T1608.001: T1608.001
Essential information
- MITRE technique ID
T1608.001- Confidence
- 100/100
- Revoked
- No
- Published
- 17/03/2021 21:09
- Modified
- 27/03/2026 01:09
- Author / Source
- The MITRE Corporation
Aliases
Upload Malware
Platforms
PRE
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | resource-development |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (57)
-
TeamTNT usesThe MITRE Corporation Confidence 100
[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[TA505](https://attack.mitre.org/groups/G0092) is a cyber criminal group that has been active since at least 2014. [TA505](https://attack.mitre.org/groups/G0092) is known for frequently changing malware, driving global trends in criminal malware distribution,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
GlassWorm usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Storm-3075 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SnakeKeylogger usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
APT-C-60 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT36, SideCopy relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT42 relatedThe MITRE Corporation Confidence 100
[APT42](https://attack.mitre.org/groups/G1044) is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.(Citation: Mandiant APT42-charms) The group primarily focuses on targets in the Middle East region, but has targeted…
First seen 01/01/1970 · Last seen 16/11/5138 · -
BADBOX relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Banana Squad relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan,…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (65)
-
Oyster usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Lumma usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Reverse RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
HemiGate usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Margulas RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Hijack Loader usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
VSHELL usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Contagious Trader usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Onedrivetools usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CurlBack RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Action RAT - S1028 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Poseidon usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
21 MITREs 27 Observables
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
AlienVault Confidence 100 4 CVEs 19 MITREs 5 Malwares 5 IOCs 5 Observables
-
20 MITREs 8 Observables
-
21 MITREs 2 Malwares 9 Observables 1 APT
-
AlienVault Confidence 100 18 MITREs 3 IOCs 3 Observables 1 APT
-
AlienVault Confidence 100 15 MITREs 9 IOCs 9 Observables
-
AlienVault Confidence 100 17 MITREs 1 Malware 9 IOCs 9 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 4 IOCs 4 Observables
-
21 MITREs 3 Observables
-
17 MITREs 2 Malwares 13 Observables 1 APT
-
AlienVault Confidence 100 16 MITREs 4 IOCs 4 Observables 1 APT
Vulnerabilities (CVE) (33)
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected …
- Attack vector
- Network
- Published
- 02/06/2025
- Modified
- 21/12/2025
Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.13489 on Windows allows an attacker to load …
- Attack vector
- Local
- Published
- 03/09/2024
- Modified
- 21/12/2025
Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to …
- Attack vector
- NETWORK
- Complexity
- HIGH
- Published
- 15/09/2017
- Modified
- 22/04/2026
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated …
- Attack vector
- NETWORK
- Published
- 23/12/2022
- Modified
- 19/01/2026
JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.
- Attack vector
- Network
- Published
- 07/03/2024
- Modified
- 21/12/2025
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 136.0.7103.113 allowed a remote attacker to potentially …
- Attack vector
- NETWORK
- Published
- 22/08/2025
- Modified
- 21/12/2025
The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is …
- Attack vector
- NETWORK
- Published
- 15/10/2025
- Modified
- 23/12/2025
A maliciously crafted DWF file, when parsed in dwfcore.dll through Autodesk Autodesk Navisworks, may force an Out-of-Bounds Write vulnerability. A malicious actor …
- Attack vector
- LOCAL
- Published
- 30/09/2024
- Modified
- 21/12/2025
The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads …
- Attack vector
- NETWORK
- Published
- 01/11/2025
- Modified
- 23/12/2025
Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate …
- Attack vector
- Local
- Published
- 14/10/2025
- Modified
- 23/12/2025
GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse …
- Published
- 03/11/2021
- Modified
- 20/12/2025
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …
- Attack vector
- Network
- Published
- 12/06/2024
- Modified
- 21/12/2025
Campaign (4)
-
C0021 uses
-
C0010 uses
-
Operation Spalax uses
-
Night Dragon uses