WarzoneRAT
Essential information
- Confidence
- 100/100
- Is family
- Yes
- Published
- 27/12/2021 18:21
- Modified
- 27/03/2026 01:07
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Related entities
- 79 attack patterns (mitre), 3 intrusion sets (apt), 6 sectors, 12 countries, 97 indicators, 3 vulnerabilities (cve)
Aliases
Warzone Ave Maria
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators, intrusion sets and other entities linked to this malware.
Attack patterns (MITRE) (79)
-
T1552.001 usesCredentials In Files MITRE
-
-
T1090 usesProxy MITRE
-
T1071 usesApplication Layer Protocol MITRE
-
T1036.004 usesMasquerade Task or Service MITRE
-
T1573 usesEncrypted Channel MITRE
-
T1574.002 uses
-
T1112 usesModify Registry MITRE
-
T1557 usesAdversary-in-the-Middle MITRE
-
T1562.001 usesDisable or Modify Tools MITRE
-
T1219 usesRemote Access Tools MITRE
-
T1027 usesObfuscated Files or Information MITRE
Intrusion sets (APT) (3)
-
YoroTrooper usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TA2541 usesThe MITRE Corporation Confidence 100
[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (6)
-
Government targets
-
Pharmacy and drugs manufacturing targets
-
Education targets
-
Finance targets
-
Manufacturing targets
-
Energy targets
Countries (12)
-
Bangladesh targets
-
Belarus targets
-
United States of America targets
-
Tajikistan targets
-
Kazakhstan targets
-
Türkiye targets
-
Ukraine targets
-
Azerbaijan targets
-
Russian Federation targets
-
Kyrgyzstan targets
-
Afghanistan targets
-
Uzbekistan targets
Indicators (97)
-
stix 100/100 Revoked· Valid until 27/07/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 26/08/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 26/08/2024 · Source: AlienVault
-
http://193.149.176.254/hstart.exeindicatesstix 100/100 Revoked· Valid until 30/04/2023 · Source: AlienVault -
stix 100/100 Revoked
SLF:Win32/LnkFileWithMshta.A
· Valid until 16/06/2024 · Source: AlienVault -
stix 100/100 Revoked· Valid until 16/06/2024 · Source: AlienVault
-
http://94.103.86.38/ms1.htaindicatesstix 100/100 Revoked· Valid until 30/04/2023 · Source: AlienVault -
stix 100/100 Revoked· Valid until 26/08/2024 · Source: AlienVault
Vulnerabilities (CVE) (3)
Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over …
- Attack vector
- Network
- Published
- 17/04/2025
- Modified
- 27/05/2026
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.
- Attack vector
- Network
- Published
- 11/03/2025
- Modified
- 27/05/2026
Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially …
- Attack vector
- Network
- Published
- 20/10/2025
- Modified
- 27/05/2026