WarzoneRAT
Essential information
- Confidence
- 100/100
- Is family
- Yes
- Published
- 27/12/2021 18:21
- Modified
- 27/03/2026 01:07
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Related entities
- 79 attack patterns (mitre), 3 intrusion sets (apt), 6 sectors, 12 countries, 97 indicators, 3 vulnerabilities (cve)
Aliases
Warzone Ave Maria
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators, intrusion sets and other entities linked to this malware.
Attack patterns (MITRE) (79)
Intrusion sets (APT) (3)
-
YoroTrooper usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TA2541 usesThe MITRE Corporation Confidence 100
[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (6)
-
Government targets
-
Pharmacy and drugs manufacturing targets
-
Education targets
-
Finance targets
-
Manufacturing targets
-
Energy targets
Countries (12)
-
Bangladesh targets
-
Belarus targets
-
United States of America targets
-
Tajikistan targets
-
Kazakhstan targets
-
Türkiye targets
-
Ukraine targets
-
Azerbaijan targets
-
Russian Federation targets
-
Kyrgyzstan targets
-
Afghanistan targets
-
Uzbekistan targets
Indicators (97)
-
stix 100/100 Revoked· Valid until 27/07/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 26/08/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 26/08/2024 · Source: AlienVault
-
http://193.149.176.254/hstart.exeindicatesstix 100/100 Revoked· Valid until 30/04/2023 · Source: AlienVault -
stix 100/100 Revoked
SLF:Win32/LnkFileWithMshta.A
· Valid until 16/06/2024 · Source: AlienVault -
stix 100/100 Revoked· Valid until 16/06/2024 · Source: AlienVault
-
http://94.103.86.38/ms1.htaindicatesstix 100/100 Revoked· Valid until 30/04/2023 · Source: AlienVault -
stix 100/100 Revoked· Valid until 26/08/2024 · Source: AlienVault
Vulnerabilities (CVE) (3)
Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over …
- Attack vector
- Network
- Published
- 17/04/2025
- Modified
- 27/05/2026
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.
- Attack vector
- Network
- Published
- 11/03/2025
- Modified
- 27/05/2026
Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially …
- Attack vector
- Network
- Published
- 20/10/2025
- Modified
- 27/05/2026