ATT&CK coverage matrix
Every technique this pipeline has evidence for, on the full MITRE ATT&CK Enterprise matrix. Mappings are derived from published entries only — an entity or CVE maps a technique exactly when a published entry ties them together. Pick entities below to compare their TTP overlap the way an ATT&CK Navigator layer would show it.
Pinned dataset: MITRE ATT&CK Enterprise v19.1
(upstream 2026-05-12)
· 237 of 697 active techniques covered
(119 of 222 parent · 118 sub)
· 337 entities with mappings
· updated via tools/attack_data.py
· definitions © The MITRE Corporation
Cell shading = published-entry coverage of the technique or its sub-techniques (1 · 2–3 · 4–7 · 8+). ▸ marks covered/total sub-techniques. Click a cell for definition and evidence.
Covered techniques — definitions & evidence
Reconnaissance TA0043
T1590Gather Victim Network Information×2
Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
Evidence: 2026-06-23/elastic-shows-how-the-newly-ga-azure-ad-graph-activity-logs · 2026-06-11/black-lotus-labs-the-volt-typhoon-linked-jdy-botnet-doubles · ATT&CK page ↗
T1593Search Open Websites/Domains×1
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.
Evidence: 2026-05-13/mini-shai-hulud-s-github-actions-pwn-request-oidc-token-thef · ATT&CK page ↗
T1595Active Scanning×1
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
AryStinger ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 QNAP Malware Remover code injection (fixed 6.6.8.20251023) — AryStinger NAS access vector ×1
Evidence: 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · ATT&CK page ↗
T1595.002Active Scanning: Vulnerability Scanning×1
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
Evidence: 2026-06-11/black-lotus-labs-the-volt-typhoon-linked-jdy-botnet-doubles · ATT&CK page ↗
T1598Phishing for Information×1
Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code.
Evidence: 2026-05-31/signal-support-impersonation-phishing-harvests-cloud-backup · ATT&CK page ↗
T1598.003Phishing for Information: Spearphishing Link×3
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.
Screening Serpens ×1 Security-tool impersonation TDS campaign ×1
Evidence: 2026-06-27/fbi-cisa-russian-intelligence-now-phishing-signal-backup-rec · 2026-06-22/ebanking-phishing-hides-its-landing-page-address-in-ipv4-map · 2026-05-27/nimbus-manticore-unc1549-screening-serpens-check-point-detai · ATT&CK page ↗
Resource Development TA0042
T1583.001Acquire Infrastructure: Domains×2
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
GemStuffer ×1 Mini Shai-Hulud ×1 Qilin ×1 TeamPCP ×1
Evidence: 2026-05-14/gemstuffer-rubygems-weaponised-as-a-one-way-exfiltration-cha · 2026-05-13/mini-shai-hulud-s-github-actions-pwn-request-oidc-token-thef · ATT&CK page ↗
T1584Compromise Infrastructure×1
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle. Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
Booking.com-fed hotel phishing (CH) ×1 Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×1 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×1 Ivanti EPMM remote authenticated → administrative-access via improper access control (CVSS 8.8, May 2026 update) ×1 Ivanti EPMM unauthenticated arbitrary method invocation (CVSS 7.0, May 2026 update) ×1 Ivanti EPMM — fourth companion CVE in May 2026 EPMM update (high-severity per BleepingComputer / SecurityWeek) ×1
Evidence: 2026-05-04/cve-2026-6973-cve-2026-5787-ivanti-epmm-on-prem-pre-auth-cha · ATT&CK page ↗
T1584.005Compromise Infrastructure: Botnet×1
Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).
Evidence: 2026-06-11/black-lotus-labs-the-volt-typhoon-linked-jdy-botnet-doubles · ATT&CK page ↗
T1584.007Compromise Infrastructure: Serverless×2
Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×2 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×2 Booking.com-fed hotel phishing (CH) ×1 Ivanti EPMM remote authenticated → administrative-access via improper access control (CVSS 8.8, May 2026 update) ×1 Ivanti EPMM unauthenticated arbitrary method invocation (CVSS 7.0, May 2026 update) ×1 Ivanti EPMM — fourth companion CVE in May 2026 EPMM update (high-severity per BleepingComputer / SecurityWeek) ×1
Evidence: 2026-05-08/ivanti-epmm-cve-2026-5787-cve-2026-6973-pre-auth-certificate · 2026-05-04/cve-2026-6973-cve-2026-5787-ivanti-epmm-on-prem-pre-auth-cha · ATT&CK page ↗
T1586.002Compromise Accounts: Email Accounts×1
Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing for Information, Phishing, or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: Domains).
PDAG email-account compromise ×1
Evidence: 2026-07-09/pdag-aargau-email-account-compromise-spam-relay · ATT&CK page ↗
T1608.006Stage Capabilities: SEO Poisoning×1
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.
Akira ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1
Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · ATT&CK page ↗
T1650Acquire Access×1
Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems. In some cases, adversary groups may form partnerships to share compromised systems with each other.
Evidence: 2026-05-22/teampcp-mini-shai-hulud-unit-42-and-stepsecurity-confirm-sls · ATT&CK page ↗
Initial Access TA0001
T1078Valid Accounts×45
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Booking.com-fed hotel phishing (CH) ×9 Akira ×3 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×3 FortiBleed ×2 Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×2 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×2 Qilin ×2 ShinyHunters ×2 +52 more
Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · 2026-07-05/kairos-data-theft-extortion-case-us-county-govt-1m-payout · 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce +40 more · ATT&CK page ↗
T1078.001Valid Accounts: Default Accounts×4
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.
Booking.com-fed hotel phishing (CH) ×2 Akira ×1 Akira kill-chain reconstruction (SANS ISC) ×1 Gitea Docker reverse-proxy trust-all auth bypass (X-WEBAUTH-USER impersonation) ×1 SEPPmail appliance management — information disclosure (CVSS 6.9) ×1 SEPPmail appliance management — LFI and arbitrary file deletion (CVSS 8.8) ×1 SEPPmail GINAv2 — insecure deserialisation via session cookie → RCE (CVSS 9.2) ×1 SEPPmail GINAv2 — missing authentication in admin REST API (CVSS 9.3) ×1 +2 more
Evidence: 2026-06-23/cve-2026-20896-gitea-docker-trust-all-reverse-proxy-default · 2026-05-28/sans-isc-akira-ransomware-kill-chain-reconstructed-entirely · 2026-05-09/seppmail-secure-email-gateway-cvss-9-3-unauthenticated-rce-c · 2026-05-04/cve-2026-44128-et-al-seppmail-secure-email-gateway-six-cve-c · ATT&CK page ↗
T1078.002Valid Accounts: Domain Accounts×1
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.
Akira ×1 SonicWall SonicOS improper access control (mgmt + SSLVPN, Gen 5/6/7) — Akira/Fog ransomware on-ramp ×1
Evidence: 2026-06-23/sonicwall-cve-2024-40766-why-patched-firewalls-keep-falling · ATT&CK page ↗
T1078.004Valid Accounts: Cloud Accounts×26
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.
ShinyHunters ×4 Mini Shai-Hulud ×3 TeamPCP ×3 Booking.com-fed hotel phishing (CH) ×2 Entra Agent ID OBO abuse ×2 'Ghost in the Database' ADFS key recovery ×1 888 ×1 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×1 +27 more
Evidence: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns · 2026-07-09/mandiant-adfs-machine-dpapi-golden-saml-key-recovery · 2026-07-08/accenture-confirms-data-theft-888-azure-devops-claim · 2026-06-29/gogs-cve-2026-52806-moves-from-no-observed-exploitation-to-a · 2026-06-28/keycloak-jwt-algorithm-confusion-cve-2026-11800-forging-fede +21 more · ATT&CK page ↗
T1091Replication Through Removable Media×1
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Evidence: 2026-06-01/gamaredon-gammaphish-gammaworm-ntfs-ads-usb-gammasteel-s3-ex · ATT&CK page ↗
T1133External Remote Services×12
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.
Akira ×5 Groupe 3R ransomware breach ×2 Akira kill-chain reconstruction (SANS ISC) ×1 AryStinger ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 Dragos Q1 2026 Industrial Ransomware Analysis ×1 GREYVIBE ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 +7 more
Evidence: 2026-07-03/cve-2026-13368-watchguard-fireware-iked-pre-auth-rce · 2026-06-23/sonicwall-cve-2024-40766-why-patched-firewalls-keep-falling · 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-06-21/prinz-eugen-a-go-based-encryptor-that-targets-recent-files-f · 2026-06-10/dragos-q1-2026-industrial-ransomware-analysis-1-020-industri +7 more · ATT&CK page ↗
T1189Drive-by Compromise×5
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:
Bitter ×1 Digital Knowledge KnowledgeDeliver LMS — pre-shared ASP.NET machineKey ViewState deserialization RCE; exploited as zero-day pre-2026-02-24 ×1 GeoVision GeoWebPlayer unauthenticated localhost WebSocket screen-capture (Talos, CVSS 8.8) ×1 GeoVision GV-I/O Box 4E unauthenticated OS command injection (Talos, CVSS 9.1) ×1 Google Chrome V8 out-of-bounds read/write, exploited ITW, CISA KEV; fixed 149.0.7827.103 ×1 GTIG Europe Data Leak Landscape 2025 ×1 Operation Endgame — Amadey/StealC takedown ×1 Operation Endgame — SocGholish expansion ×1 +4 more
Evidence: 2026-07-10/e-government-portal-watering-hole-cms-implant-espionage · 2026-07-09/talos-wolfssl-geovision-vtkdicom-disclosure · 2026-06-19/operation-endgame-expands-to-socgholish-ta569-106-c2-servers · 2026-06-10/cve-2026-11645-google-chrome-v8-out-of-bounds-read-write-exp · 2026-05-26/cve-2026-5426-digital-knowledge-knowledgedeliver-lms-pre-sha · ATT&CK page ↗
T1190Exploit Public-Facing Application×94
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Booking.com-fed hotel phishing (CH) ×14 ShinyHunters ×7 Unsafe ×4 GTIG Europe Data Leak Landscape 2025 ×3 Security-tool impersonation TDS campaign ×3 Akira ×2 Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×2 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×2 +147 more
Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · 2026-07-09/unk-masstraction-roundcube-edge-exploitation · 2026-07-09/talos-wolfssl-geovision-vtkdicom-disclosure · 2026-07-09/openplc-cve-2026-14480-file-write-rce +89 more · ATT&CK page ↗
T1195Supply Chain Compromise×12
Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.
TeamPCP ×3 Agentjacking ×1 Checkmarx Jenkins AST plugin backdoor (TeamPCP/UNC6780 supply-chain compromise, SANDCLOCK credential stealer, CVSS 9.4) ×1 DAEMON Tools supply-chain compromise ×1 Fortinet FortiClient EMS 7.4.5/7.4.6 — improper-access-control on X-SSL-CLIENT-VERIFY header lets unauth attacker spoof mTLS state and reach management API; ITW exploited to push EKZ Infostealer per Arctic Wolf 2026-05-27 ×1 JDownloader official site compromised ×1 Living Off the Pipeline ×1 Megalodon ×1 +6 more
Evidence: 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-06-13/agentjacking-tenet-security-hijacks-ai-coding-agents-via-for · 2026-06-12/eset-oceanlotus-apt32-compromises-a-stock-trading-platform-s · 2026-05-29/forticlient-ems-cve-2026-35616-ekz-infostealer-kill-chain · 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto +7 more · ATT&CK page ↗
T1195.001Supply Chain Compromise: Compromise Software Dependencies and Development Tools×7
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications, such as pip and NPM packages, may be targeted as a means to add malicious code to users of the dependency. This may also include abandoned packages, which in some cases could be re-registered by threat actors after being removed by adversaries. Adversaries may also employ "typosquatting" or name-confusion by choosing names similar to existing popular libraries or packages in order to deceive a user.
Evidence: 2026-06-30/hijacked-npm-and-go-packages-weaponise-vs-code-s-folderopen · 2026-06-24/unit-42-malicious-skills-on-the-openclaw-clawhub-agent-marke · 2026-06-24/postcss-npm-typosquats-deliver-a-nuitka-compiled-python-rat · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-06-18/15-malicious-jetbrains-marketplace-plugins-exfiltrate-ai-pro +2 more · ATT&CK page ↗
T1195.002Supply Chain Compromise: Compromise Software Supply Chain×30
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
TeamPCP ×7 Mini Shai-Hulud ×4 IronWorm ×2 Living Off the Pipeline ×2 PCPJack ×2 TrapDoor ×2 actions-cool/issues-helper compromise ×1 Atomic Arch ×1 +21 more
Evidence: 2026-07-09/git-signature-malleability-github-verified-commit-ghost-twin · 2026-07-09/ghostapproval-ai-coding-assistant-symlink-trust-boundary · 2026-06-25/cordyceps-the-github-actions-pull-request-target-pwn-request · 2026-06-24/postcss-npm-typosquats-deliver-a-nuitka-compiled-python-rat · 2026-06-23/shapedplugin-build-pipeline-compromised-three-pro-wordpress +25 more · ATT&CK page ↗
T1199Trusted Relationship×3
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
Entra Agent ID OBO abuse ×1 Icarus Salesforce OAuth extortion ×1 Mini Shai-Hulud ×1 TeamPCP ×1
Evidence: 2026-06-25/klue-icarus-salesforce-oauth-breach-beyondtrust-and-lastpass · 2026-06-10/red-canary-microsoft-entra-agent-id-abuse-obo-oauth-flow-tur · 2026-05-13/mini-shai-hulud-s-github-actions-pwn-request-oidc-token-thef · ATT&CK page ↗
T1566Phishing×19
Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
GTIG Europe Data Leak Landscape 2025 ×3 0DIN coding-agent prompt-injection chain ×1 Booking.com-fed hotel phishing (CH) ×1 FrostyNeighbor March–May 2026 campaign ×1 IceCube ×1 Microsoft Exchange Server 2016/2019/SE — OWA stored XSS (CISA KEV 2026-05-15, actively exploited, no permanent patch — EEMS Mitigation M2 only) ×1 Nextcloud GmbH corporate Elasticsearch data exposure (2026) ×1 Operation Dragon Weave ×1 +14 more
Evidence: 2026-07-10/nextcloud-gmbh-elasticsearch-exposure-msb-nrw · 2026-07-09/unk-masstraction-roundcube-edge-exploitation · 2026-07-09/pdag-aargau-email-account-compromise-spam-relay · 2026-06-29/mozilla-0din-a-clean-github-repo-coerces-ai-coding-agents-in · 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat +14 more · ATT&CK page ↗
T1566.001Phishing: Spearphishing Attachment×8
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
Booking.com-fed hotel phishing (CH) ×1 FrostyNeighbor March–May 2026 campaign ×1 GREYVIBE ×1 GTIG Europe Data Leak Landscape 2025 ×1 Microsoft Exchange Server 2016/2019/SE — OWA stored XSS (CISA KEV 2026-05-15, actively exploited, no permanent patch — EEMS Mitigation M2 only) ×1 Operation Dragon Weave ×1 Operation XENOFISCAL ×1 Secret Blizzard ×1 +2 more
Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-06-24/whatsapp-borne-vbscript-silently-installs-a-manageengine-rmm · 2026-06-24/swiss-post-cybersecurity-publishes-its-inaugural-swiss-threa · 2026-06-03/operation-xenofiscal-sidecopy-apt36-hits-provincial-treasury · 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g +3 more · ATT&CK page ↗
T1566.002Phishing: Spearphishing Link×12
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
Booking.com-fed hotel phishing (CH) ×2 ARToken ×1 FrostyNeighbor March–May 2026 campaign ×1 GREYVIBE ×1 GTIG Europe Data Leak Landscape 2025 ×1 Job-seeker targeting wave (CH) ×1 LLMShare ×1 Microsoft 365 Copilot Enterprise Search 'SearchLeak' command-injection/info-disclosure; one-click exfil; patched server-side ×1 +2 more
Evidence: 2026-07-09/unc1151-ghostwriter-gmail-realtime-2fa-phishing · 2026-07-02/cisco-talos-artoken-exposes-a-full-bec-as-a-service-toolkit · 2026-06-16/varonis-searchleak-cve-2026-42824-one-click-m365-copilot-dat · 2026-06-16/dprk-unk-deaddrop-weaponises-vs-code-cursor-auto-run-to-hit · 2026-06-10/ncsc-ch-week-23-coordinated-surge-in-job-seeker-targeting-fa +7 more · ATT&CK page ↗
T1566.003Phishing: Spearphishing via Service×2
Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.
Booking.com-fed hotel phishing (CH) ×1 JINX-0164 ×1 Job-seeker targeting wave (CH) ×1
Evidence: 2026-06-10/ncsc-ch-week-23-coordinated-surge-in-job-seeker-targeting-fa · 2026-05-29/wiz-cirt-names-jinx-0164-linkedin-recruiter-lures-audiofix-m · ATT&CK page ↗
T1566.004Phishing: Spearphishing Voice×5
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.
ShinyHunters ×3 GTIG Europe Data Leak Landscape 2025 ×1 MuddyWater ×1 Odido (Netherlands telecom) ShinyHunters breach ×1 Silent Ransom Group physical USB intrusions ×1 UNC6671 ×1
Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · 2026-06-26/shinyhunters-used-a-single-vishing-call-into-the-company-s-i · 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · 2026-05-16/gtig-unc6671-blackfile-vishing-aitm-rogue-mfa-programmatic-s · 2026-05-08/muddywater-iran-mois-deploys-chaos-ransomware-as-false-flag · ATT&CK page ↗
T1659Content Injection×1
Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.
Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 Living Off the Pipeline ×1
Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗
Execution TA0002
T1047Windows Management Instrumentation×2
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems. WMI is an administration feature that provides a uniform environment to access Windows system components.
Akira ×2 Bumblebee → AdaptixC2 → Akira intrusion ×1 Qilin ×1 The Gentlemen ×1
Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-05-04/akira-playbook-quarterly-context-q1-2026-healthcare-concentr · ATT&CK page ↗
T1053Scheduled Task/Job×2
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Security-tool impersonation TDS campaign ×1 The Gentlemen ×1 TrapDoor ×1
Evidence: 2026-06-12/the-gentlemen-ransomware-478-claimed-leak-site-victims-self · 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗
T1053.003Scheduled Task/Job: Cron×2
Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.
Evidence: 2026-06-24/unit-42-malicious-skills-on-the-openclaw-clawhub-agent-marke · 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗
T1053.005Scheduled Task/Job: Scheduled Task×10
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.
Security-tool impersonation TDS campaign ×2 Avalon ×1 CrySome RAT ×1 FrostyNeighbor March–May 2026 campaign ×1 INC Ransom ×1 Kimsuky ×1 Operation XENOFISCAL ×1 ScarCruft ×1 +2 more
Evidence: 2026-07-08/crysome-rat-freight-phishing-amsi-uac-defender-chain · 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · 2026-06-18/scarcruft-apt37-delivers-narwhalrat-behind-fake-microsoft-ot · 2026-06-12/the-gentlemen-ransomware-478-claimed-leak-site-victims-self +5 more · ATT&CK page ↗
T1059Command and Scripting Interpreter×38
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
Booking.com-fed hotel phishing (CH) ×6 Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×2 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×2 Microsoft Semantic Kernel .NET SDK — unintended [KernelFunction] on SessionsPythonPlugin Download/UploadFileAsync → arbitrary file write → sandbox escape (CVSS 9.9) ×2 Microsoft Semantic Kernel Python SDK — prompt-injection-to-RCE via InMemoryVectorStore filter (CVSS 9.9, PoC public) ×2 TrapDoor ×2 0DIN coding-agent prompt-injection chain ×1 Agentjacking ×1 +62 more
Evidence: 2026-07-03/cve-2026-34038-coolify-authenticated-command-injection-to-rc · 2026-07-02/kemp-loadmaster-cve-2026-8037-exploitation-attempts-confirme · 2026-07-02/argo-cd-repo-server-unauthenticated-rce-no-cve-unpatched-18 · 2026-06-29/mozilla-0din-a-clean-github-repo-coerces-ai-coding-agents-in · 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat +33 more · ATT&CK page ↗
T1059.001Command and Scripting Interpreter: PowerShell×10
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Booking.com-fed hotel phishing (CH) ×1 CrySome RAT ×1 FamousSparrow Azerbaijan intrusion ×1 Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 GREYVIBE ×1 Job-seeker targeting wave (CH) ×1 Kimsuky ×1 Living Off the Pipeline ×1 +3 more
Evidence: 2026-07-08/crysome-rat-freight-phishing-amsi-uac-defender-chain · 2026-06-24/postcss-npm-typosquats-deliver-a-nuitka-compiled-python-rat · 2026-06-10/ncsc-ch-week-23-coordinated-surge-in-job-seeker-targeting-fa · 2026-06-07/sans-isc-wetransfer-delivered-javascript-stages-a-steganogra · 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g +5 more · ATT&CK page ↗
T1059.003Command and Scripting Interpreter: Windows Command Shell×3
Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.
Embargo ×1 Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 Living Off the Pipeline ×1 Pwn2Own Berlin 2026 ×1 Webworm ×1
Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · 2026-05-21/webworm-china-aligned-shifts-to-eu-government-targets-echocr · 2026-05-17/pwn2own-berlin-2026-master-of-pwn-outcomes-the-new-ai-agents · ATT&CK page ↗
T1059.004Command and Scripting Interpreter: Unix Shell×15
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
Booking.com-fed hotel phishing (CH) ×2 Calypso telco espionage campaign ×2 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×2 Megalodon ×2 TeamPCP ×2 0DIN coding-agent prompt-injection chain ×1 Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 Cisco Catalyst SD-WAN Manager pre-auth RCE (UAT-8616 prior exploitation, Feb 2026) ×1 +12 more
Evidence: 2026-06-29/mozilla-0din-a-clean-github-repo-coerces-ai-coding-agents-in · 2026-06-16/dprk-unk-deaddrop-weaponises-vs-code-cursor-auto-run-to-hit · 2026-06-10/cve-2026-10520-cve-2026-10523-ivanti-sentry-pre-auth-os-comm · 2026-06-06/ironworm-rust-built-npm-worm-ships-an-ebpf-kernel-rootkit-to · 2026-06-06/cve-2026-20245-cisco-catalyst-sd-wan-manager-actively-exploi +10 more · ATT&CK page ↗
T1059.005Command and Scripting Interpreter: Visual Basic×3
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.
SmartApeSG ClickFix campaign ×1 WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01) ×1
Evidence: 2026-06-24/whatsapp-borne-vbscript-silently-installs-a-manageengine-rmm · 2026-06-10/year-old-winrar-flaw-cve-2025-8088-still-fuels-ukraine-intru · 2026-06-01/smartapesg-clickfix-stages-an-unnamed-rat-that-pivots-to-a-w · ATT&CK page ↗
T1059.006Command and Scripting Interpreter: Python×9
Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.
Microsoft Semantic Kernel .NET SDK — unintended [KernelFunction] on SessionsPythonPlugin Download/UploadFileAsync → arbitrary file write → sandbox escape (CVSS 9.9) ×2 Microsoft Semantic Kernel Python SDK — prompt-injection-to-RCE via InMemoryVectorStore filter (CVSS 9.9, PoC public) ×2 AryStinger ×1 ChromaDB Python FastAPI server pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0; v1.5.9 unpatched at disclosure) ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 Edgecution ×1 JDownloader official site compromised ×1 LangGraph Redis checkpointer RediSearch query injection (CVSS 6.5; fixed @langchain/langgraph-checkpoint-redis 1.0.1) ×1 +9 more
Evidence: 2026-06-30/hijacked-npm-and-go-packages-weaponise-vs-code-s-folderopen · 2026-06-25/edgecution-abusing-the-chrome-edge-native-messaging-api-as-a · 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-06-16/obsidian-security-a-three-cve-chain-turns-any-litellm-user-i · 2026-06-13/check-point-chains-sql-injection-to-rce-in-langgraph-s-check +4 more · ATT&CK page ↗
T1059.007Command and Scripting Interpreter: JavaScript×16
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.
Booking.com-fed hotel phishing (CH) ×4 FrostyNeighbor March–May 2026 campaign ×3 DHTMLX Diagram export module — path traversal (CVSS 4.0 score 9.2) ×1 DHTMLX PDF Export Module — path traversal via src attribute (CVSS 4.0 score 9.2) ×1 DHTMLX PDF Export Module — unauthenticated server-side JavaScript injection RCE (CVSS 4.0 score 10.0) ×1 Embargo ×1 INC Ransom ×1 Kimsuky ×1 +17 more
Evidence: 2026-07-04/pamstealer-macos-infostealer-pam-api-password-validation · 2026-06-19/operation-endgame-expands-to-socgholish-ta569-106-c2-servers · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-06-10/shai-hulud-miasma-supply-chain-worm-jumps-to-pypi-as-hades-3 · 2026-06-07/sans-isc-wetransfer-delivered-javascript-stages-a-steganogra +11 more · ATT&CK page ↗
T1072Software Deployment Tools×3
Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.
Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×2 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×2 Booking.com-fed hotel phishing (CH) ×1 Ivanti EPMM remote authenticated → administrative-access via improper access control (CVSS 8.8, May 2026 update) ×1 Ivanti EPMM unauthenticated arbitrary method invocation (CVSS 7.0, May 2026 update) ×1 Ivanti EPMM — fourth companion CVE in May 2026 EPMM update (high-severity per BleepingComputer / SecurityWeek) ×1 Living Off the Pipeline ×1
Evidence: 2026-05-16/sentinelone-living-off-the-pipeline-ci-cd-subversion-taxonom · 2026-05-08/ivanti-epmm-cve-2026-5787-cve-2026-6973-pre-auth-certificate · 2026-05-04/cve-2026-6973-cve-2026-5787-ivanti-epmm-on-prem-pre-auth-cha · ATT&CK page ↗
T1106Native API×1
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗
T1127.001Trusted Developer Utilities Proxy Execution: MSBuild×1
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.
Evidence: 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · ATT&CK page ↗
T1197BITS Jobs×1
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
Evidence: 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · ATT&CK page ↗
T1203Exploitation for Client Execution×7
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 +14 more
Evidence: 2026-07-09/unk-masstraction-roundcube-edge-exploitation · 2026-07-09/talos-wolfssl-geovision-vtkdicom-disclosure · 2026-06-10/cve-2026-11645-google-chrome-v8-out-of-bounds-read-write-exp · 2026-06-07/cve-2026-10881-google-chrome-angle-graphics-engine-out-of-bo · 2026-06-07/an-autonomous-ai-agent-finds-21-zero-days-in-ffmpeg-for-1-00 +2 more · ATT&CK page ↗
T1204User Execution×8
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.
Living Off the Pipeline ×2 Akira ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 Edgecution ×1 Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 Megalodon ×1 Packagist Laravel-Lang supply-chain wave ×1 Security-tool impersonation TDS campaign ×1 +2 more
Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-06-25/edgecution-abusing-the-chrome-edge-native-messaging-api-as-a · 2026-06-10/check-point-a-tds-gated-ecosystem-impersonates-security-tool · 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp +3 more · ATT&CK page ↗
T1204.001User Execution: Malicious Link×4
An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.
GREYVIBE ×1 LLMShare ×1 SmartApeSG ClickFix campaign ×1
Evidence: 2026-06-24/macos-clickfix-evolves-hdiutil-attach-nobrowse-mounts-the-ma · 2026-06-01/smartapesg-clickfix-stages-an-unnamed-rat-that-pivots-to-a-w · 2026-05-30/llmshare-malvertising-campaign-attackers-embed-fake-outage-p · 2026-05-30/greyvibe-newly-documented-russia-nexus-cluster-deploys-five · ATT&CK page ↗
T1204.002User Execution: Malicious File×7
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.
Akira ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 Edgecution ×1 Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 Living Off the Pipeline ×1 Megalodon ×1 Operation Endgame — Amadey/StealC takedown ×1 Operation Endgame — SocGholish expansion ×1 +3 more
Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-06-25/edgecution-abusing-the-chrome-edge-native-messaging-api-as-a · 2026-06-19/operation-endgame-expands-to-socgholish-ta569-106-c2-servers · 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp +2 more · ATT&CK page ↗
T1204.003User Execution: Malicious Image×1
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via Upload Malware, and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.
Evidence: 2026-06-24/unit-42-malicious-skills-on-the-openclaw-clawhub-agent-marke · ATT&CK page ↗
T1559Inter-Process Communication×1
Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern.
Evidence: 2026-06-25/edgecution-abusing-the-chrome-edge-native-messaging-api-as-a · ATT&CK page ↗
T1574Hijack Execution Flow×5
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
Akira ×1 Apex2 ×1 Beagle ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 Cybercrime-underground AI adoption ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 Operation Dragon Weave ×1 +3 more
Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch · 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · 2026-05-22/cve-2026-34926-trend-micro-apex-one-on-premise-post-auth-dir · 2026-05-10/sophos-beagle-backdoor-distributed-via-fake-claude-ai-site-u · ATT&CK page ↗
T1574.001Hijack Execution Flow: DLL×15
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.
Akira ×2 Calypso telco espionage campaign ×2 Stock-exchange mailbox espionage ×2 Beagle ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 Cavern ×1 Cavern Manticore ×1 Cybercrime-underground AI adoption ×1 +13 more
Evidence: 2026-07-09/cavern-manticore-iran-mois-modular-net-c2-anti-analysis · 2026-07-08/unit42-factory-v3-loader-vidar-xmrig-sandbox-evasion · 2026-07-01/kaspersky-great-toddycat-s-umbrij-automates-gmail-workspace · 2026-06-30/mustang-panda-abuses-zoho-workdrive-as-a-dead-drop-c2-channe · 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware +10 more · ATT&CK page ↗
T1574.008Hijack Execution Flow: Path Interception by Search Order Hijacking×1
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
Screening Serpens ×1 Security-tool impersonation TDS campaign ×1
Evidence: 2026-05-27/nimbus-manticore-unc1549-screening-serpens-check-point-detai · ATT&CK page ↗
T1574.014Hijack Execution Flow: AppDomainManager×2
Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.
Evidence: 2026-06-28/unit-42-chinese-speaking-cluster-cl-sta-1062-deploys-the-new · 2026-05-23/unit-42-iran-s-screening-serpens-unc1549-smoke-sandstorm-nim · ATT&CK page ↗
T1610Deploy Container×2
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to Escape to Host and access other containers running on the node.
Gogs argument-injection RCE ×1 Gogs argument-injection RCE (CVE-2026-52806); now actively exploited in K8s cryptojacking campaign (Wiz) ×1 Linux kernel cgroup v1 release_agent container escape (missing CAP_SYS_ADMIN check); CISA KEV 2026-06-02 ×1
Evidence: 2026-06-29/gogs-cve-2026-52806-moves-from-no-observed-exploitation-to-a · 2026-06-03/linux-cgroups-v1-release-agent-container-escape-cve-2022-049 · ATT&CK page ↗
T1651Cloud Administration Command×1
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents.
Evidence: 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · ATT&CK page ↗
Persistence TA0003
T1053Scheduled Task/Job×2
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Security-tool impersonation TDS campaign ×1 The Gentlemen ×1 TrapDoor ×1
Evidence: 2026-06-12/the-gentlemen-ransomware-478-claimed-leak-site-victims-self · 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗
T1053.003Scheduled Task/Job: Cron×2
Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.
Evidence: 2026-06-24/unit-42-malicious-skills-on-the-openclaw-clawhub-agent-marke · 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗
T1053.005Scheduled Task/Job: Scheduled Task×10
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.
Security-tool impersonation TDS campaign ×2 Avalon ×1 CrySome RAT ×1 FrostyNeighbor March–May 2026 campaign ×1 INC Ransom ×1 Kimsuky ×1 Operation XENOFISCAL ×1 ScarCruft ×1 +2 more
Evidence: 2026-07-08/crysome-rat-freight-phishing-amsi-uac-defender-chain · 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · 2026-06-18/scarcruft-apt37-delivers-narwhalrat-behind-fake-microsoft-ot · 2026-06-12/the-gentlemen-ransomware-478-claimed-leak-site-victims-self +5 more · ATT&CK page ↗
T1078Valid Accounts×45
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Booking.com-fed hotel phishing (CH) ×9 Akira ×3 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×3 FortiBleed ×2 Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×2 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×2 Qilin ×2 ShinyHunters ×2 +52 more
Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · 2026-07-05/kairos-data-theft-extortion-case-us-county-govt-1m-payout · 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce +40 more · ATT&CK page ↗
T1078.001Valid Accounts: Default Accounts×4
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.
Booking.com-fed hotel phishing (CH) ×2 Akira ×1 Akira kill-chain reconstruction (SANS ISC) ×1 Gitea Docker reverse-proxy trust-all auth bypass (X-WEBAUTH-USER impersonation) ×1 SEPPmail appliance management — information disclosure (CVSS 6.9) ×1 SEPPmail appliance management — LFI and arbitrary file deletion (CVSS 8.8) ×1 SEPPmail GINAv2 — insecure deserialisation via session cookie → RCE (CVSS 9.2) ×1 SEPPmail GINAv2 — missing authentication in admin REST API (CVSS 9.3) ×1 +2 more
Evidence: 2026-06-23/cve-2026-20896-gitea-docker-trust-all-reverse-proxy-default · 2026-05-28/sans-isc-akira-ransomware-kill-chain-reconstructed-entirely · 2026-05-09/seppmail-secure-email-gateway-cvss-9-3-unauthenticated-rce-c · 2026-05-04/cve-2026-44128-et-al-seppmail-secure-email-gateway-six-cve-c · ATT&CK page ↗
T1078.002Valid Accounts: Domain Accounts×1
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.
Akira ×1 SonicWall SonicOS improper access control (mgmt + SSLVPN, Gen 5/6/7) — Akira/Fog ransomware on-ramp ×1
Evidence: 2026-06-23/sonicwall-cve-2024-40766-why-patched-firewalls-keep-falling · ATT&CK page ↗
T1078.004Valid Accounts: Cloud Accounts×26
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.
ShinyHunters ×4 Mini Shai-Hulud ×3 TeamPCP ×3 Booking.com-fed hotel phishing (CH) ×2 Entra Agent ID OBO abuse ×2 'Ghost in the Database' ADFS key recovery ×1 888 ×1 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×1 +27 more
Evidence: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns · 2026-07-09/mandiant-adfs-machine-dpapi-golden-saml-key-recovery · 2026-07-08/accenture-confirms-data-theft-888-azure-devops-claim · 2026-06-29/gogs-cve-2026-52806-moves-from-no-observed-exploitation-to-a · 2026-06-28/keycloak-jwt-algorithm-confusion-cve-2026-11800-forging-fede +21 more · ATT&CK page ↗
T1098Account Manipulation×5
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
Booking.com-fed hotel phishing (CH) ×1 Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 CitrixBleed 2 (NetScaler ADC/Gateway pre-auth memory over-read) — weaponised in the STAC3725 IAB-to-DragonForce kill chain (Huntress) ×1 DragonForce ×1 Entra Agent ID OBO abuse ×1 STAC3725 CitrixBleed 2-to-DragonForce IAB chain ×1 Storm-2949 ×1 Storm-2949 SSPR-to-Key-Vault kill chain ×1 +1 more
Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-06-25/ncsc-ch-active-microsoft-365-voicemail-phishing-wave-in-swit · 2026-05-30/red-canary-detecting-entra-agent-id-privilege-escalation-cre · 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain · 2026-05-15/cisco-catalyst-sd-wan-cve-2026-20182-authentication-bypass-a · ATT&CK page ↗
T1098.001Account Manipulation: Additional Cloud Credentials×1
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
Evidence: 2026-07-02/cisco-talos-artoken-exposes-a-full-bec-as-a-service-toolkit · ATT&CK page ↗
T1098.004Account Manipulation: SSH Authorized Keys×1
Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code><user-home>/.ssh/authorized_keys</code> (or, on ESXi, `/etc/ssh/keys-<username>/authorized_keys`). Users may edit the system’s SSH config file to modify the directives `PubkeyAuthentication` and `RSAAuthentication` to the value `yes` to ensure public key and RSA authentication are enabled, as well as modify the directive `PermitRootLogin` to the value `yes` to enable root authentication via SSH. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.
Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 UAT-8616 ×1
Evidence: 2026-05-15/cisco-catalyst-sd-wan-cve-2026-20182-authentication-bypass-a · ATT&CK page ↗
T1098.005Account Manipulation: Device Registration×4
Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.
Akira ×1 JINX-0164 ×1 Keycloak admin evaluate-scopes endpoint cross-role PII leakage bypassing user-view permissions (Keycloak 26.6.2) ×1 Keycloak Authorization Services Protection API cross-realm IDOR allowing realm-A authenticated attacker to access realm-B resources (Keycloak 26.6.2) ×1 Keycloak execute-actions token replay enabling unauthorised WebAuthn / FIDO2 credential enrollment on victim account (Keycloak 26.6.2) ×1 Keycloak OIDC login flow session fixation enabling account takeover (Keycloak 26.6.2; BSI WID-SEC-2026-1612 HIGH) ×1 Keycloak OIDC token introspection endpoint does not enforce audience restriction; lightweight access tokens leak claims cross-client (Keycloak 26.6.2) ×1 Keycloak WebAuthn packed self-attestation acceptable-AAGUID policy bypass enabling enrolment of hardware tokens outside policy (Keycloak 26.6.2) ×1 +2 more
Evidence: 2026-05-29/wiz-cirt-names-jinx-0164-linkedin-recruiter-lures-audiofix-m · 2026-05-23/unit-42-roadtools-operationalised-by-midnight-blizzard-curio · 2026-05-21/keycloak-26-6-2-16-cves-including-oidc-session-fixation-cve · 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain · ATT&CK page ↗
T1112Modify Registry×2
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
CitrixBleed 2 (NetScaler ADC/Gateway pre-auth memory over-read) — weaponised in the STAC3725 IAB-to-DragonForce kill chain (Huntress) ×1 DragonForce ×1 STAC3725 CitrixBleed 2-to-DragonForce IAB chain ×1
Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-06-24/whatsapp-borne-vbscript-silently-installs-a-manageengine-rmm · ATT&CK page ↗
T1133External Remote Services×12
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.
Akira ×5 Groupe 3R ransomware breach ×2 Akira kill-chain reconstruction (SANS ISC) ×1 AryStinger ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 Dragos Q1 2026 Industrial Ransomware Analysis ×1 GREYVIBE ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 +7 more
Evidence: 2026-07-03/cve-2026-13368-watchguard-fireware-iked-pre-auth-rce · 2026-06-23/sonicwall-cve-2024-40766-why-patched-firewalls-keep-falling · 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-06-21/prinz-eugen-a-go-based-encryptor-that-targets-recent-files-f · 2026-06-10/dragos-q1-2026-industrial-ransomware-analysis-1-020-industri +7 more · ATT&CK page ↗
T1136Create Account×5
Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Akira ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 Everest Forms Pro (WordPress) Calculation Addon unauthenticated eval() PHP code injection (CVSS 9.8); mass exploitation since 2026-04-13 creating rogue admin accounts; patched v1.9.13 (2026-03-18) ×1 GTIG Europe Data Leak Landscape 2025 ×1 Prinz Eugen ×1 +1 more
Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-06-26/cisco-catalyst-sd-wan-manager-cve-2026-20245 · 2026-06-21/prinz-eugen-a-go-based-encryptor-that-targets-recent-files-f · 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch · 2026-06-08/cve-2026-3300-unauthenticated-eval-injection-in-a-commercial · ATT&CK page ↗
T1136.001Create Account: Local Account×6
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
DragonForce ×2 Burst Statistics WordPress 3.4.0-3.4.1.1 unauthenticated REST auth-bypass (is_mainwp_authenticated) → admin impersonation/rogue admin; actively exploited; fix v3.4.2 ×1 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×1 CitrixBleed 2 (NetScaler ADC/Gateway pre-auth memory over-read) — weaponised in the STAC3725 IAB-to-DragonForce kill chain (Huntress) ×1 DragonForce Backdoor.Turn intrusion ×1 GTIG Europe Data Leak Landscape 2025 ×1 Kirki WordPress Freeform Page Builder 6.0.0-6.0.6 unauthenticated password-reset hijack → admin account takeover; actively exploited; fix v6.0.7 ×1 Prinz Eugen ×1 +2 more
Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-06-26/cisco-catalyst-sd-wan-manager-cve-2026-20245 · 2026-06-21/prinz-eugen-a-go-based-encryptor-that-targets-recent-files-f · 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch · 2026-06-16/wordpress-supply-chain-compromise-via-awesome-motive-s-cdn-b +1 more · ATT&CK page ↗
T1136.002Create Account: Domain Account×1
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account.
Akira ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1
Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · ATT&CK page ↗
T1176Software Extensions×1
Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces, app stores, or manually loaded by users, and they often inherit the permissions and access levels of the host application.
Evidence: 2026-06-28/island-badblocker-an-11m-user-chrome-ad-blocker-is-one-serve · ATT&CK page ↗
T1197BITS Jobs×1
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
Evidence: 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · ATT&CK page ↗
T1505Server Software Component×5
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.
UAT-8616 ×2 Booking.com-fed hotel phishing (CH) ×1 Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 Cisco Catalyst SD-WAN Manager web UI authenticated path traversal — arbitrary file write to root RCE; CISA KEV 2026-06-15 ×1 Digital Knowledge KnowledgeDeliver LMS — pre-shared ASP.NET machineKey ViewState deserialization RCE; exploited as zero-day pre-2026-02-24 ×1 GTIG Europe Data Leak Landscape 2025 ×1 PHP SOAP companion to CVE-2026-6722; patched 2026-05-08 ×1 PHP SOAP companion to CVE-2026-6722; patched 2026-05-08 ×1 +3 more
Evidence: 2026-06-20/ptc-windchill-cve-2026-12569-unauthenticated-java-deserializ · 2026-06-16/cisco-catalyst-sd-wan-manager-cve-2026-20262-authenticated-a · 2026-05-26/cve-2026-5426-digital-knowledge-knowledgedeliver-lms-pre-sha · 2026-05-15/cisco-catalyst-sd-wan-cve-2026-20182-authentication-bypass-a · 2026-05-11/cve-2026-6722-php-soap-use-after-free-in-soap-global-ref-map · ATT&CK page ↗
T1505.003Server Software Component: Web Shell×21
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.
Booking.com-fed hotel phishing (CH) ×2 PTC Windchill / FlexPLM — unauthenticated Java deserialization RCE (CVSS 10.0), actively exploited ×2 UAT-8616 ×2 Unsafe ×2 Balbooa Forms for Joomla (com_baforms) unauthenticated file-upload RCE (CWE-434, CVSS 4.0 10.0) — zero-day exploited pre-patch; 3rd Joomla-extension file-upload RCE in the 2026-06/07 wave ×1 Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 Cisco Catalyst SD-WAN Manager web UI authenticated path traversal — arbitrary file write to root RCE; CISA KEV 2026-06-15 ×1 Control Web Panel pre-auth blind SQLi to web-shell RCE via INTO DUMPFILE (CVSS 9.8) ×1 +26 more
Evidence: 2026-07-09/unk-masstraction-roundcube-edge-exploitation · 2026-07-09/cve-2026-56291-balbooa-forms-joomla-unauth-file-upload-rce · 2026-07-03/cve-2026-57517-control-web-panel-pre-auth-sqli-to-rce · 2026-07-02/cve-2026-45659-microsoft-sharepoint-server-authenticated-des · 2026-06-28/unit-42-chinese-speaking-cluster-cl-sta-1062-deploys-the-new +16 more · ATT&CK page ↗
T1542Pre-OS Boot×1
Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.
Booking.com-fed hotel phishing (CH) ×1 GreatXML ×1 Nightmare Eclipse ×1 Nightmare Eclipse Windows zero-day series ×1 RoguePlanet ×1
Evidence: 2026-06-12/greatxml-unpatched-bitlocker-bypass-via-crafted-xml-on-the-r · ATT&CK page ↗
T1542.001Pre-OS Boot: System Firmware×2
Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.
Booking.com-fed hotel phishing (CH) ×2 Nightmare Eclipse ×2 Nightmare Eclipse Windows zero-day series ×2 GreatXML ×1 RoguePlanet ×1
Evidence: 2026-06-12/greatxml-unpatched-bitlocker-bypass-via-crafted-xml-on-the-r · 2026-05-15/windows-bitlocker-yellowkey-and-ctfmon-greenplasma-zero-days · ATT&CK page ↗
T1542.003Pre-OS Boot: Bootkit×1
Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious code to execute before a computer's operating system has loaded. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Evidence: 2026-06-20/usbliter8-a-permanent-securerom-boot-chain-exploit-for-apple · ATT&CK page ↗
T1543Create or Modify System Process×3
Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.
RemotePE ×1 ssh-keysign-pwn — 9-year ptrace race in Linux kernel __ptrace_may_access() reaches root + SSH host-key exfiltration; four public Qualys exploits on default major distros ×1
Evidence: 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · 2026-05-23/cve-2026-46333-ssh-keysign-pwn-a-9-year-ptrace-race-in-the-l · ATT&CK page ↗
T1543.001Create or Modify System Process: Launch Agent×3
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>. Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.
JINX-0164 ×1 Living Off the Pipeline ×1 macOS.Gaslight ×1
Evidence: 2026-06-26/macos-gaslight-a-dprk-aligned-rust-backdoor-that-targets-the · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-29/wiz-cirt-names-jinx-0164-linkedin-recruiter-lures-audiofix-m · ATT&CK page ↗
T1543.002Create or Modify System Process: Systemd Service×3
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Apex2 ×1 c2c / meow ×1 ssh-keysign-pwn — 9-year ptrace race in Linux kernel __ptrace_may_access() reaches root + SSH host-key exfiltration; four public Qualys exploits on default major distros ×1
Evidence: 2026-07-09/nozomi-apex2-c2c-meow-golang-iot-linux-ddos-botnets · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-23/cve-2026-46333-ssh-keysign-pwn-a-9-year-ptrace-race-in-the-l · ATT&CK page ↗
T1543.003Create or Modify System Process: Windows Service×2
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Evidence: 2026-06-19/eset-the-gentlemen-raas-gang-centrally-builds-and-maintains · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗
T1546Event Triggered Execution×1
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.
Evidence: 2026-05-23/megalodon-mass-poisons-5-561-github-repos-in-a-6-hour-window · ATT&CK page ↗
T1547Boot or Logon Autostart Execution×4
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
GTIG Europe Data Leak Landscape 2025 ×1 Living Off the Pipeline ×1 PamStealer ×1 Secret Blizzard ×1 WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01) ×1
Evidence: 2026-07-04/pamstealer-macos-infostealer-pam-api-password-validation · 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-16/sentinelone-living-off-the-pipeline-ci-cd-subversion-taxonom · ATT&CK page ↗
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder×6
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01) ×2 FrostyNeighbor March–May 2026 campaign ×1 GTIG Europe Data Leak Landscape 2025 ×1 Operation XENOFISCAL ×1 Secret Blizzard ×1
Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-06-24/postcss-npm-typosquats-deliver-a-nuitka-compiled-python-rat · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-06-10/year-old-winrar-flaw-cve-2025-8088-still-fuels-ukraine-intru · 2026-06-03/operation-xenofiscal-sidecopy-apt36-hits-provincial-treasury +1 more · ATT&CK page ↗
T1547.013Boot or Logon Autostart Execution: XDG Autostart Entries×1
Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.
Evidence: 2026-06-10/shai-hulud-miasma-supply-chain-worm-jumps-to-pypi-as-hades-3 · ATT&CK page ↗
T1554Compromise Host Software Binary×1
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
Velvet Ant Operation Highland ×1
Evidence: 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · ATT&CK page ↗
T1556Modify Authentication Process×6
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.
Akira ×1 Cisco ISE / ISE-PIC — authenticated path-traversal OS command execution to root (CVSS 9.1) ×1 Cisco ISE / ISE-PIC — unauthenticated read of sensitive data incl. hashed admin credentials (CVSS 7.5) ×1 GTIG Europe Data Leak Landscape 2025 ×1 Keycloak admin evaluate-scopes endpoint cross-role PII leakage bypassing user-view permissions (Keycloak 26.6.2) ×1 Keycloak Authorization Services Protection API cross-realm IDOR allowing realm-A authenticated attacker to access realm-B resources (Keycloak 26.6.2) ×1 Keycloak execute-actions token replay enabling unauthorised WebAuthn / FIDO2 credential enrollment on victim account (Keycloak 26.6.2) ×1 Keycloak OIDC login flow session fixation enabling account takeover (Keycloak 26.6.2; BSI WID-SEC-2026-1612 HIGH) ×1 +7 more
Evidence: 2026-06-19/cisco-ise-cve-2026-20181-cve-2026-20190-an-unauthenticated-c · 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · 2026-06-10/meta-discloses-20-225-instagram-account-takeovers-via-an-ai · 2026-05-21/keycloak-26-6-2-16-cves-including-oidc-session-fixation-cve · 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain +1 more · ATT&CK page ↗
T1556.003Modify Authentication Process: Pluggable Authentication Modules×1
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.
Velvet Ant Operation Highland ×1
Evidence: 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · ATT&CK page ↗
T1556.006Modify Authentication Process: Multi-Factor Authentication×6
Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
Keycloak CORS ACAO reflected from unverified JWT azp claim on UMA endpoint (fixed 26.6.3) ×1 Keycloak JWT algorithm confusion -> federated-user impersonation (CVSS 8.1) ×1 Keycloak missing server-side WebAuthn credential-registration validation (fixed 26.6.3) ×1 Keycloak policy-enforcer authorization bypass via access-denied-page path (CVSS 8.1) ×1 Keycloak refresh-token replay window after server restart resets startupTime (fixed 26.6.3) ×1 Keycloak ROPC grant bypass of client-policy enforcement (fixed 26.6.3) ×1 Keycloak SSRF via OIDC token endpoint manipulation (fixed 26.6.3) ×1 Keycloak token-exchange privilege escalation via silent subject_token removal (fixed 26.6.3) ×1 +5 more
Evidence: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns · 2026-06-28/keycloak-jwt-algorithm-confusion-cve-2026-11800-forging-fede · 2026-06-26/shinyhunters-used-a-single-vishing-call-into-the-company-s-i · 2026-06-07/keycloak-26-6-3-privilege-escalation-via-oauth-token-exchang · 2026-05-23/unit-42-roadtools-operationalised-by-midnight-blizzard-curio +1 more · ATT&CK page ↗
Privilege Escalation TA0004
T1053Scheduled Task/Job×2
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Security-tool impersonation TDS campaign ×1 The Gentlemen ×1 TrapDoor ×1
Evidence: 2026-06-12/the-gentlemen-ransomware-478-claimed-leak-site-victims-self · 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗
T1053.003Scheduled Task/Job: Cron×2
Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.
Evidence: 2026-06-24/unit-42-malicious-skills-on-the-openclaw-clawhub-agent-marke · 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗
T1053.005Scheduled Task/Job: Scheduled Task×10
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.
Security-tool impersonation TDS campaign ×2 Avalon ×1 CrySome RAT ×1 FrostyNeighbor March–May 2026 campaign ×1 INC Ransom ×1 Kimsuky ×1 Operation XENOFISCAL ×1 ScarCruft ×1 +2 more
Evidence: 2026-07-08/crysome-rat-freight-phishing-amsi-uac-defender-chain · 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · 2026-06-18/scarcruft-apt37-delivers-narwhalrat-behind-fake-microsoft-ot · 2026-06-12/the-gentlemen-ransomware-478-claimed-leak-site-victims-self +5 more · ATT&CK page ↗
T1055Process Injection×5
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
CL-STA-1132 ×2 DAEMON Tools supply-chain compromise ×1 OceanLotus ×1 Palo Alto PAN-OS Captive Portal unauthenticated root RCE (CVSS 9.3, ITW, KEV deadline 2026-05-09) ×1 RemotePE ×1
Evidence: 2026-06-12/eset-oceanlotus-apt32-compromises-a-stock-trading-platform-s · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · 2026-05-09/daemon-tools-lite-supply-chain-quic-rat-deployed-via-signed · 2026-05-04/cve-2026-0300-palo-alto-pan-os-captive-portal-unauthenticate · 2026-05-04/cl-sta-1132-pan-os-cve-2026-0300-exploitation-cluster-disclo · ATT&CK page ↗
T1055.002Process Injection: Portable Executable Injection×1
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗
T1055.012Process Injection: Process Hollowing×2
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.
DesckVB RAT malspam ×1 Trojanised ScreenConnect AsyncRAT campaign ×1
Evidence: 2026-07-02/kaspersky-mdr-seo-poisoned-fake-installer-sites-trojanize-sc · 2026-06-04/desckvb-rat-malspam-launders-through-google-doubleclick-and · ATT&CK page ↗
T1068Exploitation for Privilege Escalation×26
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Booking.com-fed hotel phishing (CH) ×5 Nightmare Eclipse ×4 Nightmare Eclipse Windows zero-day series ×4 DragonForce ×2 Embargo ×2 RoguePlanet ×2 UAT-8616 ×2 AMD-SB-7052 ×1 +37 more
Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-07-09/ncsc-ch-rogueplanet-cve-2026-50656-defender-lpe-fixed · 2026-07-09/cve-2026-48614-plesk-xml-api-code-injection-root-lpe · 2026-07-08/ghostlock-cve-2026-43499-linux-kernel-rtmutex-uaf-lpe · 2026-06-28/cve-2026-58053-gitea-act-runner-docker-backend-container-har +21 more · ATT&CK page ↗
T1078Valid Accounts×45
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Booking.com-fed hotel phishing (CH) ×9 Akira ×3 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×3 FortiBleed ×2 Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×2 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×2 Qilin ×2 ShinyHunters ×2 +52 more
Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · 2026-07-05/kairos-data-theft-extortion-case-us-county-govt-1m-payout · 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce +40 more · ATT&CK page ↗
T1078.001Valid Accounts: Default Accounts×4
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.
Booking.com-fed hotel phishing (CH) ×2 Akira ×1 Akira kill-chain reconstruction (SANS ISC) ×1 Gitea Docker reverse-proxy trust-all auth bypass (X-WEBAUTH-USER impersonation) ×1 SEPPmail appliance management — information disclosure (CVSS 6.9) ×1 SEPPmail appliance management — LFI and arbitrary file deletion (CVSS 8.8) ×1 SEPPmail GINAv2 — insecure deserialisation via session cookie → RCE (CVSS 9.2) ×1 SEPPmail GINAv2 — missing authentication in admin REST API (CVSS 9.3) ×1 +2 more
Evidence: 2026-06-23/cve-2026-20896-gitea-docker-trust-all-reverse-proxy-default · 2026-05-28/sans-isc-akira-ransomware-kill-chain-reconstructed-entirely · 2026-05-09/seppmail-secure-email-gateway-cvss-9-3-unauthenticated-rce-c · 2026-05-04/cve-2026-44128-et-al-seppmail-secure-email-gateway-six-cve-c · ATT&CK page ↗
T1078.002Valid Accounts: Domain Accounts×1
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.
Akira ×1 SonicWall SonicOS improper access control (mgmt + SSLVPN, Gen 5/6/7) — Akira/Fog ransomware on-ramp ×1
Evidence: 2026-06-23/sonicwall-cve-2024-40766-why-patched-firewalls-keep-falling · ATT&CK page ↗
T1078.004Valid Accounts: Cloud Accounts×26
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.
ShinyHunters ×4 Mini Shai-Hulud ×3 TeamPCP ×3 Booking.com-fed hotel phishing (CH) ×2 Entra Agent ID OBO abuse ×2 'Ghost in the Database' ADFS key recovery ×1 888 ×1 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×1 +27 more
Evidence: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns · 2026-07-09/mandiant-adfs-machine-dpapi-golden-saml-key-recovery · 2026-07-08/accenture-confirms-data-theft-888-azure-devops-claim · 2026-06-29/gogs-cve-2026-52806-moves-from-no-observed-exploitation-to-a · 2026-06-28/keycloak-jwt-algorithm-confusion-cve-2026-11800-forging-fede +21 more · ATT&CK page ↗
T1098Account Manipulation×5
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
Booking.com-fed hotel phishing (CH) ×1 Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 CitrixBleed 2 (NetScaler ADC/Gateway pre-auth memory over-read) — weaponised in the STAC3725 IAB-to-DragonForce kill chain (Huntress) ×1 DragonForce ×1 Entra Agent ID OBO abuse ×1 STAC3725 CitrixBleed 2-to-DragonForce IAB chain ×1 Storm-2949 ×1 Storm-2949 SSPR-to-Key-Vault kill chain ×1 +1 more
Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-06-25/ncsc-ch-active-microsoft-365-voicemail-phishing-wave-in-swit · 2026-05-30/red-canary-detecting-entra-agent-id-privilege-escalation-cre · 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain · 2026-05-15/cisco-catalyst-sd-wan-cve-2026-20182-authentication-bypass-a · ATT&CK page ↗
T1098.001Account Manipulation: Additional Cloud Credentials×1
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
Evidence: 2026-07-02/cisco-talos-artoken-exposes-a-full-bec-as-a-service-toolkit · ATT&CK page ↗
T1098.004Account Manipulation: SSH Authorized Keys×1
Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code><user-home>/.ssh/authorized_keys</code> (or, on ESXi, `/etc/ssh/keys-<username>/authorized_keys`). Users may edit the system’s SSH config file to modify the directives `PubkeyAuthentication` and `RSAAuthentication` to the value `yes` to ensure public key and RSA authentication are enabled, as well as modify the directive `PermitRootLogin` to the value `yes` to enable root authentication via SSH. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.
Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 UAT-8616 ×1
Evidence: 2026-05-15/cisco-catalyst-sd-wan-cve-2026-20182-authentication-bypass-a · ATT&CK page ↗
T1098.005Account Manipulation: Device Registration×4
Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.
Akira ×1 JINX-0164 ×1 Keycloak admin evaluate-scopes endpoint cross-role PII leakage bypassing user-view permissions (Keycloak 26.6.2) ×1 Keycloak Authorization Services Protection API cross-realm IDOR allowing realm-A authenticated attacker to access realm-B resources (Keycloak 26.6.2) ×1 Keycloak execute-actions token replay enabling unauthorised WebAuthn / FIDO2 credential enrollment on victim account (Keycloak 26.6.2) ×1 Keycloak OIDC login flow session fixation enabling account takeover (Keycloak 26.6.2; BSI WID-SEC-2026-1612 HIGH) ×1 Keycloak OIDC token introspection endpoint does not enforce audience restriction; lightweight access tokens leak claims cross-client (Keycloak 26.6.2) ×1 Keycloak WebAuthn packed self-attestation acceptable-AAGUID policy bypass enabling enrolment of hardware tokens outside policy (Keycloak 26.6.2) ×1 +2 more
Evidence: 2026-05-29/wiz-cirt-names-jinx-0164-linkedin-recruiter-lures-audiofix-m · 2026-05-23/unit-42-roadtools-operationalised-by-midnight-blizzard-curio · 2026-05-21/keycloak-26-6-2-16-cves-including-oidc-session-fixation-cve · 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain · ATT&CK page ↗
T1134Access Token Manipulation×1
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Booking.com-fed hotel phishing (CH) ×1 Nightmare Eclipse ×1 Nightmare Eclipse Windows zero-day series ×1
Evidence: 2026-05-15/windows-bitlocker-yellowkey-and-ctfmon-greenplasma-zero-days · ATT&CK page ↗
T1134.003Access Token Manipulation: Make and Impersonate Token×1
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.
Evidence: 2026-07-01/kaspersky-great-toddycat-s-umbrij-automates-gmail-workspace · ATT&CK page ↗
T1134.004Access Token Manipulation: Parent PID Spoofing×1
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.
Evidence: 2026-06-27/kaspersky-great-strikeshark-loader-deploys-cobalt-strike-via · ATT&CK page ↗
T1543Create or Modify System Process×3
Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.
RemotePE ×1 ssh-keysign-pwn — 9-year ptrace race in Linux kernel __ptrace_may_access() reaches root + SSH host-key exfiltration; four public Qualys exploits on default major distros ×1
Evidence: 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · 2026-05-23/cve-2026-46333-ssh-keysign-pwn-a-9-year-ptrace-race-in-the-l · ATT&CK page ↗
T1543.001Create or Modify System Process: Launch Agent×3
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>. Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.
JINX-0164 ×1 Living Off the Pipeline ×1 macOS.Gaslight ×1
Evidence: 2026-06-26/macos-gaslight-a-dprk-aligned-rust-backdoor-that-targets-the · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-29/wiz-cirt-names-jinx-0164-linkedin-recruiter-lures-audiofix-m · ATT&CK page ↗
T1543.002Create or Modify System Process: Systemd Service×3
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Apex2 ×1 c2c / meow ×1 ssh-keysign-pwn — 9-year ptrace race in Linux kernel __ptrace_may_access() reaches root + SSH host-key exfiltration; four public Qualys exploits on default major distros ×1
Evidence: 2026-07-09/nozomi-apex2-c2c-meow-golang-iot-linux-ddos-botnets · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-23/cve-2026-46333-ssh-keysign-pwn-a-9-year-ptrace-race-in-the-l · ATT&CK page ↗
T1543.003Create or Modify System Process: Windows Service×2
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Evidence: 2026-06-19/eset-the-gentlemen-raas-gang-centrally-builds-and-maintains · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗
T1546Event Triggered Execution×1
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.
Evidence: 2026-05-23/megalodon-mass-poisons-5-561-github-repos-in-a-6-hour-window · ATT&CK page ↗
T1547Boot or Logon Autostart Execution×4
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
GTIG Europe Data Leak Landscape 2025 ×1 Living Off the Pipeline ×1 PamStealer ×1 Secret Blizzard ×1 WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01) ×1
Evidence: 2026-07-04/pamstealer-macos-infostealer-pam-api-password-validation · 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-16/sentinelone-living-off-the-pipeline-ci-cd-subversion-taxonom · ATT&CK page ↗
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder×6
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01) ×2 FrostyNeighbor March–May 2026 campaign ×1 GTIG Europe Data Leak Landscape 2025 ×1 Operation XENOFISCAL ×1 Secret Blizzard ×1
Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-06-24/postcss-npm-typosquats-deliver-a-nuitka-compiled-python-rat · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-06-10/year-old-winrar-flaw-cve-2025-8088-still-fuels-ukraine-intru · 2026-06-03/operation-xenofiscal-sidecopy-apt36-hits-provincial-treasury +1 more · ATT&CK page ↗
T1547.013Boot or Logon Autostart Execution: XDG Autostart Entries×1
Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.
Evidence: 2026-06-10/shai-hulud-miasma-supply-chain-worm-jumps-to-pypi-as-hades-3 · ATT&CK page ↗
T1548Abuse Elevation Control Mechanism×3
Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Booking.com-fed hotel phishing (CH) ×1 Copy Fail — Linux kernel algif_aead local privilege escalation (ITW, KEV) ×1 Dirty Frag — Linux kernel RxRPC page-cache write primitive, LPE chain (ITW, patch pending) ×1 Dirty Frag — Linux kernel xfrm-ESP page-cache write primitive, LPE (ITW, PoC public) ×1 Embargo ×1 LiteLLM authorization bypass via unvalidated allowed_routes in key-generation; CVSS 8.8; fixed v1.83.14 ×1 LiteLLM Custom Code Guardrails sandbox escape to RCE via exec()/bytecode; CVSS 8.8; fixed v1.83.14 ×1 LiteLLM privilege escalation — self-promote to proxy_admin via /user/update; CVSS 8.8; fixed v1.83.14 ×1
Evidence: 2026-06-24/whatsapp-borne-vbscript-silently-installs-a-manageengine-rmm · 2026-06-16/obsidian-security-a-three-cve-chain-turns-any-litellm-user-i · 2026-05-04/cve-2026-31431-copy-fail-cve-2026-43284-cve-2026-43500-dirty · ATT&CK page ↗
T1548.001Abuse Elevation Control Mechanism: Setuid and Setgid×1
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively. Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
Booking.com-fed hotel phishing (CH) ×1 Copy Fail — Linux kernel algif_aead local privilege escalation (ITW, KEV) ×1 Dirty Frag — Linux kernel RxRPC page-cache write primitive, LPE chain (ITW, patch pending) ×1 Dirty Frag — Linux kernel xfrm-ESP page-cache write primitive, LPE (ITW, PoC public) ×1 Embargo ×1
Evidence: 2026-05-04/cve-2026-31431-copy-fail-cve-2026-43284-cve-2026-43500-dirty · ATT&CK page ↗
T1548.002Abuse Elevation Control Mechanism: Bypass User Account Control×1
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Evidence: 2026-07-08/crysome-rat-freight-phishing-amsi-uac-defender-chain · ATT&CK page ↗
T1548.003Abuse Elevation Control Mechanism: Sudo and Sudo Caching×1
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
Evidence: 2026-07-09/nozomi-apex2-c2c-meow-golang-iot-linux-ddos-botnets · ATT&CK page ↗
T1611Escape to Host×10
Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow an adversary access to other containerized or virtualized resources from the host level or to the host itself. In principle, containerized / virtualized resources should provide a clear separation of application functionality and be isolated from the host environment.
Microsoft Semantic Kernel .NET SDK — unintended [KernelFunction] on SessionsPythonPlugin Download/UploadFileAsync → arbitrary file write → sandbox escape (CVSS 9.9) ×2 Microsoft Semantic Kernel Python SDK — prompt-injection-to-RCE via InMemoryVectorStore filter (CVSS 9.9, PoC public) ×2 Booking.com-fed hotel phishing (CH) ×1 GhostLock — Linux kernel rtmutex use-after-free LPE + container escape, public exploit ×1 Gitea act_runner Docker container-hardening bypass to host escape (CVSS 9.4, public PoC) ×1 Gogs argument-injection RCE ×1 Gogs argument-injection RCE (CVE-2026-52806); now actively exploited in K8s cryptojacking campaign (Wiz) ×1 JADEPUFFER ×1 +9 more
Evidence: 2026-07-09/cve-2026-53359-januscape-kvm-x86-guest-to-host-vm-escape · 2026-07-08/ghostlock-cve-2026-43499-linux-kernel-rtmutex-uaf-lpe · 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce · 2026-06-29/gogs-cve-2026-52806-moves-from-no-observed-exploitation-to-a · 2026-06-28/cve-2026-58053-gitea-act-runner-docker-backend-container-har +5 more · ATT&CK page ↗
Stealth TA0005
T1006Direct Volume Access×1
Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.
Booking.com-fed hotel phishing (CH) ×1 Nightmare Eclipse ×1 Nightmare Eclipse Windows zero-day series ×1
Evidence: 2026-05-15/windows-bitlocker-yellowkey-and-ctfmon-greenplasma-zero-days · ATT&CK page ↗
T1014Rootkit×1
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Software-exposed BYOVD hardware-gate bypass ×1
Evidence: 2026-05-24/atos-trc-hardware-gated-windows-drivers-can-be-made-byovd-ex · ATT&CK page ↗
T1027Obfuscated Files or Information×8
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
FrostyNeighbor March–May 2026 campaign ×2 Booking.com-fed hotel phishing (CH) ×1 Cavern ×1 Cavern Manticore ×1 CERT-FR agentic-AI risk report (CERTFR-2026-ACT-016) ×1 GemStuffer ×1 GTIG AI Threat Tracker (May 2026) ×1 GTIG Europe Data Leak Landscape 2025 ×1 +4 more
Evidence: 2026-07-09/cavern-manticore-iran-mois-modular-net-c2-anti-analysis · 2026-06-24/postcss-npm-typosquats-deliver-a-nuitka-compiled-python-rat · 2026-06-22/ebanking-phishing-hides-its-landing-page-address-in-ipv4-map · 2026-05-30/llmshare-malvertising-campaign-attackers-embed-fake-outage-p · 2026-05-23/ghostwriter-uac-0057-frostyneighbor-cert-ua-documents-new-oy +3 more · ATT&CK page ↗
T1027.003Obfuscated Files or Information: Steganography×1
Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.
Evidence: 2026-06-07/sans-isc-wetransfer-delivered-javascript-stages-a-steganogra · ATT&CK page ↗
T1027.004Obfuscated Files or Information: Compile After Delivery×1
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe, csc.exe, or GCC/MinGW.
Evidence: 2026-06-27/microsoft-photo-zip-phishing-laundered-through-calendly-drop · ATT&CK page ↗
T1027.005Obfuscated Files or Information: Indicator Removal from Tools×1
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
Evidence: 2026-06-16/wordpress-supply-chain-compromise-via-awesome-motive-s-cdn-b · ATT&CK page ↗
T1036Masquerading×9
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
AryStinger ×1 Bitter ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 DAEMON Tools supply-chain compromise ×1 JDownloader official site compromised ×1 Kimsuky ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 LLMShare ×1 +5 more
Evidence: 2026-07-10/e-government-portal-watering-hole-cms-implant-espionage · 2026-06-27/sans-isc-linux-process-name-masquerading-via-prctl-pr-set-na · 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · 2026-05-30/llmshare-malvertising-campaign-attackers-embed-fake-outage-p +4 more · ATT&CK page ↗
T1036.004Masquerading: Masquerade Task or Service×1
Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.
DAEMON Tools supply-chain compromise ×1
Evidence: 2026-05-09/daemon-tools-lite-supply-chain-quic-rat-deployed-via-signed · ATT&CK page ↗
T1036.005Masquerading: Match Legitimate Resource Name or Location×10
Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.
Calypso telco espionage campaign ×2 Stock-exchange mailbox espionage ×2 Akira ×1 Apex2 ×1 c2c / meow ×1 JDownloader official site compromised ×1 Megalodon ×1 Mistic ×1 +6 more
Evidence: 2026-07-09/nozomi-apex2-c2c-meow-golang-iot-linux-ddos-botnets · 2026-07-04/pamstealer-macos-infostealer-pam-api-password-validation · 2026-06-25/mistic-backdoor-signed-defender-dll-sideloading-and-in-memor · 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · 2026-06-04/symantec-five-month-low-and-slow-mailbox-espionage-campaign +5 more · ATT&CK page ↗
T1055Process Injection×5
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
CL-STA-1132 ×2 DAEMON Tools supply-chain compromise ×1 OceanLotus ×1 Palo Alto PAN-OS Captive Portal unauthenticated root RCE (CVSS 9.3, ITW, KEV deadline 2026-05-09) ×1 RemotePE ×1
Evidence: 2026-06-12/eset-oceanlotus-apt32-compromises-a-stock-trading-platform-s · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · 2026-05-09/daemon-tools-lite-supply-chain-quic-rat-deployed-via-signed · 2026-05-04/cve-2026-0300-palo-alto-pan-os-captive-portal-unauthenticate · 2026-05-04/cl-sta-1132-pan-os-cve-2026-0300-exploitation-cluster-disclo · ATT&CK page ↗
T1055.002Process Injection: Portable Executable Injection×1
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗
T1055.012Process Injection: Process Hollowing×2
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.
DesckVB RAT malspam ×1 Trojanised ScreenConnect AsyncRAT campaign ×1
Evidence: 2026-07-02/kaspersky-mdr-seo-poisoned-fake-installer-sites-trojanize-sc · 2026-06-04/desckvb-rat-malspam-launders-through-google-doubleclick-and · ATT&CK page ↗
T1070Indicator Removal×9
Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.
Booking.com-fed hotel phishing (CH) ×2 CERT.LV LVM/Olpha ransomware intrusion (2026) ×1 Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×1 CitrixBleed 2 (NetScaler ADC/Gateway pre-auth memory over-read) — weaponised in the STAC3725 IAB-to-DragonForce kill chain (Huntress) ×1 DragonForce ×1 GTIG Europe Data Leak Landscape 2025 ×1 LONGLEASH / SHORTLEASH ORB malware suite ×1 +11 more
Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · 2026-07-08/talos-uat-7810-china-nexus-orb-network-longleash · 2026-06-26/cisco-catalyst-sd-wan-manager-cve-2026-20245 · 2026-06-10/unit-42-catalogues-cloud-logging-defense-evasion-across-aws +4 more · ATT&CK page ↗
T1070.003Indicator Removal: Clear Command History×1
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×1 GTIG Europe Data Leak Landscape 2025 ×1
Evidence: 2026-06-26/cisco-catalyst-sd-wan-manager-cve-2026-20245 · ATT&CK page ↗
T1070.004Indicator Removal: File Deletion×2
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
RemotePE ×1 SmartApeSG ClickFix campaign ×1
Evidence: 2026-06-01/smartapesg-clickfix-stages-an-unnamed-rat-that-pivots-to-a-w · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗
T1070.006Indicator Removal: Timestomp×1
Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
Evidence: 2026-06-06/op-512-china-linked-cluster-runs-a-cryptographically-unique · ATT&CK page ↗
T1078Valid Accounts×45
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Booking.com-fed hotel phishing (CH) ×9 Akira ×3 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×3 FortiBleed ×2 Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×2 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×2 Qilin ×2 ShinyHunters ×2 +52 more
Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · 2026-07-05/kairos-data-theft-extortion-case-us-county-govt-1m-payout · 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce +40 more · ATT&CK page ↗
T1078.001Valid Accounts: Default Accounts×4
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.
Booking.com-fed hotel phishing (CH) ×2 Akira ×1 Akira kill-chain reconstruction (SANS ISC) ×1 Gitea Docker reverse-proxy trust-all auth bypass (X-WEBAUTH-USER impersonation) ×1 SEPPmail appliance management — information disclosure (CVSS 6.9) ×1 SEPPmail appliance management — LFI and arbitrary file deletion (CVSS 8.8) ×1 SEPPmail GINAv2 — insecure deserialisation via session cookie → RCE (CVSS 9.2) ×1 SEPPmail GINAv2 — missing authentication in admin REST API (CVSS 9.3) ×1 +2 more
Evidence: 2026-06-23/cve-2026-20896-gitea-docker-trust-all-reverse-proxy-default · 2026-05-28/sans-isc-akira-ransomware-kill-chain-reconstructed-entirely · 2026-05-09/seppmail-secure-email-gateway-cvss-9-3-unauthenticated-rce-c · 2026-05-04/cve-2026-44128-et-al-seppmail-secure-email-gateway-six-cve-c · ATT&CK page ↗
T1078.002Valid Accounts: Domain Accounts×1
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.
Akira ×1 SonicWall SonicOS improper access control (mgmt + SSLVPN, Gen 5/6/7) — Akira/Fog ransomware on-ramp ×1
Evidence: 2026-06-23/sonicwall-cve-2024-40766-why-patched-firewalls-keep-falling · ATT&CK page ↗
T1078.004Valid Accounts: Cloud Accounts×26
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.
ShinyHunters ×4 Mini Shai-Hulud ×3 TeamPCP ×3 Booking.com-fed hotel phishing (CH) ×2 Entra Agent ID OBO abuse ×2 'Ghost in the Database' ADFS key recovery ×1 888 ×1 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×1 +27 more
Evidence: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns · 2026-07-09/mandiant-adfs-machine-dpapi-golden-saml-key-recovery · 2026-07-08/accenture-confirms-data-theft-888-azure-devops-claim · 2026-06-29/gogs-cve-2026-52806-moves-from-no-observed-exploitation-to-a · 2026-06-28/keycloak-jwt-algorithm-confusion-cve-2026-11800-forging-fede +21 more · ATT&CK page ↗
T1127.001Trusted Developer Utilities Proxy Execution: MSBuild×1
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.
Evidence: 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · ATT&CK page ↗
T1134Access Token Manipulation×1
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Booking.com-fed hotel phishing (CH) ×1 Nightmare Eclipse ×1 Nightmare Eclipse Windows zero-day series ×1
Evidence: 2026-05-15/windows-bitlocker-yellowkey-and-ctfmon-greenplasma-zero-days · ATT&CK page ↗
T1134.003Access Token Manipulation: Make and Impersonate Token×1
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.
Evidence: 2026-07-01/kaspersky-great-toddycat-s-umbrij-automates-gmail-workspace · ATT&CK page ↗
T1134.004Access Token Manipulation: Parent PID Spoofing×1
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.
Evidence: 2026-06-27/kaspersky-great-strikeshark-loader-deploys-cobalt-strike-via · ATT&CK page ↗
T1140Deobfuscate/Decode Files or Information×2
Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Megalodon ×1 Packagist Laravel-Lang supply-chain wave ×1 RemotePE ×1 TeamPCP ×1
Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · 2026-05-24/packagist-supply-chain-wave-laravel-lang-autoloader-backdoor · ATT&CK page ↗
T1197BITS Jobs×1
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
Evidence: 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · ATT&CK page ↗
T1202Indirect Command Execution×1
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.
Evidence: 2026-06-24/unit-42-malicious-skills-on-the-openclaw-clawhub-agent-marke · ATT&CK page ↗
T1218System Binary Proxy Execution×1
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
Evidence: 2026-05-29/forticlient-ems-cve-2026-35616-ekz-infostealer-kill-chain · ATT&CK page ↗
T1218.005System Binary Proxy Execution: Mshta×1
Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code
Evidence: 2026-06-03/operation-xenofiscal-sidecopy-apt36-hits-provincial-treasury · ATT&CK page ↗
T1480Execution Guardrails×3
Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.
Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 GTIG Europe Data Leak Landscape 2025 ×1 Living Off the Pipeline ×1 RemotePE ×1 Secret Blizzard ×1 WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01) ×1
Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗
T1480.001Execution Guardrails: Environmental Keying×1
Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.
Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗
T1497.001Virtualization/Sandbox Evasion: System Checks×1
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
Evidence: 2026-07-04/pamstealer-macos-infostealer-pam-api-password-validation · ATT&CK page ↗
T1542Pre-OS Boot×1
Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.
Booking.com-fed hotel phishing (CH) ×1 GreatXML ×1 Nightmare Eclipse ×1 Nightmare Eclipse Windows zero-day series ×1 RoguePlanet ×1
Evidence: 2026-06-12/greatxml-unpatched-bitlocker-bypass-via-crafted-xml-on-the-r · ATT&CK page ↗
T1542.001Pre-OS Boot: System Firmware×2
Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.
Booking.com-fed hotel phishing (CH) ×2 Nightmare Eclipse ×2 Nightmare Eclipse Windows zero-day series ×2 GreatXML ×1 RoguePlanet ×1
Evidence: 2026-06-12/greatxml-unpatched-bitlocker-bypass-via-crafted-xml-on-the-r · 2026-05-15/windows-bitlocker-yellowkey-and-ctfmon-greenplasma-zero-days · ATT&CK page ↗
T1542.003Pre-OS Boot: Bootkit×1
Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious code to execute before a computer's operating system has loaded. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Evidence: 2026-06-20/usbliter8-a-permanent-securerom-boot-chain-exploit-for-apple · ATT&CK page ↗
T1564Hide Artifacts×1
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.
Evidence: 2026-06-25/edgecution-abusing-the-chrome-edge-native-messaging-api-as-a · ATT&CK page ↗
T1564.003Hide Artifacts: Hidden Window×1
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.
Evidence: 2026-06-25/edgecution-abusing-the-chrome-edge-native-messaging-api-as-a · ATT&CK page ↗
T1574Hijack Execution Flow×5
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
Akira ×1 Apex2 ×1 Beagle ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 Cybercrime-underground AI adoption ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 Operation Dragon Weave ×1 +3 more
Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch · 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · 2026-05-22/cve-2026-34926-trend-micro-apex-one-on-premise-post-auth-dir · 2026-05-10/sophos-beagle-backdoor-distributed-via-fake-claude-ai-site-u · ATT&CK page ↗
T1574.001Hijack Execution Flow: DLL×15
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.
Akira ×2 Calypso telco espionage campaign ×2 Stock-exchange mailbox espionage ×2 Beagle ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 Cavern ×1 Cavern Manticore ×1 Cybercrime-underground AI adoption ×1 +13 more
Evidence: 2026-07-09/cavern-manticore-iran-mois-modular-net-c2-anti-analysis · 2026-07-08/unit42-factory-v3-loader-vidar-xmrig-sandbox-evasion · 2026-07-01/kaspersky-great-toddycat-s-umbrij-automates-gmail-workspace · 2026-06-30/mustang-panda-abuses-zoho-workdrive-as-a-dead-drop-c2-channe · 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware +10 more · ATT&CK page ↗
T1574.008Hijack Execution Flow: Path Interception by Search Order Hijacking×1
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
Screening Serpens ×1 Security-tool impersonation TDS campaign ×1
Evidence: 2026-05-27/nimbus-manticore-unc1549-screening-serpens-check-point-detai · ATT&CK page ↗
T1574.014Hijack Execution Flow: AppDomainManager×2
Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.
Evidence: 2026-06-28/unit-42-chinese-speaking-cluster-cl-sta-1062-deploys-the-new · 2026-05-23/unit-42-iran-s-screening-serpens-unc1549-smoke-sandstorm-nim · ATT&CK page ↗
T1620Reflective Code Loading×4
Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., Shared Modules).
Bitter ×1 Cavern ×1 Cavern Manticore ×1 IceCube ×1 MuddyWater ×1 OP-512 ×1 Roundcube Crypt_GPG_Engine PHP deserialization RCE - chained by UNK_MassTraction after CVE-2024-42009 XSS (Proofpoint) ×1 Roundcube XSS — exploited by FrostyNeighbor / Ghostwriter (UNC1151) for Polish-targeting credential harvesting ×1 +1 more
Evidence: 2026-07-10/e-government-portal-watering-hole-cms-implant-espionage · 2026-07-09/unk-masstraction-roundcube-edge-exploitation · 2026-07-09/cavern-manticore-iran-mois-modular-net-c2-anti-analysis · 2026-06-06/op-512-china-linked-cluster-runs-a-cryptographically-unique · ATT&CK page ↗
T1684.001Social Engineering: Impersonation×2
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via Phishing for Information, Phishing, or Internal Spearphishing) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.
Edgecution ×1 Odido (Netherlands telecom) ShinyHunters breach ×1 ShinyHunters ×1
Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · 2026-06-25/edgecution-abusing-the-chrome-edge-native-messaging-api-as-a · ATT&CK page ↗
Defense Impairment TA0112
T1112Modify Registry×2
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
CitrixBleed 2 (NetScaler ADC/Gateway pre-auth memory over-read) — weaponised in the STAC3725 IAB-to-DragonForce kill chain (Huntress) ×1 DragonForce ×1 STAC3725 CitrixBleed 2-to-DragonForce IAB chain ×1
Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-06-24/whatsapp-borne-vbscript-silently-installs-a-manageengine-rmm · ATT&CK page ↗
T1222File and Directory Permissions Modification×1
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
AWS Language Servers / Amazon Q Developer symlink trust-boundary write outside workspace (GhostApproval, CWE-61); fixed language-servers 1.69.0 / @aws/lsp-codewhisperer 0.0.117 ×1 Cursor IDE sandbox escape via symlink + failed path canonicalization (GhostApproval); fixed Cursor 3.0 ×1 GhostApproval ×1
Evidence: 2026-07-09/ghostapproval-ai-coding-assistant-symlink-trust-boundary · ATT&CK page ↗
T1553Subvert Trust Controls×2
Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.
Booking.com-fed hotel phishing (CH) ×1 CERT-FR agentic-AI risk report (CERTFR-2026-ACT-016) ×1 GeoVision GeoWebPlayer unauthenticated localhost WebSocket screen-capture (Talos, CVSS 8.8) ×1 GeoVision GV-I/O Box 4E unauthenticated OS command injection (Talos, CVSS 9.1) ×1 GTIG AI Threat Tracker (May 2026) ×1 GTIG Europe Data Leak Landscape 2025 ×1 TeamPCP ×1 VTK-DICOM heap overflow on crafted DICOM file (Talos, CVSS 8.1) ×1 +3 more
Evidence: 2026-07-09/talos-wolfssl-geovision-vtkdicom-disclosure · 2026-05-12/gtig-ai-threat-tracker-may-2026-first-confirmed-ai-generated · ATT&CK page ↗
T1553.002Subvert Trust Controls: Code Signing×3
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity will result in a valid signature.
Factory-v3 ×1 Fox Tempest ×1 Mini Shai-Hulud ×1 TeamPCP ×1
Evidence: 2026-07-08/unit42-factory-v3-loader-vidar-xmrig-sandbox-evasion · 2026-06-09/microsoft-threat-intelligence-ai-brand-impersonation-drives · 2026-05-13/mini-shai-hulud-s-github-actions-pwn-request-oidc-token-thef · ATT&CK page ↗
T1556Modify Authentication Process×6
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.
Akira ×1 Cisco ISE / ISE-PIC — authenticated path-traversal OS command execution to root (CVSS 9.1) ×1 Cisco ISE / ISE-PIC — unauthenticated read of sensitive data incl. hashed admin credentials (CVSS 7.5) ×1 GTIG Europe Data Leak Landscape 2025 ×1 Keycloak admin evaluate-scopes endpoint cross-role PII leakage bypassing user-view permissions (Keycloak 26.6.2) ×1 Keycloak Authorization Services Protection API cross-realm IDOR allowing realm-A authenticated attacker to access realm-B resources (Keycloak 26.6.2) ×1 Keycloak execute-actions token replay enabling unauthorised WebAuthn / FIDO2 credential enrollment on victim account (Keycloak 26.6.2) ×1 Keycloak OIDC login flow session fixation enabling account takeover (Keycloak 26.6.2; BSI WID-SEC-2026-1612 HIGH) ×1 +7 more
Evidence: 2026-06-19/cisco-ise-cve-2026-20181-cve-2026-20190-an-unauthenticated-c · 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · 2026-06-10/meta-discloses-20-225-instagram-account-takeovers-via-an-ai · 2026-05-21/keycloak-26-6-2-16-cves-including-oidc-session-fixation-cve · 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain +1 more · ATT&CK page ↗
T1556.003Modify Authentication Process: Pluggable Authentication Modules×1
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.
Velvet Ant Operation Highland ×1
Evidence: 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · ATT&CK page ↗
T1556.006Modify Authentication Process: Multi-Factor Authentication×6
Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
Keycloak CORS ACAO reflected from unverified JWT azp claim on UMA endpoint (fixed 26.6.3) ×1 Keycloak JWT algorithm confusion -> federated-user impersonation (CVSS 8.1) ×1 Keycloak missing server-side WebAuthn credential-registration validation (fixed 26.6.3) ×1 Keycloak policy-enforcer authorization bypass via access-denied-page path (CVSS 8.1) ×1 Keycloak refresh-token replay window after server restart resets startupTime (fixed 26.6.3) ×1 Keycloak ROPC grant bypass of client-policy enforcement (fixed 26.6.3) ×1 Keycloak SSRF via OIDC token endpoint manipulation (fixed 26.6.3) ×1 Keycloak token-exchange privilege escalation via silent subject_token removal (fixed 26.6.3) ×1 +5 more
Evidence: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns · 2026-06-28/keycloak-jwt-algorithm-confusion-cve-2026-11800-forging-fede · 2026-06-26/shinyhunters-used-a-single-vishing-call-into-the-company-s-i · 2026-06-07/keycloak-26-6-3-privilege-escalation-via-oauth-token-exchang · 2026-05-23/unit-42-roadtools-operationalised-by-midnight-blizzard-curio +1 more · ATT&CK page ↗
T1578Modify Cloud Compute Infrastructure×2
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
Cloud-bucket hijacking via namespace reuse ×1
Evidence: 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · 2026-06-24/unit-42-cloud-bucket-hijacking-via-global-namespace-reuse-si · ATT&CK page ↗
T1599.001Network Boundary Bridging: Network Address Translation Traversal×1
Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.
Evidence: 2026-06-10/cve-2026-7473-arista-eos-tunnel-decapsulation-logic-flaw-byp · ATT&CK page ↗
T1685Disable or Modify Tools×11
Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.
AryStinger ×1 Avalon ×1 Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 CrySome RAT ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 DesckVB RAT malspam ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 +11 more
Evidence: 2026-07-08/unit42-factory-v3-loader-vidar-xmrig-sandbox-evasion · 2026-07-08/crysome-rat-freight-phishing-amsi-uac-defender-chain · 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch +6 more · ATT&CK page ↗
T1685.002Disable or Modify Tools: Disable or Modify Cloud Log×1
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
Evidence: 2026-06-10/unit-42-catalogues-cloud-logging-defense-evasion-across-aws · ATT&CK page ↗
T1685.006Disable or Modify Tools: Clear Linux or Mac System Logs×3
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the `/var/log/` directory. Subfolders in this directory categorize logs by their related functions, such as:
Booking.com-fed hotel phishing (CH) ×2 Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 SEPPmail appliance management — information disclosure (CVSS 6.9) ×1 SEPPmail appliance management — LFI and arbitrary file deletion (CVSS 8.8) ×1 SEPPmail GINAv2 — insecure deserialisation via session cookie → RCE (CVSS 9.2) ×1 SEPPmail GINAv2 — missing authentication in admin REST API (CVSS 9.3) ×1 SEPPmail GINAv2 — server-side template injection via Freemarker (CVSS 8.3) ×1 SEPPmail Secure Email Gateway — unauthenticated RCE via exposed GINAv2 test endpoints (CVSS 9.3) ×1 +1 more
Evidence: 2026-05-15/cisco-catalyst-sd-wan-cve-2026-20182-authentication-bypass-a · 2026-05-09/seppmail-secure-email-gateway-cvss-9-3-unauthenticated-rce-c · 2026-05-04/cve-2026-44128-et-al-seppmail-secure-email-gateway-six-cve-c · ATT&CK page ↗
T1686Disable or Modify System Firewall×1
Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further action. Once an adversary has gathered sufficient privileges, they can tamper with firewall services, policies, or rule sets to remove restrictions on inbound or outbound traffic. For example, this may include turning off firewall profiles, altering existing rules to permit previously blocked ports or protocols, or adding new rules that create covert communication paths (e.g., adding a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port.
AryStinger ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 QNAP Malware Remover code injection (fixed 6.6.8.20251023) — AryStinger NAS access vector ×1
Evidence: 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · ATT&CK page ↗
T1686.001Disable or Modify System Firewall: Cloud Firewall×1
Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.
Storm-2949 ×1 Storm-2949 SSPR-to-Key-Vault kill chain ×1
Evidence: 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain · ATT&CK page ↗
Credential Access TA0006
T1003OS Credential Dumping×4
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. Credentials can then be used to perform Lateral Movement and access restricted information.
CL-STA-1132 ×2 Akira ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 CitrixBleed 2 (NetScaler ADC/Gateway pre-auth memory over-read) — weaponised in the STAC3725 IAB-to-DragonForce kill chain (Huntress) ×1 DragonForce ×1 Palo Alto PAN-OS Captive Portal unauthenticated root RCE (CVSS 9.3, ITW, KEV deadline 2026-05-09) ×1 STAC3725 CitrixBleed 2-to-DragonForce IAB chain ×1
Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-05-04/cve-2026-0300-palo-alto-pan-os-captive-portal-unauthenticate · 2026-05-04/cl-sta-1132-pan-os-cve-2026-0300-exploitation-cluster-disclo · ATT&CK page ↗
T1003.001OS Credential Dumping: LSASS Memory×3
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.
Stock-exchange mailbox espionage ×1 Webworm ×1
Evidence: 2026-06-09/unit-42-microsoft-teams-external-chat-now-a-primary-phishing · 2026-06-04/symantec-five-month-low-and-slow-mailbox-espionage-campaign · 2026-05-21/webworm-china-aligned-shifts-to-eu-government-targets-echocr · ATT&CK page ↗
T1003.002OS Credential Dumping: Security Account Manager×1
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.
Living Off the Pipeline ×1 MuddyWater ×1 Stock-exchange mailbox espionage ×1
Evidence: 2026-05-28/muddywater-seedworm-symantec-and-carbon-black-document-new-d · ATT&CK page ↗
T1003.003OS Credential Dumping: NTDS×1
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.
Akira ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1
Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · ATT&CK page ↗
T1003.007OS Credential Dumping: Proc Filesystem×1
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process’s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process’s virtual address space.
Evidence: 2026-05-13/mini-shai-hulud-s-github-actions-pwn-request-oidc-token-thef · ATT&CK page ↗
T1040Network Sniffing×1
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Squidbleed — 29-year-old heap over-read in Squid FTP gateway leaks cross-user HTTP credentials ×1
Evidence: 2026-06-23/squidbleed-a-29-year-old-heap-over-read-in-squid-s-ftp-gatew · ATT&CK page ↗
T1056Input Capture×1
Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).
Evidence: 2026-06-28/island-badblocker-an-11m-user-chrome-ad-blocker-is-one-serve · ATT&CK page ↗
T1056.001Input Capture: Keylogging×1
Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.
Evidence: 2026-06-18/scarcruft-apt37-delivers-narwhalrat-behind-fake-microsoft-ot · ATT&CK page ↗
T1110Brute Force×4
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
Apex2 ×1 c2c / meow ×1 FortiBleed ×1 Kairos ×1 Mini Shai-Hulud ×1 TeamPCP ×1 Verizon 2026 DBIR ×1
Evidence: 2026-07-09/nozomi-apex2-c2c-meow-golang-iot-linux-ddos-botnets · 2026-07-05/kairos-data-theft-extortion-case-us-county-govt-1m-payout · 2026-06-22/fortibleed-russian-speaking-operator-cracking-86-644-fortiga · 2026-05-21/verizon-2026-dbir-vulnerability-exploitation-overtakes-crede · ATT&CK page ↗
T1110.002Brute Force: Password Cracking×1
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Further, adversaries may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices.
Cisco ISE / ISE-PIC — authenticated path-traversal OS command execution to root (CVSS 9.1) ×1 Cisco ISE / ISE-PIC — unauthenticated read of sensitive data incl. hashed admin credentials (CVSS 7.5) ×1
Evidence: 2026-06-19/cisco-ise-cve-2026-20181-cve-2026-20190-an-unauthenticated-c · ATT&CK page ↗
T1110.003Brute Force: Password Spraying×1
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.
LSHIY Azure CLI ROPC token-spray ×1 Railway device-code phishing ×1
Evidence: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns · ATT&CK page ↗
T1111Multi-Factor Authentication Interception×3
Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms.
GTIG Europe Data Leak Landscape 2025 ×1 Security-tool impersonation TDS campaign ×1
Evidence: 2026-06-10/check-point-a-tds-gated-ecosystem-impersonates-security-tool · 2026-05-26/google-s-threat-intel-group-maps-a-chinese-language-phaas-ec · 2026-05-23/fbi-psa260521-kali365-oauth-device-code-phaas-bypasses-m365 · ATT&CK page ↗
T1187Forced Authentication×2
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
Windows Shell LNK exploit predecessor — APT28 weaponised against Ukraine and EU; February 2026 patch left CVE-2026-32202 residual ×1 Windows Shell protection mechanism failure → NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12) ×1
Evidence: 2026-06-04/huntress-windows-search-uri-handler-leaks-ntlmv2-hashes-micr · 2026-05-04/cve-2026-32202-windows-shell-ntlm-coercion-akamai-s-patchdif · ATT&CK page ↗
T1212Exploitation for Credential Access×2
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
BigBlueButton bbb-web < 3.0.21 — insecure sessionToken generation (CWE-330) enables session hijack ×1 BigBlueButton bbb-web < 3.0.21 — presentationUploadExternalUrl API checksum bypass (CWE-284) ×1 BigBlueButton bbb-web < 3.0.23 — SSRF in presentation URL validation (CWE-918) ×1 BigBlueButton bbb-web CVE trio ×1 Cisco ISE / ISE-PIC — authenticated path-traversal OS command execution to root (CVSS 9.1) ×1 Cisco ISE / ISE-PIC — unauthenticated read of sensitive data incl. hashed admin credentials (CVSS 7.5) ×1
Evidence: 2026-06-19/cisco-ise-cve-2026-20181-cve-2026-20190-an-unauthenticated-c · 2026-05-19/bigbluebutton-bbb-web-3-0-21-3-0-23-three-flaws-in-eu-educat · ATT&CK page ↗
T1528Steal Application Access Token×10
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
ARToken ×1 GTIG Europe Data Leak Landscape 2025 ×1 Icarus Salesforce OAuth extortion ×1 Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×1 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×1 LSHIY Azure CLI ROPC token-spray ×1 Railway device-code phishing ×1 ShinyHunters ×1 +1 more
Evidence: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns · 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · 2026-07-02/cisco-talos-artoken-exposes-a-full-bec-as-a-service-toolkit · 2026-06-25/klue-icarus-salesforce-oauth-breach-beyondtrust-and-lastpass · 2026-06-04/one-click-github-oauth-token-theft-via-github-dev-full-discl +5 more · ATT&CK page ↗
T1539Steal Web Session Cookie×2
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
PAN-OS GlobalProtect pre-auth authentication bypass ×1
Evidence: 2026-05-30/cve-2026-0257-pan-os-globalprotect-pre-auth-vpn-authenticati · 2026-05-27/tycoon-2fa-after-the-march-2026-takedown-two-tier-aitm-opera · ATT&CK page ↗
T1552Unsecured Credentials×16
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Shell History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).
Booking.com-fed hotel phishing (CH) ×3 TeamPCP ×3 'Ghost in the Database' ADFS key recovery ×1 Argo CD repo-server unauthenticated RCE ×1 CERT-FR agentic-AI risk report (CERTFR-2026-ACT-016) ×1 Checkmarx Jenkins AST plugin backdoor (TeamPCP/UNC6780 supply-chain compromise, SANDCLOCK credential stealer, CVSS 9.4) ×1 cve-search unauthenticated /fetch_cve_data parameter manipulation exposes admin credential hashes ×1 Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 +20 more
Evidence: 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · 2026-07-09/mandiant-adfs-machine-dpapi-golden-saml-key-recovery · 2026-07-05/cve-2026-59509-cve-search-fetch-cve-data-nosql · 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce · 2026-07-02/argo-cd-repo-server-unauthenticated-rce-no-cve-unpatched-18 +11 more · ATT&CK page ↗
T1552.001Unsecured Credentials: Credentials In Files×24
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
TeamPCP ×8 Booking.com-fed hotel phishing (CH) ×4 Mini Shai-Hulud ×3 PCPJack ×2 888 ×1 actions-cool/issues-helper compromise ×1 Argo CD repo-server unauthenticated RCE ×1 Avalon ×1 +24 more
Evidence: 2026-07-10/nextcloud-gmbh-elasticsearch-exposure-msb-nrw · 2026-07-08/accenture-confirms-data-theft-888-azure-devops-claim · 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-07-02/argo-cd-repo-server-unauthenticated-rce-no-cve-unpatched-18 · 2026-06-23/shapedplugin-build-pipeline-compromised-three-pro-wordpress +19 more · ATT&CK page ↗
T1552.004Unsecured Credentials: Private Keys×5
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.
AWS Language Servers / Amazon Q Developer symlink trust-boundary write outside workspace (GhostApproval, CWE-61); fixed language-servers 1.69.0 / @aws/lsp-codewhisperer 0.0.117 ×1 Cursor IDE sandbox escape via symlink + failed path canonicalization (GhostApproval); fixed Cursor 3.0 ×1 GhostApproval ×1 Grafana Labs CoinbaseCartel breach ×1 Living Off the Pipeline ×1 Megalodon ×1 ShinyHunters ×1 ssh-keysign-pwn — 9-year ptrace race in Linux kernel __ptrace_may_access() reaches root + SSH host-key exfiltration; four public Qualys exploits on default major distros ×1
Evidence: 2026-07-09/ghostapproval-ai-coding-assistant-symlink-trust-boundary · 2026-05-23/megalodon-mass-poisons-5-561-github-repos-in-a-6-hour-window · 2026-05-23/cve-2026-46333-ssh-keysign-pwn-a-9-year-ptrace-race-in-the-l · 2026-05-19/grafana-labs-coinbasecartel-breach-victim-confirms-source-co · 2026-05-19/cisa-contractor-nightwing-exposed-aws-govcloud-admin-keys-an · ATT&CK page ↗
T1552.005Unsecured Credentials: Cloud Instance Metadata API×1
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Mautic API contact-filtering SQL injection (post-auth) ×1 Mautic file inclusion / path traversal (post-auth) ×1 Mautic Focus component SSRF (post-auth; reaches internal/cloud-metadata) ×1 Mautic JavaScript code injection (post-auth) ×1 Mautic path traversal / file manipulation (post-auth) ×1 Mautic stored XSS (post-auth) ×1 Mautic stored XSS / JS injection (post-auth) ×1
Evidence: 2026-05-31/mautic-7-1-2-6-0-9-seven-authenticated-flaws-including-two-p · ATT&CK page ↗
T1555Credentials from Password Stores×13
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
Avalon ×1 Booking.com-fed hotel phishing (CH) ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 Fortinet FortiClient EMS 7.4.5/7.4.6 — improper-access-control on X-SSL-CLIENT-VERIFY header lets unauth attacker spoof mTLS state and reach management API; ITW exploited to push EKZ Infostealer per Arctic Wolf 2026-05-27 ×1 JINX-0164 ×1 Job-seeker targeting wave (CH) ×1 Living Off the Pipeline ×1 +3 more
Evidence: 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-06-24/unit-42-malicious-skills-on-the-openclaw-clawhub-agent-marke · 2026-06-24/macos-clickfix-evolves-hdiutil-attach-nobrowse-mounts-the-ma · 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch · 2026-06-10/shai-hulud-miasma-supply-chain-worm-jumps-to-pypi-as-hades-3 +8 more · ATT&CK page ↗
T1555.001Credentials from Password Stores: Keychain×2
Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.
Evidence: 2026-07-04/pamstealer-macos-infostealer-pam-api-password-validation · 2026-05-10/clickfix-campaign-expands-to-macos-macsync-shub-stealer-and · ATT&CK page ↗
T1555.003Credentials from Password Stores: Credentials from Web Browsers×8
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
CrySome RAT ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 Fortinet FortiClient EMS 7.4.5/7.4.6 — improper-access-control on X-SSL-CLIENT-VERIFY header lets unauth attacker spoof mTLS state and reach management API; ITW exploited to push EKZ Infostealer per Arctic Wolf 2026-05-27 ×1 PamStealer ×1 Stock-exchange mailbox espionage ×1 TA4922 ×1 UNK_DeadDrop ×1 +1 more
Evidence: 2026-07-08/crysome-rat-freight-phishing-amsi-uac-defender-chain · 2026-07-04/pamstealer-macos-infostealer-pam-api-password-validation · 2026-06-24/postcss-npm-typosquats-deliver-a-nuitka-compiled-python-rat · 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch · 2026-06-16/dprk-unk-deaddrop-weaponises-vs-code-cursor-auto-run-to-hit +3 more · ATT&CK page ↗
T1556Modify Authentication Process×6
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.
Akira ×1 Cisco ISE / ISE-PIC — authenticated path-traversal OS command execution to root (CVSS 9.1) ×1 Cisco ISE / ISE-PIC — unauthenticated read of sensitive data incl. hashed admin credentials (CVSS 7.5) ×1 GTIG Europe Data Leak Landscape 2025 ×1 Keycloak admin evaluate-scopes endpoint cross-role PII leakage bypassing user-view permissions (Keycloak 26.6.2) ×1 Keycloak Authorization Services Protection API cross-realm IDOR allowing realm-A authenticated attacker to access realm-B resources (Keycloak 26.6.2) ×1 Keycloak execute-actions token replay enabling unauthorised WebAuthn / FIDO2 credential enrollment on victim account (Keycloak 26.6.2) ×1 Keycloak OIDC login flow session fixation enabling account takeover (Keycloak 26.6.2; BSI WID-SEC-2026-1612 HIGH) ×1 +7 more
Evidence: 2026-06-19/cisco-ise-cve-2026-20181-cve-2026-20190-an-unauthenticated-c · 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · 2026-06-10/meta-discloses-20-225-instagram-account-takeovers-via-an-ai · 2026-05-21/keycloak-26-6-2-16-cves-including-oidc-session-fixation-cve · 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain +1 more · ATT&CK page ↗
T1556.003Modify Authentication Process: Pluggable Authentication Modules×1
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.
Velvet Ant Operation Highland ×1
Evidence: 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · ATT&CK page ↗
T1556.006Modify Authentication Process: Multi-Factor Authentication×6
Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
Keycloak CORS ACAO reflected from unverified JWT azp claim on UMA endpoint (fixed 26.6.3) ×1 Keycloak JWT algorithm confusion -> federated-user impersonation (CVSS 8.1) ×1 Keycloak missing server-side WebAuthn credential-registration validation (fixed 26.6.3) ×1 Keycloak policy-enforcer authorization bypass via access-denied-page path (CVSS 8.1) ×1 Keycloak refresh-token replay window after server restart resets startupTime (fixed 26.6.3) ×1 Keycloak ROPC grant bypass of client-policy enforcement (fixed 26.6.3) ×1 Keycloak SSRF via OIDC token endpoint manipulation (fixed 26.6.3) ×1 Keycloak token-exchange privilege escalation via silent subject_token removal (fixed 26.6.3) ×1 +5 more
Evidence: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns · 2026-06-28/keycloak-jwt-algorithm-confusion-cve-2026-11800-forging-fede · 2026-06-26/shinyhunters-used-a-single-vishing-call-into-the-company-s-i · 2026-06-07/keycloak-26-6-3-privilege-escalation-via-oauth-token-exchang · 2026-05-23/unit-42-roadtools-operationalised-by-midnight-blizzard-curio +1 more · ATT&CK page ↗
T1557Adversary-in-the-Middle×4
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.
GTIG Europe Data Leak Landscape 2025 ×1 ShinyHunters ×1 UNC6671 ×1 Windows Shell LNK exploit predecessor — APT28 weaponised against Ukraine and EU; February 2026 patch left CVE-2026-32202 residual ×1 Windows Shell protection mechanism failure → NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12) ×1
Evidence: 2026-06-14/sekoia-apt28-gru-unit-26165-tradecraft-shifts-to-llm-generat · 2026-05-27/tycoon-2fa-after-the-march-2026-takedown-two-tier-aitm-opera · 2026-05-16/gtig-unc6671-blackfile-vishing-aitm-rogue-mfa-programmatic-s · 2026-05-04/cve-2026-32202-windows-shell-ntlm-coercion-akamai-s-patchdif · ATT&CK page ↗
T1557.001Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay×1
By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.
Windows Shell LNK exploit predecessor — APT28 weaponised against Ukraine and EU; February 2026 patch left CVE-2026-32202 residual ×1 Windows Shell protection mechanism failure → NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12) ×1
Evidence: 2026-05-04/cve-2026-32202-windows-shell-ntlm-coercion-akamai-s-patchdif · ATT&CK page ↗
T1558.003Steal or Forge Kerberos Tickets: Kerberoasting×2
Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
Akira ×1 Akira kill-chain reconstruction (SANS ISC) ×1
Evidence: 2026-05-28/sans-isc-akira-ransomware-kill-chain-reconstructed-entirely · 2026-05-11/sophos-2026-state-of-identity-security-71-of-orgs-breached-v · ATT&CK page ↗
T1606Forge Web Credentials×1
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.
Evidence: 2026-05-26/cve-2026-9058-szafir-sdk-kir-signature-verification-routine · ATT&CK page ↗
T1606.002Forge Web Credentials: SAML Tokens×2
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate. The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions ...</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>. Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.
'Ghost in the Database' ADFS key recovery ×1 Mini Shai-Hulud ×1 TeamPCP ×1
Evidence: 2026-07-09/mandiant-adfs-machine-dpapi-golden-saml-key-recovery · 2026-05-13/mini-shai-hulud-s-github-actions-pwn-request-oidc-token-thef · ATT&CK page ↗
T1621Multi-Factor Authentication Request Generation×2
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
Evidence: 2026-06-24/swiss-post-cybersecurity-publishes-its-inaugural-swiss-threa · 2026-06-23/two-scattered-spider-members-plead-guilty-over-the-2024-tran · ATT&CK page ↗
T1649Steal or Forge Authentication Certificates×1
Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.
Evidence: 2026-05-08/muddywater-iran-mois-deploys-chaos-ransomware-as-false-flag · ATT&CK page ↗
Discovery TA0007
T1018Remote System Discovery×2
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping, <code>net view</code> using Net, or, on ESXi servers, `esxcli network diag ping`.
CL-STA-1132 ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 Stock-exchange mailbox espionage ×1
Evidence: 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch · 2026-05-04/cl-sta-1132-pan-os-cve-2026-0300-exploitation-cluster-disclo · ATT&CK page ↗
T1040Network Sniffing×1
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Squidbleed — 29-year-old heap over-read in Squid FTP gateway leaks cross-user HTTP credentials ×1
Evidence: 2026-06-23/squidbleed-a-29-year-old-heap-over-read-in-squid-s-ftp-gatew · ATT&CK page ↗
T1046Network Service Discovery×4
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.
Akira ×1 AryStinger ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 PAN-OS GlobalProtect pre-auth authentication bypass ×1 +2 more
Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch · 2026-05-30/cve-2026-0257-pan-os-globalprotect-pre-auth-vpn-authenticati · ATT&CK page ↗
T1082System Information Discovery×4
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from Local Storage Discovery which is an adversary's discovery of local drive, disks and/or volumes.
FrostyNeighbor March–May 2026 campaign ×1 Linux kernel cgroup v1 release_agent container escape (missing CAP_SYS_ADMIN check); CISA KEV 2026-06-02 ×1 Mini Shai-Hulud ×1 TrapDoor ×1
Evidence: 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · 2026-06-03/linux-cgroups-v1-release-agent-container-escape-cve-2022-049 · 2026-06-01/two-concurrent-npm-dependency-confusion-campaigns-target-int · 2026-05-15/frostyneighbor-ghostwriter-unc1151-belarus-state-aligned-ese · ATT&CK page ↗
T1083File and Directory Discovery×7
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Booking.com-fed hotel phishing (CH) ×2 Megalodon ×1 Mini Shai-Hulud ×1 Packagist Laravel-Lang supply-chain wave ×1 SEPPmail appliance management — information disclosure (CVSS 6.9) ×1 SEPPmail appliance management — LFI and arbitrary file deletion (CVSS 8.8) ×1 SEPPmail GINAv2 — insecure deserialisation via session cookie → RCE (CVSS 9.2) ×1 SEPPmail GINAv2 — missing authentication in admin REST API (CVSS 9.3) ×1 +7 more
Evidence: 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · 2026-06-01/two-concurrent-npm-dependency-confusion-campaigns-target-int · 2026-05-24/packagist-supply-chain-wave-laravel-lang-autoloader-backdoor · 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain · 2026-05-16/node-ipc-npm-package-backdoored-via-expired-domain-account-t +2 more · ATT&CK page ↗
T1087Account Discovery×4
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).
Living Off the Pipeline ×1 MuddyWater ×1 Stock-exchange mailbox espionage ×1
Evidence: 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · 2026-05-28/muddywater-seedworm-symantec-and-carbon-black-document-new-d · 2026-05-27/tycoon-2fa-after-the-march-2026-takedown-two-tier-aitm-opera · 2026-05-23/unit-42-roadtools-operationalised-by-midnight-blizzard-curio · ATT&CK page ↗
T1087.004Account Discovery: Cloud Account×2
Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.
Evidence: 2026-06-23/elastic-shows-how-the-newly-ga-azure-ad-graph-activity-logs · 2026-05-27/tycoon-2fa-after-the-march-2026-takedown-two-tier-aitm-opera · ATT&CK page ↗
T1135Network Share Discovery×1
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Silent Ransom Group physical USB intrusions ×1
Evidence: 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · ATT&CK page ↗
T1482Domain Trust Discovery×1
Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.
Living Off the Pipeline ×1 MuddyWater ×1 Stock-exchange mailbox espionage ×1
Evidence: 2026-05-28/muddywater-seedworm-symantec-and-carbon-black-document-new-d · ATT&CK page ↗
T1497.001Virtualization/Sandbox Evasion: System Checks×1
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
Evidence: 2026-07-04/pamstealer-macos-infostealer-pam-api-password-validation · ATT&CK page ↗
T1518.001Software Discovery: Security Software Discovery×1
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Evidence: 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · ATT&CK page ↗
T1526Cloud Service Discovery×1
An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
Evidence: 2026-05-27/tycoon-2fa-after-the-march-2026-takedown-two-tier-aitm-opera · ATT&CK page ↗
T1580Cloud Infrastructure Discovery×1
An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
Evidence: 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · ATT&CK page ↗
T1614System Location Discovery×1
Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Mini Shai-Hulud ×1 TrapDoor ×1
Evidence: 2026-06-01/two-concurrent-npm-dependency-confusion-campaigns-target-int · ATT&CK page ↗
T1619Cloud Storage Object Discovery×1
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.
Evidence: 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · ATT&CK page ↗
Lateral Movement TA0008
T1021Remote Services×11
Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
Akira ×2 The Gentlemen ×2 Bumblebee → AdaptixC2 → Akira intrusion ×1 Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 Oracle PeopleSoft PeopleTools PSEMHUB pre-auth RCE (CVSS 9.8), zero-day exploited by UNC6240/ShinyHunters ×1 Prinz Eugen ×1 +10 more
Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-06-21/prinz-eugen-a-go-based-encryptor-that-targets-recent-files-f · 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch · 2026-06-15/handala-breaches-california-water-service-through-an-interne · 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic +6 more · ATT&CK page ↗
T1021.001Remote Services: Remote Desktop Protocol×6
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Akira ×3 Akira kill-chain reconstruction (SANS ISC) ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 FamousSparrow Azerbaijan intrusion ×1 PAN-OS GlobalProtect pre-auth authentication bypass ×1 Prinz Eugen ×1 Qilin ×1 The Gentlemen ×1
Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-06-21/prinz-eugen-a-go-based-encryptor-that-targets-recent-files-f · 2026-05-30/cve-2026-0257-pan-os-globalprotect-pre-auth-vpn-authenticati · 2026-05-28/sans-isc-akira-ransomware-kill-chain-reconstructed-entirely · 2026-05-14/famoussparrow-three-wave-intrusion-of-an-azerbaijani-energy +1 more · ATT&CK page ↗
T1021.002Remote Services: SMB/Windows Admin Shares×3
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
Avalon ×1 FamousSparrow Azerbaijan intrusion ×1 Security-tool impersonation TDS campaign ×1 The Gentlemen ×1
Evidence: 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-06-12/the-gentlemen-ransomware-478-claimed-leak-site-victims-self · 2026-05-14/famoussparrow-three-wave-intrusion-of-an-azerbaijani-energy · ATT&CK page ↗
T1021.003Remote Services: Distributed Component Object Model×1
Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
Evidence: 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · ATT&CK page ↗
T1021.004Remote Services: SSH×6
Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
ShinyHunters ×2 Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 Oracle PeopleSoft PeopleTools PSEMHUB pre-auth RCE (CVSS 9.8), zero-day exploited by UNC6240/ShinyHunters ×1 ShinyHunters PeopleSoft campaign ×1 TrapDoor ×1 UAT-8616 ×1 Velvet Ant Operation Highland ×1
Evidence: 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · 2026-06-12/shinyhunters-peoplesoft-campaign-oracle-confirms-cve-2026-35 · 2026-06-11/shinyhunters-oracle-peoplesoft-campaign-gadget-chain-access · 2026-05-30/sysdig-trt-first-observed-llm-agent-driven-post-exploitation · 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto +1 more · ATT&CK page ↗
T1021.007Remote Services: Cloud Services×1
Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.
Storm-2949 ×1 Storm-2949 SSPR-to-Key-Vault kill chain ×1
Evidence: 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain · ATT&CK page ↗
T1072Software Deployment Tools×3
Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.
Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×2 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×2 Booking.com-fed hotel phishing (CH) ×1 Ivanti EPMM remote authenticated → administrative-access via improper access control (CVSS 8.8, May 2026 update) ×1 Ivanti EPMM unauthenticated arbitrary method invocation (CVSS 7.0, May 2026 update) ×1 Ivanti EPMM — fourth companion CVE in May 2026 EPMM update (high-severity per BleepingComputer / SecurityWeek) ×1 Living Off the Pipeline ×1
Evidence: 2026-05-16/sentinelone-living-off-the-pipeline-ci-cd-subversion-taxonom · 2026-05-08/ivanti-epmm-cve-2026-5787-cve-2026-6973-pre-auth-certificate · 2026-05-04/cve-2026-6973-cve-2026-5787-ivanti-epmm-on-prem-pre-auth-cha · ATT&CK page ↗
T1091Replication Through Removable Media×1
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Evidence: 2026-06-01/gamaredon-gammaphish-gammaworm-ntfs-ads-usb-gammasteel-s3-ex · ATT&CK page ↗
T1210Exploitation of Remote Services×3
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Akira ×1 Microsoft Dynamics 365 On-Premises — authenticated code injection with scope change (CVSS 9.9, May 2026 Patch Tuesday) ×1 Microsoft SSO Plugin for Jira/Confluence — unauthenticated Entra ID credential forgery (CVSS 9.1, More Likely exploitation) ×1 Veeam Backup & Replication 12.x authenticated domain-user deserialization RCE (CVSS 9.4); fixed 12.3.2.4854 ×1 Windows DNS Client (dnsapi.dll) heap buffer overflow — RCE via malicious DNS response (CVSS 9.8, May 2026 Patch Tuesday) ×1 Windows Netlogon stack buffer overflow — unauthenticated remote RCE to SYSTEM on domain controllers (CVSS 9.8, May 2026 Patch Tuesday); active ITW exploitation confirmed by CCB Belgium 2026-06-01 ×1
Evidence: 2026-06-10/cve-2026-44963-veeam-backup-replication-authenticated-domain · 2026-06-05/university-of-toronto-vector-institute-a-self-propagating-wo · 2026-05-13/cve-2026-41089-cve-2026-41096-cve-2026-41103-cve-2026-42898 · ATT&CK page ↗
T1534Internal Spearphishing×1
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating Impersonation.
Booking.com-fed hotel phishing (CH) ×1 Microsoft Exchange Server 2016/2019/SE — OWA stored XSS (CISA KEV 2026-05-15, actively exploited, no permanent patch — EEMS Mitigation M2 only) ×1
Evidence: 2026-05-16/microsoft-exchange-cve-2026-42897-active-exploitation-withou · ATT&CK page ↗
T1550Use Alternate Authentication Material×4
Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.
Cisco ISE / ISE-PIC — authenticated path-traversal OS command execution to root (CVSS 9.1) ×1 Cisco ISE / ISE-PIC — unauthenticated read of sensitive data incl. hashed admin credentials (CVSS 7.5) ×1
Evidence: 2026-06-19/cisco-ise-cve-2026-20181-cve-2026-20190-an-unauthenticated-c · 2026-05-27/tycoon-2fa-after-the-march-2026-takedown-two-tier-aitm-opera · 2026-05-23/unit-42-roadtools-operationalised-by-midnight-blizzard-curio · 2026-05-18/tycoon2fa-after-the-march-2026-takedown-oauth-device-authori · ATT&CK page ↗
T1550.001Use Alternate Authentication Material: Application Access Token×11
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.
Keycloak SSRF via OIDC token endpoint manipulation (fixed 26.6.3) ×2 Keycloak token-exchange privilege escalation via silent subject_token removal (fixed 26.6.3) ×2 ARToken ×1 CitrixBleed 2 (NetScaler ADC/Gateway pre-auth memory over-read) — weaponised in the STAC3725 IAB-to-DragonForce kill chain (Huntress) ×1 DragonForce ×1 Icarus Salesforce OAuth extortion ×1 Keycloak CORS ACAO reflected from unverified JWT azp claim on UMA endpoint (fixed 26.6.3) ×1 Keycloak JWT algorithm confusion -> federated-user impersonation (CVSS 8.1) ×1 +6 more
Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-07-02/cisco-talos-artoken-exposes-a-full-bec-as-a-service-toolkit · 2026-07-01/kaspersky-great-toddycat-s-umbrij-automates-gmail-workspace · 2026-06-28/keycloak-jwt-algorithm-confusion-cve-2026-11800-forging-fede · 2026-06-24/8x8-confirms-klue-icarus-salesforce-exfiltration-in-an-sec-8 +6 more · ATT&CK page ↗
T1550.002Use Alternate Authentication Material: Pass the Hash×1
Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.
Evidence: 2026-06-09/unit-42-microsoft-teams-external-chat-now-a-primary-phishing · ATT&CK page ↗
T1550.004Use Alternate Authentication Material: Web Session Cookie×1
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.
Evidence: 2026-05-27/tycoon-2fa-after-the-march-2026-takedown-two-tier-aitm-opera · ATT&CK page ↗
T1570Lateral Tool Transfer×3
Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.
CitrixBleed 2 (NetScaler ADC/Gateway pre-auth memory over-read) — weaponised in the STAC3725 IAB-to-DragonForce kill chain (Huntress) ×1 DragonForce ×1 Mini Shai-Hulud ×1 STAC3725 CitrixBleed 2-to-DragonForce IAB chain ×1 TeamPCP ×1
Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-06-05/university-of-toronto-vector-institute-a-self-propagating-wo · 2026-05-21/teampcp-mini-shai-hulud-campaign-github-itself-breached-3-80 · ATT&CK page ↗
Collection TA0009
T1005Data from Local System×4
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Microsoft Semantic Kernel .NET SDK — unintended [KernelFunction] on SessionsPythonPlugin Download/UploadFileAsync → arbitrary file write → sandbox escape (CVSS 9.9) ×2 Microsoft Semantic Kernel Python SDK — prompt-injection-to-RCE via InMemoryVectorStore filter (CVSS 9.9, PoC public) ×2 GREYVIBE ×1 GTIG Europe Data Leak Landscape 2025 ×1 Secret Blizzard ×1 WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01) ×1
Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-05-30/greyvibe-newly-documented-russia-nexus-cluster-deploys-five · 2026-05-10/microsoft-semantic-kernel-cve-2026-26030-cve-2026-25592-prom · 2026-05-04/cve-2026-26030-cve-2026-25592-microsoft-semantic-kernel-pyth · ATT&CK page ↗
T1025Data from Removable Media×1
Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
Evidence: 2026-06-01/gamaredon-gammaphish-gammaworm-ntfs-ads-usb-gammasteel-s3-ex · ATT&CK page ↗
T1056Input Capture×1
Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).
Evidence: 2026-06-28/island-badblocker-an-11m-user-chrome-ad-blocker-is-one-serve · ATT&CK page ↗
T1056.001Input Capture: Keylogging×1
Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.
Evidence: 2026-06-18/scarcruft-apt37-delivers-narwhalrat-behind-fake-microsoft-ot · ATT&CK page ↗
T1074Data Staged×1
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
Silent Ransom Group physical USB intrusions ×1
Evidence: 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · ATT&CK page ↗
T1074.001Data Staged: Local Data Staging×1
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
Evidence: 2026-05-23/rhysida-claims-stuttgart-municipal-data-theft-for-5-btc-city · ATT&CK page ↗
T1114Email Collection×1
Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses. Adversaries can collect or forward email from mail servers or clients.
Booking.com-fed hotel phishing (CH) ×1
Evidence: 2026-05-09/seppmail-secure-email-gateway-cvss-9-3-unauthenticated-rce-c · ATT&CK page ↗
T1114.001Email Collection: Local Email Collection×1
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
Stock-exchange mailbox espionage ×1
Evidence: 2026-06-04/symantec-five-month-low-and-slow-mailbox-espionage-campaign · ATT&CK page ↗
T1114.002Email Collection: Remote Email Collection×1
Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.
Evidence: 2026-07-02/cisco-talos-artoken-exposes-a-full-bec-as-a-service-toolkit · ATT&CK page ↗
T1114.003Email Collection: Email Forwarding Rule×2
Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators. Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.
Booking.com-fed hotel phishing (CH) ×1
Evidence: 2026-06-25/ncsc-ch-active-microsoft-365-voicemail-phishing-wave-in-swit · 2026-06-16/prc-unc6508-ran-year-plus-espionage-through-internet-facing · ATT&CK page ↗
T1115Clipboard Data×3
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Gremlin Stealer ×1 PamStealer ×1 Security-tool impersonation TDS campaign ×1
Evidence: 2026-07-04/pamstealer-macos-infostealer-pam-api-password-validation · 2026-06-18/crypto-clipboard-hijacker-campaign-weaponises-virustotal-com · 2026-05-16/unit-42-gremlin-stealer-evolved-with-net-resource-xor-obfusc · ATT&CK page ↗
T1185Browser Session Hijacking×2
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Booking.com-fed hotel phishing (CH) ×1 Gremlin Stealer ×1 Microsoft Exchange Server 2016/2019/SE — OWA stored XSS (CISA KEV 2026-05-15, actively exploited, no permanent patch — EEMS Mitigation M2 only) ×1
Evidence: 2026-05-16/unit-42-gremlin-stealer-evolved-with-net-resource-xor-obfusc · 2026-05-16/microsoft-exchange-cve-2026-42897-active-exploitation-withou · ATT&CK page ↗
T1213Data from Information Repositories×4
Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).
Booking.com-fed hotel phishing (CH) ×2 ShinyHunters ×2 Mini Shai-Hulud ×1 Odido (Netherlands telecom) ShinyHunters breach ×1 SAP Commerce Cloud — unauthenticated arbitrary code execution via Spring Security misordering on cloud-config endpoint (CVSS 9.6, SAP Note 3733064) ×1 SAP S/4HANA Enterprise Search ABAP — authenticated SQL injection in SAP_BASIS 751–758 / 816 (CVSS 9.6) ×1
Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · 2026-06-11/shinyhunters-oracle-peoplesoft-campaign-gadget-chain-access · 2026-06-11/servicenow-unauthenticated-rest-endpoint-queried-customer-in · 2026-05-13/cve-2026-34263-cve-2026-34260-sap-commerce-cloud-pre-auth-rc · ATT&CK page ↗
T1213.003Data from Information Repositories: Code Repositories×4
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
888 ×1 Icarus Salesforce OAuth extortion ×1 ShinyHunters ×1
Evidence: 2026-07-08/accenture-confirms-data-theft-888-azure-devops-claim · 2026-06-25/klue-icarus-salesforce-oauth-breach-beyondtrust-and-lastpass · 2026-05-29/carnival-corporation-confirms-5-99-m-record-shinyhunters-bre · 2026-05-13/bwh-hotels-best-western-worldhotels-sure-hotels-181-day-unau · ATT&CK page ↗
T1530Data from Cloud Storage×8
Adversaries may access data from cloud storage.
ShinyHunters ×2 Cloud-bucket hijacking via namespace reuse ×1 DAEMON Tools Lite signed-build trojanisation (12.5.0.2421–12.5.0.2434) via Disc Soft Limited build infrastructure; CISA KEV 2026-05-27 ×1 Medtronic breach ×1 Nx Console v18.95.0 VS Code extension supply-chain compromise — credential-stealing payload harvested 1Password, Claude Code config, npm, GitHub, AWS creds; CISA KEV 2026-05-27 ×1 Storm-2949 ×1 Storm-2949 SSPR-to-Key-Vault kill chain ×1 TanStack Router npm credential-stealing payload — exfiltrated Nx contributor GitHub CLI OAuth token (precursor to CVE-2026-48027 Nx Console compromise); CISA KEV 2026-05-27 ×1 +1 more
Evidence: 2026-06-24/unit-42-cloud-bucket-hijacking-via-global-namespace-reuse-si · 2026-06-10/unit-42-catalogues-cloud-logging-defense-evasion-across-aws · 2026-05-29/carnival-corporation-confirms-5-99-m-record-shinyhunters-bre · 2026-05-28/nx-console-tanstack-daemon-tools-supply-chain-cascade-lands · 2026-05-27/lithuania-s-centre-of-registers-loses-600-000-state-register +3 more · ATT&CK page ↗
T1557Adversary-in-the-Middle×4
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.
GTIG Europe Data Leak Landscape 2025 ×1 ShinyHunters ×1 UNC6671 ×1 Windows Shell LNK exploit predecessor — APT28 weaponised against Ukraine and EU; February 2026 patch left CVE-2026-32202 residual ×1 Windows Shell protection mechanism failure → NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12) ×1
Evidence: 2026-06-14/sekoia-apt28-gru-unit-26165-tradecraft-shifts-to-llm-generat · 2026-05-27/tycoon-2fa-after-the-march-2026-takedown-two-tier-aitm-opera · 2026-05-16/gtig-unc6671-blackfile-vishing-aitm-rogue-mfa-programmatic-s · 2026-05-04/cve-2026-32202-windows-shell-ntlm-coercion-akamai-s-patchdif · ATT&CK page ↗
T1557.001Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay×1
By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.
Windows Shell LNK exploit predecessor — APT28 weaponised against Ukraine and EU; February 2026 patch left CVE-2026-32202 residual ×1 Windows Shell protection mechanism failure → NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12) ×1
Evidence: 2026-05-04/cve-2026-32202-windows-shell-ntlm-coercion-akamai-s-patchdif · ATT&CK page ↗
T1560Archive Collected Data×1
An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Calypso telco espionage campaign ×1
Evidence: 2026-05-22/red-lamassu-calypso-bronze-medley-showboat-jfmbackdoor-telco · ATT&CK page ↗
T1602Data from Configuration Repository×1
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
Booking.com-fed hotel phishing (CH) ×1
Evidence: 2026-05-09/seppmail-secure-email-gateway-cvss-9-3-unauthenticated-rce-c · ATT&CK page ↗
Command and Control TA0011
T1001.002Data Obfuscation: Steganography×1
Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.
Calypso telco espionage campaign ×1
Evidence: 2026-05-22/red-lamassu-calypso-bronze-medley-showboat-jfmbackdoor-telco · ATT&CK page ↗
T1071Application Layer Protocol×14
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
GTIG Europe Data Leak Landscape 2025 ×3 0DIN coding-agent prompt-injection chain ×1 Booking.com-fed hotel phishing (CH) ×1 CERT-FR agentic-AI risk report (CERTFR-2026-ACT-016) ×1 CERT.LV LVM/Olpha ransomware intrusion (2026) ×1 Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 Digital Knowledge KnowledgeDeliver LMS — pre-shared ASP.NET machineKey ViewState deserialization RCE; exploited as zero-day pre-2026-02-24 ×1 Edgecution ×1 +12 more
Evidence: 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · 2026-06-29/mozilla-0din-a-clean-github-repo-coerces-ai-coding-agents-in · 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-06-25/edgecution-abusing-the-chrome-edge-native-messaging-api-as-a · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js +9 more · ATT&CK page ↗
T1071.001Application Layer Protocol: Web Protocols×15
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
GTIG Europe Data Leak Landscape 2025 ×3 Bitter ×1 Booking.com-fed hotel phishing (CH) ×1 CERT-FR agentic-AI risk report (CERTFR-2026-ACT-016) ×1 Digital Knowledge KnowledgeDeliver LMS — pre-shared ASP.NET machineKey ViewState deserialization RCE; exploited as zero-day pre-2026-02-24 ×1 Edgecution ×1 Fortinet FortiClient EMS 7.4.5/7.4.6 — improper-access-control on X-SSL-CLIENT-VERIFY header lets unauth attacker spoof mTLS state and reach management API; ITW exploited to push EKZ Infostealer per Arctic Wolf 2026-05-27 ×1 GTIG AI Threat Tracker (May 2026) ×1 +10 more
Evidence: 2026-07-10/e-government-portal-watering-hole-cms-implant-espionage · 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-06-25/edgecution-abusing-the-chrome-edge-native-messaging-api-as-a · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-06-16/varonis-searchleak-cve-2026-42824-one-click-m365-copilot-dat +10 more · ATT&CK page ↗
T1071.004Application Layer Protocol: DNS×2
Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
0DIN coding-agent prompt-injection chain ×1 Microsoft Dynamics 365 On-Premises — authenticated code injection with scope change (CVSS 9.9, May 2026 Patch Tuesday) ×1 Microsoft SSO Plugin for Jira/Confluence — unauthenticated Entra ID credential forgery (CVSS 9.1, More Likely exploitation) ×1 Windows DNS Client (dnsapi.dll) heap buffer overflow — RCE via malicious DNS response (CVSS 9.8, May 2026 Patch Tuesday) ×1 Windows Netlogon stack buffer overflow — unauthenticated remote RCE to SYSTEM on domain controllers (CVSS 9.8, May 2026 Patch Tuesday); active ITW exploitation confirmed by CCB Belgium 2026-06-01 ×1
Evidence: 2026-06-29/mozilla-0din-a-clean-github-repo-coerces-ai-coding-agents-in · 2026-05-13/cve-2026-41089-cve-2026-41096-cve-2026-41103-cve-2026-42898 · ATT&CK page ↗
T1090Proxy×6
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
AryStinger ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 Embargo ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 Popa residential-proxy botnet ×1 Pwn2Own Berlin 2026 ×1 +4 more
Evidence: 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-06-21/krebs-and-qurium-tie-the-popa-android-tv-residential-proxy-b · 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch · 2026-06-05/verdantbamboo-unc5221-warp-panda-an-18-month-china-nexus-int · 2026-05-25/underminr-a-multi-tenant-cdn-domain-fronting-variant-that-bl +1 more · ATT&CK page ↗
T1090.001Proxy: Internal Proxy×3
Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.
Calypso telco espionage campaign ×2 TrickMo C ×1
Evidence: 2026-05-22/red-lamassu-calypso-bronze-medley-showboat-jfmbackdoor-telco · 2026-05-22/calypso-red-lamassu-bronze-medley-deploys-showboat-linux-and · 2026-05-13/trickmo-trickmo-c-android-banking-trojan-migrates-c2-to-the · ATT&CK page ↗
T1090.002Proxy: External Proxy×3
Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.
AryStinger ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 Kimsuky ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 Popa residential-proxy botnet ×1 QNAP Malware Remover code injection (fixed 6.6.8.20251023) — AryStinger NAS access vector ×1
Evidence: 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-06-21/krebs-and-qurium-tie-the-popa-android-tv-residential-proxy-b · 2026-05-17/kaspersky-great-documents-kimsuky-s-rust-based-hellodoor-and · ATT&CK page ↗
T1090.003Proxy: Multi-hop Proxy×3
Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
Living Off the Pipeline ×1 LONGLEASH / SHORTLEASH ORB malware suite ×1 MuddyWater ×1 Popa residential-proxy botnet ×1 Stock-exchange mailbox espionage ×1 UAT-5918 ×1 UAT-7810 ×1
Evidence: 2026-07-08/talos-uat-7810-china-nexus-orb-network-longleash · 2026-07-04/netnut-popa-residential-proxy-botnet-disrupted-by-google-fbi · 2026-05-28/muddywater-seedworm-symantec-and-carbon-black-document-new-d · ATT&CK page ↗
T1090.004Proxy: Domain Fronting×1
Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).
Evidence: 2026-05-25/underminr-a-multi-tenant-cdn-domain-fronting-variant-that-bl · ATT&CK page ↗
T1102Web Service×1
Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Operation Dragon Weave ×1 VerdantBamboo ×1
Evidence: 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · ATT&CK page ↗
T1102.001Web Service: Dead Drop Resolver×5
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
Calypso telco espionage campaign ×2 Operation Dragon Weave ×1 ScarCruft ×1 VerdantBamboo ×1
Evidence: 2026-06-30/mustang-panda-abuses-zoho-workdrive-as-a-dead-drop-c2-channe · 2026-06-18/scarcruft-apt37-delivers-narwhalrat-behind-fake-microsoft-ot · 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · 2026-05-22/red-lamassu-calypso-bronze-medley-showboat-jfmbackdoor-telco · 2026-05-22/calypso-red-lamassu-bronze-medley-deploys-showboat-linux-and · ATT&CK page ↗
T1102.002Web Service: Bidirectional Communication×1
Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet.
Evidence: 2026-05-21/webworm-china-aligned-shifts-to-eu-government-targets-echocr · ATT&CK page ↗
T1105Ingress Tool Transfer×6
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).
Apex2 ×1 c2c / meow ×1 FrostyNeighbor March–May 2026 campaign ×1 Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 Living Off the Pipeline ×1 Prinz Eugen ×1
Evidence: 2026-07-09/nozomi-apex2-c2c-meow-golang-iot-linux-ddos-botnets · 2026-06-24/whatsapp-borne-vbscript-silently-installs-a-manageengine-rmm · 2026-06-24/macos-clickfix-evolves-hdiutil-attach-nobrowse-mounts-the-ma · 2026-06-21/prinz-eugen-a-go-based-encryptor-that-targets-recent-files-f · 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp +1 more · ATT&CK page ↗
T1219Remote Access Tools×8
An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software (usually graphical interface) and remote management software (typically command line interface) allow a user to control a computer remotely as if they are a local user inheriting the user or software permissions. This software is commonly used for troubleshooting, software installation, and system management. Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.
Akira ×2 Bumblebee → AdaptixC2 → Akira intrusion ×1 Cavern ×1 Cavern Manticore ×1 CitrixBleed 2 (NetScaler ADC/Gateway pre-auth memory over-read) — weaponised in the STAC3725 IAB-to-DragonForce kill chain (Huntress) ×1 DragonForce ×1 Dragos Q1 2026 Industrial Ransomware Analysis ×1 FrostyNeighbor March–May 2026 campaign ×1 +5 more
Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-07-09/cavern-manticore-iran-mois-modular-net-c2-anti-analysis · 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-06-24/whatsapp-borne-vbscript-silently-installs-a-manageengine-rmm · 2026-06-10/dragos-q1-2026-industrial-ransomware-analysis-1-020-industri +3 more · ATT&CK page ↗
T1572Protocol Tunneling×3
Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.
CL-STA-1132 ×2 AryStinger ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 Palo Alto PAN-OS Captive Portal unauthenticated root RCE (CVSS 9.3, ITW, KEV deadline 2026-05-09) ×1 QNAP Malware Remover code injection (fixed 6.6.8.20251023) — AryStinger NAS access vector ×1
Evidence: 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-05-04/cve-2026-0300-palo-alto-pan-os-captive-portal-unauthenticate · 2026-05-04/cl-sta-1132-pan-os-cve-2026-0300-exploitation-cluster-disclo · ATT&CK page ↗
T1573Encrypted Channel×1
Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
DAEMON Tools supply-chain compromise ×1
Evidence: 2026-05-09/daemon-tools-lite-supply-chain-quic-rat-deployed-via-signed · ATT&CK page ↗
T1573.002Encrypted Channel: Asymmetric Cryptography×1
Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.
DAEMON Tools supply-chain compromise ×1
Evidence: 2026-05-09/daemon-tools-lite-supply-chain-quic-rat-deployed-via-signed · ATT&CK page ↗
T1659Content Injection×1
Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.
Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 Living Off the Pipeline ×1
Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗
Exfiltration TA0010
T1020Automated Exfiltration×1
Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.
Evidence: 2026-06-30/hijacked-npm-and-go-packages-weaponise-vs-code-s-folderopen · ATT&CK page ↗
T1041Exfiltration Over C2 Channel×6
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
Fortinet FortiClient EMS 7.4.5/7.4.6 — improper-access-control on X-SSL-CLIENT-VERIFY header lets unauth attacker spoof mTLS state and reach management API; ITW exploited to push EKZ Infostealer per Arctic Wolf 2026-05-27 ×1 GTIG Europe Data Leak Landscape 2025 ×1 Ivanti Xtraction < 2026.2 external control of file name/path (CWE-73, CVSS 9.6) — arbitrary file read + HTML write to web tree; auth required ×1 PCPJack ×1 Secret Blizzard ×1 Storm-2949 ×1 Storm-2949 SSPR-to-Key-Vault kill chain ×1 TeamPCP ×1 +1 more
Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-05-29/forticlient-ems-cve-2026-35616-ekz-infostealer-kill-chain · 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain · 2026-05-19/teampcp-shai-hulud-first-copycat-wave-phantom-bot-ssh-cloud · 2026-05-14/cve-2026-8043-ivanti-xtraction-external-file-control-cvss-9 +1 more · ATT&CK page ↗
T1048Exfiltration Over Alternative Protocol×3
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Akira ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1
Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-05-30/sysdig-trt-first-observed-llm-agent-driven-post-exploitation · 2026-05-16/node-ipc-npm-package-backdoored-via-expired-domain-account-t · ATT&CK page ↗
T1048.003Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol×1
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Evidence: 2026-05-16/node-ipc-npm-package-backdoored-via-expired-domain-account-t · ATT&CK page ↗
T1052Exfiltration Over Physical Medium×1
Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
Silent Ransom Group physical USB intrusions ×1
Evidence: 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · ATT&CK page ↗
T1052.001Exfiltration Over Physical Medium: Exfiltration over USB×2
Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
Silent Ransom Group physical USB intrusions ×2
Evidence: 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · 2026-06-01/luna-moth-unc3753-vishing-to-physical-usb-data-theft-extorti · ATT&CK page ↗
T1567Exfiltration Over Web Service×11
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
Akira ×4 Groupe 3R ransomware breach ×3 ShinyHunters ×3 Bumblebee → AdaptixC2 → Akira intrusion ×1 DAEMON Tools Lite signed-build trojanisation (12.5.0.2421–12.5.0.2434) via Disc Soft Limited build infrastructure; CISA KEV 2026-05-27 ×1 Grafana Labs CoinbaseCartel breach ×1 Kairos ×1 Living Off the Pipeline ×1 +4 more
Evidence: 2026-07-09/groupe-3r-akira-forensic-confirmation-darknet-publication · 2026-07-05/kairos-data-theft-extortion-case-us-county-govt-1m-payout · 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-06-28/naic-breached-via-oracle-peoplesoft-zero-day-shinyhunters-pu · 2026-06-24/xsolis-healthcare-ai-vendor-breach-exposes-1-4m-patients-acr +6 more · ATT&CK page ↗
T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage×3
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.
Medtronic breach ×1 ShinyHunters ×1 Silent Ransom Group physical USB intrusions ×1 Stock-exchange mailbox espionage ×1
Evidence: 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · 2026-06-04/symantec-five-month-low-and-slow-mailbox-espionage-campaign · 2026-05-19/7-eleven-confirms-shinyhunters-breach-of-600-000-salesforce · ATT&CK page ↗
T1567.004Exfiltration Over Web Service: Exfiltration Over Webhook×1
Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server. Many public and commercial services, such as Discord, Slack, and `webhook.site`, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello. When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.
Evidence: 2026-05-14/gemstuffer-rubygems-weaponised-as-a-one-way-exfiltration-cha · ATT&CK page ↗
Impact TA0040
T1485Data Destruction×4
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
Ababil of Minab ×1 Cloud-bucket hijacking via namespace reuse ×1 JADEPUFFER ×1 Langflow /api/v1/validate/code missing-auth RCE — initial access for the JADEPUFFER agentic ransomware operation ×1 Mini Shai-Hulud ×1 TeamPCP ×1
Evidence: 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce · 2026-06-24/unit-42-cloud-bucket-hijacking-via-global-namespace-reuse-si · 2026-05-28/iran-mois-attributed-to-lacmta-destructive-breach-via-ababil · 2026-05-26/teampcp-mini-shai-hulud-framework-open-sourced-microsoft-pyp · ATT&CK page ↗
T1486Data Encrypted for Impact×14
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Akira ×7 Groupe 3R ransomware breach ×3 Avalon ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 CitrixBleed 2 (NetScaler ADC/Gateway pre-auth memory over-read) — weaponised in the STAC3725 IAB-to-DragonForce kill chain (Huntress) ×1 DragonForce ×1 Dragos Q1 2026 Industrial Ransomware Analysis ×1 JADEPUFFER ×1 +7 more
Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-07-09/groupe-3r-akira-forensic-confirmation-darknet-publication · 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce · 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware +9 more · ATT&CK page ↗
T1490Inhibit System Recovery×3
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This may deny access to available backups and recovery options.
Akira ×1 Avalon ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1
Evidence: 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-05-12/west-pharmaceutical-services-files-sec-form-8-k-item-1-05-da · ATT&CK page ↗
T1496Resource Hijacking×3
Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 Gogs argument-injection RCE ×1 Gogs argument-injection RCE (CVE-2026-52806); now actively exploited in K8s cryptojacking campaign (Wiz) ×1 Popa residential-proxy botnet ×1 UAT-8616 ×1
Evidence: 2026-06-29/gogs-cve-2026-52806-moves-from-no-observed-exploitation-to-a · 2026-06-21/krebs-and-qurium-tie-the-popa-android-tv-residential-proxy-b · 2026-05-15/cisco-catalyst-sd-wan-cve-2026-20182-authentication-bypass-a · ATT&CK page ↗
T1498Network Denial of Service×2
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.
Apex2 ×1 Atomic Arch ×1 Booking.com-fed hotel phishing (CH) ×1 c2c / meow ×1 GreatXML ×1 Nightmare Eclipse ×1 RoguePlanet ×1
Evidence: 2026-07-09/nozomi-apex2-c2c-meow-golang-iot-linux-ddos-botnets · 2026-06-14/looking-ahead-2026-w24 · ATT&CK page ↗
T1499Endpoint Denial of Service×2
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.
Atomic Arch ×1 Booking.com-fed hotel phishing (CH) ×1 GreatXML ×1 HTTP/2 Bomb — HPACK dynamic-table amplification + Slowloris stream-hold memory-exhaustion DoS vs nginx/Apache/IIS/Envoy/Pingora; nginx 1.29.8 & Apache mod_http2 2.0.41 patched, IIS/Envoy/Pingora unpatched at disclosure ×1 Nightmare Eclipse ×1 RoguePlanet ×1
Evidence: 2026-06-14/looking-ahead-2026-w24 · 2026-06-04/http-2-bomb-cve-2026-49975-a-single-connection-memory-exhaus · ATT&CK page ↗
T1499.003Endpoint Denial of Service: Application Exhaustion Flood×1
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.
Evidence: 2026-06-06/cve-2026-28318-solarwinds-serv-u-unauthenticated-dos-added-t · ATT&CK page ↗
T1499.004Endpoint Denial of Service: Application or System Exploitation×3
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.
Exim 4.97–4.99.2 GnuTLS builds — BDAT/CHUNKING use-after-free (Dead.Letter), pre-auth RCE (CVSS 9.8, ENISA EUVD critical); fixed in Exim 4.99.3 ×1 HTTP/2 Bomb — HPACK dynamic-table amplification + Slowloris stream-hold memory-exhaustion DoS vs nginx/Apache/IIS/Envoy/Pingora; nginx 1.29.8 & Apache mod_http2 2.0.41 patched, IIS/Envoy/Pingora unpatched at disclosure ×1 libssh2 infinite-loop pre-auth DoS via crafted SSH_MSG_EXT_INFO (CVSS 8.2) ×1 libssh2 pre-auth heap OOB write in ssh2_transport_read() (CVSS 9.2) — public PoC released 2026-06-29; no fixed release tagged yet ×1
Evidence: 2026-06-28/cve-2026-55200-libssh2-heap-out-of-bounds-write-in-ssh2-tran · 2026-06-04/http-2-bomb-cve-2026-49975-a-single-connection-memory-exhaus · 2026-05-13/cve-2026-45185-exim-dead-letter-use-after-free-in-bdat-chunk · ATT&CK page ↗
T1565Data Manipulation×2
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Microsoft Semantic Kernel .NET SDK — unintended [KernelFunction] on SessionsPythonPlugin Download/UploadFileAsync → arbitrary file write → sandbox escape (CVSS 9.9) ×2 Microsoft Semantic Kernel Python SDK — prompt-injection-to-RCE via InMemoryVectorStore filter (CVSS 9.9, PoC public) ×2
Evidence: 2026-05-10/microsoft-semantic-kernel-cve-2026-26030-cve-2026-25592-prom · 2026-05-04/cve-2026-26030-cve-2026-25592-microsoft-semantic-kernel-pyth · ATT&CK page ↗
T1565.001Data Manipulation: Stored Data Manipulation×2
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Microsoft Semantic Kernel .NET SDK — unintended [KernelFunction] on SessionsPythonPlugin Download/UploadFileAsync → arbitrary file write → sandbox escape (CVSS 9.9) ×2 Microsoft Semantic Kernel Python SDK — prompt-injection-to-RCE via InMemoryVectorStore filter (CVSS 9.9, PoC public) ×2
Evidence: 2026-05-10/microsoft-semantic-kernel-cve-2026-26030-cve-2026-25592-prom · 2026-05-04/cve-2026-26030-cve-2026-25592-microsoft-semantic-kernel-pyth · ATT&CK page ↗