T1614: T1614

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 29/04/2026 12:44

Essential information

MITRE technique ID: T1614
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 29/04/2026 12:44
Author / Source: The MITRE Corporation

Aliases

System Location Discovery

Platforms

windows macos linux IaaS

Description

Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as `GetLocaleInfoW` can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021) Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)

Kill chain phases

Kill chain	Phase
mitre-attack	discovery

Marking (TLP)

External references

AWS Instance Identity Documents
Sophos Geolocation 2016
mitre-attack (T1614)
Microsoft Azure Instance Metadata 2021
FBI Ragnar Locker 2020
Kaspersky Transparent Tribe August 2020
Bleepingcomputer RAT malware 2020

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (21)

BlackSuit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA551 uses GOLD CABINShathak

The MITRE Corporation Confidence 100

[TA551](https://attack.mitre.org/groups/G0127) is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gamaredon Group uses IRON TILDENPrimitive Bear

The MITRE Corporation Confidence 100

[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hannibal Stealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DarkGate uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Conti uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DEV-0196, QuaDream uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Tonto Team uses Earth AkhlutBRONZE HUNTLEY

The MITRE Corporation Confidence 100

[Tonto Team](https://attack.mitre.org/groups/G0131) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MirrorFace uses

AlienVault Confidence 100

[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Volt Typhoon uses BRONZE SILHOUETTEVanguard Panda

The MITRE Corporation Confidence 100

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
HelloKitty uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

1–12 of 21

POISONPLUG.SHADOW uses

Family
PrivateLoader uses

Family
DANCEFLOOR uses

Family
MirrorStealer uses

Family
Bulbature uses

Family
XMRig uses

Family
CyberVolk uses

Family
VIPKeyLogger uses

Family
LODEINFO uses

Family
Space Pirates uses
DarkGate uses

Family
OCRFix uses

Family

← Previous

Page / 10

1–12 of 118

Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Infostealer Campaign Using Trading App as Lure related

20 MITREs 2 Malwares 4 Observables 1 APT
ClickFix campaign uses fake macOS utilities lures to … related

AlienVault Confidence 100 1 CVE 20 MITREs 4 Malwares 145 IOCs 145 Observables
Inside Vect Ransomware-as-a-Service related

19 MITREs 2 Malwares 2 Observables 1 APT
Kyber ransomware is not just post-quantum name-dropping related

AlienVault Confidence 100 15 MITREs 1 Malware 8 IOCs 8 Observables
How Lazarus's IT Workers Scheme Was Caught Live … related

7 MITREs 12 Observables 1 APT
Arkanix Stealer: Newly discovered short term profit malware related

25 MITREs 2 Observables
ShadowRay 2.0: Active Global Campaign Hijacks Ray AI … related

19 MITREs 2 Malwares 1 APT
RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration related

10 MITREs 2 Malwares 1 APT
A Hybrid Approach with Data Exfiltration and Encryption related

8 MITREs 2 Malwares 1 APT
New Steganographic Campaign Distributing Multiple Malware Variants related

1 CVE 8 MITREs 5 Malwares 13 Observables
Desert Dexter.Attacks on Middle Eastern Countries related

14 MITREs 2 Observables 1 APT

← Previous

Page / 2

1–12 of 20

Vulnerabilities (CVE) (13)

CVE-2023-4966 KEV targets

9.4 Critical

Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway …

Attack vector: Network
Published: 18/10/2023
Modified: 21/12/2025

CVE-2017-0213 KEV targets

7.3 High

Microsoft Windows COM Aggregate Marshaler allows for privilege escalation when an attacker runs a specially crafted application.

Attack vector: LOCAL
Complexity: LOW
Published: 12/05/2017
Modified: 22/04/2026

CVE-2017-5638 targets

CVE-2019-9082 KEV targets

ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2026-31431 KEV targets

7.8 High

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …

Attack vector: LOCAL
Complexity: LOW
EPSS: 0.0001 (P0.6%)
Published: 22/04/2026
Modified: 23/05/2026

CWE-669 Awaiting Analysis

CVE-2025-49596 targets

9.4 Critical

The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to …

Published: 20/12/2025
Modified: 21/12/2025

Received

CVE-2019-13956 targets

CVE-2024-50050 targets

6.3 Medium

Llama Stack prior to revision 7a8aa775e5a267cf8660d83140011a0b7f91e005 used pickle as a serialization format for socket communication, potentially allowing for remote code execution. Socket …

Attack vector: NETWORK
Published: 23/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2022-21894 targets

4.4 Medium

Secure Boot Security Feature Bypass Vulnerability

Attack vector: LOCAL
Published: 11/01/2022
Modified: 20/12/2025

CVE-2021-42287 KEV targets

Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.

Published: 11/04/2022
Modified: 20/12/2025

CVE-2023-48022 targets

9.8 Critical

Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position …

Attack vector: NETWORK
Published: 28/11/2023
Modified: 21/12/2025

CVE-2017-0199 KEV targets

7.8 High

Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …

Attack vector: LOCAL
Complexity: LOW
Published: 12/04/2017
Modified: 22/04/2026

← Previous

Page / 2

1–12 of 13

System Language Discovery subtechnique-of

MITRE

Tool (2)

Remcos uses

The MITRE Corporation Confidence 100

[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in…
QuasarRAT uses

The MITRE Corporation Confidence 100

[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity…

Contact About Legal notice Privacy policy Terms of use

T1614: T1614

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (21)

Malware (118)

Reports (20)

Vulnerabilities (CVE) (13)

Attack patterns (MITRE) (1)

Tool (2)