WarzoneRAT
Essential information
- Confidence
- 100/100
- Is family
- Yes
- Published
- 27/12/2021 18:21
- Modified
- 27/03/2026 01:07
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Related entities
- 79 attack patterns (mitre), 3 intrusion sets (apt), 6 sectors, 12 countries, 97 indicators, 3 vulnerabilities (cve)
Aliases
Warzone Ave Maria
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators, intrusion sets and other entities linked to this malware.
Attack patterns (MITRE) (79)
-
T1059.003 usesWindows Command Shell MITRE
-
T1189 usesDrive-by Compromise MITRE
-
T1218 usesSystem Binary Proxy Execution MITRE
-
T1014 usesRootkit MITRE
-
T1518.001 usesSecurity Software Discovery MITRE
-
T1055.002 usesPortable Executable Injection MITRE
-
T1564 usesHide Artifacts MITRE
-
T1070 usesIndicator Removal MITRE
-
T1137 usesOffice Application Startup MITRE
-
T1113 usesScreen Capture MITRE
-
Multi-Stage Channels usesT1104 MITRE
-
T1140 usesDeobfuscate/Decode Files or Information MITRE
Intrusion sets (APT) (3)
-
YoroTrooper usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TA2541 usesThe MITRE Corporation Confidence 100
[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (6)
-
Government targets
-
Pharmacy and drugs manufacturing targets
-
Education targets
-
Finance targets
-
Manufacturing targets
-
Energy targets
Countries (12)
-
Bangladesh targets
-
Belarus targets
-
United States of America targets
-
Tajikistan targets
-
Kazakhstan targets
-
Türkiye targets
-
Ukraine targets
-
Azerbaijan targets
-
Russian Federation targets
-
Kyrgyzstan targets
-
Afghanistan targets
-
Uzbekistan targets
Indicators (97)
-
stix 100/100 Revoked· Valid until 26/08/2024 · Source: AlienVault
-
mail.belaes.by.authentication.becloud.ccindicatesstix 100/100 Revoked· Valid until 26/06/2024 · Source: AlienVault -
stix 100/100 Revoked
Win64:Trojan-gen SHA256 of bc9314760071a4aef12e503104478059808e7047
· Valid until 27/07/2024 · Source: AlienVault -
stix 100/100 Revoked
stack_string
· Valid until 16/06/2024 · Source: AlienVault -
stix 100/100 Revoked· Valid until 16/06/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 13/10/2025 · Source: AlienVault
-
rnail.iterrf.ru.inro.linkindicatesstix 100/100 Revoked· Valid until 26/06/2024 · Source: AlienVault -
stix 100/100 Revoked· Valid until 13/10/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 21/12/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 27/07/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 31/08/2025 · Source: AlienVault
Vulnerabilities (CVE) (3)
Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over …
- Attack vector
- Network
- Published
- 17/04/2025
- Modified
- 27/05/2026
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.
- Attack vector
- Network
- Published
- 11/03/2025
- Modified
- 27/05/2026
Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially …
- Attack vector
- Network
- Published
- 20/10/2025
- Modified
- 27/05/2026