Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2025-0411 | 7-Zip Mark of the Web Bypass Vulnerability | primary_impact | T1588.001 | Malware | Attackers can double-archive a malicious payload with 7-Zip so that the Mark of the Web (the Zone.Identifier stream Windows attaches to files downloaded from the Internet) is not propagated to files extracted from the inner archive; because Microsoft Defender SmartScreen keys on that mark, it is bypassed as well. This lets attackers disseminate such payloads via channels like email attachments that would normally receive additional scrutiny from those protective measures. The flaw was patched in 7-Zip version 24.09. |
| CVE-2023-34048 | VMware vCenter Server Out-of-Bounds Write Vulnerability | secondary_impact | T1588.001 | Malware | This vulnerability is exploited by an adversary who has already gained network access to the vCenter Server. The adversary sends a crafted payload to the server's vulnerable DCERPC implementation, causing an out-of-bounds write that reaches a jmp rax instruction. The adversary group UNC3886 has been attributed with exploiting this vulnerability in the wild to establish a backdoor on victim vCenter servers. |
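What a mail gateway or endpoint rule can check for the double-archive pattern behind CVE-2025-0411, as an added example (Python; not code from the ATT&CK page, the CVE record, or 7-Zip). It walks ZIP containers as a stand-in for whatever nested format 7-Zip would open, flags executable-like members that sit behind two or more archive layers, and parses a Zone.Identifier stream so the post-extraction check (is ZoneId=3 still present on the inner files?) can be applied on a Windows host. The helper names, the suffix list, the depth cap, and the constructed sample archive are assumptions of this example, not part of the original page.

```python
"""Flag the double-archived attachment pattern behind CVE-2025-0411.

Added example, not from the mappings page. Walks ZIP archives recursively
(ZIP stands in for any archive format 7-Zip can open), records where
executable-like files sit relative to the archive nesting, and parses the
Zone.Identifier stream whose absence on extracted files is the actual bypass.
"""
import io
import zipfile
from dataclasses import dataclass

# Magic bytes of the archive formats recognised here (only ZIP is opened).
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}
# Assumed list of "executable-like" suffixes worth flagging in an attachment.
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".msi", ".js", ".vbs", ".hta",
                 ".lnk", ".ps1", ".bat", ".cmd")
MAX_DEPTH = 4  # stop recursing into pathological nesting (zip bombs)


@dataclass
class Finding:
    path: str   # e.g. "invoice.zip!/invoice.exe"
    depth: int  # number of archive layers enclosing the member
    kind: str   # "archive" or "executable"


def archive_kind(data: bytes):
    """Return the archive type implied by the leading bytes, or None."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def walk_archive(data: bytes, prefix: str = "", depth: int = 1, findings=None):
    """Recursively list nested archives and executable-like members of a ZIP."""
    if findings is None:
        findings = []
    if depth > MAX_DEPTH:
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info)
            path = prefix + info.filename
            kind = archive_kind(member)
            if kind is not None:
                findings.append(Finding(path, depth, "archive"))
                if kind == "zip":  # 7z/rar need extra libraries; still flagged above
                    walk_archive(member, path + "!/", depth + 1, findings)
            elif info.filename.lower().endswith(EXEC_SUFFIXES):
                findings.append(Finding(path, depth, "executable"))
    return findings


def is_double_archived_executable(data: bytes) -> bool:
    """True when an executable-like member sits behind two or more archive layers."""
    return any(f.kind == "executable" and f.depth >= 2 for f in walk_archive(data))


def zone_id_from_ads(ads_text: str):
    """Parse a Zone.Identifier stream; ZoneId=3 is the Internet zone, i.e. MotW set.

    Returns the integer zone, or None when the stream carries no ZoneId line.
    """
    section = None
    for raw in ads_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and line.lower().startswith("zoneid="):
            return int(line.split("=", 1)[1].strip())
    return None


def build_sample(nested: bool) -> bytes:
    """Constructed test data: an archive holding invoice.exe, optionally wrapped in a second archive."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as z:
        z.writestr("invoice.exe", b"MZ" + b"\x00" * 62)  # fake PE header, not a real binary
    if not nested:
        return payload.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", payload.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in walk_archive(build_sample(nested=True)):
        print(f)
    print("double-archived executable:", is_double_archived_executable(build_sample(nested=True)))
    print("ZoneId:", zone_id_from_ads("[ZoneTransfer]\r\nZoneId=3\r\n"))
```

On a Windows host the stream is read by opening the extracted file's path with `:Zone.Identifier` appended; for files pulled out of the inner archive by an unpatched 7-Zip, the open fails or `zone_id_from_ads` returns None, which is exactly the condition SmartScreen relies on not happening. At the gateway, a true result from `is_double_archived_executable` is a reasonable trigger for quarantine regardless of the 7-Zip version on the endpoint.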
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Unknown | Unknown | related-to | T1588.001 | Malware | |
| action.malware.variety.Unknown | Unknown | related-to | T1588.001 | Malware | |
| value_chain.development.variety.Bot | A small program that can be distributed, installed, and controlled en masse. | related-to | T1588.001 | Malware | |
| value_chain.development.variety.Payload | The portion of a program that causes a negative effect. | related-to | T1588.001 | Malware | |
| value_chain.development.variety.Ransomware | Ransomware (encrypt or seize stored data) | related-to | T1588.001 | Malware | |
| value_chain.development.variety.Trojan | A program which masquerades as another program to get a target to execute malicious content | related-to | T1588.001 | Malware | |