T1608.001: T1608.001
Essential information
- MITRE technique ID
T1608.001- Confidence
- 100/100
- Revoked
- No
- Published
- 17/03/2021 21:09
- Modified
- 27/03/2026 01:09
- Author / Source
- The MITRE Corporation
Aliases
Upload Malware
Platforms
PRE
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | resource-development |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (57)
-
Winnti usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…
First seen 01/01/1970 · Last seen 16/11/5138 · -
EXOTIC LILY usesThe MITRE Corporation Confidence 100
[EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Agent Serpens usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TeamPCP usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Storm-1747 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
REF4526 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT-C-53 (Gamaredon) usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (65)
-
Oyster usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Lumma usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Reverse RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
HemiGate usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Margulas RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Hijack Loader usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
VSHELL usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Contagious Trader usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Onedrivetools usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CurlBack RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Action RAT - S1028 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Poseidon usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
AlienVault Confidence 100 20 MITREs 55 IOCs 55 Observables
-
AlienVault Confidence 100 20 MITREs 14 IOCs 14 Observables
-
AlienVault Confidence 100 16 MITREs 11 IOCs 11 Observables
-
AlienVault Confidence 100 16 MITREs 108 IOCs 108 Observables
-
AlienVault Confidence 100 20 MITREs 49 IOCs 49 Observables
-
AlienVault Confidence 100 24 MITREs 4 Malwares 9 IOCs 9 Observables
-
AlienVault Confidence 100 21 MITREs 8 IOCs 8 Observables
-
AlienVault Confidence 100 28 MITREs 5 IOCs 5 Observables
-
20 MITREs 1 Malware
-
20 MITREs 19 Observables
-
20 MITREs 5 Malwares 9 Observables 1 APT
-
Threat landscape — Belgium relatedConfidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Vulnerabilities (CVE) (33)
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …
- Attack vector
- Network
- Published
- 10/01/2024
- Modified
- 27/05/2026
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …
- Attack vector
- Network
- Published
- 29/04/2025
- Modified
- 21/12/2025
JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 04/03/2024
- Modified
- 22/04/2026
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands …
- Attack vector
- Network
- Published
- 04/12/2024
- Modified
- 21/12/2025
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus …
- Attack vector
- Network
- Published
- 07/11/2024
- Modified
- 21/12/2025
wpsupdater.exe in Kingsoft WPS Office through 11.2.0.10382 allows remote code execution by modifying HKEY_CURRENT_USER in the registry.
- Attack vector
- NETWORK
- Published
- 23/03/2022
- Modified
- 21/12/2025
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) …
- Attack vector
- Network
- Published
- 31/01/2024
- Modified
- 27/05/2026
The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. …
- Attack vector
- NETWORK
- Published
- 12/10/2024
- Modified
- 21/12/2025
PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 27/06/2017
- Modified
- 22/04/2026
Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive) on Windows allows an attacker to …
- Attack vector
- LOCAL
- Published
- 15/08/2024
- Modified
- 21/12/2025
A security vulnerability has been detected in Tenda AC23 16.03.07.52. Affected is the function saveParentControlInfo of the file /goform/saveParentControlInfo. Such manipulation of …
- Attack vector
- NETWORK
- Published
- 02/11/2025
- Modified
- 23/12/2025
Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …
- Attack vector
- Network
- Published
- 03/11/2021
- Modified
- 18/02/2026
Campaign (4)
-
C0021 uses
-
C0010 uses
-
Operation Spalax uses
-
Night Dragon uses