Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations.
Sub-techniques: T1584.001, T1584.002, T1584.003, T1584.004, T1584.005, T1584.006, T1584.007
Created: 01 October 2020
Last Modified: 13 April 2023
Procedure Examples

Name | Description
APT16 | APT16 has compromised otherwise legitimate sites as staging servers for second-stage payloads.[8]
Dragonfly | Dragonfly has compromised legitimate websites to host C2 and malware modules.[9]
Earth Lusca | Earth Lusca has used compromised web servers as part of their operational infrastructure.[10]
Indrik Spider | Indrik Spider has served fake updates via legitimate websites that have been compromised.[11]
Lazarus Group | Lazarus Group has compromised servers to stage malicious tools.[4]
Night Dragon | During Night Dragon, threat actors compromised web servers to use for C2.[16]
Operation Dream Job | For Operation Dream Job, Lazarus Group compromised servers to host their malicious tools.[15][13][14]
Operation Sharpshooter | For Operation Sharpshooter, the threat actors compromised a server they used as part of the campaign's infrastructure.[12]
Turla | Turla has used compromised servers as infrastructure.[5][6][7]
|This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.