T1608.001: T1608.001
Essential information
- MITRE technique ID
T1608.001- Confidence
- 100/100
- Revoked
- No
- Published
- 17/03/2021 21:09
- Modified
- 27/03/2026 01:09
- Author / Source
- The MITRE Corporation
Aliases
Upload Malware
Platforms
PRE
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | resource-development |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (57)
-
LazyScripter relatedThe MITRE Corporation Confidence 100
[LazyScripter](https://attack.mitre.org/groups/G0140) is threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.(Citation: MalwareBytes LazyScripter Feb 2021)
First seen 01/01/1970 · Last seen 16/11/5138 · -
LuminousMoth relatedThe MITRE Corporation Confidence 100
[LuminousMoth](https://attack.mitre.org/groups/G1014) is a Chinese-speaking cyber espionage group that has been active since at least October 2020. [LuminousMoth](https://attack.mitre.org/groups/G1014) has targeted high-profile organizations, including government entities, in Myanmar, the Philippines,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Moonstone Sleet](https://attack.mitre.org/groups/G1036) is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, [Lazarus Group](https://attack.mitre.org/groups/G0032),…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access…
First seen 01/01/1970 · Last seen 16/11/5138 · -
NetMedved relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
SideCopy relatedThe MITRE Corporation Confidence 100
[SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its…
First seen 01/01/1970 · Last seen 16/11/5138 · -
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Squeamish Libra relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (65)
-
Earth Preta usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
MoonTag usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Ares RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Geta RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ShadowPad - S0596 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Headlace usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
OtterCookie usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Stealc usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SandStrike usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mélofée usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GolangGhost usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PUBLOAD usesThe MITRE Corporation Confidence 100
[PUBLOAD](https://attack.mitre.org/software/S1228) is a stager malware that has been observed installing itself in existing directories such as `C:\Users\Public` or creating new directories to stage the malware and its components.(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
20 MITREs 7 Malwares 5 Observables 1 APT
-
8 MITREs
-
10 CVEs 2 MITREs 1 Malware 5 Observables
-
19 MITREs 2 Malwares 24 Observables 1 APT
-
7 MITREs
-
10 MITREs 2 Malwares 1 APT
-
10 MITREs 71 Observables
-
18 MITREs 2 Malwares 38 Observables 1 APT
-
7 MITREs 200 Observables
-
SecuritySnack: 18+E-Crime related5 MITREs 140 Observables
-
6 MITREs 1 APT
-
8 MITREs 2 Observables 1 APT
Vulnerabilities (CVE) (33)
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …
- Attack vector
- Network
- Published
- 10/01/2024
- Modified
- 27/05/2026
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …
- Attack vector
- Network
- Published
- 29/04/2025
- Modified
- 21/12/2025
JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 04/03/2024
- Modified
- 22/04/2026
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands …
- Attack vector
- Network
- Published
- 04/12/2024
- Modified
- 21/12/2025
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus …
- Attack vector
- Network
- Published
- 07/11/2024
- Modified
- 21/12/2025
wpsupdater.exe in Kingsoft WPS Office through 11.2.0.10382 allows remote code execution by modifying HKEY_CURRENT_USER in the registry.
- Attack vector
- NETWORK
- Published
- 23/03/2022
- Modified
- 21/12/2025
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) …
- Attack vector
- Network
- Published
- 31/01/2024
- Modified
- 27/05/2026
The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. …
- Attack vector
- NETWORK
- Published
- 12/10/2024
- Modified
- 21/12/2025
PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 27/06/2017
- Modified
- 22/04/2026
Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive) on Windows allows an attacker to …
- Attack vector
- LOCAL
- Published
- 15/08/2024
- Modified
- 21/12/2025
A security vulnerability has been detected in Tenda AC23 16.03.07.52. Affected is the function saveParentControlInfo of the file /goform/saveParentControlInfo. Such manipulation of …
- Attack vector
- NETWORK
- Published
- 02/11/2025
- Modified
- 23/12/2025
Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …
- Attack vector
- Network
- Published
- 03/11/2021
- Modified
- 18/02/2026
Campaign (4)
-
C0021 uses
-
C0010 uses
-
Operation Spalax uses
-
Night Dragon uses