Play
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 5 reports, 67 attack patterns (MITRE), 5 malware, 9 sectors, 5 countries, 20 indicators, 6 vulnerabilities (CVE), 23 organizations, 7 tools
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
Labels
- ransomware
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (5)
- 5 CVEs · 3 MITREs · 3 Malwares · 8 Observables · 1 APT
- 15 MITREs · 2 Malwares · 4 Observables · 1 APT
- 6 MITREs · 2 Malwares · 1 Observable · 1 APT
- 7 MITREs · 2 Malwares · 4 Observables · 1 APT
- 11 MITREs · 1 Malware · 2 Observables · 1 APT
Attack patterns (MITRE) (67)
- T1078.003 Local Accounts (uses) · Source: MITRE
- T1087.001 Local Account (uses) · Source: MITRE
- T1021.004 SSH (uses) · Source: MITRE
- T1033 System Owner/User Discovery (uses) · Source: MITRE
- T1562 Impair Defenses (uses) · Source: MITRE
- T1105 Ingress Tool Transfer (uses) · Source: MITRE
- T1190 Exploit Public-Facing Application (uses) · Source: MITRE
- T1082 System Information Discovery (uses) · Source: MITRE
- T1133 External Remote Services (uses) · Source: MITRE
- T1070.004 File Deletion (uses) · Source: MITRE
- T1573 Encrypted Channel (uses) · Source: MITRE
Malware (5)
- Coroxy (uses) · Source: AlienVault · Confidence 100
- Grixba (uses) · Source: AlienVault · Confidence 100
- SystemBC (uses) · Source: AlienVault · Confidence 100
  [SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment. [SystemBC](https://attack.mitre.org/software/S9001) executes a variety…
- Cobalt Strike (uses) · Family · Source: The MITRE Corporation · Confidence 100
  [Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced…
- Playcrypt (uses) · Family · Source: The MITRE Corporation · Confidence 100
  [Playcrypt](https://attack.mitre.org/software/S1162) is a ransomware that has been used by [Play](https://attack.mitre.org/groups/G1040) since at least 2022 in attacks against the business, government, critical infrastructure, healthcare, and media sectors in…
Sectors (9)
- Transportation/Logistics (targets)
- Technology (targets)
- Consulting (targets)
- Chemical (targets)
- Business Services (targets)
- Agriculture Food Production (targets)
- Finance (targets)
- Manufacturing (targets)
- Construction (targets)
Countries (5)
- United States of America (targets)
- Italy (targets)
- Canada (targets)
- Australia (targets)
- Germany (targets)
Indicators (20)
- stix · 100/100 · Revoked · Valid until 12/11/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 13/01/2026 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 13/01/2026 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 23/03/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 01/06/2026 · Source: AlienVault
- stix · 100/100 · Revoked · ConventionEngine_Anomaly_MultiPDB_Double · Valid until 26/11/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 01/06/2026 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 13/01/2026 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 23/03/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Win32:RansomX-gen\ [Ransom] · Valid until 23/03/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 01/06/2026 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 12/11/2025 · Source: AlienVault
Vulnerabilities (CVE) (6)
- Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution.
  Attack vector: Network · Published: 15/03/2023 · Modified: 21/12/2025
- Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …
  Attack vector: Adjacent · Published: 30/09/2022 · Modified: 20/12/2025
- Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files …
  Published: 03/11/2021 · Modified: 20/12/2025
- Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the …
  Published: 03/11/2021 · Modified: 20/12/2025
- Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.
  Attack vector: Network · Published: 30/09/2022 · Modified: 20/12/2025
- SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary …
  Attack vector: Network · Published: 13/02/2025 · Modified: 21/12/2025
Organization (23)
- Wardell Builders (targets)
- Pewarchuk CPA (targets)
- Autohaus Pichel GmbH (targets)
- MP Filtri (targets)
- Security ONE Alarm Systems (targets)
- Stoughton Steel (targets)
- Executive Aviation (targets)
- Lakeside Title Company (targets)
- Gsolutionz (targets)
- Knight's Site Services (targets)
- Due Doyle Fanning (targets)
- Genoa Lakes (targets)
Tool (7)
- Nltest (uses) · Source: The MITRE Corporation · Confidence 100
  [Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)
- Empire (uses) · Source: The MITRE Corporation · Confidence 100
  [Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
- Mimikatz (uses) · Source: The MITRE Corporation · Confidence 100
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
- PsExec (uses) · Source: The MITRE Corporation · Confidence 100
  [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
- BloodHound (uses) · Source: The MITRE Corporation · Confidence 100
  [BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT…
- Wevtutil (uses) · Source: The MITRE Corporation · Confidence 100
  [Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)
- AdFind (uses) · Source: The MITRE Corporation · Confidence 100
  [AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation:…