akira
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 8 reports, 70 attack patterns (mitre), 5 malware, 16 sectors, 14 countries, 100 indicators, 16 vulnerabilities (cve), 60 organization, 5 tool
Aliases
- GOLD SAHARA
- PUNK SPIDER
- akira
- Howling Scorpius
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
Labels
- ransomware
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (8)
- 1 Malware, 1 APT
- 16 MITREs, 1 Malware, 1 APT
- 12 MITREs, 1 Malware, 2 Observables, 1 APT
- 1 MITRE, 1 Malware, 2 Observables, 1 APT
- 14 MITREs, 1 Malware, 1 APT
- 17 MITREs, 1 Malware, 1 APT
- 8 CVEs, 16 MITREs, 2 Malwares, 37 Observables, 1 APT
- 4 CVEs, 15 MITREs, 1 Malware, 3 Observables, 1 APT
Attack patterns (MITRE) (70)
- T1059.003 Windows Command Shell (uses; MITRE)
- T1567.002 Exfiltration to Cloud Storage (uses; MITRE)
- T1140 Deobfuscate/Decode Files or Information (uses; MITRE)
- T1059.001 PowerShell (uses; MITRE)
- T1059 Command and Scripting Interpreter (uses; MITRE)
- T1046 Network Service Discovery (uses; MITRE)
- T1078.001 Default Accounts (uses; MITRE)
- T1005 Data from Local System (uses; MITRE)
- T1531 Account Access Removal (uses; MITRE)
- T1547.006 Kernel Modules and Extensions (uses; MITRE)
- T1078.003 Local Accounts (uses; MITRE)
- T1573 Encrypted Channel (uses; MITRE)
Malware (5)
- Akira ransomware (uses; Family)
- Megazord (uses; Family)
- Akira (uses; Family)
- Akira - S1129 (uses; Family)
- Akira _v2 (uses)
Sectors (16)
- Construction (targets)
- Manufacturing (targets)
- Technology (targets)
- Education (targets)
- Business Services (targets)
- Finance (targets)
- Transportation/Logistics (targets)
- Consumer Services (targets)
- Healthcare (targets)
- Telecommunications (targets)
- Pharmacy and drugs manufacturing (targets)
- Consulting (targets)
Countries (14)
- United Kingdom of Great Britain and Northern Ireland (targets)
- Germany (targets)
- Austria (targets)
- Andorra (targets)
- United States of America (targets)
- Hong Kong Special Administrative Region (targets)
- Mexico (targets)
- Italy (targets)
- France (targets)
- Czechia (targets)
- Ireland (targets)
- Canada (targets)
Indicators (100)
Vulnerabilities (CVE) (16)
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …
- Attack vector: Network
- Published: 02/11/2023
- Modified: 21/12/2025
VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an …
- Attack vector: Network
- Published: 30/07/2024
- Modified: 27/05/2026
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to …
- Attack vector: Network
- Published: 29/09/2025
- Modified: 29/05/2026
Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.
- Attack vector: Network
- Published: 17/10/2024
- Modified: 21/12/2025
Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on …
- Published: 15/02/2024
- Modified: 21/12/2025
Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.
- Attack vector: Network
- Published: 25/03/2024
- Modified: 21/12/2025
Fortinet FortiOS contains a use of hard-coded credentials vulnerability that could allow an attacker to cipher sensitive data in FortiOS configuration backup …
- Published: 25/06/2025
- Modified: 21/12/2025
Cisco Adaptive Security Appliance and Firepower Threat Defense contain an unauthorized access vulnerability that could allow an unauthenticated, remote attacker to conduct …
- Attack vector: Network
- Published: 13/09/2023
- Modified: 21/12/2025
A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to redirect a …
- Attack vector: Network
- Published: 06/09/2023
- Modified: 21/12/2025
VMware vCenter Server vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin which allows an attacker with network …
- Published: 03/11/2021
- Modified: 21/12/2025
Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative …
- Attack vector: Network
- Published: 11/10/2022
- Modified: 14/01/2026
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would …
- Attack vector: Network
- Published: 23/09/2025
- Modified: 12/03/2026
Organization (60)
- Financial Brokerage (targets)
- Triple Eight Transport (targets)
- Gebrüder Bagusat GmbH & Co. KG (targets)
- Morningstar Properties (targets)
- Watertech of America, WorldPoint ECC, Mastermedia, Garrett Leather, Guttenberg Industries (targets)
- Murray's Cheese (targets)
- Building Trades (targets)
- Mh Soluciones (targets)
- Porsche Zentrum Fulda (targets)
- Progressive Laboratories (targets)
- Steel Dynamics (targets)
- J Grennan & Sons (targets)
Tool (5)
- Mimikatz (uses; source: The MITRE Corporation; confidence 100)
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
- LaZagne (uses; source: The MITRE Corporation; confidence 100)
  [LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows…
- AdFind (uses; source: The MITRE Corporation; confidence 100)
  [AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation:…
- PsExec (uses; source: The MITRE Corporation; confidence 100)
  [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
- Rclone (uses; source: The MITRE Corporation; confidence 100)
  [Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a…