Skip to content

T1588.001 Malware

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.

In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).

Item Value
ID T1588.001
Sub-techniques T1588.001, T1588.002, T1588.003, T1588.004, T1588.005, T1588.006
Tactics TA0042
Platforms PRE
Version 1.1
Created 01 October 2020
Last Modified 17 October 2021

Procedure Examples

ID Name Description
G0138 Andariel Andariel has used a variety of publicly-available remote access Trojans (RATs) for its operations.7
G0006 APT1 APT1 used publicly available malware for privilege escalation.3
G0143 Aquatic Panda Aquatic Panda has acquired and used njRAT in its operations.2
G0135 BackdoorDiplomacy BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.14
C0015 C0015 For C0015, the threat actors used Cobalt Strike and Conti ransomware.15
G1006 Earth Lusca Earth Lusca has acquired and used a variety of malware, including Cobalt Strike.12
C0007 FunnyDream For FunnyDream, the threat actors used a new backdoor named FunnyDream.18
G1004 LAPSUS$ LAPSUS$ acquired and used the Redline password stealer in their operations.6
G0140 LazyScripter LazyScripter has used a variety of open-source remote access Trojans for its operations.4
G1014 LuminousMoth LuminousMoth has obtained and used malware such as Cobalt Strike.98
G1013 Metador Metador has used unique malware in their operations, including metaMain and Mafalda.13
C0002 Night Dragon During Night Dragon, threat actors used Trojans from underground hacker websites.17
C0005 Operation Spalax For Operation Spalax, the threat actors obtained malware, including Remcos, njRAT, and AsyncRAT.16
G0092 TA505 TA505 has used malware such as Azorult and Cobalt Strike in their operations.5
G0010 Turla Turla has used malware obtained after compromising other threat actors, such as OilRig.1011


ID Mitigation Description
M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.


ID Data Source Data Component
DS0004 Malware Repository Malware Content


  1. FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to SunshopFireEye. Retrieved March 6, 2017. 

  2. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. 

  3. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. 

  4. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  5. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022. 

  6. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022. 

  7. FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 29, 2021. 

  8. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. 

  9. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. 

  10. NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020. 

  11. Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020. 

  12. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  13. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  14. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 

  15. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  16. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022. 

  17. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 

  18. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.