Play
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 5 reports, 67 attack patterns (MITRE), 5 malware, 9 sectors, 5 countries, 20 indicators, 6 vulnerabilities (CVE), 23 organizations, 7 tools
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
Labels
ransomware
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (5)
- 5 CVEs, 3 MITRE attack patterns, 3 malware, 8 observables, 1 APT
- 15 MITRE attack patterns, 2 malware, 4 observables, 1 APT
- 6 MITRE attack patterns, 2 malware, 1 observable, 1 APT
- 7 MITRE attack patterns, 2 malware, 4 observables, 1 APT
- 11 MITRE attack patterns, 1 malware, 2 observables, 1 APT
Attack patterns (MITRE) (67; 12 listed here, relationship "uses")
- Command Obfuscation
- T1204.002 Malicious File
- T1484 Domain or Tenant Policy Modification
- T1049 System Network Connections Discovery
- T1021.002 SMB/Windows Admin Shares
- T1027.002 Software Packing
- T1531 Account Access Removal
- T1140 Deobfuscate/Decode Files or Information
- T1021 Remote Services
- T1009
- T1505 Server Software Component
- T1568.002 Domain Generation Algorithms
Malware (5; each a malware family, relationship "uses")
- COROXY
- Grixba
- SystemBC
- Cobalt Strike
- PlayCrypt
Sectors (9; relationship "targets")
- Transportation/Logistics
- Technology
- Consulting
- Chemical
- Business Services
- Agriculture Food Production
- Finance
- Manufacturing
- Construction
Countries (5; relationship "targets")
- United States of America
- Italy
- Canada
- Australia
- Germany
Indicators (20; 12 listed here, all 64-hex SHA-256 values, relationship "indicates")
- 3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545
- b4505ab44108e27d8a5311fe5ba32e2db88e70f0084b5c0b0b903e5b98f904b7
- 5922b1a7172bd60b1353f2a3c4de2a03efba8d57d0f696d00868d4ef6fcbc218
- e652051fe47d784f6f85dc00adca1c15a8c7a40f1e5772e6a95281d8bf3d5c74
- 75404543de25513b376f097ceb383e8efb9c9b95da8945fd4aa37c7b2f226212
- 08c6e20b1785d4ec4e3f9956931d992377963580b4b2c6579fd9930e08882b1c
- 75b525b220169f07aecfb3b1991702fbd9a1e170caf0040d1fcb07c3e819f54a
- 3621468d188d4c3e2c6dfe3e9ddcfe3894701666bad918bc195aba0c44e46e94
- 7a6df63d883bbccb315986c2cfb76570335abf84fafbefce047d126b32234af8
- 47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57
- c59f3c8d61d940b56436c14bc148c1fe98862921b8f7bad97fbc96b31d71193c
- 7bc87a26137cc07cabf31e6e4bcd0e514846b5dd727a29132919f2e6b317cde8
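A hash list is only useful if something actually checks files against it. The following is an added example written for this page, not code from the MITRE export or from the platform that produced it. It extracts the 64-hex SHA-256 values from the raw exported indicator lines (which glue the relationship label "indicates" onto the end of each hash, so a plain word-boundary regex misses them), then sweeps a directory tree comparing chunked file hashes against that set. The two files created in `demo()` are constructed, and one of their hashes is added to the IOC set purely to exercise the match path; none of the listed indicators will match a file you create yourself.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# The indicator lines as exported on this page, including the glued
# "indicates -" relationship label the export left attached to each hash.
RAW_INDICATOR_LINES = """\
3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545indicates -
b4505ab44108e27d8a5311fe5ba32e2db88e70f0084b5c0b0b903e5b98f904b7indicates -
5922b1a7172bd60b1353f2a3c4de2a03efba8d57d0f696d00868d4ef6fcbc218indicates -
e652051fe47d784f6f85dc00adca1c15a8c7a40f1e5772e6a95281d8bf3d5c74indicates -
75404543de25513b376f097ceb383e8efb9c9b95da8945fd4aa37c7b2f226212indicates -
08c6e20b1785d4ec4e3f9956931d992377963580b4b2c6579fd9930e08882b1cindicates -
75b525b220169f07aecfb3b1991702fbd9a1e170caf0040d1fcb07c3e819f54aindicates -
3621468d188d4c3e2c6dfe3e9ddcfe3894701666bad918bc195aba0c44e46e94indicates -
7a6df63d883bbccb315986c2cfb76570335abf84fafbefce047d126b32234af8indicates -
47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57indicates -
c59f3c8d61d940b56436c14bc148c1fe98862921b8f7bad97fbc96b31d71193cindicates -
7bc87a26137cc07cabf31e6e4bcd0e514846b5dd727a29132919f2e6b317cde8indicates
"""

# Exactly 64 hex digits not adjacent to other hex digits. \b would not work:
# in "...b545indicates" there is no word boundary between the hash and the label,
# and a 65-digit run must be rejected rather than truncated to 64.
SHA256_RE = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{64})(?![0-9a-fA-F])")


def parse_sha256_indicators(text: str) -> set[str]:
    """Extract SHA-256 values from messy exported text, normalised to lowercase."""
    return {m.group(1).lower() for m in SHA256_RE.finditer(text)}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, iocs: set[str]) -> list[tuple[Path, str]]:
    """Walk `root` and return (path, sha256) for every regular file whose hash
    is in `iocs`. Unreadable files are skipped so one locked file does not
    abort the whole sweep."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not p.is_file():  # skip sockets, dangling symlinks, etc.
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits.append((p, digest))
    return hits


def demo() -> list[tuple[str, str]]:
    """Constructed end-to-end run: two throwaway files, one of which is
    deliberately added to the IOC set so the match path is exercised.
    Returns (file name, sha256) for each hit."""
    iocs = parse_sha256_indicators(RAW_INDICATOR_LINES)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        suspect = root / "suspect.bin"
        suspect.write_bytes(b"constructed sample content, not real malware\n")
        (root / "sub").mkdir()
        (root / "sub" / "clean.txt").write_text("nothing to see here\n")
        iocs = iocs | {sha256_file(suspect)}  # simulate a known-bad file on disk
        return [(p.name, h) for p, h in scan_tree(root, iocs)]


if __name__ == "__main__":
    for name, digest in demo():
        print(f"MATCH {name} {digest}")
```

For a real sweep, feed the full 20-hash list (the export shows only 12) and point `scan_tree` at the paths the reports put the payloads in; hashing everything under a system root is slow, so scope it to user-writable and staging locations first.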
Vulnerabilities (CVE) (6)
Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution.
- Attack vector: Network
- Published: 15/03/2023
- Modified: 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …
- Attack vector: Adjacent
- Published: 30/09/2022
- Modified: 20/12/2025
Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files …
- Published: 03/11/2021
- Modified: 20/12/2025
Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the …
- Published: 03/11/2021
- Modified: 20/12/2025
Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.
- Attack vector: Network
- Published: 30/09/2022
- Modified: 20/12/2025
SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary …
- Attack vector: Network
- Published: 13/02/2025
- Modified: 21/12/2025
Organization (23; 12 listed here, relationship "targets")
- Wardell Builders
- Pewarchuk CPA
- Autohaus Pichel GmbH
- MP Filtri
- Security ONE Alarm Systems
- Stoughton Steel
- Executive Aviation
- Lakeside Title Company
- Gsolutionz
- Knight's Site Services
- Due Doyle Fanning
- Genoa Lakes
Tool (7; relationship "uses"; source: The MITRE Corporation, confidence 100)
- Nltest
  [Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)
- Empire
  [Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
- Mimikatz
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
- PsExec
  [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
- BloodHound
  [BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT…
- Wevtutil
  [Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)
- AdFind
  [AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation:…
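Every tool in this list is either a built-in Windows binary or a freely downloadable utility, so matching on file names or hashes is weak: the free tools get renamed before use, and nltest and wevtutil are run by administrators every day. The following is an added example, not from this page, MITRE or any vendor, showing detection logic for five of the seven tools (Nltest, AdFind, Mimikatz, PsExec, Wevtutil) that keys on the arguments each tool needs to do its job rather than on its name, evaluated over constructed process-creation and service-install events. The event fields are loosely modelled on Sysmon Event ID 1 and Windows System Event ID 7045; the hosts WS01, FS01 and ADMIN01 and the renamed binaries ad.exe, mk.exe and ps.exe are invented. It then correlates distinct rule hits per host inside a 30-minute window, which separates a single admin `nltest` run from the enumeration, credential dumping and remote-execution sequence these tools support. PSEXESVC is PsExec's default service name; the regexes are this example's own choices and not a complete rule set.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). eid 1 carries a command line;
# eid 7045 carries the installed service's name and binary path.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:05", "host": "WS01", "eid": 1,
     "cmdline": "nltest /domain_trusts /all_trusts"},
    {"ts": "2025-01-10T09:00:41", "host": "WS01", "eid": 1,
     "cmdline": "nltest /dclist:corp.local"},
    {"ts": "2025-01-10T09:03:12", "host": "WS01", "eid": 1,          # renamed AdFind
     "cmdline": 'ad.exe -f "(objectcategory=person)" > ad_users.txt'},
    {"ts": "2025-01-10T09:07:50", "host": "WS01", "eid": 1,          # renamed Mimikatz
     "cmdline": 'mk.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"ts": "2025-01-10T09:12:03", "host": "WS01", "eid": 1,          # renamed PsExec
     "cmdline": r"ps.exe \\FS01 -accepteula -s cmd.exe"},
    {"ts": "2025-01-10T09:12:04", "host": "FS01", "eid": 7045,
     "service": "PSEXESVC", "imagepath": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2025-01-10T09:20:00", "host": "FS01", "eid": 1,
     "cmdline": "wevtutil cl Security"},
    # Benign look-alikes: querying (not clearing) a log, and nltest in its
    # normal troubleshooting form, on an admin workstation.
    {"ts": "2025-01-10T10:00:00", "host": "ADMIN01", "eid": 1,
     "cmdline": "wevtutil qe Security /c:5 /rd:true"},
    {"ts": "2025-01-10T10:01:00", "host": "ADMIN01", "eid": 1,
     "cmdline": "nltest /sc_query:corp.local"},
]

# Command-line rules. Each pattern targets an argument the tool cannot do
# its job without, so renaming the executable does not help the operator.
RULES = [
    ("nltest_trust_or_dc_enum", re.compile(r"\bnltest(\.exe)?\b.*/(domain_trusts|dclist)", re.I)),
    ("adfind_style_ldap_query", re.compile(r'\s-f\s+"?\(?objectcategory=', re.I)),
    ("mimikatz_module_call", re.compile(r"\b(sekurlsa|lsadump|privilege)::", re.I)),
    ("psexec_style_remote_exec", re.compile(r"\\\\\S+.*-accepteula", re.I)),
    ("wevtutil_clear_log", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]
WINDOW = timedelta(minutes=30)


def match_event(ev: dict) -> list[str]:
    """Return the names of every rule that fires on one event."""
    if ev.get("eid") == 7045:
        svc, img = ev.get("service", ""), ev.get("imagepath", "")
        # PsExec's default service name; "-r" renames it, so also check the binary.
        if svc.upper() == "PSEXESVC" or "PSEXESVC" in img.upper():
            return ["psexec_service_install"]
        return []
    cmd = ev.get("cmdline", "")
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(events: list[dict]) -> list[dict]:
    """Evaluate rules, then correlate per host: the most distinct rules seen on
    one host inside any 30-minute window sets severity (1 low, 2 medium, 3+ high)."""
    hits = defaultdict(list)  # host -> [(timestamp, rule name)]
    for ev in events:
        for name in match_event(ev):
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), name))
    findings = []
    for host, items in hits.items():
        items.sort()
        best = 0
        for i, (ts, _) in enumerate(items):
            in_window = {r for t, r in items[: i + 1] if ts - t <= WINDOW}
            best = max(best, len(in_window))
        severity = "high" if best >= 3 else "medium" if best == 2 else "low"
        findings.append({"host": host, "severity": severity,
                         "rules": sorted({r for _, r in items}),
                         "first_seen": items[0][0].isoformat(),
                         "last_seen": items[-1][0].isoformat()})
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

On the sample, WS01 reaches "high" (four distinct rules in twelve minutes), FS01 is "medium" (PSEXESVC install followed by a Security log clear), and ADMIN01 produces nothing because neither `wevtutil qe` nor `nltest /sc_query` matches. Argument-based rules are still bypassable (operators can drive LDAP or LSASS from their own code), so treat them as one layer and keep the hash list from the Indicators section alongside them.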