T1608.001: T1608.001
Essential information
- MITRE technique ID
T1608.001- Confidence
- 100/100
- Revoked
- No
- Published
- 17/03/2021 21:09
- Modified
- 27/03/2026 01:09
- Author / Source
- The MITRE Corporation
Aliases
Upload Malware
Platforms
PRE
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | resource-development |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (57)
-
The MITRE Corporation Confidence 100
[Star Blizzard](https://attack.mitre.org/groups/G1033) is a cyber espionage and influence group originating in Russia that has been active since at least 2019. [Star Blizzard](https://attack.mitre.org/groups/G1033) campaigns align closely with Russian state…
First seen 01/01/1970 · Last seen 16/11/5138 · -
UNC5812 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
MatanBuchus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BADBOX 2.0 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DPRK (North Korea) usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Wang Duo Yu usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations…
First seen 01/01/1970 · Last seen 16/11/5138 · -
TA2541 usesThe MITRE Corporation Confidence 100
[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Lazarus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (65)
-
CanisterWorm usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BirdyClient usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Capra RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
YIPPHB usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Remcos RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Grooza usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Aranuk/Carbanak usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Keitaro usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
HelloBot usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AteraAgent usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Manuscrypt usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
AlienVault Confidence 100 4 CVEs 19 MITREs 5 Malwares 5 IOCs 5 Observables
-
20 MITREs 8 Observables
-
21 MITREs 2 Malwares 9 Observables 1 APT
-
AlienVault Confidence 100 18 MITREs 3 IOCs 3 Observables 1 APT
-
AlienVault Confidence 100 15 MITREs 9 IOCs 9 Observables
-
AlienVault Confidence 100 17 MITREs 1 Malware 9 IOCs 9 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 4 IOCs 4 Observables
-
21 MITREs 3 Observables
-
17 MITREs 2 Malwares 13 Observables 1 APT
-
AlienVault Confidence 100 16 MITREs 4 IOCs 4 Observables 1 APT
-
20 MITREs 7 Malwares 5 Observables 1 APT
Vulnerabilities (CVE) (33)
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected …
- Attack vector
- Network
- Published
- 02/06/2025
- Modified
- 21/12/2025
Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.13489 on Windows allows an attacker to load …
- Attack vector
- Local
- Published
- 03/09/2024
- Modified
- 21/12/2025
Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to …
- Attack vector
- NETWORK
- Complexity
- HIGH
- Published
- 15/09/2017
- Modified
- 22/04/2026
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated …
- Attack vector
- NETWORK
- Published
- 23/12/2022
- Modified
- 19/01/2026
JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.
- Attack vector
- Network
- Published
- 07/03/2024
- Modified
- 21/12/2025
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 136.0.7103.113 allowed a remote attacker to potentially …
- Attack vector
- NETWORK
- Published
- 22/08/2025
- Modified
- 21/12/2025
The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is …
- Attack vector
- NETWORK
- Published
- 15/10/2025
- Modified
- 23/12/2025
A maliciously crafted DWF file, when parsed in dwfcore.dll through Autodesk Autodesk Navisworks, may force an Out-of-Bounds Write vulnerability. A malicious actor …
- Attack vector
- LOCAL
- Published
- 30/09/2024
- Modified
- 21/12/2025
The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads …
- Attack vector
- NETWORK
- Published
- 01/11/2025
- Modified
- 23/12/2025
Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate …
- Attack vector
- Local
- Published
- 14/10/2025
- Modified
- 23/12/2025
GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse …
- Published
- 03/11/2021
- Modified
- 20/12/2025
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …
- Attack vector
- Network
- Published
- 12/06/2024
- Modified
- 21/12/2025
Campaign (4)
-
C0021 uses
-
C0010 uses
-
Operation Spalax uses
-
Night Dragon uses