11/06/2026 16:31 · Modified 11/06/2026 16:31
Grace
PortDoor
Cobalt Strike - S0154 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 27/05/2026 21:40
GoldDiggerPlus uses

Family

Published 20/02/2025 20:48 · Modified 20/02/2025 20:48
BiBi wiper uses

Family

Published 02/06/2026 14:38 · Modified 02/06/2026 14:38
BypassBoss uses

Family

Published 27/05/2025 10:35 · Modified 27/05/2025 10:35
Vidar uses

Family

Published 16/06/2026 09:50 · Modified 16/06/2026 09:50
TameCat uses

Family

Published 04/03/2026 19:42 · Modified 04/03/2026 19:42
XWorm uses

Family

Published 27/03/2026 08:45 · Modified 27/03/2026 08:45
Ransom:Win32/Snatch
Clop
Latrodectus uses

Family

Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
JSOutProx uses

Family

Published 20/02/2025 20:48 · Modified 20/02/2025 20:48
Cobalt Strike uses

Family

Published 16/12/2024 14:25 · Modified 16/12/2024 14:25
RedAlert uses

Family

Published 03/03/2026 15:42 · Modified 03/03/2026 15:42
RansomHub uses

Family

Published 07/08/2025 18:57 · Modified 07/08/2025 18:57
Filerase uses

Family

Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
SVR Cyber
Cactus uses

Family

Published 17/04/2026 08:36 · Modified 17/04/2026 08:36
EDRKillShifter uses

Family

Published 19/03/2026 15:28 · Modified 19/03/2026 15:28
Tykit
DcRAT uses

Family

Published 01/03/2026 05:26 · Modified 01/03/2026 05:26
LAGTOY uses

Family

Published 24/04/2025 23:27 · Modified 24/04/2025 23:27
RustBucket uses

Family

Published 20/02/2025 20:48 · Modified 20/02/2025 20:48
Raspberry Robin uses

Family

Published 08/08/2025 07:53 · Modified 08/08/2025 07:53
FoalShell uses

Family

Published 02/10/2025 09:42 · Modified 02/10/2025 09:42
Mozi uses

Family

Published 21/05/2026 23:03 · Modified 21/05/2026 23:03
RustyWater uses

Family

Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
Sneaky 2FA uses

Family

Published 20/02/2025 20:48 · Modified 20/02/2025 20:48
Logtu
DNSep
DarkNimbus uses

Family

Published 05/02/2026 20:16 · Modified 05/02/2026 20:16
TheMoon uses

Family

Published 11/03/2026 10:02 · Modified 11/03/2026 10:02
VSHELL uses

Family

Published 05/05/2026 14:07 · Modified 05/05/2026 14:07
ZeroCleare - S1151 uses

Family

Published 04/03/2026 15:30 · Modified 04/03/2026 15:30
Lumma Stealer uses

Family

Published 08/06/2026 19:36 · Modified 08/06/2026 19:36
PS1Bot uses

Family

Published 05/09/2025 02:14 · Modified 05/09/2025 02:14
IceXLoader
Nefilim uses

Family

Published 12/09/2025 00:05 · Modified 12/09/2025 00:05
StandardKeyboard
GoldDigger uses

Family

Published 20/02/2025 20:48 · Modified 20/02/2025 20:48
Swiss Army Suite uses

Family

Published 02/10/2024 01:12 · Modified 02/10/2024 01:12
KadNap uses

Family

Published 11/03/2026 10:02 · Modified 11/03/2026 10:02
Un-Mail uses

Family

Published 10/01/2026 13:29 · Modified 10/01/2026 13:29
Sliver uses

Family

Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
DNSChanger uses

Family

Published 04/02/2026 15:26 · Modified 04/02/2026 15:26
MoonWalk uses

Family

Published 12/07/2024 16:11 · Modified 12/07/2024 16:11
Meterpreter uses

Family

Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
GoldPickaxe uses

Family

Published 20/02/2025 20:48 · Modified 20/02/2025 20:48
Sign1 uses

Family

Published 13/06/2025 07:59 · Modified 13/06/2025 07:59
Amadey - S1025 uses

Family

Published 29/09/2025 08:06 · Modified 29/09/2025 08:06
WizardNet uses

Family

Published 05/02/2026 20:16 · Modified 05/02/2026 20:16

Reports (38)

Invisible Sting: Over 4000 Outdated Routers Compromised by … related

AlienVault Confidence 100 3 CVEs 20 MITREs 1 Malware 23 IOCs 23 Observables

Published 18/06/2026 00:48 · threat-report
Affidavit in Support of Application for Criminal Complaint related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT

Published 11/06/2026 23:09 · Modified 15/06/2026 19:16 · threat-report
How Lookalike Domains Exploit Human Judgment related

AlienVault Confidence 100 20 MITREs 13 IOCs 13 Observables

Published 11/06/2026 18:31 · Modified 15/06/2026 19:16 · threat-report
Threat Actors Target FIFA World Cup 2026 related

20 MITREs 39 Observables

Published 11/06/2026 16:31 · Modified 15/06/2026 19:46
Iran Expands Handala Brand to Physical Threats related

20 MITREs 1 Malware 1 APT

Published 02/06/2026 14:38 · Modified 03/06/2026 09:34
Technical Advisory: Breach of Instructure Canvas LMS related

20 MITREs 2 Observables 1 APT

Published 09/05/2026 11:15 · Modified 11/05/2026 09:56
Hold the Phone! International Revenue Share Fraud Driven … related

AlienVault Confidence 100 20 MITREs 23 IOCs 23 Observables

Published 23/04/2026 21:25 · Modified 27/04/2026 14:39 · threat-report
AI-augmented threat actor accesses FortiGate devices at scale related

3 CVEs 20 MITREs 2 Malwares 2 Observables

Published 21/04/2026 16:20 · Modified 22/04/2026 08:59
BreachForums Data Leaks: Technical Analysis and Timeline Attribution … related

8 MITREs 3 Observables 1 APT

Published 28/03/2026 07:39 · Modified 30/03/2026 10:12
Threat Spotlight: ShinyHunters Fast-Tracks SaaS Access with Subdomain … related

14 MITREs 1 APT

Published 19/03/2026 14:23 · Modified 20/03/2026 08:17
KadNap Malware Turning Asus Routers Into Botnets related

15 MITREs 2 Malwares 11 Observables

Published 11/03/2026 10:02 · Modified 11/03/2026 10:05
Inside Tycoon2FA: How a leading AiTM phishing kit … related

17 MITREs 1 Malware 9 Observables 1 APT

Published 04/03/2026 19:42 · Modified 05/03/2026 09:48
Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters … related

19 MITREs 6 Malwares 5 Observables 1 APT

Published 04/03/2026 19:42 · Modified 05/03/2026 09:48
Breaking Down the Role of Cyber Operations Taken … related

1 CVE 20 MITREs 10 Malwares 1 Observable 1 APT

Published 04/03/2026 15:30 · Modified 04/03/2026 15:46
Threat Brief: March 2026 Escalation of Cyber Risk … related

15 MITREs 1 Malware 1 Observable

Published 03/03/2026 06:39 · Modified 03/03/2026 17:14
Compromised Routers, DNS, and a TDS Hidden in … related

9 MITREs 1 Malware 10 Observables

Published 04/02/2026 15:26 · Modified 04/02/2026 21:20
The Mystery OAST Host Behind a Regionally Focused … related

2 CVEs 8 MITREs 6 Observables

Published 28/11/2025 02:45 · Modified 21/12/2025 18:16
Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide … related

6 CVEs 31 MITREs 92 Observables 1 APT

Published 28/08/2025 15:03 · Modified 28/08/2025 15:31
"Click to Allow" Robot Exposes Online Fraud Empire related

10 MITREs 28 Observables 1 APT

Published 12/08/2025 18:54 · Modified 12/08/2025 19:55
SharePoint Zero-Day Exploit (ToolShell) - Network Infrastructure Mapping related

16 MITREs 1 Malware 1 APT

Published 02/08/2025 10:18 · Modified 04/08/2025 09:19
Unmasking the Infrastructure of a Spear‑phishing Campaign related

5 MITREs 4 Malwares 54 Observables

Published 11/06/2025 09:40 · Modified 11/06/2025 10:15
Illuminating Transparent Tribe related

5 MITREs 3 Observables 1 APT

Published 03/06/2025 18:25 · Modified 03/06/2025 21:13
Unfiltered look into LockBit’s operations related

14 MITREs 1 Malware 3 Observables 1 APT

Published 15/05/2025 22:59 · Modified 21/05/2025 20:42
A Practical Guide to Uncovering Malicious Infrastructure With … related

5 MITREs 1 Malware

Published 25/03/2025 23:57 · Modified 26/03/2025 13:20
The Bleeding Edge of Phishing: darcula-suite 3.0 Enables … related

11 MITREs 1 APT

Published 20/02/2025 20:48 · Modified 21/02/2025 15:29
Finance Report: Who Targets Financial Institutions? related

20 MITREs 12 Malwares

Published 20/02/2025 20:48 · Modified 21/02/2025 15:30
Infrastructure Laundering: Cloudy Behavior Around FUNNULL CDN Renting … related

10 MITREs 9 Observables 1 APT

Published 31/01/2025 13:44 · Modified 31/01/2025 14:07
The great Google Ads heist: criminals ransack advertiser … related

11 MITREs 29 Observables

Published 20/01/2025 11:08 · Modified 20/01/2025 11:13
Araneida Scanner: Cracked Acunetix Web App & API … related

10 MITREs 1 Malware 13 Observables

Published 20/12/2024 08:49 · Modified 20/12/2024 11:42
How Threat Actors Exploit Brand Collaborations to Target … related

16 MITREs 1 Malware 3 Observables

Published 17/12/2024 00:24 · Modified 17/12/2024 10:04
Socks5Systemz Botnet Powers Illegal Proxy Service with 85,000+ … related

9 MITREs 4 Malwares 2 Observables 1 APT

Published 09/12/2024 13:12 · Modified 09/12/2024 18:02
Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest … related

13 CVEs 20 MITREs 2 Malwares 10 Observables 1 APT

Published 12/11/2024 08:47 · Modified 12/11/2024 09:28
Threat actors use ChatGPT to write malware related

19 MITREs 1 Malware 1 Observable 1 APT

Published 14/10/2024 10:23 · Modified 14/10/2024 10:47
Detecting Vulnerability Scanning Traffic From Underground Tools Using … related

10 MITREs 1 Malware 8 Observables

Published 02/10/2024 01:12 · Modified 02/10/2024 10:52
Russian Military Cyber Actors Target US and Global … related

10 CVEs 25 MITREs 1 Malware 50 Observables

Published 09/09/2024 08:02 · Modified 09/09/2024 08:30
Enrichment Data: Keeping it Fresh related

6 MITREs 5 Observables

Published 09/09/2024 07:38 · Modified 09/09/2024 07:50
LummaC2 Malware Abusing the Game Platform 'Steam' related

19 MITREs 2 Malwares 21 Observables

Published 26/07/2024 08:25 · Modified 26/07/2024 09:00
MoonWalk related

7 MITREs 2 Malwares 3 Observables 1 APT

Published 12/07/2024 16:11 · Modified 12/07/2024 16:20

Vulnerabilities (CVE) (52)

CVE-2021-41277 KEV

Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted data.

Published: 12/11/2024
Modified: 21/12/2025

CVE-2024-27199 KEV

7.3 High

JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.

Attack vector: NETWORK
Complexity: LOW
Published: 04/03/2024
Modified: 22/04/2026

CWE-23 CWE-22

CVE-2021-22205 KEV

GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2024-24919 KEV

8.6 High

Check Point Quantum Security Gateways contain an unspecified information disclosure vulnerability. The vulnerability potentially allows an attacker to access information on Gateways …

Attack vector: Network
Published: 30/05/2024
Modified: 04/03/2026

Received

CVE-2025-53771

6.5 Medium

Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing …

Attack vector: NETWORK
Published: 21/07/2025
Modified: 21/12/2025

Received

CVE-2024-51567 KEV

10.0 Critical

upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus …

Attack vector: Network
Published: 07/11/2024
Modified: 21/12/2025

Analyzed

CVE-2020-1472 KEV

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2025-4428 KEV

7.2 High

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute …

Attack vector: Network
Published: 19/05/2025
Modified: 21/12/2025

CVE-2025-53770 KEV

9.8 Critical

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …

Attack vector: Network
Published: 20/07/2025
Modified: 21/12/2025

Analyzed

CVE-2025-49704 KEV

8.8 High

Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2017-9805 KEV

8.1 High

Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to …

Attack vector: NETWORK
Complexity: HIGH
Published: 15/09/2017
Modified: 22/04/2026

CWE-502

CVE-2025-2611

9.3 Critical

The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie …

Published: 20/12/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2022-26134 KEV

Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code …

Published: 02/06/2022
Modified: 27/05/2026

CVE-2021-41773 KEV

9.8 Critical

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …

Attack vector: Network
Published: 03/11/2021
Modified: 18/02/2026

CVE-2025-31324 KEV

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2023-1389 KEV

8.8 High

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

Attack vector: Adjacent
Published: 01/05/2023
Modified: 21/12/2025

CVE-2024-21887 KEV

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2023-42793 KEV

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.

Attack vector: Network
Published: 04/10/2023
Modified: 29/05/2026

CVE-2025-4427 KEV

5.3 Medium

Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources …

Attack vector: Network
Published: 19/05/2025
Modified: 21/12/2025

CVE-2024-36401 KEV

9.8 Critical

OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath …

Attack vector: Network
Published: 15/07/2024
Modified: 21/12/2025

CVE-2022-31199 KEV

9.8 Critical

Netwrix Auditor User Activity Video Recording component contains an insecure objection deserialization vulnerability that allows an unauthenticated, remote attacker to execute code …

Attack vector: Network
Published: 11/07/2023
Modified: 20/12/2025

CVE-2024-9047

9.8 Critical

The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. …

Attack vector: NETWORK
Published: 12/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-33044

CVE-2021-26086 KEV

Atlassian Jira Server and Data Center contain a path traversal vulnerability that allows a remote attacker to read particular files in the …

Published: 12/11/2024
Modified: 21/12/2025

CVE-2021-33045

CVE-2014-2120 KEV

6.1 Medium

Cisco Adaptive Security Appliance (ASA) contains a cross-site scripting (XSS) vulnerability in the WebVPN login page. This vulnerability allows remote attackers to …

Attack vector: NETWORK
Complexity: LOW
Published: 19/03/2014
Modified: 22/04/2026

CWE-79

CVE-2023-27532 KEV

7.5 High

Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within …

Attack vector: Network
Published: 22/08/2023
Modified: 27/05/2026

CVE-2023-20198 KEV

10.0 Critical

Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker …

Attack vector: Network
Published: 16/10/2023
Modified: 21/12/2025

CVE-2022-3236 KEV

9.8 Critical

A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.

Attack vector: Network
Published: 23/09/2022
Modified: 27/05/2026

CVE-2022-26138

CVE-2021-26084 KEV

Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2024-51378 KEV

10.0 Critical

getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands …

Attack vector: Network
Published: 04/12/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-4034 KEV

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2018-15133 KEV

Laravel Framework contains a deserialization of untrusted data vulnerability, allowing for remote command execution. This vulnerability may only be exploited if a …

Published: 16/01/2024
Modified: 21/12/2025

CVE-2024-4577 KEV

9.8 Critical

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …

Attack vector: Network
Published: 12/06/2024
Modified: 21/12/2025

Received

CVE-2023-46805 KEV

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2018-0171 KEV

9.8 Critical

Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected …

Attack vector: NETWORK
Published: 03/11/2021
Modified: 14/01/2026

CVE-2024-40711 KEV

9.8 Critical

Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.

Attack vector: Network
Published: 17/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2022-21587 KEV

9.8 Critical

Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications …

Attack vector: Network
Published: 02/02/2023
Modified: 21/12/2025

CVE-2023-26360 KEV

8.6 High

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 15/03/2023
Modified: 21/12/2025

CVE-2022-1040 KEV

An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution.

Published: 31/03/2022
Modified: 21/12/2025

CVE-2024-56145 KEV

9.8 Critical

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected …

Attack vector: Network
Published: 02/06/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2019-7192

CVE-2022-27666

CVE-2025-49706 KEV

6.5 Medium

Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2018-10562 KEV

Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10561, exploitation can allow an attacker to perform remote code execution.

Published: 31/03/2022
Modified: 20/12/2025

CVE-2018-10561 KEV

Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.

Published: 31/03/2022
Modified: 20/12/2025

CVE-2024-27198 KEV

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.

Attack vector: Network
Published: 07/03/2024
Modified: 21/12/2025

CVE-2021-3156

CVE-2017-9841 KEV

9.8 Critical

PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by …

Attack vector: NETWORK
Complexity: LOW
Published: 27/06/2017
Modified: 22/04/2026

CWE-94

CVE-2023-20273 KEV

7.2 High

Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the …

Attack vector: Network
Published: 23/10/2023
Modified: 21/12/2025

CVE-2024-3400 KEV

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

Attack patterns (MITRE) (6)

Network Topology subtechnique-of

T1590.004
T1590.005 subtechnique-of

IP Addresses
Network Trust Dependencies subtechnique-of
DNS subtechnique-of

T1590.002
Network Security Appliances subtechnique-of

T1590.006
T1590.001 subtechnique-of

Domain Properties

Course Of Action (1)

Pre-compromise mitigates

Contact About Legal notice Privacy policy Terms of use