T1608.001: Upload Malware
Essential information
- MITRE technique ID
- T1608.001
- Confidence
- 100/100
- Revoked
- No
- Published
- 17/03/2021 21:09
- Modified
- 27/03/2026 01:09
- Author / Source
- The MITRE Corporation
Aliases
Upload Malware
Platforms
PRE
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | resource-development |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (57)
- Winnti uses (AlienVault, confidence 100)
- APT37 uses (The MITRE Corporation, confidence 100)
  [APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also…
- BlackByte uses (The MITRE Corporation, confidence 100)
  [BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used…
- Contagious Interview uses (The MITRE Corporation, confidence 100)
  [Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…
- Mustang Panda uses (The MITRE Corporation, confidence 100)
  [Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…
- EXOTIC LILY uses (The MITRE Corporation, confidence 100)
  [EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be…
- Agent Serpens uses (AlienVault, confidence 100)
- TeamPCP uses (AlienVault, confidence 100)
- Storm-1747 uses (AlienVault, confidence 100)
- Earth Lusca uses (The MITRE Corporation, confidence 100)
  [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong,…
- REF4526 uses (AlienVault, confidence 100)
- APT-C-53 (Gamaredon) uses (AlienVault, confidence 100)
Malware (65)
- Oyster uses (AlienVault, confidence 100)
- Lumma uses (AlienVault, confidence 100)
- Reverse RAT uses (AlienVault, confidence 100)
- HemiGate uses (AlienVault, confidence 100)
- Margulas RAT uses (AlienVault, confidence 100)
- Hijack Loader uses (AlienVault, confidence 100)
- VSHELL uses (AlienVault, confidence 100)
- Contagious Trader uses (AlienVault, confidence 100)
- Onedrivetools uses (AlienVault, confidence 100)
- CurlBack RAT uses (AlienVault, confidence 100)
- Action RAT - S1028 uses (AlienVault, confidence 100)
- Poseidon uses (AlienVault, confidence 100)
Reports (50)
- Threat landscape — insurance related (confidence 100): 199 MITREs, 11 APTs
- AlienVault (confidence 100): 4 CVEs, 19 MITREs, 5 malwares, 5 IOCs, 5 observables
- 20 MITREs, 8 observables
- 21 MITREs, 2 malwares, 9 observables, 1 APT
- AlienVault (confidence 100): 18 MITREs, 3 IOCs, 3 observables, 1 APT
- AlienVault (confidence 100): 15 MITREs, 9 IOCs, 9 observables
- AlienVault (confidence 100): 17 MITREs, 1 malware, 9 IOCs, 9 observables, 1 APT
- AlienVault (confidence 100): 20 MITREs, 4 IOCs, 4 observables
- 21 MITREs, 3 observables
- 17 MITREs, 2 malwares, 13 observables, 1 APT
- AlienVault (confidence 100): 16 MITREs, 4 IOCs, 4 observables, 1 APT
- 20 MITREs, 7 malwares, 5 observables, 1 APT
Vulnerabilities (CVE) (33)
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected …
- Attack vector
- Network
- Published
- 02/06/2025
- Modified
- 21/12/2025
Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.13489 on Windows allows an attacker to load …
- Attack vector
- Local
- Published
- 03/09/2024
- Modified
- 21/12/2025
Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to …
- Attack vector
- Network
- Complexity
- High
- Published
- 15/09/2017
- Modified
- 22/04/2026
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated …
- Attack vector
- Network
- Published
- 23/12/2022
- Modified
- 19/01/2026
JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.
- Attack vector
- Network
- Published
- 07/03/2024
- Modified
- 21/12/2025
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 136.0.7103.113 allowed a remote attacker to potentially …
- Attack vector
- Network
- Published
- 22/08/2025
- Modified
- 21/12/2025
The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is …
- Attack vector
- Network
- Published
- 15/10/2025
- Modified
- 23/12/2025
A maliciously crafted DWF file, when parsed in dwfcore.dll through Autodesk Autodesk Navisworks, may force an Out-of-Bounds Write vulnerability. A malicious actor …
- Attack vector
- Local
- Published
- 30/09/2024
- Modified
- 21/12/2025
The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads …
- Attack vector
- Network
- Published
- 01/11/2025
- Modified
- 23/12/2025
Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate …
- Attack vector
- Local
- Published
- 14/10/2025
- Modified
- 23/12/2025
GitLab Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse …
- Published
- 03/11/2021
- Modified
- 20/12/2025
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …
- Attack vector
- Network
- Published
- 12/06/2024
- Modified
- 21/12/2025
Campaign (4)
- C0021 uses
- C0010 uses
- Operation Spalax uses
- Night Dragon uses